When our SBS 2003 R2 server was setup (2007) we didn't have any need for access beyond our single local office. As a result, no remote access was setup. This is now changing and I'd like to have access from other locations (home, mobile devices, etc..) Since there was no real security risk at that time, we didn't even use passwords on the clients (I know, I know...) I've since enabled strong passwords for all clients.
Our mail is sent to McAfee for spam filtering then delivered to Exchange. Within the first couple of days during the initial server use, we found several thousand spam messages being bounced off our server, clearly not good and unwanted. As a result, we restricted mail delivery to only McAfee's IP addresses. Problem solved.
Now I'd like to remove those IP restrictions so we can enable the additional access outside the office. My fear, of course, is that we'll get back into the spam game. I could add more IP addresses to the allowed list, but would have to constantly monitor/change them as required since none are static. I currently allow my home and mobile IP access, updating them as required in the allowed list, when they change. I'm doing this just to get the feel of how things work. So, I've got the proper ports allowed in our watchguard firewall.
Questions:
1. Was the initial burst of spam possible because we didn't use passwords?
2. Since we now use strong passwords, would it be safe to remove the IP restrictions?
Thanks for any advice.