Re: IPsec - locking down Windows 2003

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/24/04


Date: Tue, 23 Mar 2004 23:21:26 -0700

I would not care what port they originate from, but that they
are inbound to port 80 of IPs bound to web content.
You may want to examine whether you really do want to
have all of the rules mirrored as you have outlined.
Example: block all is mirrored, whereas block all inbound
unmirrored is sufficient. You also have not mentioned rules
to allow such as NTP 123, SMTP, DNS, . . .

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Lee Atkinson" <leeatkinsonlincs@hotmail.com> wrote in message
news:ab5f9e77.0403220520.6cb4516@posting.google.com...
> Hi - I want to lock down a Windows 2003 server using IPsec. Basic
> setup is to have two filters and rules:
>   - mirrored, all traffic from any address to my address - deny
>   - mirrored, all TCP traffic from any address to my address, port 80 - allow
>
> This works fine; then, to allow the server itself to connect to websites,
> I set the filter and rule:
>   - mirrored, all traffic from my IP address to any address, port 80 - allow
>
> This all works, but would this allow people to connect to the server
> from their port 80?
>
> Many thanks

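An added example (not from either poster) that models the three mirrored filters Lee describes the way the Windows IPsec driver treats them: a mirrored filter is a second copy with source and destination swapped, filters are stateless, and the most specific matching filter decides. The server address, the remote address and the probe packets are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard in a filter field

@dataclass(frozen=True)
class Filter:
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    action: str  # "permit" or "block"

    def mirror(self) -> "Filter":
        # A mirrored filter is the same filter with source and destination swapped
        return Filter(self.dst, self.src, self.proto, self.dport, self.sport, self.action)

    def fields(self) -> Tuple:
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def matches(self, pkt: Tuple) -> bool:
        return all(f is ANY or f == p for f, p in zip(self.fields(), pkt))

    def specificity(self) -> int:
        # Windows IPsec applies the most specific matching filter: count non-wildcard fields
        return sum(f is not ANY for f in self.fields())

def expand(policy: List[Tuple[Filter, bool]]) -> List[Filter]:
    """Flatten (filter, mirrored?) pairs into the filter set the stack actually evaluates."""
    out = []
    for f, mirrored in policy:
        out.append(f)
        if mirrored:
            out.append(f.mirror())
    return out

def decide(filters: List[Filter], pkt: Tuple) -> str:
    """Action for a (src, dst, proto, sport, dport) packet; unmatched traffic is left alone."""
    hits = [f for f in filters if f.matches(pkt)]
    return max(hits, key=Filter.specificity).action if hits else "permit"

ME = "192.0.2.10"  # constructed server address
POSTER_POLICY = [
    (Filter(ANY, ME, ANY, ANY, ANY, "block"), True),    # mirrored: any -> me, deny
    (Filter(ANY, ME, "tcp", ANY, 80, "permit"), True),  # mirrored: any -> me:80, allow
    (Filter(ME, ANY, "tcp", ANY, 80, "permit"), True),  # mirrored: me -> any:80, allow
]
FILTERS = expand(POSTER_POLICY)

if __name__ == "__main__":
    client = "198.51.100.7"  # constructed remote host
    print(decide(FILTERS, (client, ME, "tcp", 51000, 80)))  # web request to the server
    print(decide(FILTERS, (client, ME, "tcp", 80, 51000)))  # reply to a page the server fetched
    print(decide(FILTERS, (client, ME, "tcp", 80, 445)))    # inbound from source port 80 to another service
```

Because the filters are stateless, the mirror of the third rule is what lets replies to the server's own web requests back in, and the same mirror matches any inbound TCP packet whose source port is 80 regardless of destination port, which is the exposure the question asks about.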