Hello Community,

 currently i'm thinking about the best security concept for running a windows machine live on the internet - does anybody have a good (and complete) tutorial which includes everything necessary? (i know about tons of MSDN articles...)

what do you say about my "very-simple-but-hopefully-secure" plan: i'm looking forward to close all in- and outgoing ports, except 80 for HTTP and VPN (don't know the number just right now). then for administration issues i will open a VPN connection and use TerminalClient to do administration to the machine. good idea?

regards!

 

Hello,

Not bad plan, stop all the services which you will not use, install a good firewall and make a regular backup.

The best security is not to prevent all the attacks, but to give you a sufficient time to react.

Regards

Hello,

thank you for comment.

I mean, i'm definitely no "pro-user" in this area, but this is the best idea i came accross with my "half knowledge", since it sounds most logical to me.

What would be the best way to "block" everything from my machine? The server's IP-table configuration?

Regarding the firewall: i'm not sure, but...isn't this the job of my provider to install my maschine behind the firewall of their company?

 

Reards 

Hello,

Type in command prompt "netstat -a" and check which net services are on, and which ports are open.

Yes, talk with your hosting provider, your machine should be behind firewall.

Regards

ciao,

 lets say, i'm running IIS and SQLserver on the same machine ( a "one maschine installation", so to say); can't i just block any out- & ingoing traffic via IP-tables, except HTTP and VPN? as said, i'm no pro-admin, but i think this should work and doing it this way, i don't have to care about unused services, i thought?

 

Hello,

For more info you could check here - http://support.microsoft.com/kb/816792.

And do not forget to make a regular backup-s.

Regards

 Depending on how you are hosting your server, you may have the opportunity of adding a second machine. If so, put Smoothwall Linux on it as dedicated firewall. Of course if your server is a 4-cpu multicore, then run Server 2008, install the hypervsor, have one guest 2008 Svr to run IIS, another guest OS for SQL Server and yet another for your Firewall!

 

hi,

 i have to question on this, again:

wouldn't it be sufficient to just enable Routing&Remote Access Service, let it block all ports except HTTP (plus perhaps SMTP) and VPN? Then i can use RemoteDesktop over this VPN connection, and everything should be fine?

Do you have experiences with this type of configuration?

Regards

 

 >wouldn't it be sufficient to just enable Routing&Remote Access Service, let it block all ports except HTTP (plus perhaps SMTP) and VPN? Then I can use RemoteDesktop over this VPN connection, and everything should be fine?

This is certainly better than nothing.

>Do you have experiences with this type of configuration?
No

I suggest you raise a new thread asking about the adequecy of a RRAS solution.

Hi there,

Are you going to host your server in-house or are you going to acquire a dedicated server from a host? If you get a dedicated server from a host, you can actually purchase additional Firewall software to protect your server. The Windows default-installed firewall application might not be sophisticated enough to meet your requirements and therefore, I would recommend you to get an external firewall software, such as KVM.

johngrinder:

wouldn't it be sufficient to just enable Routing&Remote Access Service,

RRAS is not a firewall.  You're also running another unnecessary service on the box when you do this.  An external hardware firewall that does stateful packet inspection is what you want.  For more Windows security help, try the Technet forums and the Windows Server support sites.  For IIS security, you want www.iis.net, same login as here.

Jeff

jeff@zina.com:

RRAS is not a firewall.  You're also running another unnecessary service on the box when you do this.  An external hardware firewall that does stateful packet inspection is what you want.

 

Thank you Jeff, for clarifying RRAS

Keep in mind that all security is a trade off with functionality and convenience.  It's easier for you to manage the server through a VPN, but less secure than requiring physical access.  If you're 1,500 miles from the server though, the added security isn't very convenient.  As long as you're comfortablewith the added risk, in this case extremely minimal, then the convenience wins out.  For an absolutely secure server you need to wipe all the information off it, shred the hard drives, then melt the entire thing into a smoldering ingot, bury it in the backyard and pour a patio over the hole.  But that's not very convenient either.  :)

Jeff

Hi Jeff,

great to hear from you again!

Regarding RRAS: i know it is not what a security expert might call a "firewall", it just has a packet filter and this is (wrong) called "basic firewall" in the windows dialog text... What i still don't understand is the difference between the RRAS-packetfilter and the packetfilter one can figure within the networkconnections-tab?

I did some research regarding Windows security, i found this very interesting article (i think most of you already know it?):

"Windows Firewall Lacking", http://www.securityfocus.com/columnists/307

Unfortunately, this article gives no information which "windows-build-in" security tactics are better/worse ... since my box is hosted at a company of one of my (ex)collegues, i think i will ask him if he can put it behind a linux-based firewall since this make the most sense to me, currently.

 

:EDIT/

and i found the "Windows 2003 Server Security Guide" on this link: http://www.microsoft.com/downloads/details.aspx?familyid=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en, but this book is only about useraccount security, services etc....

 

 >I think I will ask him if he can put it behind a linux-based firewall since this make the most sense to me,

Smoothwall from www.smoothwall.org is a linux system specifically for use as a Firewall  As it has only the services for the firewall, there is minimal scope for it to be hacked.