 karan79
join:2004-08-02 Los Angeles, CA
reply to karan79
Re: Windows 2000 server
Thnx for the info guys...you have been most helpful!!
 Daniel Premium,MVM join:2000-06-26 Pleasanton, CA
reply to karan79
said by karan79: "What's the best way to secure a Windows 2000 server? It's acting as a web server."
Make your first stop the NSA Guidelines. There is some good information in those resources.
-- cat knowledge | grep understanding
  Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
reply to karan79
In my opinion, you need an external firewall for -any- web server. I feel that host-based firewalls (a sort of one of which is built in to Windows 2000, actually) are good, and all that.. but that a dedicated firewall appliance/server is a must for every single gateway to the Internet.
That said, Windows 2000 has built in two methods to permit only certain IPs to access a web site.
First, the built-in IPSec filtering can be used to prevent communications to certain ports/IPs on the server from certain IPs/networks, or allow ONLY from certain IPs/networks (once you get a default block policy in).
Second, any web server software itself can be configured to permit connections only from certain networks/IPs, as well (including IIS and Apache, one of which you almost certainly will be using, I'm guessing).
However, on a side-note, I will re-iterate the importance of having a separate firewall protecting this system, as well. That could be an additional software-based one (though consumer-level products don't often easily work with server-level operating systems - purposefully), or a separate hardware firewall. The problem is, even if you protect your one site how you want, you still have lots of other things exposed on that server which need to be protected by a firewall. The built-in IPSec functionality can be used to help, but there are known ways around that.
-- Windows, Mac, Linux, BSD - just use the right tool for the right job... end the OS Politics!
Real politics is much more interesting! www.georgewbush.com
 sivran Long Live The Suite Premium join:2003-09-15 Arlington, TX
·RoadRunner Cable
reply to karan79
Without knowing what web server software you're using...
This could be done with Kerio 2.1.5 (see Kerio-Tiny forum or my sig for link) using the Custom Address Group. Make a rule to allow access to local port 80 from the addresses listed in the Custom group, then make a second rule to deny access to local port 80 from anywhere. This second rule should be placed after the first rule, obviously.
If you wanted to do this externally you would need something much more flexible than a cheap Linky.
Either way will work, though. There are advantages and disadvantages to each approach.
-- TCPA - Treacherous Computing Kerio 2.1.5 - Best damn firewall Licenses should be per user, Ditch Norton! Get F-Prot!
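The two-rule setup in the post above works only if the rule list is read top-down and the first match wins. As an added example (not from the thread and not Kerio's code), this Python model assumes that evaluation order, uses constructed documentation-range addresses for the Custom Address Group, and flags any rule that an earlier rule makes unreachable.

```python
import ipaddress

# Constructed sample data: documentation-range addresses standing in for the
# "Custom Address Group" of clients allowed to reach the web server.
CUSTOM_GROUP = ["192.0.2.10", "198.51.100.0/24"]
ANYWHERE = ["0.0.0.0/0"]

def rule(action, local_port, sources):
    """Build one inbound rule: action, local port, list of source networks."""
    nets = [ipaddress.ip_network(s, strict=False) for s in sources]
    return {"action": action, "port": local_port, "sources": nets}

def evaluate(rules, src_ip, local_port, default="deny"):
    """Return the action of the first rule matching the connection (top-down)."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["port"] == local_port and any(addr in n for n in r["sources"]):
            return r["action"]
    return default  # assumption: nothing matched, so fall back to blocking

ALLOW_GROUP = rule("allow", 80, CUSTOM_GROUP)
DENY_ALL = rule("deny", 80, ANYWHERE)

CORRECT_ORDER = [ALLOW_GROUP, DENY_ALL]  # allow listed clients, then deny the rest
SWAPPED_ORDER = [DENY_ALL, ALLOW_GROUP]  # deny matches first; allow rule is dead

def audit(rules):
    """Return indexes of rules fully covered by an earlier rule on the same port."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier["port"] == later["port"] and all(
                any(n.subnet_of(e) for e in earlier["sources"])
                for n in later["sources"]
            ):
                shadowed.append(i)
                break
    return shadowed

if __name__ == "__main__":
    for name, rs in (("correct", CORRECT_ORDER), ("swapped", SWAPPED_ORDER)):
        for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
            print(name, ip, evaluate(rs, ip, 80))
        print(name, "shadowed rule indexes:", audit(rs))
```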
 karan79
join:2004-08-02 Los Angeles, CA
What's the best way to secure a Windows 2000 server? It's acting as a web server. I want to set it up in a way that only certain IP addresses can log into it, i.e. the page that comes up when you type »windows_server_ip/xyz.html is only allowed to be viewed if you belong to the specified IPs.
Do I need an external firewall? If so, any suggestions?
thnx