Bless you sir. There are others arguing that same point. For our size of firms down here...isn't it better than a cobbled up peer to peer network with Win98s that more often than not it's replacing?

I consider it a compromise I can live with.  All of us compromise, don't we?

SBS 2000... our little boxes got beat up pretty bad with Code Red/Nimda.

SBS 2003... we're chugging along just fine. We have XP SP2 firewalls on our desktops on by default. Show me a big firm that says "we do best practices" and I'll show you that they are breaking them somewhere, and more often than not, they probably have local admin on the desktop.

It's the choices we make these days.... and quite honestly how paranoid the admin is.

I have a daily email that tells me what's been going on in my security log.....personally I think monitoring keeps me secure.... but that's just me.

Is it ...or anything else 'always a compromise'?
Nope... I think it's the choices we make.






Barrie Dempster wrote:
On Wed, 2005-11-16 at 11:56 -0600, Thomas W Shinder wrote:
Hi Susan,

I think you misunderstood what they were trying to communicate during
that Webcast, and the presenters didn't do a really good job at
explicating their positions.

Many people think that there is no more perimeter (or edge), or that the
perimeter (or edge) somehow magically changed to the end point on the
corporate network. Neither assertion is true or believable. Sure, there
is a more heterogenous set of security zones that need to be segmented
from one another, but to say that there is no more "perimeter" or no
more "edge" is ridiculous at best, delusional at worst (sort of like
saying that SBS doesn't represent a security compromise).


Depends on what you consider a security compromise. Is it really a
compromise if looking after a single server is only a small part of your
overall duties (which is the case in most SBS deployments).

Most will agree that it's not best practice to have everything on one
box, but for its purpose as the single server for a small company with
often no IT staff, only having one box to look after means it gets more
attention. You can argue against that with all the usual arguments about
putting all these services on a single box, however as soon as you start
adding boxes you decrease the attention span dedicated to each box and
that is also a security compromise. Overall you make a choice between
one server or many - both having merits and failings, which one is the
compromise is specific to you. If however you choose based purely on
cost THAT is quite likely to be a security compromise.

Don't get me wrong I do NOT advocate having SBS with one interface on
the net and one on the LAN, but if you have a cheap router with
firewalling capabilities and a single SBS server, you are no more
compromising than someone with a similar setup and a few more servers -
this is how I see most SBS servers deployed. The important thing there
would be your single server would get more attention than the other guy's
set of servers. In my opinion it doesn't matter how secure you are, if
the administrator isn't paying attention then there is no point.

I wouldn't write off the SBS choice as a compromise on Security all of
the time, until you have weighed in all the factors, it's certainly not
a delusional state to have an SBS box set up and be confident that you
are on top of it from a security perspective.

It is entirely situation dependent and the compromise may or may not
exist depending on the other contributing factors.


--
Letting your vendors set your risk analysis these days? http://www.threatcode.com

