Yes – you heard right: Dana Epp, CEO of Scorpion Software, has released a free security tool to address one of the most frequently raised security concerns about the Remote Web Workplace (RWW) in Small Business Server 2003. By default, SBS 2003 allows all users (including administrators) to remotely access their desktops inside the network. This is done via the Remote Web Workplace portal and requires only the user's username and password. Administrators can also access your server through the same page. Dana has for some time had a product called AuthAnvil, which gives you two-factor authentication for your SBS server's RWW page; this tightens things up considerably, because an attacker would need a token combined with your password to get inside your network. AuthAnvil is a great product and I use it to secure the assets of SBSfaq.com (and yes – people have tried to hack it without success). If you implemented AuthAnvil for your users, you would have no concern about people trying to attack your RWW, as it would be impossible for them to access your server without the user's password AND their token.
However, the reality is that SMB resellers and customers are a cheap bunch. They don’t value or respect security because “it’s never happened to them”. They’ve typically never had a network breach and therefore they can’t quantify and justify the value that a solution like AuthAnvil presents to them. Therein lies the problem. Installing AuthAnvil AFTER a network attack is shutting the gate after the horse has bolted. Great response, but too late.
Scorpion Software are very community minded, and Dana brings his considerable security experience to bear on the products they create. Dana has heard and recognises that an RWW without AuthAnvil is a potential security risk: administrator accounts can easily access the server once the password is guessed. In response to that risk, Dana has created the RWWProtect tool. This free tool is available to anyone from their site and will allow you to restrict the RWW to just normal users in your network; it prevents administrator accounts from accessing it at all. For me, RWWProtect is not needed, as I have the two-factor authentication in place.
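To make the two mitigations concrete, here is a small added example (illustrative code written for this post, not RWWProtect's or AuthAnvil's code, and not how either product is implemented) of a remote-portal login gate. It models the three states discussed above: the SBS 2003 default, where a guessed administrator password is enough; a RWWProtect-style policy that refuses members of privileged groups before the password is even checked; and an AuthAnvil-style policy that requires a password AND a one-time code from a token. The account names, passwords, salts and token secret are constructed for the demo; the group names are the usual Windows built-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Groups whose members are refused at the portal when the
# privileged-account restriction is switched on.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed demo token secret (in reality this lives on the token, not in code).
DEMO_TOKEN_SECRET = b"demo-token-secret-for-jsmith"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash; the portal never stores or compares plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_token(secret: bytes, counter: int) -> str:
    """Counter-based one-time code (simplified HOTP-style): the 'something you have'."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    groups: set
    token_secret: Optional[bytes] = None  # None: this user has no token
    token_counter: int = 0                # advances after each accepted code


@dataclass
class PortalPolicy:
    block_privileged: bool = False  # RWWProtect-style: refuse admin-group members
    require_token: bool = False     # AuthAnvil-style: password AND one-time code
    max_failures: int = 5           # lock the account after this many bad attempts


class Portal:
    def __init__(self, accounts, policy: PortalPolicy):
        self.accounts = {a.username.lower(): a for a in accounts}
        self.policy = policy
        self.failures = {}  # username -> consecutive failed attempts

    def _fail(self, key: str) -> None:
        self.failures[key] = self.failures.get(key, 0) + 1

    def login(self, username: str, password: str, token: Optional[str] = None) -> str:
        key = username.lower()
        acct = self.accounts.get(key)
        if acct is None:
            return "denied"  # unknown user gets the same answer as a bad password
        if self.failures.get(key, 0) >= self.policy.max_failures:
            return "locked"  # password guessing stops paying off after max_failures
        if self.policy.block_privileged and acct.groups & PRIVILEGED_GROUPS:
            return "denied-privileged"  # refused before the password is examined
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            self._fail(key)
            return "denied"
        if self.policy.require_token:
            if acct.token_secret is None or token is None:
                return "denied-token"  # a correct password alone is not enough
            expected = make_token(acct.token_secret, acct.token_counter)
            if not hmac.compare_digest(token, expected):
                self._fail(key)
                return "denied-token"
            acct.token_counter += 1  # each code is accepted only once
        self.failures.pop(key, None)
        return "ok"


def demo_accounts():
    """Two constructed accounts: a built-in administrator and a normal user with a token."""
    admin_salt, user_salt = b"constructed-salt-1", b"constructed-salt-2"
    return [
        Account("Administrator", admin_salt, hash_password("Winter2007!", admin_salt),
                {"Administrators", "Domain Admins"}),
        Account("jsmith", user_salt, hash_password("correct horse", user_salt),
                {"Domain Users"}, token_secret=DEMO_TOKEN_SECRET),
    ]


if __name__ == "__main__":
    for name, policy in [("SBS default", PortalPolicy()),
                         ("privileged accounts blocked", PortalPolicy(block_privileged=True)),
                         ("token required", PortalPolicy(require_token=True))]:
        portal = Portal(demo_accounts(), policy)
        print(name, "-> Administrator with guessed password:",
              portal.login("Administrator", "Winter2007!"))
```

Under the default policy a correctly guessed administrator password yields "ok", which is exactly the exposure described above; with `block_privileged` the same attempt yields "denied-privileged" regardless of the password, and with `require_token` even a normal user's correct password is refused until a valid one-time code accompanies it. The lockout counter is there to show that password guessing against the portal should be rate-limited as well, whichever policy is in force.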
Check out their site (http://www.authanvil.com/rwwprotect/) and, while you are there, check out the other cool products they have. Security should not be an afterthought; it should be designed in from the beginning.