Re: What needs to talk to my systems?

I believe the firewall only logs when enabled (both the firewall and its
logging)

"TwistedPair" <twistedpair@xxxxxxxx> wrote in message
news:%23o5GzzN4GHA.4392@xxxxxxxxxxxxxxxxxxxxxxx
Thank you very much for the helpful suggestions. I'd definitely monitor
for weeks if not more. I believe I understand what you're suggesting and
agree. Actually I also came up with an idea on how I might be able to do
the type of monitoring I was asking about. Windows firewall has a logging
mechanism. I suspect that if I set the firewall to "off" but turned the
logging on for successful connections, that might help. Thoughts?

-P

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:Oljr8mK4GHA.696@xxxxxxxxxxxxxxxxxxxxxxx
"TwistedPair" <twistedpair@xxxxxxxx> wrote in message
news:%23H%23pDqE4GHA.4820@xxxxxxxxxxxxxxxxxxxxxxx
All,
Is there a way to run something on a server that continuously monitors
which computers talk to it and compile a list of those computers over
time? Example: I'd like to lock down a list of computers, however I want
to be sure that I know what is accessing those machines. Once I get
that list, I take it to people who would know for sure which ones are
okay, and which ones aren't, and I can lock stuff down appropriately. I
am mostly concerned about connections that require domain
authentication, although other types of traffic would be nice as well.
The point is to lock stuff down, but not to the extent that it denies
legitimate traffic.

-P


I think there is one big problem in your interesting approach.
How long do you watch before configuring the minimal net exposure?

I have a workstation joined to your domain. I work 70 hour weeks,
but still have not had need to access the DFS root directly, or to access
the employee info shared off the HR employee services server (been too
busy). Now, I try and cannot. What's with that?

Network exposure minimization is more often done prescriptively.
This machine is supposed to allow A, B, and C. For each of those
there is an "allowed to", and an "also requires". The "also requires"
would often be such as "authentication communications with DCs of
all account domains in the forest". One of the "supposed to allow"s
needs to be "allow proper behaviors as member server in domain",
but most are things like "allow tcp 80/443 to internal IPs and VPN".

Roger
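The monitoring the original poster describes, compiling a list of hosts that successfully connected to the server from the Windows Firewall log, as an added Python example that is not code from anyone in this thread. It assumes the pfirewall.log layout (a `#Fields:` header naming the columns, OPEN/ALLOW/DROP actions and a SEND/RECEIVE path); the log lines, host addresses and the approved list are constructed for the example. As the top reply notes, the log only fills while the firewall service and its logging are enabled, so the inventory covers only that period. Run on the SEND entries instead, the same parser lists what the server itself reaches out to (the "also requires" in Roger's prescriptive approach), such as Kerberos to a DC.

```python
"""Compile an inventory of hosts that connect to a server from Windows
Firewall log lines (pfirewall.log, W3C extended log format).

Added example for this thread, not code from any poster. It assumes the
log was written with logging of successful connections enabled and that
the column order follows the #Fields header in SAMPLE_LOG below.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log in the layout of a pfirewall.log file (not real data).
# 10.0.5.10 is the monitored server; 10.0.1.2 plays the domain controller.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-10-02 08:15:01 OPEN TCP 10.0.5.21 10.0.5.10 1067 445 - - - - - - - - RECEIVE
2006-10-02 08:15:02 OPEN TCP 10.0.5.21 10.0.5.10 1068 139 - - - - - - - - RECEIVE
2006-10-02 08:20:11 OPEN TCP 10.0.5.33 10.0.5.10 2231 445 - - - - - - - - RECEIVE
2006-10-02 08:21:40 DROP TCP 192.168.7.9 10.0.5.10 3399 3389 48 S 12345 0 65535 - - - RECEIVE
2006-10-02 09:02:00 OPEN TCP 10.0.5.10 10.0.1.2 1090 88 - - - - - - - - SEND
2006-10-03 10:44:12 OPEN TCP 10.0.5.21 10.0.5.10 1201 445 - - - - - - - - RECEIVE
2006-10-03 11:00:00 CLOSE TCP 10.0.5.21 10.0.5.10 1201 445 - - - - - - - - RECEIVE
"""

# OPEN is the XP SP2 / 2003 SP1 wording, ALLOW the later one; either means success.
SUCCESS_ACTIONS = {"OPEN", "ALLOW"}


@dataclass
class PeerRecord:
    first_seen: datetime
    last_seen: datetime
    connections: int = 0
    dst_ports: set = field(default_factory=set)


def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def build_inventory(text, direction="RECEIVE"):
    """direction='RECEIVE': hosts that reached this server (the poster's question).
    direction='SEND': hosts this server itself connects to (its dependencies).
    Only successful connections count; DROP and CLOSE lines are ignored."""
    inv = {}
    for rec in parse_log(text):
        if rec["action"] not in SUCCESS_ACTIONS or rec["path"] != direction:
            continue
        peer = rec["src-ip"] if direction == "RECEIVE" else rec["dst-ip"]
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        entry = inv.get(peer)
        if entry is None:
            entry = inv[peer] = PeerRecord(first_seen=ts, last_seen=ts)
        entry.first_seen = min(entry.first_seen, ts)
        entry.last_seen = max(entry.last_seen, ts)
        entry.connections += 1
        entry.dst_ports.add(int(rec["dst-port"]))
    return inv


def unexpected_sources(inv, approved):
    """Peers seen in the log that the owners have not confirmed as legitimate."""
    return sorted(ip for ip in inv if ip not in approved)


def main():
    inv = build_inventory(SAMPLE_LOG)
    for ip, r in sorted(inv.items()):
        print(f"{ip:15} first={r.first_seen:%Y-%m-%d %H:%M} "
              f"last={r.last_seen:%Y-%m-%d %H:%M} "
              f"conns={r.connections} ports={sorted(r.dst_ports)}")
    # Constructed approved list: only one of the two observed hosts is known.
    print("not on the approved list:", unexpected_sources(inv, {"10.0.5.21"}))
    print("outbound dependencies:", sorted(build_inventory(SAMPLE_LOG, "SEND")))


if __name__ == "__main__":
    main()
```

The inventory records first and last sighting per host, so a host that appears only once in weeks of data stands out for the follow-up conversation the poster intends; a DROP line never enters it, and the CLOSE line for an already counted connection is not double counted.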