Hardening SBS / OWA

I'm in the midst of putting a proposal together for my boss for us to buy SBS Server, mainly to make my job easier - I'm a dev who also looks after the company IT.

It would let us do all the nice AD stuff as well as the Exchange calendar/contacts/mail facilities.

At the moment we have an LDAP server which does auth for some network services, and a Postfix/Dovecot setup for email.

The main stumbling block is being able to convince my boss that it will be safe to put OWA on the web. Obviously it'll be SSL-enabled and, from what I've read, use FBA.

How else can I harden the box? The plan was just to forward ports 25 and 443 from the web using our ordinary DrayTek router; I've seen that people publish OWA through ISA Server, though.

What else could i do to protect it from attacks?
 
Thanks for the info and links, guts. The IIS checklists look particularly useful; in this case it'll be SBS Server, so it'll be doing our AD etc. and there's no front-end/back-end style configuration.

We specifically want to be able to do push email to mobiles, so the VPN solution doesn't work (I have a Cisco router to go in to do our VPNs, to be replaced with an ASA in the next 6-12 months, as our VPN requirement has increased by some margin).

Have you had any trouble with mobile clients and non-standard ports? (Not that security by obscurity is a solution.)

I'm going to deploy the trial edition of SBS as part of my proposal, so I can get up to speed with the current versions (the last Exchange/Windows Server I really used was 2003).
 
We have VPNs anyway for our other internal office systems, but a VPN won't solve the problem of using smartphones with Exchange, which is pretty much the only reason OWA would be on the web and not via VPN.

It would need to work with Windows Mobile ActiveSync and its equivalents for Symbian, the iPhone etc.

I'm happy that IIS is secure enough (or at least there is plenty of easy-to-follow information to make it so). I really dislike using odd ports - it causes so much more hassle than it's worth. My boss is a different story.

Proper IDP will come later, I think. As it stands now, I've no reservations about exposing OWA.

As regards certificates, I may set it up to require client-side certificates to be installed, one for each staff member; then I can start to use that for other services (and I'll have it for the VPNs anyway).

What are you guys using for PKI management? Windows Server's built-in?
 
I'll look into those. The idea of exposing OWA isn't really for the webmail bit of it; it's so phones and so on will sync properly. Remote users will just be able to use Outlook anyway over the VPN - although since you can do Outlook over HTTPS, I may just do that instead.
 
Thanks BRS, I was about to say that SBS vs. Server 2k8 + Exchange 2k7 for 7 people is a bit of a no-brainer!

andyd, your SSL certs: do you have to buy additional ones for everywhere you want to deploy them? All of our internal ones are a bit ad hoc; I was hoping to put them under a common CA and just import that as a root onto workstations and devices, which keeps the costs down.

For stuff accessible from public places (i.e. if we were to run our own HTTPS server) I'd use a bought-in signed one, as it's just easier for site visitors.

One of the reasons for pushing for SBS over what we have is being able to enforce a proper password and security policy. I'm happy that I can make it secure without a lot of work.
 
I looked at hosted Exchange and it would come out quite a bit more expensive (due to the mailbox sizes mostly). I'd prefer to keep it in house really; plus, if we went hosted, I haven't a hope in hell of getting AD. This is to solve an e-mail problem, and SBS does it at an extremely cost-effective level, which is how I'm getting it past the powers that be.

The only port we have open at the moment is for VPNs. I'd only open 443 to SBS, and I may proxy it through Apache, just so I'm not exposing it directly to the web.
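One way to do the "proxy it through Apache" idea from the post above, combined with the per-staff client certificates mentioned earlier in the thread, as an added example that is not part of the original thread or of any Microsoft or Apache documentation. It assumes Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded, an internal CA certificate at /etc/ssl/certs/internal-ca.crt that has issued both the staff client certificates and the SBS box's own certificate, the public name mail.example.com, and the SBS box reachable on the LAN as sbs.internal.example.com; every name and path here is an assumption. The router forwards 443 only to the Apache host, and Apache in turn only connects to the SBS box.

```apache
# Added example (not from the thread): Apache reverse proxy in front of OWA and
# ActiveSync, so only port 443 on the proxy host is reachable from the internet.
# Hostnames, file paths and the CA file are assumptions for illustration.
<VirtualHost *:443>
    ServerName mail.example.com

    # Public-facing TLS; a bought-in certificate is easiest here (see the thread)
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/mail.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/mail.example.com.key
    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite          HIGH:!aNULL:!MD5
    SSLHonorCipherOrder     on

    # Require a client certificate issued by the internal CA (one per staff
    # member). A TLS handshake without one fails before any request reaches OWA.
    SSLCACertificateFile    /etc/ssl/certs/internal-ca.crt
    SSLVerifyClient         require
    SSLVerifyDepth          1

    # Never act as an open forward proxy
    ProxyRequests           Off
    # Pass the public Host header through so OWA's own redirects use it
    ProxyPreserveHost       On

    # Re-encrypt to the SBS box and verify its certificate against the same CA
    SSLProxyEngine          On
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt
    SSLProxyVerify          require
    SSLProxyCheckPeerName   on

    # Deny everything by default; publish only the paths the phones and
    # browsers actually need. Add /rpc or /Autodiscover here only if tested.
    <Location "/">
        Require all denied
    </Location>
    <Location "/owa">
        Require all granted
        ProxyPass        https://sbs.internal.example.com/owa
        ProxyPassReverse https://sbs.internal.example.com/owa
    </Location>
    <Location "/Microsoft-Server-ActiveSync">
        Require all granted
        ProxyPass        https://sbs.internal.example.com/Microsoft-Server-ActiveSync
        ProxyPassReverse https://sbs.internal.example.com/Microsoft-Server-ActiveSync
    </Location>

    # Log the client certificate subject so a login can be tied to a person
    LogFormat "%h %{SSL_CLIENT_S_DN_CN}x %t \"%r\" %>s %b" owa_combined
    CustomLog /var/log/apache2/owa_access.log owa_combined
    ErrorLog  /var/log/apache2/owa_error.log
</VirtualHost>
```

Two caveats a practitioner would want before relying on this. First, SSLVerifyClient require applies to the ActiveSync path too, so every phone that syncs must carry a client certificate; check that each platform you intend to support (Windows Mobile, Symbian, iPhone) can actually install one before making it mandatory, or the push-email requirement that justifies exposing OWA is lost. Second, Outlook Anywhere (RPC over HTTPS, the /rpc path) uses long-lived RPC_IN_DATA/RPC_OUT_DATA requests that generic HTTP reverse proxies often handle badly, so if "Outlook over HTTPS" is added later, test it through the proxy rather than assuming it will behave like the /owa path.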
 