4. Installing an anti-virus solution
Computer viruses are an increasingly prevalent concern. Proliferation of malicious software through e-mail and other messaging systems is a difficult problem for organizations, because viruses can spread so quickly and can overwhelm network resources. Besides arriving through e-mail, a virus can propagate from a shared network drive, from the Internet through a Web browser, or through infected files on removable media like floppy disks or CD-ROMs.
To adequately protect your Small Business Server network from computer virus infection, implement an anti-virus solution that defends the network perimeter, Microsoft Exchange Server, additional servers, and remote and local client computers. Also ensure that you have a good backup and recovery plan, because you may need to restore the system to the state it was in before the virus infection occurred. For more information about creating a backup and recovery plan, see “Creating a Backup and Recovery Plan” later in this paper.
Installing an anti-virus package is only the first step in your anti-virus solution. You should have an operations plan in place that describes how to protect your organization from viruses and how to react and recover should your organization encounter a virus attack. See the following Operations Checklist for important points to consider when developing your operations plan. Each item on this checklist is discussed in more detail later in this section.
Install Current Anti-Virus Software–Verify that all servers and client computers have the latest updates from the anti-virus software vendor.
Block Attachments–Define which attachments should be blocked.
Install Security Patches–Install the security patches for Microsoft Outlook®.
Review Security Bulletins–Receive and act on security bulletins from Microsoft and your anti-virus vendors.
Plan an Exclusion Mechanism–Have a mechanism for excluding new viruses even if an update is not yet available.
Develop a Reaction Plan–Define how to deal with a virus infection.
Develop a Notification Plan–Develop a procedure for notifying users and partners of a virus infection.
Install Current Anti-Virus Software
New computer viruses are constantly emerging, and they can spread worldwide within hours. If your virus protection is not current, your organization is at significant risk of virus infection. Your operations procedure should ensure that the list of areas scanned by your anti-virus software is current and that you receive regular security updates (virus signatures) from your anti-virus vendors.
Block Attachments
One of the best ways to protect against virus infection is to block particular e-mail attachments. Attachments can be blocked at the server or client level. As a precaution, many organizations block all attachments (for example, .exe files).
Install Security Patches
You can install a security patch on Microsoft Outlook 98 and Outlook 2000. This patch is built into Outlook 2000 Service Release 2 and Outlook 2002 (a component of Microsoft Office XP). The patch prevents certain attachments from running directly from the client computer (instead, the user must first save the attachment) and prevents other attachments (those considered more dangerous) from being downloaded from the mail server.
This security patch can help prevent the use of unauthorized attachments, but for it to work, everyone must install the patch on client computers that have e-mail. To be fully protected, ensure that all client computers running MAPI contain the patch. You must also prevent virus access via POP3, IMAP4, or HTTP.
Review Security Bulletins
To be informed about reported viruses and to ensure that your systems have the necessary updates, review the security bulletins from Microsoft and from your anti-virus software vendor. In some cases, you may receive a warning about a new virus before an update to your anti-virus software is available. First verify that the virus is genuine by checking with your anti-virus vendors; some virus notifications may be hoaxes.
Plan an Exclusion Mechanism
Most anti-virus software allows you to block messages that have certain subject lines or are from certain sources. This enables you to put a temporary blocking mechanism in place until you can update your anti-virus software.
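The attachment handling and the temporary exclusion mechanism described above can be combined into one filtering decision. The following Python sketch is an added example, not code from this paper or from any anti-virus product; the extension lists, subject string, sender address, and action names are assumptions chosen for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed policy values, not taken from the paper.
BLOCK_EXT = {".exe", ".com", ".bat", ".scr", ".vbs", ".pif"}   # never delivered
SAVE_FIRST_EXT = {".doc", ".xls", ".zip"}                      # must be saved before opening
# Temporary exclusion rules for use until a signature update arrives (constructed values).
EXCLUDE_SUBJECTS = ["important message from"]
EXCLUDE_SENDERS = {"bulk@mailer.example"}

def extensions(filename):
    """All dot-suffixes, lowercased: 'Invoice.PDF.exe' -> ['.pdf', '.exe']."""
    name = filename.strip().rstrip(". ").lower()   # Windows ignores trailing dots and spaces
    return ["." + p for p in name.split(".")[1:] if p]

def classify_attachment(filename):
    exts = extensions(filename)
    if any(e in BLOCK_EXT for e in exts):          # a blocked type anywhere in the name
        return "block"
    if exts and exts[-1] in SAVE_FIRST_EXT:
        return "save-first"
    return "allow"

def evaluate(raw):
    """Return (action, per-attachment verdicts) for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    if sender in EXCLUDE_SENDERS or any(s in subject for s in EXCLUDE_SUBJECTS):
        return "excluded", {}                      # temporary rule matched
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdicts[name] = classify_attachment(name)
    for action in ("block", "save-first"):         # strictest verdict wins
        if action in verdicts.values():
            return action, verdicts
    return "deliver", verdicts

def sample(subject, sender, filenames):
    """Build a constructed test message with dummy attachment bodies."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content("see attached")
    for fn in filenames:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=fn)
    return m.as_bytes()
```

Checking every suffix rather than only the last one means a name such as Invoice.PDF.exe is still treated as a blocked type, and the exclusion rules are evaluated first so they apply even to messages with no attachment.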
Develop a Reaction Plan
If your organization is infected with a computer virus, how you react to the problem is important. Developing a reaction plan in advance will help your organization respond quickly and appropriately to the problem. Your plan should include the following actions:
Notify appropriate parties.
Block entrance of the virus.
Prevent further spread.
Deploy anti-virus updates.
After notifying appropriate parties, you must do all you can to ensure that the virus does not spread. If a fix is not yet available from your anti-virus software vendor, consider restricting the flow of e-mail (by disabling connectors and possibly network connections, for example) both within and outside of your organization.
Develop a Notification Plan
After verifying that the virus is genuine, you must ensure that all appropriate parties are notified. Notify the following parties:
Users–Provide instructions to prevent further spread of the virus.
Partners–Warn them that you have received the virus and may have passed it to them.
Anti-virus vendors–Verify that the virus has been reported.
Notify users about what they should do if they receive e-mail messages containing the virus. You should also have a well-publicized, predefined plan for how your users should report suspected viruses.
Often the primary cause of a virus spread within an organization is the uninformed user who opens an attachment containing a virus. Properly informed, these same users can be the best defense against the continued spread of a virus. In many cases, you can communicate to your users that a particular virus cannot damage computer systems unless it is executed. For example, if a user receives a virus as an attachment in an e-mail message, the virus attachment can often be safely deleted without any harm to the e-mail server or the user’s computer.
Finding an effective way to communicate with all users is vital. If there is a new virus threat, you can send users a high-priority e-mail message describing the threat and the recommended action. Make sure that the subject line of the message displays the nature of the threat. If the users know what to do, they can greatly reduce the spread of viruses.
Choosing an anti-virus software vendor
Make sure that the software you choose implements the advanced features available with the Exchange 2000 Server Virus Scanning API 2.0. Evaluate how quickly various anti-virus software vendors release virus patterns and software updates. You should also verify that your vendor will ensure that its software is compatible with service packs and product updates.
5. Securing Access to the server
There are several ways to improve the security of your Small Business Server by controlling access to the server:
Control physical and network access.
Grant the appropriate level of access permissions.
Enforce strong passwords.
Control external access.
Controlling physical and network access
Controlling physical access to your Small Business Server computer is one of the easiest ways to improve your network security and avoid accidental network outages. Many types of security attacks are impossible or difficult without physical access to the server. Preventing access to the server and other network components will prevent accidental disconnections or damage.
Grant the appropriate level of access permissions
Users should be granted only the access permissions necessary to perform their jobs. This will help prevent accidental administrative errors. Small Business Server 2000 provides predefined user templates to help you assign the appropriate level of access when creating user accounts:
Small Business User
Small Business Power User
Small Business Administrator
Each type of user account is placed in the appropriate global security groups created by Windows 2000 Server and Small Business Server. Each group is granted a specific level of access to network resources. Using these templates helps ensure that users receive only the minimum level of access they need. For example, only members of the Small Business Administrators group can log on at the server computer.
You can also create your own user account templates.
Small business user and power user
By default, the Small Business User has access to the following group memberships and resources.
By default, the Small Business Power User has the same group memberships as the Small Business User and also has access to the following administrative-level resources.
Small Business Server 2000 includes two preconfigured management consoles. These consoles are designed so that an administrator can delegate tasks by granting members of the Power User group certain server administration rights. These consoles are:
Small Business Server Administrator Console for Administrators
Small Business Server Personal Console for Power Users
Enforce strong passwords
Ensuring that user accounts with administrative access to the server are protected with strong passwords adds an additional level of protection to the server. If your client computers are running Microsoft Windows 2000 Professional, you can use Group Policy to enforce a strong password policy. Before applying Group Policy to Small Business Server, see “Checklist: Implementing Group Policy through Active Directory” in Windows 2000 Server Help.
To access Group Policy from the Small Business Server Administrator Console:
In the console tree, double-click Active Directory Users and Computers.
Right-click the Active Directory® object corresponding to your Small Business Server domain. Click Properties, and then click the Group Policy tab.
From Group Policy Object Links, click Default Domain Policy. The Default Domain Policy dialog box appears.
Add, remove, or edit Group Policy objects as needed. For more information about setting up Group Policy, see Windows 2000 Server Help.
Click Close to apply Group Policy.
In addition to a password policy, you should implement the following guidelines:
Discourage employees from writing down their passwords or giving them to others.
Encourage employees to lock their workstations, even if they are away for only a moment. (This applies only to client computers running Windows 2000 Professional or Windows XP Professional.)
Encourage employees to use a password-protected screen saver.
Use Windows XP Professional, Windows 2000 Professional, or Microsoft Windows NT® Workstation 4.0 client operating systems because of their built-in security features.
After implementing a strong password policy, educate users about good and bad passwords. Remind users that the best password is useless if it is written on a note and placed on the monitor.
General Password Recommendations
Passwords should not contain:
A user’s name or e-mail alias.
The name of the user’s child, parent, spouse, or friend.
Any word (such as table or computer) found in a dictionary.
A birth date.
A phone number.
A Social Security or other government identification number.
Any easily obtained personal information.
Good passwords should contain a combination of the following:
Uppercase letters (A, B, C, . . . Z).
Lowercase letters (a, b, c, . . . z).
Numbers (0, 1, 2, . . . 9).
Special characters (such as punctuation).
At least eight characters (more is better).
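The two lists above translate directly into an automated check. The following Python function is an added example, not part of this paper or of Windows password policy; it assumes that all four character classes are required, uses a small constructed word list in place of a real dictionary, and takes the user's personal details as parameters with hypothetical names.

```python
import re
import string

# Constructed stand-in for a real dictionary file (assumption, not from the paper).
SAMPLE_WORDS = {"table", "computer", "password", "welcome"}

def check_password(password, user_name, email_alias, personal_items=(), words=SAMPLE_WORDS):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    lowered = password.lower()

    # "Good passwords should contain" rules: length plus all four character classes.
    if len(password) < 8:
        problems.append("too_short")
    if not any(c.isupper() for c in password):
        problems.append("no_upper")
    if not any(c.islower() for c in password):
        problems.append("no_lower")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no_special")

    # "Should not contain" rules: name parts and e-mail alias (3+ characters each,
    # so one-letter initials do not trigger false matches).
    tokens = re.split(r"[\s._-]+", user_name.lower()) + [email_alias.lower()]
    personal = any(len(t) >= 3 and t in lowered for t in tokens)

    # Dates, phone numbers and ID numbers: compare digits only, so separators
    # such as "-" or "/" do not hide a match.
    pw_digits = re.sub(r"\D", "", password)
    for item in personal_items:
        item_digits = re.sub(r"\D", "", item)
        if len(pw_digits) >= 4 and item_digits and (
                pw_digits in item_digits or item_digits in pw_digits):
            personal = True
    if personal:
        problems.append("personal_info")

    # Dictionary words: any listed word of four or more letters inside the password.
    if any(len(w) >= 4 and w in lowered for w in words):
        problems.append("dictionary_word")
    return problems
```

A password that satisfies every character-class rule can still fail here, which is the point of the first list: Computer1! has all four classes and ten characters but contains a dictionary word.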
Administrator Password Recommendations
For the administrator:
Use a strong password at all times (for example, diT$34ppK).
Log on with your user account, not with “Administrator.”
Never leave a computer unattended while logged on with a user account that is a member of the Administrator group.
Do not give others the Administrator account password.
Rename the built-in Administrator account.
Control external access
In addition to taking the preceding measures, if you connect your server to the Internet, you must take appropriate steps to prevent unauthorized access from the Internet. For example, you should configure a firewall and properly secure remote access. For more information, see the white paper entitled “Small Business Server 2000 Internet Connectivity.”
6. Completing the To Do List
The To Do List contains tasks that you must complete before using Small Business Server. It is recommended that, after installation, you immediately complete the tasks in the order displayed. If you choose not to do so, users might not have access to some Small Business Server features.
The To Do List is created dynamically, based on the choices you made during Setup. It appears after Setup is completed. Here is the complete list of tasks that may appear and a brief reason why they must be completed:
Add Client Licenses–Client access licenses (CALs) are enforced by Small Business Server. To connect more than 5 client computers (the default installation), you must add licenses.
Define Client Applications–If you want to deploy additional software to your client computers as part of client deployment, you must complete this task before you add users. After applications have been defined, they are assigned to specific users and deployed to computers as part of the Add Users task.
Add Users–Before users can access network resources, you must create a user account for each user.
Add Printer–After physically connecting a print device to the server, you must configure it before network clients can send print jobs to it.
Configure Internet Information Services–You need to secure Internet Information Services (IIS) if it is running with Microsoft Internet Security and Acceleration (ISA) Server 2000.
Enable Network Interfaces–Before you establish any Internet connection to the Small Business Server computer, you must re-enable all network adapters that were disabled during installation.
Internet Connection Wizard–The Small Business Server Internet Connection Wizard is the recommended way for you to configure Internet connectivity and e-mail for the network and to configure the ISA Server firewall. For more information about connecting to the Internet, see “Connecting to the Internet” later in this paper.
Configure Remote Access–You must perform this task to enable the server for remote user dial-up or virtual private network (VPN) access.
Configure Modems–You must configure modems in order to receive faxes.
Configure Access for Terminal Services–To enable power users to have remote access to the server by using Terminal Services, you must complete this task.
Configure Exchange Management–For users to create and manage mailboxes and distribution lists, you must complete this task.
Configure Server Status Report–To receive reports on server status, you must complete this task.
Getting Started–Take a tour of Small Business Server.
If you have upgraded Small Business Server from a previous version, the following tasks will also appear:
Upgrade Required Components–Before you can use the upgraded Small Business Server, you must also upgrade the Shared Fax Service and Shared Modem Service on the client computers.
Intranet Virtual Root–During the upgrade, the previous Small Business Server intranet files were not altered, but they can no longer be accessed. To restore the original intranet, you must complete this task.
7. Connecting to the Internet
Microsoft Small Business Server 2000 provides Internet services to the small business network. This is one of the server’s most important functions, and it is also one of the most complex configuration tasks. Use the Small Business Server Internet Connection Wizard to remove the complexity and ensure that all configuration steps are performed correctly. Before running the wizard, you must perform the following basic tasks:
Select an Internet service provider (ISP).
Determine your network topology.
The following sections provide you with an overview of these elements. For more detailed information, see the white paper entitled “Small Business Server 2000 Internet Connectivity.”
Selecting an ISP
The minimum ISP services required to support the current and future needs of the organization using Small Business Server 2000 are:
Electronic mail routing and queuing.
Registration and maintenance of your Internet domain name.
Determining your network topology
There are several ways to connect a local area network (LAN) to the Internet. The following connection types are supported by Small Business Server 2000:
Full-time broadband connection (for example, xDSL, cable modem)–This connection type requires one network adapter (NIC) to connect your server to the LAN and a second NIC to connect your Small Business Server to the Internet via your full-time broadband connection.
Router–This connection type uses a router device with an IP assigned by your ISP to connect your Small Business Server computer to the Internet.
Modem or Terminal Adapter–This connection uses a modem or Integrated Services Digital Network (ISDN) terminal adapter to connect to the Internet.
The Small Business Server Internet Connection Wizard simplifies the configuration of the networking, firewall, and e-mail services used to connect your Small Business Server computer to the Internet. It is highly recommended that administrators use the Small Business Server Internet Connection Wizard instead of configuring these services manually because the Small Business Server Internet Connection Wizard performs all of the actions necessary for the correct integration of the services.
If your server’s networking configuration gets corrupted or changed in any way, or if you manually configured the server, you can correctly reset the configuration by simply running the Small Business Server Internet Connection Wizard again. Running the Small Business Server Internet Connection Wizard is an excellent way to verify that the server’s networking configuration is returned to a known baseline state when you are troubleshooting networking problems.
For more information about Small Business Server Internet Connection Wizard and the tasks that it performs, see the white paper entitled “Small Business Server 2000 Internet Connectivity.”
Look for 8 to 10 in part three next week.