Microsoft's Approach to BackOffice Server Security

Security is a topic that always generates interest, and the Microsoft BackOffice Server (BOS) arena is no exception. The complexity of security issues has given rise to businesses that focus solely on ensuring that Windows 2000 and Windows NT networks are correctly configured and secure. Given that a significant percent of the target market for BOS comprises businesses with a single server and only a few clients, how can neophyte BOS 2000 administrators be sure that their Internet-connected networks are reasonably secure?

Microsoft has taken on the task of keeping BOS 2000 administrators from accidentally opening up their network to outside attack. The company has done this by setting up the installation so that applications and services with outside access are—by default—disabled, locked down, or not installed.

You would expect the Internet Connection Wizard (ICW), which provides Internet connectivity for all of your local clients, and the Internet Security and Acceleration (ISA) Server, which provides firewall services to the network, to be two of BOS 2000's most commonly used features. Therefore, Microsoft has ensured that using those two applications won't get you into trouble. ICW locks down all of the TCP/IP ports not explicitly selected to be open—and opens only those ports that the applications you select require. By default, the ISA Server blocks all inbound IP traffic. Then, the ICW configures the ISA Server to allow access to IP traffic as needed by the application set that the administrator installs.

However, even though the ICW works with the ISA Server to provide a secure Internet connection for your network, none of your network users will be able to access the Internet because the default BOS 2000 installation of ISA Server locks out all users from the Internet. You must use the BOS 2000 Add User Wizard to add your users to the BackOffice Users Group. (The BOS 2000 Setup program configures ISA Server to let only members of this group access the Internet.)

In a similar vein, one of Win2K Server's most useful features is the two-user Terminal Services license that supports remote administration of the server via the terminal services client. This feature also supports a Web-based interface (using the Terminal Services ActiveX control) to support remote administration from any machine equipped with a suitable browser. The default BOS 2000 installation doesn't include installing the Web client, so you can't accidentally open yourself up to problems.

Because BOS 2000 hasn't shipped yet, I haven't seen the final product documentation. What concerns me is how well differences from the standard BOS 2000 application installation set will be documented. If Microsoft makes other changes to the default installations (and I'm sure the company will), I hope that the differences will be clearly documented in a single location. Also, if a lot of interrelated dependencies change based on the installation scenario you select, I hope that those interdependencies are clearly documented. I guess we won't know until the retail product hits the shelves. But it's something you'll need to keep an eye out for when you configure your BOS 2000 installations.