To do this, we are essentially completing the tasks in the home screen of the Windows SBS Console, which should look like the following screenshot.
I'm assuming that you understand the concepts of firewalls and ports; otherwise, you will struggle to safely configure your network.
I'm also aware that OneCare, for servers, only provides an introductory offer for anti-malware and another product will be required; however, it is easier to describe the installation of one product rather than trying to answer for all products, so I'm using OneCare as a template. You will, however, need an anti-malware product that is server-aware, or you will need to exclude server product locations such as the Exchange data stores and other locations.
Network security configuration
There are a few areas where we can improve the security of the network. They are around the firewall, reducing the traffic that arrives at the SBS 2008 server, and the security certificate that is used to secure and identify the server communications.
Configuring the firewall ports
You will need the following ports configured on your firewall to direct traffic to SBS 2008:
If you were using SBS 2003, then you can close down ports 444 and 4125, which might have previously been open.
Loading a third-party security certificate
SBS 2008 creates a security certificate to secure its communications. Certificates are only valuable if everybody seeing them trusts the system that issues the certificate. All computers that are part of the SBS 2008 network trust the SBS 2008 server, so trust is achieved in this way. For those that are not part of the SBS 2008 network, a special certificate must be loaded onto those machines so they will trust SBS 2008, else they will provide warnings to users about the integrity of the communication.
There are organizations called Certificate Authorities who have established trust in the marketplace and most IT systems trust the certificates they issue. If you wish to have a more publicly trusted certificate, then you will need to purchase one of these.
One area where third-party certificates are often needed is when using mobile devices, to enable the loading of the SBS 2008 certificate onto the phones. Without the certificate on the phone, synchronization of Outlook information to the phone cannot take place.
Importing a certificate
If you already have a certificate or have purchased one and have been sent a file containing the certificate including the private keys, then you should follow this process.
There are two steps to follow:
- Importing the certificate into the Local Computer Certificate store
- Assigning the certificate using the SBS Console
Importing the certificate
Start Windows SBS Console (Advanced Mode) from the Start menu and click on the Network tab and then the Connectivity button. As this is the advanced console, you will see extra tasks available on the right-hand side.
Click on the Manage certificates task—if this is not present, check you are running the Advanced Mode console: it will say so in the title bar. This will run a management console with the certificates for your computer made visible. Expand the Personal tree and right-click on Certificates and select Import from the All Tasks menu item.
Click Next to pass through the welcome screen for the Certificate Import Wizard and then click on the Browse button to locate the certificate. Then, click on Next to continue.
You will now be required to enter your Password to enable access to the key. I would also put a check mark in the two remaining check boxes: Mark the key as exportable, so that you can export the certificate should you need to in the future, and include the extended properties. Bear in mind that an exportable private key can be exported by anyone with administrative access to the server. Then, click on Next.
You will be required to confirm the location, which should be Personal and again click on Next. If it is not set to Personal, click on the Browse button and change the Certification store to Personal.
Now click on Finish to complete the process and you will see a message stating that The import was successful.
Close the Certificates Management console.
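To confirm the result of the import from the command line, the following added example (not part of the original text) lists the Local Computer Personal store and flags certificates that are missing a private key, out of date, self-issued, untrusted, or issued for a different name. `$ExpectedName`, `$WarnDays` and the function name are assumptions chosen for illustration.

```powershell
# Added example, not from the original text. Run from an elevated PowerShell
# prompt on the server once the import wizard reports success.
$ExpectedName = 'remote.yourserver.com'  # placeholder: your public host name
$WarnDays     = 30                       # assumed renewal warning window

function Get-CertificateProblem($Cert, $HostName, $Days) {
    $problems = @()
    $now = Get-Date

    # A server certificate is unusable for HTTPS without its private key.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    if ($Cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    if ($Cert.NotAfter -lt $now) { $problems += 'expired' }
    elseif ($Cert.NotAfter -lt $now.AddDays($Days)) { $problems += "expires within $Days days" }

    # Self-issued certificates carry the same subject and issuer.
    if ($Cert.Subject -eq $Cert.Issuer) { $problems += 'self-issued' }

    # Build the chain against this machine's trusted roots. Revocation is
    # checked online by default, so an offline server may report that status.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $problems += 'chain: ' + [string]::Join(', ', $status)
    }

    # Collect the subject name plus DNS entries from the SAN extension (2.5.29.17).
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -ne '2.5.29.17') { continue }
        # Format() renders entries as "DNS Name=host" on English Windows.
        foreach ($m in [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    # -like lets a wildcard name such as *.example.com match the host.
    if (-not ($names | Where-Object { $HostName -like $_ })) {
        $problems += 'name mismatch: ' + [string]::Join(', ', $names)
    }
    if ($problems.Count -eq 0) { 'OK' } else { [string]::Join('; ', $problems) }
}

Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Thumbprint, Subject, NotAfter,
        @{ Name = 'Check'; Expression = { Get-CertificateProblem $_ $ExpectedName $WarnDays } } |
    Format-List
```

The certificates that SBS 2008 issued for itself will also appear in this store and are expected to be reported as a name or trust mismatch where they differ from the purchased one.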
Assigning the certificate
In the Windows SBS Console, click the task Add a trusted certificate to start the process. Click on Next to skip past the introduction.
If you have assigned a certificate before, you will be told that A valid trusted certificate already exists and you have the choice of renewing your existing certificate or replacing it. Select I want to replace the existing certificate with a new one and click on Next. If you have not added a trusted certificate before, then you will not see this screen.
On the Get the certificate page, select the option to use a certificate already installed on the server and click on Next.
The certificate that you installed will show in the list with a Type of Trusted, while the certificates issued by SBS 2008 will show as Self-issued. Select your Trusted certificate and click on Next.
Click on Next to start the process and then Finish to exit the wizard.
If you wish to purchase a certificate, then the wizard can help provide the information needed to obtain a certificate.
While the wizard facilitates the purchase of a certificate from one of the Microsoft providers, you can use the information provided with most certificate providers.
Start by opening the Windows SBS Console and navigating to the Connectivity section of the Network tab.
Click on the Add a trusted certificate button in the right-hand Tasks pane to bring up the Before you begin screen. If you wish to familiarize yourself with certificates, click on the What is a trusted certificate link and read the information.
On the Get the certificate screen, select the I want to buy a certificate option and click Next.
You will be asked to confirm several details for your certificate before the request is generated. Confirm the details and click on Next.
The SBS 2008 wizard will generate a request that you can either save to file or copy to the clipboard.
If you have chosen an SBS 2008 DNS provider, then you will also be prompted with a link to a site to acquire a certificate. I clicked the link and used the information provided here to request a certificate. The whole process took about 5 minutes with my provider before I had the certificate.
Once you have completed this step, click on Next to move on.
If the request process is taking time, select the top option to give your provider more time to process the request, otherwise select I have a certificate from my certificate provider. Click on Next to continue.
You can either click on the Browse button to select your certificate file or click into the text box and paste the encoded text to define your certificate. Click on Next to continue.
The certificate will be imported into the system and then you will see the screen informing you that The trusted certificate is imported successfully.
You should now be using a certificate whose trust is provided by an authority outside your organization, so machines outside the SBS 2008 network no longer need a certificate installed in order to trust the server.
Configuring backups and running a test backup
Backing up an SBS 2008 system is a vital part of the daily routine. SBS 2008 can reliably automate this for you, without the need for additional software, once the configuration is complete. I would recommend using at least two and ideally, three USB disk drives that can be plugged into the server for the backup, but easily swapped on a regular basis to enable you to take the backup off-site.
These drives would be used only for the SBS backup and are specially configured in SBS. Provided that one of the configured set of drives is attached to SBS 2008, it will continue to take backups.
For security, I would advise that the drives are swapped daily or weekly, and that the non-active drives are removed from your premises while not connected to the server and stored in a secure, ideally fireproof, location. However, as these systems contain hard disks, they should be handled with care and, just like tapes, they are still prone to wear. You should check the health of these drives and plan to replace them once every year or 18 months.
It is possible to back up to spare internal drives, but these will not give you the "my office caught fire" protection that taking a drive out of the office offers.
If you are running SBS 2008 in a Microsoft Hyper-V version 1 environment, you can still use USB drives, but you cannot disconnect the USB drives without shutting down the server. Hyper-V R2 does enable the removal and attachment of USB drives into SBS 2008.
Most file and email recovery scenarios should be possible without the need to use the backup drives themselves, as SBS 2008 has other facilities that can be used. So, these backups are more commonly used in a disaster recovery scenario when the server is not functioning or has blown up and has been replaced.
SBS 2008 does not support tape-based backup without third-party software. Both tapes and disks wear out, so be prepared to put a drive into storage every 6-12 months and buy a new drive to keep an archival history of your server and data.
Some people are unsure why they will ever need a backup; however, recovering a machine or a vital file from a backup is far quicker and lower in cost than trying to pick up the pieces of a server or disk that has failed. I've known some people who only realize the importance of a backup once all their business data is lost, sometimes dealing a fatal blow to the business.
Configuring backups in SBS 2008
Start at the Windows SBS Console and select Configure server backup from the Home tab.
Click on Next to skip the Getting Started screen and move to the Specify the backup destination screen. You should see your connected USB drives in the display. If you are using internal disks, select Show all valid internal and external backup destinations and click on the Refresh button to show these devices.
If the devices still do not show, check in Device Manager, found in the Start menu, to see if the drives have been correctly detected and the drivers have loaded. If not, try removing the devices and then re-loading the drivers.
You will then need to label each removable drive so you can recognize which is which. Match the labels that you write on the drives with the entries in the Disk 1 Label and Disk 2 Label entry boxes on the screen and then click on Next.
It is worth the effort of labeling them; otherwise, when you are trying to recover a file and it tells you to insert drive six, finding drive six can be very time consuming.
You are now prompted to choose all the devices that should be backed up. You select what gets backed up at the drive level and SBS 2008 handles the rest. If you only have one drive in your system, or a RAID or mirrored set that appears as one drive, then you may not have any options to change on this screen.
Check the drives to back up and then click on Next.
You can choose when SBS 2008 will create backups. While the process may sound confusing, SBS 2008 creates a complete disk backup by combining previous backups with the latest changes. This means that only the parts of a disk that have changed get backed up each day. I've found that I can enable SBS 2008 to create backups several times a day, without impact on the server, and without consuming a huge amount of disk space, but giving me the capability to restore to any of those times rather than the backup from the night before, should I need to. So, in the event of a disaster, I lose less.
For that reason, I configure SBS 2008 to take several backups per day. The less time between backups, the less data that has changed and gets written to the backup drives.
You can choose the pre-defined once and twice a day backup options or choose Custom to check as many time slots as desired. Click on Next to continue.
You are now asked to confirm all the details. If you are sure they are correct, click on the Configure button. If you are unsure, then click on the Back button to change the settings.
When you click on Configure, you will be reminded that the backup devices will be formatted. This means that any data on them will be destroyed. If you are happy with this, then click on the Yes button.
It will take several minutes to format the drives during which time the progress bar will slowly move across the screen.
Once all is completed, you will get a confirmation screen where you should click on Finish.
Performing a test backup
There is nothing worse than believing your system has a working backup, but not testing it, so I advise that you now perform a backup to ensure the process works. You should include this in your quarterly maintenance plans to ensure your media is still problem free and working. I've seen too many people think they had a working backup, only to discover they did not, when they needed it.
You should also perform a test recovery of a file.
Within the Windows SBS Console, go to the Backup and Server Storage tab and you will see the configured backup settings with a Status of No previous backups. Click on the Backup now button in the task pane on the right-hand side of the screen to start a backup.
You will be asked if you wish to perform a backup now and you should click on the OK button to proceed.
The first backup will take longer than all others to run. The dialog box gives you the option to close the window and continue using the system while the backup runs. Since the purpose is to check the backup works, I would personally not click on the Close button, but would take this opportunity to have a short break!
Once the backup has completed, you will see a prompt either telling you that it was successful or that the backup failed. Click on Close and if need be, diagnose the reasons why the backup failed, although it is rare that it would.
Configuring OneCare for servers or other anti-malware solution
SBS 2008 ships with a trial version of Microsoft OneCare for Servers to provide a three-month trial of the Microsoft anti-malware solution. However, the retirement of OneCare has just been announced and no replacement has yet been announced for it, so installing this product is just a stopgap until an alternative arrives.
To this end, I am simply going to say that you configure OneCare from the Windows SBS Console Home tab. From here, select Help protect your server with Windows Live OneCare for Server and the OneCare configuration screen appears. If you have not subscribed to the update service, it will prompt you to do so.
If you are not installing OneCare, then you must install another anti-malware solution. Personally, I do not like those that install alternative firewall solutions as I often turn these off due to the issues they create.
Looking at the OneCare settings, you can see the areas Microsoft recommends your anti-malware software ignores, so it is advisable to configure the same exceptions:
- C:\ProgramData\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb
- C:\ProgramData\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb
- C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\Data
- C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group
- C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\Mailbox Database.edb
- C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group
- C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group\Public Folder Database.edb
If you do not configure similar exclusions, then your anti-malware solution may well quarantine the Exchange email database or some other important system.
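When you use a product other than OneCare, the following added example (not part of the original text) checks each recommended location against the exclusions you have configured and also reports whether the location exists on this server, since an exclusion for a path that is not where the data actually lives protects nothing. The `$Configured` entries are a constructed sample, the function name is hypothetical, and the script assumes your product treats a folder exclusion as covering everything beneath it.

```powershell
# Added example, not from the original text.
# Locations OneCare excludes, as listed above.
$Recommended = @(
    'C:\ProgramData\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb',
    'C:\ProgramData\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb',
    'C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\Data',
    'C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group',
    'C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\Mailbox Database.edb',
    'C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group',
    'C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group\Public Folder Database.edb'
)

# Constructed sample: replace with the exclusions configured in your own
# anti-malware product, one path per entry.
$Configured = @(
    'C:\Program Files\Microsoft\Exchange Server\Mailbox\',
    'C:\ProgramData\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb'
)

function Test-Excluded([string]$Path, [string[]]$Exclusions) {
    # Compare case-insensitively and ignore a trailing backslash.
    $p = $Path.TrimEnd('\').ToLower()
    foreach ($e in $Exclusions) {
        $x = $e.TrimEnd('\').ToLower()
        # Covered when the path is the exclusion itself or lies inside an
        # excluded folder (assumption: folder exclusions are recursive).
        if ($p -eq $x -or $p.StartsWith($x + '\')) { return $true }
    }
    return $false
}

$Recommended |
    Select-Object @{ Name = 'Path';     Expression = { $_ } },
                  @{ Name = 'OnDisk';   Expression = { Test-Path -LiteralPath $_ } },
                  @{ Name = 'Excluded'; Expression = { Test-Excluded $_ $Configured } } |
    Format-Table -AutoSize -Wrap
```

A row with OnDisk false points to a product that is not installed or data that lives somewhere else; find the real location and exclude that instead.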
We have now finished the configuration of your SBS 2008 server. You can supply IT services to your business such as email, connectivity, and security management. You are also providing Internet services, such as those offered by Remote Web Workplace and Office Live for Small Business. All of this is being delivered in a reliable and secure fashion.
You will be able to send and receive emails into SBS 2008 now that the firewall is configured. Remote access should also be working, so accessing the server and services from https://remote.yourserver.com/remote will bring up the Remote Web Workplace, giving access to email and your Windows SharePoint Services site, both externally and internally.
Your anti-virus and anti-malware products should be working and reporting themselves as active and secure on the Security page.
Finally, your backups should be configured and tested to ensure they are working.
If you have achieved all of this, then the configuration of your server is complete.