Re: IIS6 on W2k3 DCs

• Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: IIS6 on W2k3 DCs"
• In reply to: Danny: "Re: IIS6 on W2k3 DCs"
• Next in thread: Laura A. Robinson: "RE: IIS6 on W2k3 DCs"
• Reply: Laura A. Robinson: "RE: IIS6 on W2k3 DCs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 18 Jan 2005 14:48:55 -0800
To: Danny <nocmonkey@gmail.com>

They are drooling over Remote Web workplace
Ninja Feature: Remote Web Workplace in SBS2003:
http://blogs.msdn.com/tristank/archive/2004/10/14/242211.aspx

You can have a backup domain controller now....okay here goes the myths
of SBS again... we HAVE to be the PRIMARY domain controller [hold all
the FSMO roles] but we can have BACKUP domain controllers all we want.

And our SBScals cover a member server so we don't have to buy server cals.

Why wizards? Because they keep people from being stupid. There are over
500 commands in scripting the firewall and email setup in SBS to nicely
and correctly configure email, Internet access, and do it securely.

Understand the wizards...but once you understand them...you let them run.

Show me a screwed up SBS box and I'll show you an Enterprise-y Gold
Certified partner who "thinks" they know what they are doing and end up
mucking up everything. The number of Enterprisey folks who come in
saying "I need to dcpromo this SBS" and we freak out and tell them that
all of those steps are in the scripted install setup. Install this guy
several times to see what it does ...but the wise person let's "it" do
the heavy lifting.

The reality is many people do not truly understand what they are doing
and would indeed be better served by guidance or ...at least.. reading
the documentation.

Susan [somehow this is turning into a "educate the folks on what SBS is
and can be post" which tends to happen when I enter into
conversations...sorry about that...]

[and like I posted to Jim Harrison...even WE know better not to try to
put SMS on our SBS boxes ;-)

Danny wrote:

>On Tue, 18 Jan 2005 08:14:30 -0800, Susan Bradley, CPA aka Ebitz - SBS
>Rocks [MVP] <sbradcpa@pacbell.net> wrote:
>
>
>>...well... not exactly [sorry folks for hijacking this again] as we can
>>indeed expand and quite frankly big server folks are drooling over our
>>Remote Web workplace feature and Monitoring functions.
>>
>>
>
>The big server folks are drooling over the wizards?
>
>
>
>>You hit the 75 max brick wall and we have a transition pack that
>>"un-does" the 75 limit and allows us to break the parts off into
>>separate boxes.
>>
>>
>
>I did not know about this transition pack - I am just reading about it
>now. Once installed, does it allow you to implement another DC for AD
>replication -- an inherent limitation of SBS 2003, correct?
>
>
>
>>I'll be honest with you ...our biggest threat vector IMHO are stupid
>>passwords and that Mail server [smtp auth attacks and what not].
>>
>>
>
>Passwords - they are fun! If you can't afford [1] biometric
>authentication, then your best bet is to educate your users and
>enforce a policy -- thereby decreasing your threat vector.
>
>As for your mail server, none of my Microsoft based (Exchange is a
>popular one) email server implementations are accessible from the
>Internet. Instead, it's my personal preference to implement a real
>mail gateway MTA, such as Postfix on FreeBSD, which then seamlessly
>transports the email to the Exchange server(s). This combination is a
>weapon of mass destruction against malware, spam, and other nasty
>email borne crap. A 486 clunker could easily handle any SBS MTA
>requirements, so cost is not a factor; the aforementioned software is
>"free". You don't need to be a Unix buff to set it up, either.
>
>
>
>>For small businesses in SBSland we truly recommend a web server on the
>>side in a DMZ or outsourcing the web site. [see even we don't want IIS
>>or any web site to be straight exposed on that DC]
>>
>>
>
>I concur.
>
>
>
>>I just cringe these days at the words "best practices" as I think it's
>>too "checklisty". I think you need to evaluate the entire
>>risk/threat/vulnerability factors in your network and know what works
>>for you. Like the upcoming Security Configuration Wizard coming out in
>>Windows 2003 sp1... you run that "best practice tool" on our SBS 2003
>>box and you break the monitoring email and you possibly break our
>>backup. Now tell me... how did that make me safer?
>>
>>
>
>Personally I believe "wizards" are for non-wizards who don't know what
>they are doing and need their hand held, so why would you run the
>Wizard anyway?
>
>[1] - If biometrics was affordable relative to the cost of a security
>breach due to weak passwords, then we all should be able to justify
>the cost of such a system. In the mean time, I try my best to educate
>my users and enforce a balanced password policy.
>
>...D
>
>---------------------------------------------------------------------------
>---------------------------------------------------------------------------
>
>
>
>

---------------------------------------------------------------------------
---------------------------------------------------------------------------

• Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: IIS6 on W2k3 DCs"
• In reply to: Danny: "Re: IIS6 on W2k3 DCs"
• Next in thread: Laura A. Robinson: "RE: IIS6 on W2k3 DCs"
• Reply: Laura A. Robinson: "RE: IIS6 on W2k3 DCs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]