Re: Open ports?
From: Rick Kingslan [MVP 2000/NT] (rkingsla.cox.net@127.0.0.1)
Date: Wed, 29 Jan 2003 09:59:16 -0600
- Next message: Q: "Re: TCP/IP Filtering - can't browse Internet"
- Previous message: rc: "Re: Restrict login to 1 account"
- In reply to: AP: "Re: Open ports?"
- Next in thread: AP: "Re: Open ports?"
- Reply: AP: "Re: Open ports?"
AP,

I agree. You can't install Exchange without IIS. Many components are
prerequisites.

And Karl, too, is right. Expecting a secure DC with IIS and Exchange on
the same box is just not a realistic expectation. If you want security for
your DCs, have nothing other than authentication services (and those
functions required by and expected from Domain Controllers) on the machine.
IIS and Exchange must go on a second box.

That, or reduce your expectation for security. There is no middle ground in
this.
--
Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Windows 2000/NT
Beta ID #108394

"AP" <ap76@email.com> wrote in message news:u6Zcn#4xCHA.2620@TK2MSFTNGP10...
> Karl,
>
> Initially, Win2k-Server was installed without IIS and SP2 installed, active
> directory, dns was all setup and then I tried installing exchange, but the
> setup refused to install until IIS was installed.
> Hence having IIS on the DC.
>
> "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> news:ugmFg$EuCHA.1844@TK2MSFTNGP09...
> > My goodness. This server isn't going to be as secure as possible. Your
> > domain controller should ideally not be visible from the internet, and it
> > shouldn't be running IIS. IIS and Exchange should usually be run alone on a
> > server if at all possible, for security and performance [and I believe
> > Microsoft recommends not installing OWA on the same server that is running
> > Exchange]. Running PcAnywhere on it is also a potential vulnerability.
> >
> > While you can certainly choose to run all this stuff on one computer if you
> > wish, combining all of these gives your Domain Controller all the
> > vulnerabilities of IIS, and your IIS server all the vulnerabilities of a
> > domain controller. You have to keep them all patched, because a bug in
> > either one grants pretty much automatic access to everything else on the
> > machine and probably your whole network.
> >
> > You may want to consider using two firewalls or a firewall with three NICs
> > or two firewalls where one has three NICs in order to create a DMZ, to
> > protect your internal network from the server in case the server is cracked.
> > However, if this is your domain controller, putting a firewall between it
> > and the internal network is probably not going to be too effective and might
> > be troublesome. There are free firewalls, like Sentry, IP Cop, etc. etc.
> >
> > Also, setting up your own firewall and learning as you go is a good way to
> > make a mistake and get hacked. You really want to know TCP/IP and how to do
> > firewalls first, and there's a lot to know. When adding ports, you need to
> > know whether it's TCP or UDP, whether the connection will look like
> > client:1025 --> server:25 or client:25 --> server:1025, know the direction
> > of the communication, know whether your brand of firewall is stateful or
> > requires you to set up separate rules to permit the replies back out, etc.
> > I don't really advise using the native TCP/IP or IPSec filtering as a
> > firewall unless you're already an expert, since there's no logging or
> > alerting or intrusion detection to help you out.
> >
> > Anyhow, if you choose to do this yourself anyways and do it on one server,
> > see here:
> >
> > http://securityadmin.info/faq.htm#harden
> > http://securityadmin.info/faq.htm#firewall
> > http://securityadmin.info/faq.htm#ipsec
> > http://securityadmin.info/faq.htm#6.9 [If you need to do Windows domain
> > through a firewall, you'll want to do this to assign static RPC ports]
> >
> >
> > "AP" <ap76@email.com> wrote in message
> > news:e6WINJAuCHA.2496@TK2MSFTNGP10...
> > > I am concerned about our server which we are configuring atm.
> > > It's going to be a Domain Controller using Windows 2000 Server + Exchange
> > > 2000.
> > >
> > > What do I need to do to secure the server so no hackers/intruders
> > > compromise the server and abuse its installed services like iis/mail/etc.
> > >
> > > I was thinking of using the tcp/ip rules to only allow ports that I add.
> > >
> > > What ports would I add?
> > >
> > > Considering that this server is a domain controller running IIS 5 and is a
> > > mail server, but also will have VPN capabilities and PcAnywhere will run on
> > > it.
> > >
> > > Many thx.
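Karl's warning about port rules (TCP or UDP, which end holds the service port, the direction, and whether the filter is stateful or needs a separate rule for the replies) is easy to see in a toy packet filter. The following is an added example written for this page, not code from the thread or from any of the products named; the addresses, ports and the rule format are constructed, and the "stateful" model is deliberately simplified (it keys state on the address pair only, with no sequence-number or timeout checks).

```python
"""
Toy packet filter (constructed example) showing why a firewall rule has to
name protocol, direction and which side owns the service port, and why a
stateless filter needs an explicit reply rule while a stateful one tracks
the connection instead. Addresses, ports and the rule format are made up.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    direction: str    # "in" = Internet -> server, "out" = server -> Internet
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP SYN flag
    ack: bool = False  # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    """An allow rule; a port of None means 'any port' (constructed format)."""
    proto: str
    direction: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and p.direction == self.direction
                and (self.src_port is None or p.src_port == self.src_port)
                and (self.dst_port is None or p.dst_port == self.dst_port))


SERVER = "203.0.113.10"   # constructed server address (documentation range)
CLIENT = "198.51.100.7"   # constructed remote mail client


def smtp_handshake(client_port: int = 1025) -> List[Packet]:
    """The TCP three-way handshake as the server's firewall sees it: the remote
    client picks an ephemeral port (here 1025) and connects to port 25."""
    return [
        Packet("tcp", "in", CLIENT, client_port, SERVER, 25, syn=True),
        Packet("tcp", "out", SERVER, 25, CLIENT, client_port, syn=True, ack=True),
        Packet("tcp", "in", CLIENT, client_port, SERVER, 25, ack=True),
    ]


def stateless_filter(rules: List[Rule], packets: List[Packet]) -> List[bool]:
    """Each packet is judged on its own against the allow rules; default deny."""
    return [any(r.matches(p) for r in rules) for p in packets]


def stateful_filter(rules: List[Rule], packets: List[Packet]) -> List[bool]:
    """Rules are consulted only for a connection-opening packet; after that,
    both directions of an accepted connection pass via the state table."""
    state = set()
    verdicts = []
    for p in packets:
        key = frozenset({(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)})
        if key in state:
            verdicts.append(True)
            continue
        opening = p.proto == "udp" or (p.syn and not p.ack)
        allowed = opening and any(r.matches(p) for r in rules)
        if allowed:
            state.add(key)
        verdicts.append(allowed)
    return verdicts


def connection_completes(filter_fn: Callable, rules: List[Rule]) -> bool:
    """True only if every packet of the SMTP handshake gets through."""
    return all(filter_fn(rules, smtp_handshake()))


# Rule sets an administrator might write for "allow inbound mail".
INBOUND_SMTP_ONLY = [Rule("tcp", "in", dst_port=25)]
# A stateless filter also needs the reply rule, keyed on the server's port as
# *source* with any destination, because the client's port is ephemeral.
INBOUND_SMTP_WITH_REPLY = INBOUND_SMTP_ONLY + [Rule("tcp", "out", src_port=25)]
# The backwards shape from Karl's post (client:25 --> server:1025): never matches.
WRONG_SHAPE = [Rule("tcp", "in", src_port=25, dst_port=1025)]

if __name__ == "__main__":
    for name, rules in [("smtp only", INBOUND_SMTP_ONLY),
                        ("smtp + reply", INBOUND_SMTP_WITH_REPLY),
                        ("wrong shape", WRONG_SHAPE)]:
        print(f"{name:13} stateless={connection_completes(stateless_filter, rules)} "
              f"stateful={connection_completes(stateful_filter, rules)}")
```

With the single inbound rule, the stateless filter passes the client's SYN and final ACK but drops the server's SYN-ACK, so no mail is ever received; the stateful filter passes all three because the first packet created state. The reply rule that fixes the stateless case has to match on source port 25 with any destination port, which is exactly the kind of detail Karl says you need to know before writing rules by hand. The rule written with the ports the wrong way round matches nothing under either model.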