Re: Open ports?
From: AP (ap76@email.com)
Date: 01/29/03
- Next message: Tan Fang Wai: "Re: Internet Cookies"
- Previous message: Andy Lock: "Workstation Lock-Down"
- In reply to: Karl Levinson [x y] mvp: "Re: Open ports?"
- Next in thread: Rick Kingslan [MVP 2000/NT]: "Re: Open ports?"
- Reply: Rick Kingslan [MVP 2000/NT]: "Re: Open ports?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "AP" <ap76@email.com> Date: Wed, 29 Jan 2003 12:15:43 -0000
Karl,
Initially, Win2k Server was installed without IIS and SP2 installed, Active
Directory and DNS were all set up, and then I tried installing Exchange, but the
setup refused to install until IIS was installed.
Hence having IIS on the DC.
"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message news:ugmFg$EuCHA.1844@TK2MSFTNGP09...
> My goodness. This server isn't going to be as secure as possible. Your
> domain controller should ideally not be visible from the internet, and it
> shouldn't be running IIS. IIS and Exchange should usually be run alone on a
> server if at all possible, for security and performance [and I believe
> Microsoft recommends not installing OWA on the same server that is running
> Exchange]. Running PcAnywhere on it is also a potential vulnerability.
>
> While you can certainly choose to run all this stuff on one computer if you
> wish, combining all of these gives your Domain Controller all the
> vulnerabilities of IIS, and your IIS server all the vulnerabilities of a
> domain controller. You have to keep them all patched, because a bug in
> either one grants pretty much automatic access to everything else on the
> machine and probably your whole network.
>
> You may want to consider using two firewalls or a firewall with three NICs
> or two firewalls where one has three NICs in order to create a DMZ, to
> protect your internal network from the server in case the server is cracked.
> However, if this is your domain controller, putting a firewall between it
> and the internal network is probably not going to be too effective and might
> be troublesome. There are free firewalls, like Sentry, IP Cop, etc. etc.
>
> Also, setting up your own firewall and learning as you go is a good way to
> make a mistake and get hacked. You really want to know TCP/IP and how to do
> firewalls first, and there's a lot to know. When adding ports, you need to
> know whether it's TCP or UDP, whether the connection will look like
> client:1025 --> server:25 or client:25 --> server:1025, know the direction
> of the communication, know whether your brand of firewall is stateful or
> requires you to set up separate rules to permit the replies back out, etc.
> I don't really advise using the native TCP/IP or IPSec filtering as a
> firewall unless you're already an expert, since there's no logging or
> alerting or intrusion detection to help you out.
>
> Anyhow, if you choose to do this yourself anyways and do it on one server,
> see here:
>
> http://securityadmin.info/faq.htm#harden
> http://securityadmin.info/faq.htm#firewall
> http://securityadmin.info/faq.htm#ipsec
> http://securityadmin.info/faq.htm#6.9 [If you need to do Windows domain
> through a firewall, you'll want to do this to assign static RPC ports]
>
>
> "AP" <ap76@email.com> wrote in message news:e6WINJAuCHA.2496@TK2MSFTNGP10...
> > I am concerned about our server which we are configuring atm.
> > It's going to be a Domain Controller using Windows 2000 Server + Exchange
> > 2000.
> >
> > What do I need to do to secure the server so no hackers/intruders compromise
> > the server and abuse its installed services like IIS/mail/etc.
> >
> > I was thinking of using the tcp/ip rules to only allow ports that I add.
> >
> > What ports would I add?
> >
> > Considering that this server is a domain controller running IIS 5 and is a
> > mail server, but also will have VPN capabilities and PcAnywhere will run on
> > it.
> >
> > Many thx.
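The firewall rule discussion in Karl's quoted reply (TCP vs UDP, the client:1025 --> server:25 connection shape, and stateful filters versus ones that need a separate reply rule), worked as an added example that is not part of this thread: a small Python simulation of a stateless packet filter beside a stateful one. The addresses, the `Packet`/`Rule` classes and the UDP/53 case are constructed for the example.

```python
from dataclasses import dataclass
SERVER = "192.0.2.10"  # constructed server address (RFC 5737 documentation range)

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True only for the packet that opens a TCP connection

@dataclass(frozen=True)
class Rule:
    proto: str
    server_port: int
    direction: str  # "in": traffic to SERVER:server_port, "out": replies from it

def rule_matches(rule, pkt):
    """Rules are written from the server's point of view, as in the post."""
    if rule.proto != pkt.proto:
        return False
    if rule.direction == "in":
        return pkt.dst_ip == SERVER and pkt.dst_port == rule.server_port
    return pkt.src_ip == SERVER and pkt.src_port == rule.server_port

def stateless_allowed(rules, pkt):
    """Stateless: each packet stands alone, so the reply needs its own 'out' rule."""
    return any(rule_matches(r, pkt) for r in rules)

class StatefulFilter:
    """Stateful: only the packet opening a flow is checked against the rules;
    the rest of that flow (both directions) is allowed via the state table."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()
    def allowed(self, pkt):
        fwd = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.flows or rev in self.flows:
            return True
        opens_flow = pkt.syn if pkt.proto == "tcp" else True  # UDP has no handshake
        if opens_flow and any(rule_matches(r, pkt) for r in self.rules):
            self.flows.add(fwd)
            return True
        return False  # includes a stray non-SYN TCP packet with no known flow

def smtp_exchange(client="198.51.100.7"):
    """Constructed exchange from the post: client:1025 --> server:25, then the reply."""
    return [Packet("tcp", client, 1025, SERVER, 25, syn=True),
            Packet("tcp", SERVER, 25, client, 1025)]
```

With only the inbound tcp/25 rule, the stateless filter drops the server's reply while the stateful one tracks the connection and lets it through.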