Re: Isolate systems

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 02/08/05


Date: Mon, 7 Feb 2005 23:28:09 -0600

If you have access to the firewall, you might be able to configure what IP
addresses can and cannot access your network/servers and on what ports
using what protocols. If you cannot access the firewall you can use an IPsec
filtering policy on your computers, which is a policy that uses rules with
permit and block filter actions to act as a built-in packet filtering
firewall. IPsec policies are best when trying to configure for a subnet
range or a small range of IP addresses, as you cannot specify IP address
"ranges" in an IPsec policy. You can also create an IPsec rule "blacklist"
to add the IP addresses of attackers to block their access. Software firewalls
such as the ones from Sygate could be another option. Depending on your
network layout [operating system, domain, etc.] you may be able to implement
IPsec negotiation security to block access from non-domain computers or
domain computers that are not configured with at least a matching IPsec
client/respond policy. IPsec can also use certificates for computer
authentication. Only Windows 2000/XP Pro/W2003 MS computers are IPsec aware.
IPsec negotiation policies also need to exempt domain controllers for traffic
between domain members and domain controllers. The links below are about
IPsec.

http://www.securityfocus.com/infocus/1559
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

Disable file and print sharing on any computers that do not need to offer
shares and do not need to be managed remotely via Computer Management or
command line tools that rely on the ports you mentioned. You also may be
able to take advantage of the user rights for "log on locally" and "deny log on
locally" to restrict what users can access a computer, though that will not
stop users from trying to make attempts to guess passwords. Such user rights
and IPsec policies can be managed via Group Policy for consistent
application and ease of administration to a larger number of computers. A
managed switch may be another option, as they offer options such as MAC
filtering and port isolation [HP ProCurve] to further restrict access to
your network. MAC filtering can be spoofed, but it would be another barrier
to access and will deter most curious attackers. 802.1X switches are a
better access restricting option, but they are not foolproof either and
require compatible operating systems, a Certificate Authority to issue
computer certificates, and an IAS server on the network. Also run the
Microsoft Baseline Security Analyzer on your computers to check for basic
vulnerabilities such as weak passwords, missing patches, and unneeded
services.

--- Steve

http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA.

"Bob Smith" <BobSmith@discussions.microsoft.com> wrote in message
news:4349381E-1D4F-44B7-A6E5-6347C2EF5E49@microsoft.com...
> Due to the large number of attacks against Windows Server we would like to
> block Windows systems from the larger community (large college) to prevent
> systems from getting attacked. Does anyone have any help, suggestions, or info
> for blocking the MS ports (135, 137, 139, & 445) from the community?
>
> Thanks in advance,
> Bob Smith
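The permit/block IPsec filtering policy Steve describes, written out as an added example that is not part of the original post or its links. It uses the "netsh ipsec static" context found on Windows XP Pro and Windows Server 2003 (Windows 2000 has no such netsh context; ipsecpol.exe from its Resource Kit does the same job with different syntax). Every name and address in it is an assumption: 10.10.0.0/24 stands for the subnet holding the domain controllers and admin workstations, and 192.0.2.55 is a constructed attacker address for the blacklist rule.

```batch
@echo off
setlocal

rem Added example, not code from the original post. Builds a local IPsec
rem filtering policy that blocks the Microsoft networking ports from the
rem campus at large, permits them from one trusted subnet, and blacklists a
rem single attacker address. Values are hypothetical; adjust before use.

set POLICY=Isolate MS ports
set TRUSTED_NET=10.10.0.0
set TRUSTED_MASK=255.255.255.0
set ATTACKER=192.0.2.55

rem --- Filter list 1: the Microsoft networking ports, from any source.
rem dstaddr=me is this host, srcport=0 is "any port", mirrored=yes also
rem matches the reply packets. Only connections TO this host are matched;
rem this host's own outbound connections to shares and DCs are unaffected.
set FL_ANY=MS ports from any source
netsh ipsec static add filterlist name="%FL_ANY%" description="TCP 135/139/445 and UDP 137 inbound from anywhere"
netsh ipsec static add filter filterlist="%FL_ANY%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=135 mirrored=yes
netsh ipsec static add filter filterlist="%FL_ANY%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=yes
netsh ipsec static add filter filterlist="%FL_ANY%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist="%FL_ANY%" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=137 mirrored=yes

rem --- Filter list 2: the same ports, but only from the trusted subnet.
rem This is the "subnet, not range" limitation from the post: a source is
rem an address plus a mask, so 10.10.0.20-10.10.0.40 cannot be written
rem directly; choose a mask that covers the hosts or list them one by one.
set FL_TRUSTED=MS ports from trusted subnet
netsh ipsec static add filterlist name="%FL_TRUSTED%" description="Same ports, from domain controllers and admins"
netsh ipsec static add filter filterlist="%FL_TRUSTED%" srcaddr=%TRUSTED_NET% srcmask=%TRUSTED_MASK% dstaddr=me protocol=TCP srcport=0 dstport=135 mirrored=yes
netsh ipsec static add filter filterlist="%FL_TRUSTED%" srcaddr=%TRUSTED_NET% srcmask=%TRUSTED_MASK% dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=yes
netsh ipsec static add filter filterlist="%FL_TRUSTED%" srcaddr=%TRUSTED_NET% srcmask=%TRUSTED_MASK% dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist="%FL_TRUSTED%" srcaddr=%TRUSTED_NET% srcmask=%TRUSTED_MASK% dstaddr=me protocol=UDP srcport=0 dstport=137 mirrored=yes

rem --- Filter list 3: the attacker blacklist, all protocols from that host.
rem Add one "add filter" line per attacker address as they show up.
set FL_BLACKLIST=Attacker blacklist
netsh ipsec static add filterlist name="%FL_BLACKLIST%" description="Known hostile hosts, all traffic"
netsh ipsec static add filter filterlist="%FL_BLACKLIST%" srcaddr=%ATTACKER% dstaddr=me protocol=ANY mirrored=yes

rem --- Filter actions: plain permit and block, no IPsec negotiation, so
rem no Kerberos/certificate setup and no domain controller exemption needed.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem --- Policy and rules. activatedefaultrule=no keeps the default response
rem rule out of the picture; the policy is created unassigned and switched
rem on as the last step.
netsh ipsec static add policy name="%POLICY%" description="Block MS ports except from trusted subnet" activatedefaultrule=no assign=no
netsh ipsec static add rule name="Block MS ports"  policy="%POLICY%" filterlist="%FL_ANY%"       filteraction="Block"
netsh ipsec static add rule name="Permit trusted"  policy="%POLICY%" filterlist="%FL_TRUSTED%"   filteraction="Permit"
netsh ipsec static add rule name="Blacklist"       policy="%POLICY%" filterlist="%FL_BLACKLIST%" filteraction="Block"

rem --- Assign the policy locally and print it back for review.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose

endlocal
```

Windows IPsec applies the most specific matching filter, which is what makes the three rules work together: the /24 permit outranks the any-address block for hosts in the trusted subnet, and the single-host blacklist filter outranks the subnet filters. After assigning it, test from both sides before rolling it out: `net view \\target` from a trusted workstation should still work, and the same command from an address outside the subnet should time out. Keep the trusted subnet wide enough to include every domain controller, or domain members will lose their RPC and SMB traffic to the DCs. A domain-assigned IPsec policy delivered by Group Policy, as Steve suggests for larger numbers of computers, takes precedence over this local one.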
