Re: port blocking on Windows 2000/2003 servers

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/23/04


Date: Tue, 23 Nov 2004 13:40:12 -0600

The Windows 2003 Security Guide does exactly what you want: it starts with a
baseline security configuration and goes from there with chapters based on
server role. It recommends the use of an IPsec "filtering" policy to secure
ports on servers. If you implement an IPsec "negotiation" policy, be aware
that domain controllers must be exempt from the IPsec policy with domain
members by their IP address, as they are the Kerberos distribution centers, or
else all kinds of problems can ensue. FYI, I would not recommend applying
security templates to a production computer - be sure to test them out first.
Best practice would be to import them into a domain or Organizational Unit
Group Policy (other than the default ones) to implement them, which will make
it easy to disable the GPO with the template. IPsec policy cannot be applied
via a security template. The Windows 2003 Security Guide is available at the
link below. Note that W2003 security templates will not be totally compatible
with W2K servers, as many of the security options do not exist on W2K and
results will be unpredictable at best. Best practice would be to place the
different operating systems in different OUs and apply appropriate security
templates to each. --- Steve

http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
http://tinyurl.com/dkbu -- free download.

"Phil McNeill" <philmcneill@NOSPAM4MEhydroottawa.com> wrote in message
news:udzJRZX0EHA.632@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> I am looking for recommendations on what would be the best thing to use to
> lock down all unneeded ports on Windows 2000 Server and Windows Server
> 2003 servers. Basically, we are looking at implementing policy that will
> have us not only ensuring all unneeded services are disabled, but ensuring
> some kind of packet filtering is in place on each individual server that
> will block all port access except those specifically defined as allowed.
> We will likely want to get as granular as specifying which servers/clients
> can talk to which other servers/clients.
>
> 1. How many other people out there are doing this, and how onerous of a
> task is it to implement/manage?
>
> 2. What's the best thing to be using to do it with? IPSEC policies, or
> do I want some kind of software firewalls on each server?
>
> Thanks for any and all tips/advice.
>
> Phil
>
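The IPsec "filtering" policy Steve describes (plain permit/block rules, no negotiation, with the domain controllers exempted by IP address), written as a local policy with the `netsh ipsec static` context that ships with Windows Server 2003. This is an added example, not from the post or the Security Guide; the DC address and the two permitted ports are constructed placeholders, and for domain-wide use the same policy would be assigned through a GPO rather than this local script.

```batch
@echo off
REM Added example: local IPsec filtering policy for a member server.
REM Run from a cmd prompt on the server as an administrator.
REM Placeholders (not from the post): replace DC_IP and the permitted ports.
set DC_IP=192.0.2.10
set POLICY=Server Lockdown

REM 1. Create the policy unassigned so nothing takes effect until reviewed.
REM    activatedefaultrule=no keeps it a pure permit/block policy.
netsh ipsec static add policy name="%POLICY%" description="Block all inbound except allowed" activatedefaultrule=no assign=no

REM 2. Filter actions: permit and block only, no security negotiation.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

REM 3. Catch-all rule: block every inbound packet to this host (dstaddr=Me).
REM    Not mirrored, so outbound traffic the server initiates is not blocked.
netsh ipsec static add filterlist name="All Inbound"
netsh ipsec static add filter filterlist="All Inbound" srcaddr=Any dstaddr=Me protocol=ANY mirrored=no description="catch-all"
netsh ipsec static add rule name="Block all inbound" policy="%POLICY%" filterlist="All Inbound" filteraction="Block"

REM 4. Permitted services. Windows IPsec applies the most specific matching
REM    filter, so these port-specific permits win over the catch-all block.
REM    mirrored=yes also permits the replies back to the client.
netsh ipsec static add filterlist name="Allowed Services"
netsh ipsec static add filter filterlist="Allowed Services" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=443 mirrored=yes description="HTTPS"
netsh ipsec static add filter filterlist="Allowed Services" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=3389 mirrored=yes description="RDP admin"
netsh ipsec static add rule name="Permit allowed services" policy="%POLICY%" filterlist="Allowed Services" filteraction="Permit"

REM 5. Domain controller exemption by IP address so Kerberos, LDAP, DNS and
REM    Group Policy traffic with the KDC keeps flowing. One filter per DC.
netsh ipsec static add filterlist name="Domain Controllers"
netsh ipsec static add filter filterlist="Domain Controllers" srcaddr=%DC_IP% dstaddr=Me protocol=ANY mirrored=yes description="DC exemption"
netsh ipsec static add rule name="Exempt domain controllers" policy="%POLICY%" filterlist="Domain Controllers" filteraction="Permit"

REM 6. Review the result, then assign. Back out with assign=n if needed.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y
```

IPsec static filters are stateless, so replies to connections the server itself opens (to a non-DC DNS or update server, for instance) are caught by the inbound catch-all unless you add permits for them; keep assign=no until that has been tested on a non-production box.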


