Posted by Roger Abell [MVP] on March 7, 2006, 12:45 am
SCW would be useful, but to a non-admin running it and steering
through the tree of decisions it wants might be, well, discouraging.
What you could use is IPsec by assigning a policy that does nothing
with nic 1, but with nic 2 has one rule to block everything, and then
another to allow the one desired IP or the one desired IP for the
needed protocol/port.
Try google on IPsec in Windows as there are a number of writeups,
and there is a newsgroup here on msnews specifically for IPsec.
Just keep in mind that industry IPsec is intended to cause security
associations to be formed between the two network endpoints and
by these ensure integrity of the packet exchange or privacy of the
packet stream payload. In order to do this, the implementation of
IPsec needs to identify what can try to form associations.
What I was suggesting is to use IPsec in a filter mode, not to form
associations, but just to reject/accept packets.
As the machine is W2k3 you could try doing everything with the
builtin firewall, but you would need to do so carefully as it can be
a little too easy to allow exceptions that you did not think should
happen.
> I'm a programmer so my sys admin knowledge is limited so forgive me if
> this is a simple question.
> Customer has a WIN 2003 Server with 2 NIC cards.
> 1st NIC is connected to an industrial control system network.
> 2nd NIC is connected to the "plant" or normal company network.
> The goal is to lockdown the second NIC card to allow connection only
> to/from a single fixed IP address over a single port to communicate
> with an app on the other computer. The app only reads files from a
> specific directory on the 2003 machine.
> Question: is this possible and if so could someone direct me towards
> the appropriate doc or in on how to accomplish this? It looks like
> there is a "security wizard" as part of 2003 SP1 but I don't know
> where to start on this one.
> Any help would be greatly appreciated.
> Thanks
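The IPsec-in-filter-mode setup Roger describes, written out as an added example that is not part of the thread: a "netsh ipsec static" script for Windows Server 2003 with one catch-all block filter bound to NIC 2's address and one permit filter for the single peer and port. The addresses (192.0.2.x, a documentation range), port 445 and the policy, filter-list, action and rule names are constructed placeholders; replace them with the real NIC 2 address, the peer's address and the port the application actually uses.

```batch
@echo off
rem Added example, not from the thread. IPsec used purely as a packet
rem filter (permit/block actions, no security associations negotiated).
rem All values below are constructed placeholders.
set NIC2_IP=192.0.2.10
set PEER_IP=192.0.2.20
set APP_PORT=445

rem 1. Create the policy container; it stays unassigned until step 6.
netsh ipsec static add policy name="NIC2 lockdown" description="Block all but one peer on NIC 2"

rem 2. Catch-all filter list: anything to/from NIC 2's own address.
rem    Binding to NIC2_IP instead of "me" leaves NIC 1 untouched.
netsh ipsec static add filterlist name="NIC2 all traffic"
netsh ipsec static add filter filterlist="NIC2 all traffic" srcaddr=any dstaddr=%NIC2_IP% protocol=any mirrored=yes

rem 3. Specific filter list: the one peer, one TCP port, both directions.
rem    srcport=0 means any source port.
netsh ipsec static add filterlist name="NIC2 allowed peer"
netsh ipsec static add filter filterlist="NIC2 allowed peer" srcaddr=%PEER_IP% dstaddr=%NIC2_IP% protocol=TCP srcport=0 dstport=%APP_PORT% mirrored=yes

rem 4. Plain block and plain permit actions (no "negotiate", so no SAs).
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem 5. Tie each filter list to its action inside the policy.
netsh ipsec static add rule name="Block NIC2" policy="NIC2 lockdown" filterlist="NIC2 all traffic" filteraction="Block"
netsh ipsec static add rule name="Allow peer" policy="NIC2 lockdown" filterlist="NIC2 allowed peer" filteraction="Permit"

rem 6. Assign the policy. Run this from the console (or over NIC 1),
rem    because every other connection to NIC 2's address is cut at this point.
netsh ipsec static set policy name="NIC2 lockdown" assign=y

rem Review what was configured; "assign=n" on the set command backs it out.
netsh ipsec static show all
```

Two points matter for reading this script. First, IPsec does not apply filters in order; it applies the most specific matching filter, so the single-address, single-port permit wins over the catch-all block even though both match the peer's packets. That is what makes Roger's "block everything, then allow the one IP/port" pattern work. Second, with the policy assigned, remote administration of the server through NIC 2 is blocked along with everything else, so verify from the console first, and remember that IKE on UDP 500 stays exempt from IPsec filtering by default on Server 2003.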