Best Practices

Updated March 2004

To view recommended best practices for feature areas in Microsoft® Windows® Small Business Server 2003, click any of the following feature area links:

Reinstall service packs and hotfixes after an upgrade.

During server upgrades, hotfixes and/or service packs will be removed. To ensure a high level of security and stability, after Setup, reapply the latest service packs and hotfixes. To scan your computer for recommended updates and service packs, see Windows® Update at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=3326).

Use the user account templates in the Add User Wizard to add users to the Windows Small Business Server domain.

The Add User Wizard enables you to create a user account based on user templates. The user template settings are based on the needs of a typical business and include common user properties, such as group memberships, disk space and e-mail quotas, Windows® SharePoint™ Services site group memberships, organizational unit placement, and company address information. Creating a user account that is based on a user template reduces the need to manually enter account properties. When creating a new user account, you enter the unique information, such as user name, e-mail alias, and password, and then the new account inherits common properties from the template you apply.

Windows® Small Business Server 2003 has four predefined user templates based on the needs of a typical small business: User Template, Mobile User Template, Power User Template, and Administrator Template.

You can either use these templates to create your user accounts, or you can create new templates. For more information about the predefined user templates, click Start, click Help and Support, and then search for the topic "Managing user templates." For information about creating a new user template, search for the topic "To add a user template."

For information about modifying the templates, search for the topic "To change user template properties."

Use the user account templates in the Change User Permissions Wizard to update properties for existing user accounts.

For more information, click Start, click Help and Support, and then search for the topic "To reapply templates to existing users."

Apply Group Policy.

If your client computers are running Windows® XP or Windows® 2000 Professional, you can set up Windows® Small Business Server 2003 to use Group Policy features. Group Policy enables an administrator to define and customize many Windows settings for users or client computers, including items that are available on the Windows desktop, logon scripts, available menu items, and security settings. You can define Group Policy settings that apply to a particular computer, a specific user, a domain, or an organizational unit.

Before applying Group Policy to Windows Small Business Server 2003, click Start, click Help and Support, and then search for "Group Policy integration."

To access Group Policy Management from Server Management

1. Click Start, and then click Server Management.
2. In the console tree, click Advanced Management, and then click Group Policy Management.

   From the Group Policy management console, you can add, remove, or edit Group Policy settings.

Disable or delete user accounts that you no longer need.

Windows® Small Business Server 2003 offers two ways to remove a user account, by either disabling it or deleting it. If a user is permanently leaving the organization, it is recommended that you delete the user account rather than to disable it. However, if a user is temporarily unavailable but expected to rejoin the organization at a later date, you might consider disabling the account rather deleting it.

For more information, click Start, click Help and Support, and then search for the topic "To disable a user account."

No best practices are currently documented for this feature area.

No best practices are currently documented for this feature area.

Limit the size of your public folders.

If you do not limit the size of your public folders, the folders can grow extraordinarily large and cause Exchange to stop functioning.

To limit the size of your public folders

1. In the Server Management console, double-click Advanced Management.
2. Double-click First Organization (Exchange), double-click Servers, double-click YourComputerName, and then double-click First Storage Group.
3. Right-click Public Folder Store (YourComputerName), and then click Properties.
4. Click the Limits tab.
Click the Issue Warning at (KB) check box and type 281600 in the corresponding check box.
Click the Prohibit Post at (KB) check box and type 307200 in the corresponding text box.
Click OK.

The first number causes a warning to be issued when the size of a public folder reaches 275 MB, and the second number prohibits additional posts when the size of the folder reaches 300 MB. You can customize these numbers to meet your specific needs. To calculate the number of kilobytes from a given number of megabytes, multiply the megabytes by 1024. For example:

Configure connection filtering to block unsolicited e-mail.

Exchange Server 2003 supports connection filtering based on block lists, which are lists that can be queried by your Exchange server to identify verified spam sources. Connection filtering leverages external services that list known sources of unsolicited e-mail, dial-up user account lists, and servers open for relay based on IP addresses on block lists that they maintain. Connection filtering complements third-party content filter products. You can also configure connection filtering without using a block list provider by creating global accept and deny lists of Simple Mail Transfer Protocol (SMTP) addresses from which you want to globally accept or deny all e-mail.

