Re: port blocking on Windows 2000/2003 servers
From: Phil McNeill (philmcneill_at_NOSPAM4MEhydroottawa.com)
Date: 11/23/04
- Previous message: Steven L Umbach: "Re: Event viewer Login and logoff"
- In reply to: Steven L Umbach: "Re: port blocking on Windows 2000/2003 servers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 23 Nov 2004 16:17:57 -0500
Thanks very much Steve! I'll have a look.
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:Oc15$QZ0EHA.3588@TK2MSFTNGP14.phx.gbl...
> The Windows 2003 Security guide does exactly what you want and starts with
> a baseline security configuration and goes from there with chapters based
> on server role. It recommends the use of an ipsec "filtering" policy to
> secure ports on servers. If you implement an ipsec "negotiation" policy be
> aware that domain controllers must be exempt from the ipsec policy with
> domain members by their IP address as they are the Kerberos distribution
> centers or else all kinds of problems can ensue. FYI I would not recommend
> applying security templates to a production computer - be sure to test out
> first and best practice would be to import them into a domain or
> Organizational Unit Group Policy, other than default ones, to implement
> which will make it easy to disable the GPO with the template. IPsec policy
> cannot be applied via a security template. The Windows 2003 Security
> Guide is available at the link below. Note that W2003 security templates
> will not be totally compatible with W2K servers as many of the security
> options do not exist on W2K and results will be unpredictable at best.
> Best practice would be to place the different operating systems in
> different OUs and apply appropriate security templates to each. --- Steve
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
> http://tinyurl.com/dkbu -- free download.
>
> "Phil McNeill" <philmcneill@NOSPAM4MEhydroottawa.com> wrote in message
> news:udzJRZX0EHA.632@TK2MSFTNGP10.phx.gbl...
>> Hi,
>>
>> I am looking for recommendations on what would be the best thing to use
>> to lock down all unneeded ports on Windows 2000 Server and Windows Server
>> 2003 servers. Basically, we are looking at implementing policy that will
>> have us not only ensuring all unneeded services are disabled, but
>> ensuring some kind of packet filtering is in place on each individual
>> server that will block all port access except those specifically defined
>> as allowed. We will likely want to get as granular as specifying which
>> servers/clients can talk to which other servers/clients.
>>
>> 1. How many other people out there are doing this, and how onerous of a
>> task is it to implement/manage?
>>
>> 2. What's the best thing to be using to do it with? IPSEC policies, or
>> do I want some kind of software firewalls on each server?
>>
>> Thanks for any and all tips/advice.
>>
>> Phil
>>
>
>
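The "filtering" IPsec policy Steve recommends, as an added example that is not part of the thread or the Security Guide: a block-all-inbound policy for a Windows Server 2003 member server with a short allow list and the domain controller exemption he describes. It assumes the server only needs RDP (3389) and HTTPS (443) inbound and that the domain controller is at 10.0.0.10 (constructed placeholder); Windows 2000 has no netsh ipsec context and would need ipseccmd.exe instead.

```batch
@echo off
REM Added example (not from the thread): a permit/block IPsec "filtering"
REM policy for a Windows Server 2003 member server, built with netsh ipsec static.
REM Assumptions: inbound RDP (3389) and HTTPS (443) only; DC at 10.0.0.10
REM (constructed placeholder). Apply to a test OU / lab host before production.

set POLICY=Member Server Lockdown
set DC_IP=10.0.0.10

REM 1. Policy container; it stays unassigned until the last step.
netsh ipsec static add policy name="%POLICY%" description="Block inbound except allowed ports"

REM 2. Plain permit/block filter actions. No "negotiate" action is used, so
REM    the domain controller never has to negotiate IPsec with this host.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

REM 3. Catch-all: any remote address to this host ("Me"), any protocol.
REM    mirrored=no keeps this inbound-only; outbound (DNS, WSUS, ...) is untouched.
netsh ipsec static add filterlist name="All Inbound"
netsh ipsec static add filter filterlist="All Inbound" srcaddr=Any dstaddr=Me protocol=ANY mirrored=no

REM 4. Allow list. Windows IPsec evaluates the most specific matching filter,
REM    not rule order, so these entries win over the catch-all above.
netsh ipsec static add filterlist name="Allowed Inbound"
netsh ipsec static add filter filterlist="Allowed Inbound" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=3389 mirrored=yes
netsh ipsec static add filter filterlist="Allowed Inbound" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=443 mirrored=yes
REM    Domain controller exemption: all traffic with the DC is permitted so
REM    Kerberos, LDAP and Group Policy processing keep working.
netsh ipsec static add filter filterlist="Allowed Inbound" srcaddr=%DC_IP% dstaddr=Me protocol=ANY mirrored=yes

REM 5. Bind each filter list to its action inside the policy.
netsh ipsec static add rule name="Block Everything Else" policy="%POLICY%" filterlist="All Inbound" filteraction="Block"
netsh ipsec static add rule name="Permit Allowed" policy="%POLICY%" filterlist="Allowed Inbound" filteraction="Permit"

REM 6. Review, then assign. Roll back with: netsh ipsec static set policy name="%POLICY%" assign=n
netsh ipsec static show policy name="%POLICY%"
netsh ipsec static set policy name="%POLICY%" assign=y
```

Run it from a local console session rather than over RDP the first time, since a mistake in the allow list cuts off the remote session; extend the allow list with the source/destination pairs your servers actually need before rolling it out.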