RE: Items within XP SP2 and Win2003

From: Eric McCarty (eric_at_lawmpd.com)
Date: 09/28/04

    Date: Tue, 28 Sep 2004 07:44:11 -0700
    To: "Depp, Dennis M." <deppdm@ornl.gov>, <larobins@bellatlantic.net>, "Joe Doyle" <joe.doyle@promega.com>, <focus-ms@securityfocus.com>
    
    

    Who doesn't have a border firewall? Commonly it's router - firewall -
    switch. So you propose to do address filtering on your host-based
    firewall? I suggest rethinking this strategy, as IP address range
    blocking should be done at the border router or firewall long before any
    Network Translations are done or any traffic traverses the local
    network. I can imagine a plethora of ways to get around host-based IP
    restrictions: can't get to server1, take over another machine on
    internal network, then get to server1 and likewise.

    Running a host-based firewall will not allow an extra layer of security
    if it's doing the same thing the border router/firewall is doing.

    In order to browse the internet from the server you will have to add a
    lot of sites to the trusted sites list, and once a site is considered
    trusted it's all over anyway.

    -----Original Message-----
    From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
    Sent: Tuesday, September 28, 2004 4:18 AM
    To: Eric McCarty; larobins@bellatlantic.net; Joe Doyle;
    focus-ms@securityfocus.com
    Subject: RE: Items within XP SP2 and Win2003

    Eric,

    A firewall will not only block services, but it will also selectively
    allow services. For example, I might need to run a web server, but I
    only want users from a business partner to access this site. I can use
    the firewall to limit access to a specific IP address or subnet. In
    this case, a host-based firewall can add another layer of security to a
    system. I do agree that you should not be browsing the internet from a
    server. However, some people will continue to browse the internet from
    servers. The enhancements to IE6 with W2K3 will not affect you or me,
    but they will affect many others.

    Dennis

    > -----Original Message-----
    > From: Eric McCarty [mailto:eric@lawmpd.com]
    > Sent: Monday, September 27, 2004 5:26 PM
    > To: Depp, Dennis M.; larobins@bellatlantic.net; Joe Doyle;
    > focus-ms@securityfocus.com
    > Subject: RE: Items within XP SP2 and Win2003
    >
    > I think this is a contradiction. On a server, you should turn off all
    > services you have no intention of having clients connect to, not set up
    > a firewall to block them. Next, you should not be browsing the internet
    > using your server, and if you noticed, the enhanced browser security
    > prevents this for the most part anyway.
    >
    > Eric
    >
    >
    >
    > -----Original Message-----
    > From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
    > Sent: Monday, September 27, 2004 9:27 AM
    > To: larobins@bellatlantic.net; Joe Doyle; focus-ms@securityfocus.com
    > Subject: RE: Items within XP SP2 and Win2003
    >
    > WRT Windows firewall and IE updates.
    >
    > Dennis
    >
    > > -----Original Message-----
    > > From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
    > > Sent: Sunday, September 26, 2004 2:38 AM
    > > To: 'Joe Doyle'; focus-ms@securityfocus.com
    > > Subject: RE: Items within XP SP2 and Win2003
    > >
    > > In what respects?
    > >
    > > Laura
    > >
    > > > -----Original Message-----
    > > > From: Joe Doyle [mailto:joe.doyle@promega.com]
    > > > Sent: Wednesday, September 22, 2004 5:38 PM
    > > > To: focus-ms@securityfocus.com
    > > > Subject: RE: Items within XP SP2 and Win2003
    > > >
    > > >
    > > > Not yet. Windows 2003 Service Pack 1 is supposed to bring it up to
    > > > speed with Windows XP SP2.
    > > >
    > > > Joe
    > > >
    > > > -----Original Message-----
    > > > From: James Bowman [mailto:jim@drexel.edu]
    > > > Sent: Sunday, September 19, 2004 9:11 PM
    > > > To: focus-ms@securityfocus.com
    > > > Subject: Items within XP SP2 and Win2003
    > > >
    > > >
    > > >
    > > > Is there a set of hotfixes needed for 2003 that make it comparable in
    > > > features / overall security posture to XP SP2?
    > > >
    > > > Although there's probably a bevy of XP SP2 items embedded in 2003, I
    > > > would imagine there's a bunch that's not...
    > > >
    > > >
    > > >
    > > > Thanks
    > > >