I have to set up a Windows 2003 Small Business Server to work as a Subversion repository and possibly as an E-Mail server later.
The machine is a virtual one, hosted with a hosting company, and freshly initialized.
I used the Security Configuration Wizard to deactivate all server roles. After I install Subversion, I will open the necessary ports for the service; in addition, obviously, RDP will stay open so I can remote control the machine.
Automatic updates are activated, and I will set up E-Mail notification every time somebody logs on to the server.
I'm a programmer and not a professional systems administrator, so I would like to know whether you would regard this as a sane and secure setup for a (publicly available) box to host sensitive code and/or E-Mail on.
Is there anything in addition I should do to make the machine secure?
Is there anything I can do on a long-term basis to keep the machine secure, apart from monitoring the event log (as far as I can make sense out of it), and seeing that any hotfixes are installed properly?
Windows Small Business Server is great value for the money: you get Exchange, SharePoint, Remote Web Workplace, etc. for a very low price point, which is perfect for small offices.
However, SBS would probably be the last server I'd suggest for a purpose-built SVN server, regardless of email or not. I would feel much better hosting SVN on a UNIX-like OS (Linux/BSD in your distro of choice) with something like Postfix for mail. Not only should it be less expensive in hosting fees (no Windows license/CALs to buy, for example), but you can radically reduce the footprint (and therefore attack vectors) with something like FreeBSD by only installing the Ports packages required to support your two requirements; ditto for a Server version of Linux (Ubuntu, Debian, CentOS, RHEL, etc.) compared with what you can do with SBS without difficulty.
Another option would be to run with a dedicated private SVN hosting company; I've heard good things about http://beanstalkapp.com/.
Similarly, for email (and some collaborative features as well like shared calendaring and private Google Docs), you could go with Google Apps for My Domain -- free/standard version supports up to 5 users.
If you're content with SBS 2003/Windows, I think you've done a decent job as it sits now. A couple of other things:
Enable Failure Auditing in the event logs so that you see when login failures happen, not just successes; you can Google how to do this.
Create a new administrator user called "somebodyelse" or whatever and disable the built-in\administrator user (check first to make sure no services are running as it, though, and change them accordingly). This way, anyone authenticating will need to know the username as well as the password.
Enable NTLMv2 only; LanManager hashes are trivial to break.
Use passphrases instead of passwords.
Use Remote Web Workplace, not RDP directly, to your SBS Server; I'd also limit the IP addresses that can access Remote Web Workplace (443, 4125) with your firewall; same goes for SVN, if possible.
Check out Microsoft's docs on Windows hardening at TechNet; there's a checklist you can complete, and you can also run the Baseline Security Analyzer: http://www.microsoft.com/downloads/details.aspx?FamilyID=F32921AF-9DBE-4DCE-889E-ECF997EB18E9&displaylang=en
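The following PowerShell script is an added example that is not part of the original question or answer; it puts the answer's checklist (failure auditing, NTLMv2 only, a replacement administrator with the built-in account disabled, and source-restricted firewall openings for 443/4125 and SVN) into a form that can be checked and, with -Apply, set on the server. It assumes PowerShell has been installed on the Windows 2003 box (it is not there by default), that the machine's own Windows Firewall is in use alongside whatever the hosting company provides, and it uses placeholder values: 'somebodyelse' is the answer's example name, 203.0.113.0/24 stands for the administrator's allowed source network, and 3690 is the svnserve default, since the poster has not yet chosen how to serve SVN.

```powershell
<#
 Added example (not from the original post): checks the SBS 2003 hardening items from the
 answer above and, with -Apply, sets them. Run from an elevated PowerShell 2.0 prompt on the
 server. Placeholders: NewAdminName, AllowedSource and SvnPort are assumptions, not values
 from the post.
#>
param(
    [switch]$Apply,
    [string]$NewAdminName  = 'somebodyelse',
    [string]$AllowedSource = '203.0.113.0/24',
    [int]$SvnPort          = 3690
)

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaValue([string]$Name) {
    $p = Get-ItemProperty -Path $Lsa -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }
}

# NTLMv2 only: LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM and NTLM as a server;
# NoLMHash 1 = stop storing the LAN Manager hash (takes effect at each account's next password change).
function Test-Ntlmv2Only { ((Get-LsaValue 'LmCompatibilityLevel') -eq 5) -and ((Get-LsaValue 'NoLMHash') -eq 1) }
function Set-Ntlmv2Only {
    Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    Set-ItemProperty -Path $Lsa -Name NoLMHash -Value 1 -Type DWord
}

# Failure auditing: secedit exports the effective local policy as an INF. For the two audit
# categories, 2 = failure only and 3 = success and failure; anything below 2 misses failed logons.
function Test-FailureAuditing {
    $inf = Join-Path $env:TEMP 'audit-export.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $text = (Get-Content $inf) -join "`n"
    foreach ($key in 'AuditLogonEvents', 'AuditAccountLogon') {
        $m = [regex]::Match($text, "(?m)^$key\s*=\s*(\d)")
        if (-not $m.Success -or [int]$m.Groups[1].Value -lt 2) { return $false }
    }
    $true
}
function Set-FailureAuditing {
    $inf = Join-Path $env:TEMP 'audit-apply.inf'
    @'
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
'@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'audit-apply.sdb') /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
}

# The built-in Administrator always has RID 500, whatever it has been renamed to.
function Get-BuiltinAdministrator {
    $users = ([ADSI]"WinNT://$env:COMPUTERNAME").Children | Where-Object { $_.SchemaClassName -eq 'User' }
    foreach ($u in $users) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($u.objectSid.Value, 0)
        if ($sid.Value.EndsWith('-500')) { return $u }
    }
}
# The answer's caveat: services that log on as the account stop working when it is disabled.
function Get-ServicesRunningAs([string]$Account) {
    Get-WmiObject Win32_Service | Where-Object { $_.StartName -and ($_.StartName -eq $Account -or $_.StartName -like "*\$Account") }
}
function Disable-Account($User) {
    $User.Put('UserFlags', ([int]$User.UserFlags.Value) -bor 2)   # ADS_UF_ACCOUNTDISABLE
    $User.SetInfo()
}

# Windows Firewall (2003 SP1 'netsh firewall' context): open a TCP port only to the allowed source
# network. 3389 is deliberately not opened; the desktop is reached through RWW's 4125 proxy. Make the
# hosting company's firewall match before relying on this, or you can lock yourself out of the VM.
function Set-RestrictedPort([int]$Port, [string]$Name) {
    netsh firewall add portopening protocol=TCP port=$Port name=$Name mode=ENABLE scope=CUSTOM addresses=$AllowedSource | Out-Null
}

$admin         = Get-BuiltinAdministrator
$adminName     = [string]$admin.Name.Value
$adminDisabled = ((([int]$admin.UserFlags.Value) -band 2) -ne 0)
$svcs          = @(Get-ServicesRunningAs $adminName)
$svcNames      = ($svcs | ForEach-Object { $_.Name }) -join ', '

if ($Apply) {
    Set-FailureAuditing
    Set-Ntlmv2Only
    net user $NewAdminName * /add                    # '*' prompts for the passphrase; nothing on the command line
    net localgroup Administrators $NewAdminName /add
    if ($svcs.Count -eq 0) { Disable-Account $admin; $adminDisabled = $true }
    else { Write-Warning "Not disabling $adminName; services still run as it: $svcNames" }
    $ports = @{ 443 = 'RWW-HTTPS'; 4125 = 'RWW-RDP-Proxy'; $SvnPort = 'Subversion' }
    foreach ($p in $ports.GetEnumerator()) { Set-RestrictedPort $p.Key $p.Value }
}

New-Object PSObject -Property @{
    FailureAuditing        = Test-FailureAuditing
    Ntlmv2Only             = Test-Ntlmv2Only
    BuiltinAdminName       = $adminName
    BuiltinAdminDisabled   = $adminDisabled
    ServicesAsBuiltinAdmin = $svcNames
} | Format-List
```

Run it without -Apply first to see where the box stands; the service check is what decides whether the built-in account can be disabled safely, and the report lists any service still logging on as it so those can be moved to a dedicated account first. The LmCompatibilityLevel setting affects every client that authenticates to the SBS domain controller, so confirm that all of them can do NTLMv2 before applying it.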