Well there seem to be a lot of misperceptions around this stuff:
* A decently configured server can run perfectly without -any- firewall
* A normal firewall will not protect you against a well-executed distributed denial of service (DDoS) attack.
* Running everything with default info is a really bad idea, but you shouldn't rely on only that as your sole security precaution. Security through obscurity -can- work, but it's generally a bad idea to use it as your only type of protection.
* The custom cert server was never meant to run in a live environment. I would suggest that you actually browse through the source yourself, and you will see a lot of unfinished stuff. You don't need to blame pushedx for that last exploit; it's all your fault if you would have just read the comments.
* The files are not really designed with security in mind. I can point to more than 20 different things that are just dumb with the vSRO files' security setup, especially with SMC and the GW server.
* If you don't know how to secure a server yourself, even the most basic server, DON'T TRY TO OPEN ONE - this is the best advice I can give you. Unless you actually have somebody in your team who can do it, or if you have hired somebody to do it for you (full time, not initial hardening).
* SECURE YOUR MSSQL SERVER AND REALLY, LEARN HOW TO USE SERVICES CORRECTLY
* You shouldn't rely on services like this. It's not bad as initial security hardening, but seriously, don't try to run a server if you can't secure your data. It's not only your property that is at risk, but also your users' data (keep that in mind!).
I guess I said enough already, I have looked around at some private servers, and I haven't seen -one- that is actually secured decently.
I guess natural selection will follow: the best and most secured will survive, while the others will die out.