Re: Securing a Win2k DNS server outside firewall...

beartman_at_thoughtworks.com
Date: 06/06/03

    Date: Fri, 6 Jun 2003 14:47:41 -0500
    
    

    If it's a Win2K box....

    In the Network properties of the NIC, double click TCP/IP, then click
    advanced.

    Under the WINS tab, select Disable NetBIOS over TCP/IP. That should
    do the trick.

    "VNV Jeep" <vnvjeep@hotmail.com>
    06/06/2003 12:05 PM

    To: security-basics@securityfocus.com
    cc:
    Subject: Securing a Win2k DNS server outside firewall...

    Hi All...

    I have 2 Windows 2000 DNS servers sitting on the outside of our firewall.
    They're vanilla installs of Win2k server, both running as member servers,
    locked down as much as possible, running a primary & secondary DNS
    configuration. When running a port scan against these servers, one of the
    only things that tends to worry me is that they both answer to port 135
    RPC. I've tried to figure out a way to prevent that port from being
    available, but all I could find as far as answers go is that I'd need to
    run a firewall to block it. I did try running a small firewall on the
    servers, but ran into issues since DNS tends to use a myriad of dynamic
    ports when answering queries... Does anyone have any good ideas on how to
    lock down a Win2k server like this so that the only thing available as far
    as services go is DNS, and the replication thereof?

    Thanks in advance for your advice...

    Take care,
    Mike

    ----------------------------------------------------------------------------

