Re: Open ports?
From: AP (ap76@email.com)
Date: 01/30/03
- Next message: Karl Levinson [x y] mvp: "Re: When will microsoft show IP adress instead of netbios names"
- Previous message: Jeff Cochran: "Re: setting up Win ME"
- In reply to: Rick Kingslan [MVP 2000/NT]: "Re: Open ports?"
- Next in thread: Robert Moir: "Re: Open ports?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "AP" <ap76@email.com> Date: Thu, 30 Jan 2003 13:27:22 -0000
Rick,
I appreciate your input.
Then a new server will be the best way forward running Exchange/IIS, like you
mentioned.
Hopefully when I reach that stage, I'll be running a tight ship.
Kind Regards
"Rick Kingslan [MVP 2000/NT]" <rkingsla.cox.net@127.0.0.1> wrote in message
news:u5LiU96xCHA.2916@TK2MSFTNGP09...
> AP,
>
> I agree. You can't install Exchange without IIS. Many components are
> pre-reqs.
>
> And, Karl, too - is right. Expecting a secure DC with IIS and Exchange on
> the same box is just not a realistic expectation. If you want security for
> your DCs, have nothing other than authentication services (and those
> functions required by and expected from Domain Controllers) on the machine.
> IIS and Exchange must go on a second box.
>
> That, or reduce your expectation for security. There is no middle ground in
> this.
> --
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Windows 2000/NT
> Beta ID #108394
>
>
> "AP" <ap76@email.com> wrote in message
> news:u6Zcn#4xCHA.2620@TK2MSFTNGP10...
> > Karl,
> >
> > Initially, Win2k-Server was installed without IIS and SP2 installed,
> > active directory, dns was all setup and then I tried installing exchange,
> > but the setup refused to install until IIS was installed.
> > Hence having IIS on the DC.
> >
> > "Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
> > news:ugmFg$EuCHA.1844@TK2MSFTNGP09...
> > > My goodness. This server isn't going to be as secure as possible. Your
> > > domain controller should ideally not be visible from the internet, and it
> > > shouldn't be running IIS. IIS and Exchange should usually be run alone on
> > > a server if at all possible, for security and performance [and I believe
> > > Microsoft recommends not installing OWA on the same server that is
> > > running Exchange]. Running PcAnywhere on it is also a potential
> > > vulnerability.
> > >
> > > While you can certainly choose to run all this stuff on one computer if
> > > you wish, combining all of these gives your Domain Controller all the
> > > vulnerabilities of IIS, and your IIS server all the vulnerabilities of a
> > > domain controller. You have to keep them all patched, because a bug in
> > > either one grants pretty much automatic access to everything else on the
> > > machine and probably your whole network.
> > >
> > > You may want to consider using two firewalls or a firewall with three
> > > NICs or two firewalls where one has three NICs in order to create a DMZ,
> > > to protect your internal network from the server in case the server is
> > > cracked. However, if this is your domain controller, putting a firewall
> > > between it and the internal network is probably not going to be too
> > > effective and might be troublesome. There are free firewalls, like
> > > Sentry, IP Cop, etc. etc.
> > >
> > > Also, setting up your own firewall and learning as you go is a good way
> > > to make a mistake and get hacked. You really want to know TCP/IP and how
> > > to do firewalls first, and there's a lot to know. When adding ports, you
> > > need to know whether it's TCP or UDP, whether the connection will look
> > > like client:1025 --> server:25 or client:25 --> server:1025, know the
> > > direction of the communication, know whether your brand of firewall is
> > > stateful or requires you to set up separate rules to permit the replies
> > > back out, etc. I don't really advise using the native TCP/IP or IPSec
> > > filtering as a firewall unless you're already an expert, since there's no
> > > logging or alerting or intrusion detection to help you out.
> > >
> > > Anyhow, if you choose to do this yourself anyways and do it on one
> > > server, see here:
> > >
> > > http://securityadmin.info/faq.htm#harden
> > > http://securityadmin.info/faq.htm#firewall
> > > http://securityadmin.info/faq.htm#ipsec
> > > http://securityadmin.info/faq.htm#6.9 [If you need to do Windows domain
> > > through a firewall, you'll want to do this to assign static RPC ports]
> > >
> > >
> > > "AP" <ap76@email.com> wrote in message
> > > news:e6WINJAuCHA.2496@TK2MSFTNGP10...
> > > > I am concerned about our server which we are configuring atm.
> > > > It's going to be a Domain Controller using Windows 2000 Server +
> > > > Exchange 2000.
> > > >
> > > > What do I need to do to secure the server so no hackers/intruders
> > > > compromise the server and abuse its installed services like
> > > > iis/mail/etc.
> > > >
> > > > I was thinking of using the tcp/ip rules to only allow ports that I
> > > > add.
> > > >
> > > > What ports would I add?
> > > >
> > > > Considering that this server is a domain controller running IIS 5 and
> > > > is a mail server, but also will have VPN capabilities and PcAnywhere
> > > > will run on it.
> > > >
> > > > Many thx.
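Karl's warning about TCP vs UDP, connection direction and stateful vs stateless filtering is easy to get wrong when writing an allow-only port list like the one AP proposed. The following is an added illustration, not code from this thread or from any of the products mentioned: a toy packet filter applied to both directions of traffic, in two variants. The stateless variant judges each packet alone, so the SMTP reply from server:25 back to client:1025 hits the default deny unless a separate reverse rule exists; the stateful variant remembers the connections it allowed and lets the reply through. All addresses, ports and packets are constructed sample values.

```python
# Added example (not part of the original thread): stateless vs stateful
# filtering of a client:1025 --> server:25 SMTP connection and its reply.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP only: True on the first packet of a connection


@dataclass(frozen=True)
class Rule:
    proto: str          # rules are per protocol: a TCP rule never matches UDP
    dst: str            # host the rule protects
    dport: int          # service port on that host
    action: str         # "allow" or "deny"


SERVER = "192.0.2.10"        # constructed: the DC / mail server
CLIENT = "198.51.100.7"      # constructed: a remote SMTP client


def rule_matches(rule, pkt):
    return rule.proto == pkt.proto and rule.dst == pkt.dst and rule.dport == pkt.dport


class StatelessFilter:
    """Evaluates every packet on its own. The reply server:25 --> client:1025
    is just a packet to port 1025 on the client and needs its own rule."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, pkt):
        for r in self.rules:
            if rule_matches(r, pkt):
                return r.action
        return "deny"    # default deny, as in an allow-only port list


class StatefulFilter:
    """Same rules, but tracks connections it allowed and passes the
    matching reply without an explicit reverse rule."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # (proto, src, sport, dst, dport) of allowed flows

    def decide(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "allow"                       # part of a tracked connection
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"                        # mid-stream TCP with no state
        for r in self.rules:
            if rule_matches(r, pkt):
                if r.action == "allow":
                    self.table.add(fwd)          # remember the flow we opened
                return r.action
        return "deny"


def run_demo():
    """Returns the decisions each filter makes for the same traffic."""
    rules = [
        Rule("tcp", SERVER, 25, "allow"),    # SMTP in
        Rule("tcp", SERVER, 443, "allow"),   # HTTPS in
    ]
    syn = Packet("tcp", CLIENT, 1025, SERVER, 25, syn=True)
    reply = Packet("tcp", SERVER, 25, CLIENT, 1025)
    midstream = Packet("tcp", CLIENT, 1025, SERVER, 25)   # no SYN seen first
    udp_probe = Packet("udp", CLIENT, 1025, SERVER, 25)   # right port, wrong proto

    stateless = StatelessFilter(rules)
    stateful = StatefulFilter(rules)
    fresh_stateful = StatefulFilter(rules)
    return {
        "stateless_syn": stateless.decide(syn),
        "stateless_reply": stateless.decide(reply),      # needs a reverse rule
        "stateful_syn": stateful.decide(syn),
        "stateful_reply": stateful.decide(reply),        # passed by the table
        "stateful_midstream_no_state": fresh_stateful.decide(midstream),
        "udp_probe": stateful.decide(udp_probe),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:30s} {decision}")
```

On the stateless filter the only way to pass the reply is a rule for the client's ephemeral port, and since ephemeral ports vary per connection that means opening a whole range, which is the practical cost Karl is pointing at. The UDP probe shows the other half of his point: a TCP rule for port 25 says nothing about UDP port 25.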