SBS & Site Server Secure Installation

An effective e-commerce solution for small businesses

You might know me as the Accidental Hacker (see "The Accidental Hacker," February 1998), but my primary business is developing e-commerce Web sites. My customers aren't all big companies—some are rather small, and Microsoft Small Business Server (SBS) is a product of choice not only for these small businesses' internal needs but also for their e-commerce Web sites. Many of these companies use Microsoft Site Server 3.0 Commerce Edition as their e-commerce solutions' foundation. Microsoft developed Site Server mainly for installations on the full BackOffice platform. But for many small businesses, using only SBS and Site Server—rather than installing the full BackOffice solution—is an attractive idea. SBS and Site Server together provide most of the functionality that BackOffice provides, for a fraction of the cost. Although SBS and Site Server are easy to install and configure, making sure this solution works securely on the Internet is a complicated process.

Fortunately, I recently finished installing SBS and Site Server for a client, and I have all my installation records at hand. In this article, I share my checklist for installing SBS, Site Server, and the additional components you need to secure your e-commerce solution. If you follow my approach, you'll have a nicely secured SBS e-commerce installation.

Step 1:
Install SBS 4.0 on a Clean Server
I won't describe this procedure in depth—you can install SBS by following the installation wizard on the software's first installation CD-ROM if you have Windows NT Workstation 4.0 or Windows 9x installed on your system. You can also find complete installation instructions on Microsoft's Web site (http://microsoft.com/backofficesmallbiz/support/ setup.asp) or in the software's documentation. Before installing SBS, make sure your server complies with SBS's hardware requirements.

When I install SBS, I usually don't select any of the Microsoft Exchange Server installation options. The Exchange Server component in SBS 4.0 isn't the latest version and doesn't offer strong enough protection from mail relaying. If you install the SBS 4.0 version of Exchange Server, you'll open the door to bulk emailers who'll use this SMTP server as a relaying host.

Step 2:
Install SBS 4.0 SP1
The basic rule I live with is to install all the latest Microsoft releases and service packs on my servers. Site Server needs the NT 4.0 Option Pack installed, but to get the Option Pack running, you need to first install SBS 4.0 Service Pack 1 (SP1).

You can order the two SBS SP1 installation CD-ROMs from Microsoft at http://microsoft.com/backofficesmallbiz/guide/service.asp. Situations such as installing SBS and Site Server make me glad I have a TechNet subscription and access to all Microsoft service packs and patches on CD-ROM. If you install and support solutions on Microsoft products, a TechNet subscription can pay for itself many times over. For subscription information, go to http://www.microsoft.com/ technet/subscription/about.htm.

Step 3:
Run Proxy Server Upgrade Wizard for SBS
The Option Pack works only with Proxy Server 2.0, but SBS 4.0 includes Proxy Server 1.0. Fortunately, you can use a simple tool, the Proxy Server 2.0 Upgrade Wizard for Small Business Server, to prepare for the upgrade to Proxy Server 2.0 in SBS. To download a free copy of the Upgrade Wizard, go to http://backoffice.microsoft.com/ downtrial/moreinfo/proxywizard.asp.

Step 4:
Install Proxy Server 2.0
When you install SBS, you don't have the option not to install Proxy Server 1.0. However, you need to install Proxy Server 2.0 before installing the Option Pack. The good news is that you don't have to buy a Proxy Server 2.0 upgrade. A special offer from Microsoft gives SBS customers a Proxy Server 2.0 upgrade for only the cost of delivery. For information about this offer, go to http://microsoft.com/backofficesmallbiz/guide/ freeproxy.asp.

Step 5:
Install NT Server 4.0 Option Pack
Fortunately, Site Server Commerce Edition includes an installation CD-ROM for the NT 4.0 Option Pack, so you don't have to overwork your modem to download all this data. Install the Option Pack in custom mode: Add SMTP (remember that you didn't install Exchange Server when you installed SBS) and Windows Scripting Host (WSH) modules from Internet Information Server (IIS) 4.0. Don't install any samples for IIS—clear the selection when you install the Option Pack on any production server. I recommend deleting all sample content and HTML documentation, because intruders can use sample files to access hidden system information. For example, using http://victim/adsamples/config/site.csc, an intruder can find a copy of the site.csc file and the username and password of the Microsoft SQL Server system that functions as an advertising server. And http://victim/SiteServer/samples/knowledge/ search/viewcode.asp?source=/mystore/global.asa gives intruders the full source code of the global.asa file.

Step 6:
Reinstall Proxy Server 2.0
After you install the Option Pack, you need to reinstall Proxy Server 2.0 to get it working under the Microsoft Management Console (MMC). After this reinstall, Proxy Server will add its extensions to the MMC, and you'll have the fully operational Proxy Server that the README file in the Option Pack describes.

Step 7:
Install SQL Server 6.5 SP5
Site Server's components need SQL Server SP4 or later to work properly. SBS SP1 upgrades SQL Server to SP3, but you can't install SBS SP4 on the SQL Server version that SBS includes (SQL Server in SBS is a custom version). However, if you install SQL Server 6.5 SP5 on top of SBS's SQL Server, you can run Site Server's components.

