Aimless Ramblings from a Blithering Lunatic . . .

Just another Microsoft MVPs site


Taking the Plunge

I did it.  No – hell didn’t freeze over, and no – pigs aren’t flying.  But yes, I just recently did some network reconfiguration here at the office, moving from a dual-NIC SBS Premium setup with ISA 2004 to a single-NIC setup with a hardware router/firewall instead.   Gasp!  The horror! . . .

I’ll admit that for a long time I thought it would be a cold day in hell before you could pull ISA from my dead hands – but I would also be lying if I didn’t tell you that I definitely had a love/hate relationship with ISA – and it usually depended on the hour as to whether I was loving it or hating it.

So what is my thinking?  You know, if someone figures that one out would you please clue me in?

Like most technology decisions, this was motivated by business needs – both the business needs of our clients as well as our own business needs to profitably deliver quality services to our clients.  First – we’re seeing an increased demand in managed security with the SMB client.  Second – we are continuously looking for ways to increase productivity and gain efficiency.  Third, we’re revamping our product offerings to better line up with our core business as an MSP by adding products that allow for additional recurring revenue opportunities.

So, the big question is what did we decide on to replace ISA 2004 in our office?  CheckPoint’s Safe@Office 500W Unified Threat-Management device.  Now why did this solution win out?

1)   Affordability / Flexibility.  The CheckPoint has several base models to choose from (wired or wireless, with 5/25/Unlimited clients), plus nice add-on services including gateway anti-virus, anti-spam, web content filtering, etc.  The base models make it affordable to get this device into smaller clients who wouldn’t normally consider ISA.  Additionally, the add-on services allow clients to purchase features cafeteria-style and provide us with additional recurring revenue.

2)   Efficiency in Management.  CheckPoint offers their Security Management Portal for centralized management of these devices.  Their SMP was designed and built from the ground up to target MSPs and how we work: 

      *   Everything you can configure locally via the device can also be configured centrally from the SMP.  Additionally, with the SMP we can create groups with common configurations and apply those group settings to multiple devices very quickly and easily. 

      *   The SMP also streamlines setting up site-to-site VPNs between devices.  Simply build your VPN community in the SMP and pick the devices you want to belong to that community, then the SMP will generate the necessary configuration and push it out to each of the devices.  This also allows you to have IPSec VPNs between devices that can only get dynamic public IPs.  When one device’s IP changes, it notifies the SMP, which automatically updates the configuration on the other devices in the VPN community. 

      *   The SMP allows you to customize both administrative and customer-facing reports, so you can change the layout, the content, and even the look and feel to match your branding.  Customer-facing reports offer a lot of nice, colorful graphs which make sense to CXO level individuals at your clients. 

      *    The SMP is available either in a hosted solution, or in a purchase and run on your own server setup.

From a technical standpoint, there are pros and cons to both ISA and the CheckPoint (or other hardware firewalls).  There are a lot of things that ISA does better than many hardware devices – primarily web publishing, with its ability to inspect HTTP traffic and route requests based on HTTP host headers, as well as providing egress filtering that integrates with Active Directory.  Where ISA falls short is when you have a service provider who needs to efficiently manage multiple installations at different customer sites with different needs.  Sure, I could probably build a repository of management scripts, and use Level Platforms’ Managed Workplace to push those scripts out to our managed client base, but why reinvent the wheel – and run the risk of having to recreate those scripts as subsequent generations of ISA are released? 

Also, I will admit that I am beginning to question the feasibility of ISA on SBS.  I still don’t fully buy into some people’s arguments that ISA on SBS is inherently insecure.  I’m beginning to question the feasibility of ISA on SBS not because of the security implications, but because of the added complexity in setup and administration.  If you look at the SMB space and the SBS customer – their needs are changing.  Two years ago we could sell an SBS Premium to a customer who relied on Exchange and file shares.  In that scenario, adding ISA to the mix wasn’t that complicated or that big of a deal.  The customers we’re encountering today are looking for much more diverse and mature solutions.  Our typical SBS-based deployment is now a multiple-server environment.  SBSers are doing more with Exchange – particularly in terms of mobility – and depending on SharePoint for workflow management, version control and increased collaboration, instead of simply document storage.  Our SBS clients are also much more likely to be running at least one Line-Of-Business app – in our experience most likely Dynamics GP and/or Dynamics CRM.

When you start putting all of this on to one box, change management becomes a bit of a challenge to say the least.  And even us long-time ISA fans have to admit that ISA is usually the first thing to come up when we start thinking about moving services off our SBS.  But investing in another box, plus another Windows Server license, plus ISA is often hard to swallow – especially when you look at it from a customer perspective and include services to install and configure that box.  From a business standpoint, when you compare that option to a solution like the CheckPoint that offers a significantly lower entry point, provides the MSP with a mechanism for recurring revenue, and provides a pre-built solution to efficiently manage a large number of devices from one central location, it becomes a bit of a no-brainer.

Now the question is just how well this is going to work.  We’re now at 4 days since the CheckPoint replaced ISA in our office, and so far so good.  I’ll be sure to report back on my post-ISA experiences.

Vista RC2, IE7 and SBS Self-Signed Certs

Yes Virginia – there is a Santa Claus . . .    oh wait, wrong story . . .

So as I mentioned in my previous post, I took the plunge and installed Vista RC2 on my primary production machine, and so far it’s going well . . .  granted a bit of a learning curve – but well worth it.

Like a lot of SBSers out there, we’re making extensive use of self-signed SSL certificates for accessing RWW, OWA, ActiveSync, etc.  Well, if you’re being a good little tech and running Vista as a non-admin, and you haven’t had much experience with IE7 yet, you might be trying to figure out just how to get those certs installed . . .

The first thing you notice when browsing to a site using a self-signed certificate is that you don’t get to see the site right away – rather, IE7 gives you a full page warning instead of the old Security Warning pop-up.  So, you click to continue to the website, and you’ll notice that your address bar has changed to a deep red indicating the security risk with this site.  If you click on the ‘Certificate Error’ in the address bar, you can view the certificate.  But viewing the certificate – you notice one minor problem . . .   you don’t have an option to actually install the cert!

The thing is, you need to have administrator permissions to install your cert.  So here’s the trick . . .   click on Start | Programs.  Right-click on Internet Explorer and select ‘Run as Administrator.’  When prompted, enter admin credentials, and IE opens.  Navigate to your site, on the warning page select to continue to the site, then click on the Certificate Error in the address bar, and then view the certificate.  Now you have the option to install the cert.  But slow down there, young grasshopper . . .    if you just click through the add cert wizard like you do in XP, it’s not going to work for you.  You see, by default the add cert wizard is going to install the certificate for just the current user – and since we’re running IE as Administrator – you guessed it – the cert gets installed for the Administrator account – not yours.  So how do you get around this?  When you’re running the import cert wizard, you’re going to want to specify a location for the certificate:

Click Browse, then click to select ‘Show physical locations’ – then scroll up in the list, expand Trusted Root Certification Authorities and select Local Computer.

Click OK, then finish the import certificate wizard.  Close IE (after all, you don’t want to be browsing as an admin).

Open IE, navigate to your site and voila!  There you go . . .
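The same import, scripted, as an added example that is not from the original post: it puts the exported .cer into the Local Computer Trusted Root store (the ‘Root’ store under ‘LocalMachine’, which is what the wizard steps above select), so the cert is trusted for every account on the box rather than only for the Administrator account you happened to run IE as. The path `C:\certs\sbs-selfsigned.cer` is an assumption; export your own cert first from the Certificate Error dialog (Details tab, Copy to File). Run it from an elevated PowerShell prompt once, then close it.

```powershell
# Added example (not from the original post). Import an SBS self-signed certificate into
# the Local Computer "Trusted Root Certification Authorities" store.
# $CertPath is an assumed location for the .cer you exported from IE.
param(
    [string]$CertPath = 'C:\certs\sbs-selfsigned.cer'
)

# Writing to the LocalMachine store needs elevation; that is why the post runs IE as Administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt; LocalMachine\Root is read-only otherwise.'
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# A self-signed cert has Subject == Issuer. Refuse anything else so a CA-issued leaf
# certificate is never installed as a trusted root by mistake.
if ($cert.Subject -ne $cert.Issuer) {
    throw "'$($cert.Subject)' is not self-signed (issuer: $($cert.Issuer)); it does not belong in Root."
}

# 'Root' = Trusted Root Certification Authorities; 'LocalMachine' = the "Local Computer" node in the wizard.
# Passing 'CurrentUser' here would reproduce the mistake the post describes: the cert would land
# in the profile of the elevated account, not in a store your normal login can see.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $existing = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($existing.Count -eq 0) {
        $store.Add($cert)
        Write-Output "Imported $($cert.Subject) (thumbprint $($cert.Thumbprint)) into LocalMachine\Root."
    } else {
        Write-Output "Already present in LocalMachine\Root: $($cert.Subject)"
    }
} finally {
    $store.Close()
}

# Verification: the cert is now visible through the Cert: drive from any account, including a
# non-admin login, so there is no need to keep browsing as an administrator.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, Issuer, NotAfter, Thumbprint
```

The subject/issuer check is the one guard worth keeping even in a one-off script: anything added to the Root store is trusted for every site on that machine, so only a certificate that actually signs itself should go there. To check the same thing later from a plain user prompt, run the final `Get-ChildItem Cert:\LocalMachine\Root` query on its own.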

The compromise of SBS . . .

I’m sure that most people here are aware that there are circles in the IT community where SBS is a punchline.  One of the most common assertions is that ISA on SBS is a security compromise.  So I figured it was time to address this head on.


Is ISA on SBS a security compromise?  Completely – because the mere notion of a firewall on Windows is a security compromise at best . . . we should all be running a SonicWall or Cisco Pix if we really want security.     Sorry, I couldn’t resist a little jab  :^)


Seriously – is ISA on SBS a compromise?  Absolutely – because SBS itself is a compromise.  Which is why it fits so well in the small business space, because each and every small business is a living, breathing example of compromise on a daily basis.  You can’t truly appreciate or understand Small Business Server if you don’t understand small business.  And you can’t understand small business if you haven’t experienced it. 


I can’t help but wonder if the people who look down on SBS with disdain have truly experienced small business.  Have they laid awake at night worrying about making payroll – knowing that their employees have families to feed and mortgages to pay?  Do they realize that for many small businesses, money could be spent in several different places – so that server upgrade often means not being able to offer the raises or bonuses we’d like, or to offer additional benefits?  We have to take care of our employees and our customers, but we also have to invest in our businesses to ensure our long-term ability to take care of our employees and our customers.  We can’t afford an imbalance either way – literally.  So each day is a compromise.


Would I love to be able to follow ‘best practices’?  Absolutely.  But look at the average small business with 25 users or less . . .  how would I be helping them by deploying a DC, a secondary DC, an ISA server, a front-end Exchange box, a back-end Exchange box, a file & print server, a SharePoint box and a LOB server?  Not only would there be extensive cost in deploying that sort of solution, but extensive cost to maintain and administer that setup.


Let’s face it – SBS customers aren’t shopping for ISA server any more than they’re shopping for Exchange.  What they’re looking for is a solution that lets them work smarter.  Does the small business owner care about running ISA on their DC?  Nope – not in the least.  The fact is that it isn’t realistic to sell that client a separate ISA server – simply put, the costs outweigh the benefits.


Is ISA on SBS a compromise?  Sure – it’s a compromise between the benefits of the full product and great pricing of an integrated bundle.  I will be the first one to admit that in a perfect world ISA would always run on its own dedicated box.  In the small business arena, that just isn’t going to happen in an overwhelming number of cases.  So the question facing most small businesses isn’t whether or not they should run a dedicated ISA box in addition to their SBS, but whether they should run ISA on SBS or stick with their $39 Linksys router.


So what’s the bigger security compromise and risk for the small business – running ISA on their SBS or sticking with a low-end NAT-ing router?  Because down here in the trenches – that’s the reality.

I want to make a request . . .

Ok – so I’m on-site with a client today, and log in to an XP Pro SP2 workstation.  The login script fires off, and proceeds to update Trend’s OfficeScan module.  In order to do the update, the OfficeScan service is stopped, which results in one of those Security Center balloon notifications saying that ‘Your computer might be at risk . . . ‘    Which got me thinking . . .  The SP2 team did a great job with the Security Center, keeping an eye on Patching / Firewall / Anti-Virus.  However, I’d like to turn it up a notch.  Specifically, I want another Security Center warning:


WARNING:  Your computer *is* at risk because you are running with elevated (Power User or Administrator) privileges.  Click here to understand why this is dangerous and how to correct this issue.


Furthermore, I think IE should be automatically set to high-security (just like our Win2k3 servers are by default) whenever anyone with Administrative privileges logs in. 


I’m so freakin fed up with all of the nasty stuff that is out in the wild – preying on the innocent.  The simple fact of the matter is that all of this stuff is virtually harmless if we’re running with least privilege.  Malware launched by a web site we visit is stopped in its tracks because our user account doesn’t have the necessary rights to install software.  If it can’t install – it can’t hijack our browsers, track our surfing habits, or throw pop-ups at us.  And I’m getting equally disgruntled at OEMs whose answer to every support call is to insert the recovery CD . . .


I want everyone to repeat after me:


*  I have a right to have a safe & secure online experience!
*  I have a right to take control over my PC!
*  I don’t have to suffer through dozens of SPAM messages daily!
*  Software vendors do NOT have the right to force me to subject myself to risk and accept lower security in order to use their product!
*  OEMs do not have the right to disregard my data and insist on a complete format & reinstall of the operating system before supporting their machine!


It is time we took back control of our computing experience – recapture it from the OEMs, the ISPs and the Software Vendors.  It is time we stand up, and fight back.  It is almost 2005 . . .  Judas – look how long the security model of Win2k / XP has been around – there is ABSOLUTELY NO REASON THAT SOFTWARE VENDORS SHOULD BE REQUIRING LOCAL ADMINISTRATOR RIGHTS AFTER THEY’VE HAD YEARS TO GET THIS RIGHT! 


And I’m sorry – but this is not a Microsoft problem.  This, unfortunately, is the evolution of the internet.  I don’t care if you’re running Windows, Mac OS X or some flavor of Linux – you’ve got security issues to patch for.  I don’t care if you’re browsing with IE, Firefox or Netscape – you have security issues to patch for.  I for one refuse to change my OS or my browser – because I will not let the perpetrators of these attacks (and yes, I believe malware and viruses are indeed attacks) dictate my computing environment.  Yes – I use Windows.  Yes – I use Internet Explorer.  I have never had a single virus on any of my machines.  With the exception of the occasional tracking cookie, I’ve never had any form of malware on any of my machines.  It can be done – and with surprisingly little effort.


So – I want to challenge everyone.  We’re a little over 5 weeks from 2005, but I want everyone to start thinking / acting on a New Year’s Resolution:  if you have clients who aren’t running least-privilege on their desktops, find out what applications need to be tweaked, and get those desktops down to least privilege.  Then take those applications and submit them to www.threatcode.com.  Educate your clients and users – explain that they have the power to take back control of their online experience.  We will not be intimidated, manipulated or scared into changing our operating systems or web browsers, or into allowing 3rd parties to dictate our security levels!