To configure connection filtering, you must first create and configure a connection filtering rule, and then apply it your SMTP virtual server. For more information, search for "Configure Connection Filtering" in Exchange server Help. To access Exchange server Help, click Start, click Server Management, and then press F1.

Use server usage reports to evaluate resource needs and plan for future requirements.

Server usage reports include a predefined collection of statistics that can help you understand how clients access and use the Internet, e-mail, fax, remote connectivity, and Outlook® Web Access features. By proactively monitoring this information, you can determine how employees are using the key resources on the server, evaluate resource needs, and plan for future requirements that can help make employees more productive and your network more supportable.

For example, if a server usage report suggests high Web activity, and you are using a dial-up connection to access the Internet, you might want to replace the dial-up connection with a DSL connection. Or, if a usage report shows a lot of fax activity, you might consider adding another fax device on your local network.

For more information, click Start, click Help and Support, and then click Monitor your server.

Never change the settings on the following monitoring tasks in Task Scheduler: Collect Usage Data and Collect Server Performance Data.

When you configure server monitoring using the Monitoring Configuration Wizard, the following tasks are created in Task Scheduler: Collect Usage Data, Collect Server Performance Data, and Small Business Server - Server Status Reports - NameOfReport.

Do not change the settings of the Collect Usage Data and Collect Server Performance Data tasks because this will break the monitoring feature of Windows® Small Business Server 2003.

Always use the Change Server Status Report Settings task to change the settings of the tasks called Small Business Server - Server Status Reports - NameOfReport.

When you configure server monitoring using the Monitoring Configuration Wizard, the following tasks are created in Task Scheduler: Collect Usage Data, Collect Server Performance Data, and Small Business Server - Server Status Reports - NameOfReport.

By default, the following Small Business Server - Server Status Reports - NameOfReport tasks are created when running the Monitoring Configuration Wizard.

• Small Business Server - Server Status Reports - Send server performance reports
• Small Business Server - Server Status Reports - Send server usage reports

Do not use Task Scheduler to modify tasks called Small Business Server - Server Status Reports - NameOfReport because Task Schedule can potentially break the e-mail reports.

For more information about modifying server performance or usage reports, click Start, click Help and Support, and then click Monitor your server.

Delete old log files generated as a result of monitoring the computer running Windows Small Business Server 2003.

When you run the Monitoring Configuration Wizard and select the Usage Reports option, logging is automatically enabled for the following services:

• Exchange Server
• Fax
• Internet Information Services
• Remote Access Service

Because log files can be very large, it is recommended that you delete the log files to free disk space on your server. If you need to save log files, you can create a backup of the files, or save them at a different location. For more information about monitoring log files, click Start, click Help and Support, and then search for the topic "Monitoring log files."

Create a scheduled task to back up your internal Web site.

By scheduling a task to back up your internal Web site, you create a copy of your Windows® SharePoint™ Services database on your hard disk. If a file or list item is accidentally deleted from the internal Web site, you can restore it from the backup copy on your hard disk without needing to perform a full recovery from backup media. You do not need to include the backup copy of the database in your full server backup. The original copy of the Windows SharePoint Services database is included in the server backup.

For more information, click Start, click Help and Support, and then search for the topic "To enable recovery of individual SharePoint files."

Run the Configure E-mail and Internet Connection Wizard to connect your server to the Internet.

A key function of Windows® Small Business Server 2003 is to configure Internet services to your small business network. To configure Internet services, use the Configure E-mail and Internet Connection Wizard. The wizard is designed to correctly configure settings for your network, firewall, secure Web site, and e-mail services that are used when connecting your computer running Windows Small Business Server to the Internet. Additionally, you can use the wizard to return your server's network configuration to its original state.

For more information, click Start, click Help and Support, and then search for the topic "Understanding the Configure E-mail and Internet Connection Wizard."

Use the DHCP Server service provided with Windows Small Business Server 2003.

During Setup, if an existing DHCP Server service is detected on the local network, you are prompted to choose whether you want to use the existing service or if you want to disable the service and use the DHCP Server service provided with Windows® Small Business Server 2003. It is recommended that you disable the existing DHCP Server service. Once disabled, Setup will install and configure the DHCP Server service on your computer running Windows Small Business Server 2003. By using the DHCP Server service provided with Windows Small Business Server 2003, you will ensure that your DHCP settings are properly configured for the local network.

