Re: What needs to talk to my systems?



Thank you very much for the helpful suggestions. I'd definitely monitor for
weeks if not more. I believe I understand what you're suggesting and agree.
Actually I also came up with an idea on how I might be able to do the type
of monitoring I was asking about. Windows firewall has a logging mechanism.
I suspect that if I set the firewall to "off" but turned the logging on for
successful connections, that might help. Thoughts?

-P

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:Oljr8mK4GHA.696@xxxxxxxxxxxxxxxxxxxxxxx
"TwistedPair" <twistedpair@xxxxxxxx> wrote in message
news:%23H%23pDqE4GHA.4820@xxxxxxxxxxxxxxxxxxxxxxx
All,
Is there a way to run something on a server that continuously monitors
which computers talk to it and compile a list of those computers over
time? Example: I'd like to lock down a list of computers, however I want
to be sure that I know what is accessing those machines. Once I get that
list, I take it to people who would know for sure which ones are okay,
and which ones aren't, and I can lock stuff down appropriately. I am
mostly concerned about connections that require domain authentication,
although other types of traffic would be nice as well. The point is to
lock stuff down, but not to the extent that it denies legitimate traffic.

-P


I think there is one big problem in your interesting approach.
How long do you watch before configuring the minimal net exposure?

I have a workstation joined to your domain. I work 70 hour weeks,
but still have not had need to access the DFS root directly, or to access
the employee info shared off the HR employee services server (been too
busy). Now, I try and cannot. What's with that?

Network exposure minimization is more often done prescriptively.
This machine is supposed to allow A, B, and C. For each of those
there is an "allowed to", and an "also requires". The "also requires"
would often be such as "authentication communications with DC of
all account domain in the forest". One of the "supposed to allow"s
needs to be "allow proper behaviors as member server in domain"
but most are things like "allow tcp 80/443 to internal IPs and VPN"

Roger
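
An added example, not part of the original thread: one way to turn a Windows Firewall log with successful-connection logging enabled into the per-peer list asked about above, keeping first-seen and last-seen times for each peer. The log lines, addresses and the `inventory` function are constructed for illustration; it assumes the log has a `#Fields:` header naming `action`, `protocol`, `src-ip`, `dst-ip` and `dst-port`, and that allowed connections are logged as `ALLOW` (or `OPEN` on older builds).

```python
# Constructed sample in the Windows Firewall log layout (pfirewall.log); not data from the thread.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2006-09-25 08:01:12 ALLOW TCP 10.0.0.21 10.0.0.5 49152 445 0 - 0 0 0 - - - RECEIVE
2006-09-25 08:03:40 ALLOW UDP 10.0.0.5 10.0.0.2 53211 53 0 - - - - - - - SEND
2006-09-25 09:15:02 DROP TCP 10.0.0.99 10.0.0.5 40000 3389 0 - 0 0 0 - - - RECEIVE
2006-09-26 17:45:30 ALLOW TCP 10.0.0.21 10.0.0.5 49170 445 0 - 0 0 0 - - - RECEIVE
2006-10-02 07:30:00 ALLOW TCP 10.0.0.34 10.0.0.5 50211 80 0 - 0 0 0 - - - RECEIVE
"""

# Assumption: successful connections appear as ALLOW, or OPEN in older log versions.
ALLOWED_ACTIONS = {"ALLOW", "OPEN"}


def inventory(log_text, server_ips):
    """Map (src-ip, protocol, dst-port) -> count/first/last for allowed inbound traffic."""
    fields, seen = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the log itself
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("action") not in ALLOWED_ACTIONS:
            continue                           # dropped traffic is not a working dependency
        src, dst = rec.get("src-ip"), rec.get("dst-ip")
        if src is None or dst not in server_ips or src in server_ips:
            continue                           # keep only traffic arriving at this server
        key = (src, rec.get("protocol"), rec.get("dst-port"))
        stamp = f"{rec.get('date')} {rec.get('time')}"   # ISO-style, so string order is time order
        entry = seen.setdefault(key, {"count": 0, "first": stamp, "last": stamp})
        entry["count"] += 1
        entry["first"] = min(entry["first"], stamp)
        entry["last"] = max(entry["last"], stamp)
    return seen


if __name__ == "__main__":
    for (src, proto, port), e in sorted(inventory(SAMPLE_LOG, {"10.0.0.5"}).items()):
        print(f"{src:<12} {proto}/{port:<5} x{e['count']}  {e['first']} .. {e['last']}")
```

A peer that never connected during the logging window does not appear in the output at all, which is the gap Roger's reply points at.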