Step 8:
Install Site Server 3.0
Which Site Server components do you need to install? Most small businesses don't use complicated technologies such as Personalization and Membership (P&M) server components in their Internet shops. These components are flexible and powerful in big commercial stores and Web sites with millions of subscribers, but most of my small-business customers find this technology too difficult to use.

One problem with installing P&M components disappeared in late 1998. Before the release of SQL Server SP5, you couldn't install P&M components easily because they required SQL Server SP4 and a Site Server hotfix. With SQL Server SP5, you can easily install P&M components and forget about post-SP4 hotfixes. However, I usually clear the selection of the P&M components, as well as the knowledge management functions, when I install Site Server. In most cases, I need to install only the extended logging filter from the Site Server installation CD-ROM.

Step 9:
Install Site Server 3.0 Commerce Edition
To make this installation more secure, clear the selection of all samples and the software development kit (SDK). Leaving sample content on any production server is a dangerous practice.

Step 10:
Install Site Server 3.0 SP2
Yes, I know—too many service packs. However, you need Site Server 3.0 SP2 to get Site Server Commerce Edition to work properly with SQL Server 6.5 SP5 and to eliminate bugs in the original Site Server code.

Step 11:
Install NT Server 4.0 SP4
I'm lucky that we finally have SP4. Otherwise, I'd have to describe in this step which post-SP3 hotfixes you'd need to install.

Step 12:
Install NT Server 4.0 Post-SP4 Hotfixes
We live in a cruel world and can't seem to go for long without post-service pack hotfixes. However, installing these hotfixes is important for your e-commerce solution. Microsoft plans a special roll-up fix for release after every full service pack to install fixes to the service pack for all known problems. Unfortunately, I have no current information about how roll-up fixes will work.

Additional Tasks for Securing SBS
Now you have SBS, Site Server Commerce Edition, and all the necessary components installed, but you need to do more to secure your e-commerce server from intruders. First, make changes to the Registry to deny anonymous network access to your e-commerce server. NT has a special feature whereby anonymous logon users can list domain usernames and enumerate share names. NT uses this feature for interdomain communications in multidomain networks. The downside to this feature is that anyone can use it to get a list of domain users.

To disable this feature, run regedt32 and go to HKEY_LOCAL_MACHINE SYSTEMCurrentControlSetControlLsa. From the Edit menu, click Add Value, enter RestrictAnonymous for the value name, select REG_DWORD for the data type, and enter 1 for the data value. Exit the Registry Editor and restart the computer so that the change can take effect. To learn more about this Registry feature, see the Microsoft article "Restricting Information Available to Anonymous Logon Users" at http://support.microsoft.com/ support/kb/articles/q143/4/74.asp.

You need to complete the next task when you install your online store templates. Check the permissions in your store's Config folder. Every store a business creates in Site Server Commerce Edition has a Config folder in which Site Server stores important information about Order Processing Pipeline and databases. You'd be surprised by how many companies keep a site.csc file, which stores SQL Server account and Data Source Name (DSN) information and is accessible to anyone over the Internet. Check the security settings for the Config folder in the MMC, and change them if they threaten security. To make changes to these MMC security settings, open the Config Properties window of your store's Config folder, select the Directory Security tab, and clear all three check boxes in the Authentication Methods dialog box, as Screen 1 shows.

Next, implement sound security policies such as minimum password length and password-guessing blocking. Although many security consultants think that renaming the administrator account is useless, I recommend renaming the account and also denying administrative access over the network; the goal is to let only the person sitting at your e-commerce server access the system with the administrative account. I usually go one step further and create two decoy accounts with Administrator and Root names to trap novice intruders. Of course, you need to turn on all auditing features for these accounts so that you'll receive notification if the accounts come under attack. You can turn on these features in User Manager.

I always delete all shares that the SBS installation wizard creates, and I recommend that you delete them also. Further, make certain that administrators in your company know to delete these shares.

To secure SQL Server, I remove all unnecessary accounts (e.g., Probe, Guest), and I change the password for the sa account from the default clear password. In addition, I create special accounts with limited-access rights for working over the Internet. An example of such a special account is one I might name CommerceUser that has limited permissions for browsing for products in the online store and adding the products to the shopping basket. Special accounts can protect you from big problems if an intruder gets an account-password pair and tries to steal information from your database.

Finally, configure routers (or Proxy Server 2.0) to drop all IP packets for ports 135 through 139 and 1433 coming from the Internet. When you do this, you can be sure you've effectively blocked incoming NetBIOS over TCP/IP (NetBT) data and outside access to your SQL Server system. On Cisco routers, I use the easy commands in Listing 1 to add filters that close NetBT ports to access from outside the network.

If you've gone through the steps I've outlined, you now have a secure foundation for your SBS and Site Server online enterprise. I wish you good luck and success with your e-commerce venture.