If you decide to use the existing DHCP Server service, you can later configure Windows Small Business Server 2003 as your DHCP server. To do so, you must disable the existing DHCP Server service, install the DHCP Server service on your computer running Windows Small Business Server 2003, and then configure the DHCP scope.

For more information about installing the DHCP Server service, click Start, click Help and Support, and then search for the topic "To install a DHCP server." To configure the DHCP scope for Windows Small Business Server 2003, see "Configuring Settings for an Existing DHCP Server Service on Your Network" in Appendix C of Getting Started.

Use the Windows Small Business Server tools to add or update user accounts in the Windows SharePoint Services site groups.

Users must belong to a Windows® SharePoint™ Services site group to access the intranet. It is recommended that you use the tools, such as the Add User Wizard, Add Template Wizard, and Change User Permissions Wizard, to create, modify, or update user accounts. User accounts based on the user account templates are members of the Windows SharePoint Services site group by default.

For more information, click Start, click Help and Support, and then search for the topic "To manage intranet access."

Use Remote Web Workplace to access the company Web site from the Internet.

To access the company Web site through the Internet, you need to publish the site to the Internet. To do this, it is recommended that you use the Configure E-mail and Internet Connection Wizard. This will ensure that the proper permissions are set to allow only authorized users to access the Web services.

After your company Web site has been published, it is recommended that you use Remote Web Workplace to access the site from the Internet. Remote Web Workplace has security features that help prevent malicious users and programs from accessing your Windows Small Business Server network. For more information, click Start, click Help and Support, and then search for the topic "Understanding Remote Web Workplace security features" and "To allow access to Web services on the server."

No best practices are currently documented for this feature area.

Use the Remote Web Workplace to connect remotely to the Windows Small Business Server network in a secure manner.

It is recommended that remote users connect to the Windows Small Business Server network through the Remote Web Workplace. For more information, click Start, click Help and Support, and then search for the topic "To enable and configure the Remote Web Workplace." Alternatively, if you want to connect using a virtual private network (VPN) connection, use the Remote Access Wizard to configure the necessary settings.

Log out of the Remote Web Workplace.

Logging out of the Remote Web Workplace when you are finished helps to prevent unauthorized users from accessing network resources.

Use the latest available version of your Web browser.

Using the latest available version of your Web browser will help ensure that the security features built into the Remote Web Workplace are enabled and functioning correctly.

Use a certificate signed by a trusted certification authority (CA).

When you run the Configure E-mail and Internet Connection Wizard, Windows Small Business Server 2003 creates an unsigned certificate for you if you do not install a signed certificate from a trusted CA. The unsigned certificate provides encrypted connections to the server, but network security will be enhanced if you purchase and install a signed certificate from a trusted CA.

Apply SQL Server 2000 service packs to each instance of SQL Server 2000 or SQL Server 2000 Desktop Engine (MSDE) running on the server.

When you install a service pack for Microsoft® SQL Server™ 2000 or MSDE, the service pack installs for a particular instance (or each installation of SQL Server or MSDE). You must complete the service pack Setup and specify which instance to apply the service pack to with each SQL Server service pack you install. It is recommended that you immediately install updates as they become available.

• It is not necessary to install MSDE Service Pack 3a to the MSSQL$SHAREPOINT and MSSQL$SBSMONITORING instances of MSDE that were installed during Windows Small Business Server 2003 Setup.

For more information about SQL Server service packs, see the Microsoft SQL Server Web site (http://go.microsoft.com/fwlink/?LinkID=1823).

If you installed additional instances of SQL Server 2000 Desktop Engine (MSDE 2000), it is recommended that you install MSDE 2000 Service Pack 3a (SP3a) for the additional instances to address additional issues resulting from the Slammer worm.

Windows Small Business Server Setup installs MSDE 2000 SP3a for the instances of MSDE 2000 that were installed by Windows® Small Business Server 2003.

For more information, see "Tools for Combating the Slammer Worm" at the Microsoft SQL Server Web site (http://go.microsoft.com/fwlink/?LinkID=16806). The tools include MSDE 2000 SP3a.