Violating All the Principles with Multi-Role Servers

If anything puts fear into a security expert, it is looking at the number of services running on a typical small business server. Most security experts (especially experts who are not well-versed in the needs and risks of small businesses) are very concerned about the attack surface exposed by all these services, and the cumulative effect of the lack of isolation. I once counted the number of servers one would need if one followed best practices as 12 servers in total. Obviously, this number of servers is not feasible for typical small organizations. Figure 15-5 shows eight sample roles that many multi-role servers perform. These include file, e-mail, database, Web, Active Directory, print, ...

Get Windows Server® 2008 Security Resource Kit now with the O’Reilly learning platform.
