New Windows 2000 and IIS 5.0 security
I have a server up at [link|http://www.normad.com|normad.com] behind a DSL router, but I have a few ports open. POP3/SMTP, WWW, VNC, 4096, Proxy, etc. Any ideas on locking down these ports so it won't be vulnerable? I need to get the best security settings for these services that are available.

Please don't tell me to reformat and run Linux, for some reason Linux does not run on the hardware I am using for my server. It aborts with an abnormal error, and I have been over this before.

For an Alternative Nearly To Imitate IWETHEY please visit [link|http://pub75.ezboard.com/bantiiwethey|Board]
providing an alternative to IWETHEY since December 2002
New Here's the deal.
Windows 2000 Server has primitive at best packet filtering. It's not a firewall and packet filtering on the local box is not really to be relied upon.

All you can do is say "accept traffic on this port" or "don't accept traffic on this port" for either UDP or TCP. No rules, nothing like iptables.

In order to approach any degree of security, you'll need to configure a third Windows 2000 Server computer as a router and use packet filtering on that, or else install MS Internet Security & Acceleration Server (ISA Server).

Of course, all this is very expensive. But hey - you want to run Windows, you get to buy the licences.

Personally, and what I'd do in a work situation, is run a real firewall with something like Firewall-1 or Guardian. Homebrew firewalls are well and good, but there's no way I'd bet my network on Windows IP filtering.


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
New But there is third party software for Windows 2000
Why should I be limited to Microsoft's ISA, when I could use Winroute or something else at a much lower price? How about open source solutions? Don't any open sourced firewall solutions exist for Windows 2000?

You are almost making it sound like my only options are to buy that mega expensive ISA, and remember, I am out of work and not earning an income.

Not like I have a choice anyway, I already have the W2K Server license and Linux don't work on my hardware. Plus I cannot afford hardware that Linux will run on, for being out of a job. So I work with what I have.

For an Alternative Nearly To Imitate IWETHEY please visit [link|http://pub75.ezboard.com/bantiiwethey|Board]
providing an alternative to IWETHEY since December 2002
New Re: But there is third party software for Windows 2000
Why should I be limited to Microsoft's ISA, when I could use Winroute or something else at a much lower price? How about open source solutions? Don't any open sourced firewall solutions exist for Windows 2000?

I have a low opinion of WinRoute. I'm not aware of any open source firewall solutions.

You are almost making it sound like my only options are to buy that mega expensive ISA, and remember, I am out of work and not earning an income.

I know you are out of work and do not have an income right now. That is why I'm trying very hard to not say "just bloody get Linux working already". If you want to do Windows, you are going to have to accept the limitations that come of using legacy software. All firewall software for Windows that is worth its salt is very expensive. Them's the breaks, sorry.

Not like I have a choice anyway, I already have the W2K Server license and Linux don't work on my hardware. Plus I cannot afford hardware that Linux will run on, for being out of a job. So I work with what I have.

Your best bet is probably to save up a few dollars and obtain something like a [link|http://search.ebay.com/search/search.dll?cgiurl=http%3A%2F%2Fcgi.ebay.com%2Fws%2F&krd=1&from=R8&MfcISAPICommand=GetResult&ht=1&SortProperty=MetaEndSort&query=rt314|NetGear RT314 off eBay] - I got mine for 80 quid second hand a couple of years ago, and they're REALLY cheap now. Perhaps an Xmas pressie? What this wins you is a packet-filtering firewall in hardware with NAT and port-forwarding. It's also got a 4-port switch built in. Verra nice.

This route is probably going to cost you less in time and money than trying to make Windows something it can't be - a low-cost firewall.


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
New Second the box, and another possibility
I second trying to pick up a magic box. In addition to the one Peter mentioned, there are similar devices by Linksys, D-Link, and a few others. Cheap, easy to set up and maintain, and much safer than exposing Windows to the 'net. Basically you plug it in, plug your DSL router into the WAN port and your PC(s) into the LAN port(s), and point your PC's browser to the device's IP address and set it up.

Another option: Do you have an old 486 or better PC laying around? I have a P100/32meg/400megHD box with 2 NICs running headless with [link|http://www.smoothwall.org|smoothwall] running on it. Functions similar to the boxes mentioned above including the nifty web-based interface. It also gives you the ability to run the Squid web cache/proxy, Snort, and does very extensive logging. Cost is nothing but the all-but-junk hardware.
-----
Steve
New Re: But there is third party software for Windows 2000

I have a low opinion of WinRoute.

Completely unjustified. Winroute is a nearly perfect piece of software for a Windows gateway. It is lean and mean and extremely functional. A machine can be made a ghost to probing, and all the computers behind it. It does not hog the processor(s), it has blazing performance, and a simple but functional administration interface. For the fun of it, it has its own DHCP server and mail server. The former allows faultless synchronization of the NAT table. The latter could be used specifically to route administrative information from machine to machine.
-drl
New Re: Windows 2000 and IIS 5.0 security
Gah as we spoke, someone hacked into my web server and changed the main page. They claimed on the page that they were [link|http://profiles.yahoo.com/istryfe|iStryfe] and that they owned my box. I need some security settings or software PDQ! Help!

Good thing I don't keep important files, except the web files on the web server box running Windows 2000. Really odd is that Knoppix CDR disks boot off of it, but the Red Hat 7.X and 8.0 disks boot, but give me an abnormal error message after trying to install the OS. Any ideas? I'd like to go Linux, but even Linux boxes get hacked [link|http://wwww.affinitybbs.com|Like this one] which CK Kid aka Wickie runs.

Any ideas?

For an Alternative Nearly To Imitate IWETHEY please visit [link|http://pub75.ezboard.com/bantiiwethey|Board]
providing an alternative to IWETHEY since December 2002
New Installation problems and hardware glitches
Condolences.

orion wrote:

Good thing I don't keep important files, except the web files on the web server box running Windows 2000. Really odd is that Knoppix CDR disks boot off of it, but the Red Hat 7.X and 8.0 disks boot, but give me an abnormal error message after trying to install the OS.

You need to be a great deal more specific than that, before you can get useful help. (Surely, you've been around these forums long enough to know that you need to fully quote the error message, at the bare minimum!) Few people are even going to try to help you if they have to guess the nature of the symptom. I'm going to take a shot at this nonetheless -- once only.

Under the assumption that the error concerned the hard drive, the nature of the problem would then be either (1) high-level logical content (formatting and partition table), (2) low-level formatting, or (3) physical. Yes, you could conceivably have any of the above and still run some Microsoft OS (except that any physical problems would have to be localised-only).

Back up the "Web files" (and anything else you don't want to lose) to elsewhere. Then, boot a Knoppix or LNX-BBC CD, or a Tom's Root-Boot, or some other maintenance disk. Type "dd if=/dev/zero of=/dev/hda bs=512 count=1". Be aware that this will overwrite your first hard drive's sector zero containing boot code and partition table with all zeroes. Effectively, this wipes the drive (to a first approximation). Make sure you're sure you're OK with that result, before issuing the command. Suggestion: Also use that maintenance disk to set up Linux data and swap partitions in your partition table. They're more reliable than are the partitioners in Linux distribution installers such as Red Hat's.

At this point, you might want to try a Linux installation again. You've not eliminated all hard drive-related causes of installation failure, but dodgy partition tables, leftover damage from boot-sector viruses, and defective leftover filesystems ("partitions") have been eliminated from consideration. Suggestion: When you have the Linux installer make filesystems in the partition-table entries you established in the prior paragraph, select "Check for bad blocks." This tests individual sectors for readability, and maps out ones that fail to test OK.

If the installer still doesn't like your hard drive (which I assume is IDE), then it might be worthwhile checking your hard drive manufacturer's Web/ftp sites for a "low-level formatting utility" or "pseudo-low-level formatting utility" specific to that make and model of hard drive. These are usually written for MS-DOS, and rewrite the hard drive's low-level timing tracks, often rejuvenating drives that you were prepared to discard as "failing" or "unreliable".

If none of the above fixes your problem, and you still have hard drive-related errors, then it could be a BIOS setting (try reverting to factory defaults, in your CMOS BIOS Setup program), or a slightly defective hard drive, IDE controller, or other motherboard circuitry. If it were an extremely new motherboard, it could even be a chipset whose quirks the installer's Linux kernel can't yet contend with -- but that sounds unlikely in your case.

Again, if you want help, please be [link|http://www.tuxedo.org/~esr/faqs/smart-questions.html|specific]. Thanks.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
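
An added example, not part of Rick Moen's post: the sector-zero overwrite he describes, run against a constructed scratch image file instead of /dev/hda. It shows that only the 512 bytes holding the boot code and partition table change, that data in later sectors stays readable, and that a saved copy of sector zero reverses the step. The file paths, function names and image contents are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: operates on a scratch image file only, never on /dev/hda.
# IMG and BACKUP are hypothetical paths; the "disk" contents are constructed.
IMG="${TMPDIR:-/tmp}/sector0-demo.img"
BACKUP="${TMPDIR:-/tmp}/sector0-demo.bak"

# Build a 1 MiB image: one partition entry of type 0x83 at offset 450,
# boot signature 0x55 0xAA at offset 510, and file data in sector 1.
make_image() {
    dd if=/dev/zero of="$IMG" bs=512 count=2048 2>/dev/null
    printf '\203' | dd of="$IMG" bs=1 seek=450 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$IMG" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'WEBFILES' | dd of="$IMG" bs=512 seek=1 conv=notrunc 2>/dev/null
}

# Hex of the two-byte boot signature ("55aa" on a valid MBR).
boot_signature() {
    dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Succeeds only if all 512 bytes of sector zero are 0x00.
sector0_is_blank() {
    n=$(dd if="$1" bs=512 count=1 2>/dev/null | tr -d '\000' | wc -c | tr -d ' ')
    [ "$n" = "0" ]
}

# First 8 bytes of sector 1, i.e. data that lies beyond sector zero.
sector1_marker() {
    dd if="$1" bs=1 skip=512 count=8 2>/dev/null
}

# Keep a copy of sector zero before touching it.
save_sector0() { dd if="$IMG" of="$BACKUP" bs=512 count=1 2>/dev/null; }

# The command from the post, aimed at the image. conv=notrunc is needed only
# because a regular file, unlike a block device, would be truncated by dd.
zero_sector0() { dd if=/dev/zero of="$IMG" bs=512 count=1 conv=notrunc 2>/dev/null; }

restore_sector0() { dd if="$BACKUP" of="$IMG" bs=512 count=1 conv=notrunc 2>/dev/null; }

make_image && save_sector0
echo "before:   signature=$(boot_signature "$IMG")"
zero_sector0
sector0_is_blank "$IMG" && echo "zeroed:   signature=$(boot_signature "$IMG")"
echo "sector 1 still holds: $(sector1_marker "$IMG")"
restore_sector0
echo "restored: signature=$(boot_signature "$IMG")"
rm -f "$IMG" "$BACKUP"
```

Because everything past sector zero survives, this step clears a bad partition table but does not erase the drive's contents.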
New Re: Installation problems and hardware glitches
Normal install, formats and partitions correctly, tries to probe the monitor and video card, and then says "Unknown Monitor" and "Unknown Video Card" and then displays some graphic garbage and then displays the words "Abnormal Error" on a blank screen except with a command prompt.

Are there any log files I can check to make sure that there is more to this error message than just the words "Abnormal Error"? My local Linux friends are too busy to help me right now, and deSitter is out of the question as he is mad at me and ignoring me anyway. My local Linux Experts I know tell me that it is a hardware issue that Linux cannot handle. To try to buy another machine and a different monitor and try it again. Oh, if I had the cash to do so I would.

For an Alternative Nearly To Imitate IWETHEY please visit [link|http://pub75.ezboard.com/bantiiwethey|the ANTIIWETHEY Board]
providing an alternative to IWETHEY since December 2002
New Re: Installation problems and hardware glitches
orion wrote:

Normal install, formats and partitions correctly, tries to probe the monitor and video card, and then says "Unknown Monitor" and "Unknown Video Card" and then displays some graphic garbage and then displays the words "Abnormal Error" on a blank screen except with a command prompt.

1. I wrote: "If you want help, please be specific." You're now talking about a video problem, and yet you aren't posting information about your video hardware. Conclusion: You aren't yet serious about getting help.

My best guess based on your earlier non-description was that there was a hard drive problem. It now turns out that my stab-in-the-dark guess was wrong, and my effort writing all that lengthy analysis was wasted. Oh well: I can't get that time and effort back, but I can avoid making the same mistake twice.

2. If my video hardware were giving Linux installers a hard time, I'd do a text-mode installation first, and then work on getting X11 running after installation had otherwise completed successfully, as a separate problem. E.g., if using the Red Hat Linux installation disks, type "text" at the CD's boot prompt instead of just pressing the Enter key.

As to how to get help with your X11 problem, post-installation, (a) get serious, and (b) move to a more-appropriate forum.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
New Try text-mode install?
That might give him more to 'report'.

Imric's Tips for Living
  • Paranoia Is a Survival Trait
  • Pessimists are never disappointed - but sometimes, if they are very lucky, they can be pleasantly surprised...
  • Even though everyone is out to get you, it doesn't matter unless you let them win.
Edited by imric Dec. 15, 2002, 10:25:28 PM EST
New Echo effect
imric wrote:

Try text-mode install?

Immediately after I wrote:

If my video hardware were giving Linux installers a hard time, I'd do a text-mode installation first.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
New *chuckle*
*chuckle* *chuckle* *chuckle*...

Imric's Tips for Living
  • Paranoia Is a Survival Trait
  • Pessimists are never disappointed - but sometimes, if they are very lucky, they can be pleasantly surprised...
  • Even though everyone is out to get you, it doesn't matter unless you let them win.
     Windows 2000 and IIS 5.0 security - (orion) - (12)
         Here's the deal. - (pwhysall) - (4)
             But there is third party software for Windows 2000 - (orion) - (3)
                 Re: But there is third party software for Windows 2000 - (pwhysall) - (2)
                     Second the box, and another possibility - (Steve Lowe)
                     Re: But there is third party software for Windows 2000 - (deSitter)
         Re: Windows 2000 and IIS 5.0 security - (orion) - (6)
             Installation problems and hardware glitches - (rickmoen) - (5)
                 Re: Installation problems and hardware glitches - (orion) - (4)
                     Re: Installation problems and hardware glitches - (rickmoen) - (3)
                         Try text-mode install? - (imric) - (2)
                             Echo effect - (rickmoen) - (1)
                                 *chuckle* - (imric)
