Properly configured Windows 2003 server OK without a hardware firewall?

microsoft.public.windows.server.security
Posted by PJ6 on November 24, 2007, 12:00 pm
While I've been in the industry many years, I've never really been an admin,
and I'm new to security. I just got a dedicated server with 2003 Server
installed on it, and was wondering how dangerous it is to have a properly
configured (by someone who knows what they're doing) server facing the
internet without a hardware firewall.

Paul



Posted by Al Dunbar on November 24, 2007, 6:55 pm

> While I've been in the industry many years, I've never really been an
> admin, and I'm new to security. I just got a dedicated server with 2003
> Server installed on it, and was wondering how dangerous it is to have a
> properly configured (by someone who knows what they're doing) server
> facing the internet without a hardware firewall.

By properly configured, do you mean properly configured from the point of
view of security, or from the point of view of having it facing the
internet? By "someone who knows what they're doing" do you mean someone
competent enough to answer the question you asked, or someone just competent
enough to install w2k3 to get it running?

/Al



Posted by Leythos on November 24, 2007, 8:17 pm

> While I've been in the industry many years, I've never really been an admin,
> and I'm new to security. I just got a dedicated server with 2003 Server
> installed on it, and was wondering how dangerous it is to have a properly
> configured (by someone who knows what they're doing) server facing the
> internet without a hardware firewall.

Paul, I design secure networks, military, medical, etc... I've never had
a single compromised computer/network in all my years while the network
was under my control. At no point, ever, would I consider putting a
Windows Server live on the network without a firewall appliance, unless
it was a dedicated, stand-alone ISA 2004 server that had NO AD
connection to anything else; even then I would still want some firewall
connected to it.

If someone tells you, even an MS Security Expert, that they can configure
a Windows Server properly for direct connection to the internet and still
have that same server do anything productive, you need to run as fast as
possible in the other direction and never take advice from them.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Posted by PJ6 on November 25, 2007, 2:08 pm
> Paul, I design secure networks, military, medical, etc... I've never had
> a single compromised computer/network in all my years while the network
> was under my control. At no point, ever, would I consider putting a
> Windows Server live on the network without a firewall appliance, unless
> it was a dedicated, stand-alone ISA 2004 server that had NO AD
> connection to anything else; even then I would still want some firewall
> connected to it.
>
> If someone tells you, even an MS Security Expert, that they can configure
> a Windows Server properly for direct connection to the internet and still
> have that same server do anything productive, you need to run as fast as
> possible in the other direction and never take advice from them.

Well. The man advising me is a good friend, and I also tend to be able to
spot incompetence a mile away. He's well paid in his field and has many
years of experience; I'm quite sure there would be a big argument if you two
entered into a discussion on this subject.

That being said, I know I'm not qualified at all to make such assessments
myself - I am mostly a developer - and so will heed your advice and take the
more cautious path, even if it's more expensive. Another $90/month! Just one
site, and it's turning into a good car payment.

Thanks,
Paul



Posted by Roger Abell [MVP] on November 26, 2007, 12:25 am
>> Paul, I design secure networks, military, medical, etc... I've never had
>> a single compromised computer/network in all my years while the network
>> was under my control. At no point, ever, would I consider putting a
>> Windows Server live on the network without a firewall appliance, unless
>> it was a dedicated, stand-alone ISA 2004 server that had NO AD
>> connection to anything else; even then I would still want some firewall
>> connected to it.
>>
>> If someone tells you, even an MS Security Expert, that they can configure
>> a Windows Server properly for direct connection to the internet and still
>> have that same server do anything productive, you need to run as fast as
>> possible in the other direction and never take advice from them.
>
> Well. The man advising me is a good friend, and I also tend to be able to
> spot incompetence a mile away. He's well paid in his field and has many
> years of experience; I'm quite sure there would be a big argument if you
> two entered into a discussion on this subject.
>
> That being said, I know I'm not qualified at all to make such assessments
> myself - I am mostly a developer - and so will heed your advice and take
> the more cautious path, even if it's more expensive. Another $90/month!
> Just one site, and it's turning into a good car payment.
>
> Thanks,
> Paul

Paul,

I have to run W2k3 and W2k3r2 in instances outside of all hardware
network screening (i.e. bare on the internet), and, as may be of interest
to you, some of them running things that attract probing, like IIS 6.
There are some simple things you can do to harden W2k3.
To date I have not had one penetrated. Do the common-sense stuff:
service minimization, network protocol minimization, IPsec filtering
to define completely what is allowed (and nothing else), hard/long
pass phrases. Check the MS hardening guide if you want to go even
further; in your case, the things recommended for a bastion host.

As I said in my other post in this thread, I would not recommend that
one run any machine bare on the internet (Windows or otherwise)
if one has a choice. But on the other hand I do say it is certainly
possible to do so.

If you search around on the MS website you may find the case study
of the annual webserver crack/hack contests where for a few years
(I do not recall hearing of a recent contest) the IIS team placed IIS
servers into the contest which they configured mostly only by use
of IPsec filtering. The Tomcats got hacked but the IISs did not.
If you can find the writeups from those, the guys outlined what it
is that they did in configuring their machines.

Roger


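Roger's point about IPsec filtering "to define completely what is allowed (and nothing else)" is the bastion-host model of a default-deny host filter. The script below is an added illustration, not from anyone in this thread, of how that looks with the `netsh ipsec static` context on Windows Server 2003: a catch-all block rule plus narrow permit rules, relying on the fact that Windows IPsec applies the most specific matching filter. The policy and list names and the admin address 203.0.113.10 are constructed placeholders.

```batch
@echo off
rem Added example: default-deny IPsec host filter for a bare-internet W2k3 web host.
rem Windows IPsec applies the most specific matching filter, so one catch-all
rem block rule plus narrow permit rules gives a default-deny host filter.
rem Policy/list names and the admin address 203.0.113.10 are constructed.

set POL=Bastion-Web

rem 1. Policy container; it is created unassigned so nothing changes until the end.
netsh ipsec static add policy name="%POL%" description="Default-deny host filter for a bastion IIS server"

rem 2. Filter actions: a plain permit and a plain block (no IKE negotiation).
netsh ipsec static add filteraction name="Permit-Clear" action=permit
netsh ipsec static add filteraction name="Block-All" action=block

rem 3. Catch-all list: any address, any protocol, to this host (mirrored = both directions).
netsh ipsec static add filterlist name="FL-All-Traffic"
netsh ipsec static add filter filterlist="FL-All-Traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes

rem 4. Published services: HTTP and HTTPS from anywhere.
netsh ipsec static add filterlist name="FL-Web"
netsh ipsec static add filter filterlist="FL-Web" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="FL-Web" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=443 mirrored=yes

rem 5. Administration: RDP only from the single admin address (constructed placeholder).
netsh ipsec static add filterlist name="FL-Admin"
netsh ipsec static add filter filterlist="FL-Admin" srcaddr=203.0.113.10 dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes

rem 6. Rules tie each filter list to an action inside the policy.
netsh ipsec static add rule name="Block everything else" policy="%POL%" filterlist="FL-All-Traffic" filteraction="Block-All"
netsh ipsec static add rule name="Allow web" policy="%POL%" filterlist="FL-Web" filteraction="Permit-Clear"
netsh ipsec static add rule name="Allow admin RDP" policy="%POL%" filterlist="FL-Admin" filteraction="Permit-Clear"

rem 7. Review, then assign. Run from the console or from the admin address above:
rem    every other remote session is cut off the moment the policy is assigned.
netsh ipsec static show policy name="%POL%" level=verbose
netsh ipsec static set policy name="%POL%" assign=y
```

Because the catch-all list is mirrored, traffic the server itself originates (DNS lookups, Windows Update) is blocked too and needs its own permit list; also check the IPsec default-exemption setting (NoDefaultExempt) so the block rule really covers everything except IKE.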
