RE: Securing a Win2k DNS server outside firewall...

From: Manuel Fernandes (manuelf_at_mailblocks.com)
Date: 06/07/03

    Date: Fri, 6 Jun 2003 16:12:10 -0700
    To: "'VNV Jeep'" <vnvjeep@hotmail.com>, <security-basics@securityfocus.com>

    Cheap, quick and dirty solution. Have you considered just implementing port
    filtering on the TCP/IP on the machine itself? Just open the desired ports
    (i.e. DNS/HTTP/LDAP) and block the rest!

    Read more:
    http://www.jsiinc.com/SUBL/tip5700/rh5799.htm

    I would work towards a DMZ someday.

    Manuel

    -----Original Message-----
    From: VNV Jeep [mailto:vnvjeep@hotmail.com]
    Sent: Friday, June 06, 2003 11:31 AM
    To: Bob.Bermingham@idc-mcs.com; security-basics@securityfocus.com

    Thanks for the message back, Bob...

    >I'm pretty sure that if you unbind File and Print sharing and client
    >for Microsoft Networks from the network adapter, it will stop
    >responding to RPC requests. If you're only using the boxes for DNS, it
    >shouldn't cause any problems.

    Unfortunately that isn't the case. I have everything disabled with the
    exception of TCP/IP in the NIC properties. I had the same thought that you
    did back when I set these up... no dice.

    I was even thinking of disabling the RPC service, but apparently the DNS
    service relies on it... so I guess I'm forced to keep it running.

    Other suggestions I've received (thanks to all who responded so far):
    - Block 135 from the router to this particular IP
    - Use IPsec/GP for 135.
    - Stick the DNS boxes in a DMZ.

    Take care,
    Mike


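As an added example (not code from the thread or from either poster), the script below writes the per-adapter registry values behind the Windows 2000 TCP/IP filtering Manuel describes as a .reg file, allowing only DNS, HTTP and LDAP inbound. The adapter GUID is a placeholder; the key and value names are the ones Windows 2000 uses for this feature.

```python
# Added example: emit a .reg file that enables Windows 2000 TCP/IP filtering in
# "Permit Only" mode, so the stack drops inbound traffic to every port except the
# ones a DNS/HTTP/LDAP box must serve. TCP 135 (RPC endpoint mapper) then becomes
# unreachable from the network even though the RPC service keeps running for DNS.
# Assumption: ADAPTER_GUID is a placeholder; use the interface GUID found under
# Tcpip\Parameters\Interfaces on the actual server.

TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
ADAPTER_GUID = "{00000000-0000-0000-0000-000000000000}"  # placeholder, not a real GUID


def reg_multi_sz(values):
    """Encode strings as the hex(7) form .reg files use for REG_MULTI_SZ:
    each string in UTF-16LE with a NUL terminator, then one more NUL."""
    raw = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def validate(entries, upper, what):
    """Normalise port/protocol numbers. A lone "0" means 'permit all' to the
    filter, which would defeat the purpose, so it is rejected like junk values."""
    out = []
    for e in entries:
        n = int(str(e).strip())  # ValueError on junk such as "dns"
        if not 1 <= n <= upper:
            raise ValueError(f"{what} {e!r} out of range 1-{upper}")
        out.append(str(n))
    if not out:
        raise ValueError(f"no {what} entries given")
    return out


def build_filter_reg(tcp_ports, udp_ports, ip_protocols=(6, 17)):
    """Return .reg text: filtering switched on globally, allow-lists per adapter.
    ip_protocols defaults to TCP (6) and UDP (17). Filtering is inbound-only,
    applies per adapter, logs nothing, and takes effect after a reboot."""
    tcp = validate(tcp_ports, 65535, "TCP port")
    udp = validate(udp_ports, 65535, "UDP port")
    raw = validate(ip_protocols, 255, "IP protocol")
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{TCPIP_PARAMS}]",
        '"EnableSecurityFilters"=dword:00000001',
        "",
        f"[{TCPIP_PARAMS}\\Interfaces\\{ADAPTER_GUID}]",
        f'"TCPAllowedPorts"={reg_multi_sz(tcp)}',
        f'"UDPAllowedPorts"={reg_multi_sz(udp)}',
        f'"RawIPAllowedProtocols"={reg_multi_sz(raw)}',
        "",
    ])


if __name__ == "__main__":
    # DNS (53 TCP and UDP), HTTP (80) and LDAP (389), nothing else.
    print(build_filter_reg(tcp_ports=[53, 80, 389], udp_ports=[53]))
```

Because this filter is inbound-only, per adapter and unlogged, it complements the router ACL on 135 and the DMZ mentioned in the thread rather than replacing them.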

