Re: Security for Win2003 Servers

From: NewComer (NewComer_at_discussions.microsoft.com)
Date: 11/25/04 

Date: Thu, 25 Nov 2004 10:37:02 -0800

My servers will not setup as Domain or Domain Member only normal server (Can
I setup this way?).To my understanding, the Proxy Server should install with
ISA in Win2K but do not know whether Win2003 Server need to install ISA or
is bastion replaced ISA server.

Proxy server
1. Does ISA need to install in win2003 Proxy server or Bastion has replace
ISA server? or Proxy need both ISA and Bastion.

Web/App server
1. Will I need Legacy Client - MemberServer Baseline.inf, if my web/app
server is not a Domain member, Domain controller, just normal stand alone
server.

Base on my setup,in your opion what will you use the security template or
policy for server as stated below. Please advices

Proxy server
1.
2.
3.

Web/Appl Server
1.
2.
3.

"Roger Abell [MVP]" wrote:

> It seems you have found the W2k3 hardening guide, which is good.
> I do not understand you choices for the IIS box. In is in the DMZ,
> so normally this means you would want to use as much of the bastion
> guidance as possible. Even if it is a domain member, I do not understand
> the choice of the legacy template. When MS placed an exposed IIS 6 on
> the network for the open hack contest, they did very little beyond common
> sense config to that W2k3 and then added IPsec in filter mode (allow no
> traffic, except allow inbound tcp 80/443 - in your case also allow specific
> port+ip as needed for time, dns, mgmt, app tier)
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCDBA, MCSE W2k3+W2k+Nt4
> "NewComer" <NewComer@discussions.microsoft.com> wrote in message
> news:7B8FFD3D-B68F-4C68-BB4E-62D9610A53FE@microsoft.com...
> > Hi,
> >
> > I am planning to setup two Win2003 Servers. One Proxy (in DMZ zone) the
> > other is Web/Appl Server.Both of the Servers will not setup as Domain
> > Controller. Below is my query.
> >
> > 1. What security or policy template should I put on both servers?(e.g IIS,
> > ISA)
> > 2. How do I harden the OS?
> >
> > I have come out some policy as stated below but not sure is it correct.
> > Need
> > advice.
> >
> > Proxy Server
> > High Security- Bastion Host.inf
> > ISA
> >
> > Web/App Server
> > Legacy Client - MemberServer Baseline.inf
> > Enterprise Client - IISServer.inf
> >
> > Best regrads,
> > NewComer
> >
>
>
>

Relevant Pages

  • Re: SBS2003 Prem with member Web server
    ... What needs to be understood is *why* exactly the OP wants it to be a domain member? ... Jim Harrison [ISA SE] ... Yes - adding a public server to your domain increases your domain attack ... Charlie mentions placing the web server external to ISA as ...
    (microsoft.public.windows.server.sbs)
  • RE: Sercond ISA on SBS Member Server
    ... ISA on a SBS member server. ... Without a good backup, it's difficult to have the server ... - This is often used for ISA server configuration recovery. ...
    (microsoft.public.windows.server.sbs)
  • RE: Internet Usage Reports
    ... There is no other application on the SBS server box that can monitor ... internet activities as your needs rather than ISA server. ... Microsoft Internet Security and Acceleration Server 2004 is the ... Microsoft is providing this information as a convenience to you. ...
    (microsoft.public.windows.server.sbs)
  • Re: RWW Timing
    ... If you have installed ISA, ... Expand the server node and highlight ''Monitoring''. ... In the following website you can find many useful resources related to SBS ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: Nagging Autorization issue for Companyweb after ISA04 install
    ... Check the companyweb CNAME entry in the DNS Server. ... Does the situation occur when you access companyweb from the ISA ... > 'Microsoft Firewall' service. ... > This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)