Re: Isolate systems

From: Bob Smith (BobSmith_at_discussions.microsoft.com)
Date: 02/08/05 

Date: Tue, 8 Feb 2005 05:13:06 -0800

Steve,

Thanks for the great info, I do have access to the firewall and I have used
ipsec policies previously, I also run Languard to check against
vulnerabilities, my major attacks are coming from the basic MS ports and how
to isolate these ports without removing basic services, also we need to
maintin management, my thought here is to allow management access to two
subnets (server room and vpn subnets), however systems like domain
controllers I will have to leave open (of course I have these locked down) to
the community, I guess the answer here is to evaluate each system for the
specific needs and isolate based on that info.

Regards,
Bob Smith

"Steven L Umbach" wrote:

> If you have access to the firewall, you might be able to configure what IP
> addresses can and can not access your network/servers and on what ports
> using what protocols. If you can not access the firewall you can use ipsec
> filtering policy on your computers which is a policy that uses rules with
> permit and block filter actions to act as a built in packet filtering
> firewall. Ipsec policies are best when trying to configure for a subnet
> range or a small range of IP addresses as you can not specify IP addresses
> "ranges" in an ipsec policy. You can also create an ipsec rule "blacklist"
> to add the IP address of attackers to block their access. Software firewalls
> such as the ones from Sygate could be another option. Depending on your
> network layout [operating system, domain, etc] you may be able to implement
> ipsec negotiation security to block access from non domain computers or
> domain computers that are not configured with at least a matching ipsec
> client/respond policy. Ipsec can also use certificates for computer
> authentication. Only Windows 2000/XP Pro/W2003 MS computers are ipsec aware.
> Ipsec negotiation polices also need to exempt domain controllers for traffic
> between domain members and domain controllers. The links below are about
> ipsec.
>
> http://www.securityfocus.com/infocus/1559
> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
>
> Disable file and print sharing on any computers that do not need to offer
> shares and do not need to be managed remotely via Computer Management or
> command line tools that rely on the ports you mentioned. You also may be
> able to take advantage of the user rights for "logon locally and deny logon
> locally" to restrict what users can access a computer, though that will not
> stop users from trying to make attempts to guess passwords. Such user rights
> and ipsec policies can be managed via Group Policy for consistent
> application and ease of administration to larger number of computers. A
> managed switch may be another option as they offer options such as mac
> filtering and port isolation [HP Procurve] to further restrict access to
> your network. Mac filtering can be spoofed but it would be another barrier
> to access and will deter most curious attackers. 802.1X switches are a
> better access restricting option but they are not foolproof either and
> require compatible operating systems, a Certificate Authority to issue
> computer certificates, and an IAS server on the network. Also run the
> Microsoft Baseline Security Analyzer on your computers to check for basic
> vulnerabilities such as weak passwords, missing patches, and unneeded
> services.--- Steve
>
> http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA.
>
> "Bob Smith" <BobSmith@discussions.microsoft.com> wrote in message
> news:4349381E-1D4F-44B7-A6E5-6347C2EF5E49@microsoft.com...
> > Due to the large number of attacks against Windows Server we would like to
> > block windows systems from the larger community (Large college) to prevent
> > systems from getting attack, does anyone have any help, suggestions, info
> > for
> > blocking ms port (135, 137, 139, & 445) from the community.
> >
> > Thanks in advance,
> > Bob Smith
>
>
>

Relevant Pages

  • Re: Isolate systems
    ... some sort of port/protocol/Ip/mac"filtering" via switches, ipsec filtering, ... firewall yourself from outside the network, even if you use a self scan site ... If legitimate users are trying to attack your computers you may have to see ...
    (microsoft.public.win2000.security)
  • Re: XP Firewall Quandry
    ... admin workstations if that would work and possibly even requiring an ipsec ... security association for those exceptions which would not allow computers ... Even the risk of having another network available can be ... enable the Windows Firewall in both domain and standard policy. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Anyone can browse my network
    ... You mention firewall but that will normally only prevent access from the ... internet unless the firewall is used to protect a network segment of your ... network infrastructure or possibly ipsec implementation on the domain. ... before an ipsec session can be created between two computers. ...
    (microsoft.public.security)
  • Re: Isolate systems
    ... If you have access to the firewall, you might be able to configure what IP ... filtering policy on your computers which is a policy that uses rules with ... Ipsec policies are best when trying to configure for a subnet ... network layout you may be able to implement ...
    (microsoft.public.win2000.security)
  • Re: Isolate systems
    ... You also may want to download the " Securing Windows 2000 Server Security ... to use ipsec "filtering" policies to secure domain controllers and other ... >> filtering policy on your computers which is a policy that uses rules with ...
    (microsoft.public.win2000.security)