Post #40,646
5/30/02 10:11:42 PM
|
Locking down a Windows 2000 Server
Any ideas or tips to do this? Any freeware or open source programs to help secure it (Firewalls, Proxies, etc?)
I just set up my W2K Server to the Internet, and I want to make sure that it is not a target to crackers.
So far:
#1 Removed C$ and D$ shares
#2 Disabled Guest account
#3 Remove access to group "Everyone" on the permisions
#4 Turned on Logging
#5 Updated to latest MS service packs and updates
Anything I've missed? Please don't say convert the server to Linux, I need to show off my ASP and W2K Server skills. I might got to Terminal Server later on and maybe rent out accounts?
I am free now, to choose my own destiny.
|
Post #40,654
5/30/02 11:26:46 PM
|
Put it behind a firewall.
I presume you've already done this, as you were talking about making it visible via your DSL router elsewhere.
Wade.
"Ah. One of the difficult questions."
|
Post #40,657
5/30/02 11:42:43 PM
|
Turn off
Packet responder... Make it a listener on the public interface... Unless it is a server needing to actually SERVE packets you should turn off ANY response. Unfortuneately it is a Registry entry that doesn't exist till you want to create it.
greg, curley95@attbi.com -- REMEMBER ED CURRY!!!
|
Post #40,721
5/31/02 12:21:45 PM
|
Oh man....
...I thought from the title you were gonna say "Tun off the power"...which is the only real way to secure an MS OS;-)
You were born...and so you're free...so Happy Birthday! Laurie Anderson
[link|mailto:bepatient@aol.com|BePatient]
|
Post #40,822
6/1/02 12:52:17 AM
|
Hehehe... thought crossed my mind... thought better of it!!
greg, curley95@attbi.com -- REMEMBER ED CURRY!!!
|
Post #40,764
5/31/02 4:33:14 PM
|
Packet Responder
What registry entry do I used to turn this off?
I am free now, to choose my own destiny.
|
Post #40,820
6/1/02 12:50:17 AM
|
If ya don't know...
Just get the MicroSoft Baseline Security Analyzer... For all the Bad things said about it... it DOES have some good uses. Just ignore it saying you don;t have patches applied that you know you do. Just be careful, it will make your machine unreachable. But it will still be able to reach others. That bit me in the Butt with the New WebJetAdmin piece of Crap HP is jamming down our throats, no loopback response either... EWWWWW. It's an all or nothing thing.
Just be fore-warned you will not be able to SERVE anything from it. That means no FTP service, no IIS service, NO Sharing.. No Ping response, No anything except being a client.
Not for the faint of heart... Anyways it takes about 12 registry settings to completely lock the packet responder up.
greg, curley95@attbi.com -- REMEMBER ED CURRY!!!
|
Post #40,855
6/1/02 4:19:23 PM
|
Well I want Web Services
I just want to block all the other crap from the server. I've been trying to get Sygate to work properly, easy to use my big toe!
I am free now, to choose my own destiny.
|
Post #40,885
6/1/02 11:24:46 PM
|
And now for something special...
Take a look [link|http://www.fwbuilder.org|HERE].
I know this is Linux based but I know the product works and makes it easy to get things to function the way you want.
You just gotta understand firewall rule progression... or order of processing or rememebr first rules that fits wins.
Only real requirement... Linux with the 2.4x kernel and IPTABLES v1.2.4 or later for debugging and logging to work properly.
Good Luck. Ask advice is free, err... well at least dirty looks are still free.
greg, curley95@attbi.com -- REMEMBER ED CURRY!!!
|
Post #40,684
5/31/02 7:20:01 AM
|
I'd start here
[link|http://www.tucows.com/firewall95.html|Tucows]
The [link|http://www.tucows.com/preview/213160.html|Sygate] offering looks interesting, and is free for personal use.
~~~)-Steven----
"I want you to remember that no bastard ever won a war by dying for his country.
He won it by making the other poor dumb bastard die for his country..."
General George S. Patton
|
