
Windows Server2008 Firewall Recommendations 3

Status
Not open for further replies.

zoeythecat

Technical User
May 2, 2002
1,666
US
Hi All,

We have a Windows 2003 native domain. I recently installed Windows 2008 server as a member server in the domain. I had issues pinging (I realize I could make this a firewall exception) from other servers to this server. I turned off the firewall and all is well. We of course are behind a firewall already, so do I really need this turned on?

I look forward to any opinions on this.

Thanks
 
Absolutely. You have a firewall on your network that separates your network from the Internet. That's good, because there are a lot of threats that can come in from the Internet. However, every modern Windows-based PC and server also has a software firewall built into the OS (and many security/antivirus suites include them as well). Why? Because the Internet isn't your only attack vector. What happens if someone comes into your business with a laptop that is infected with something? Once they plug into your network (or log on via wireless) you're essentially wide open to whatever they have on their laptop. All it takes is for a malicious worm or virus to get onto one system on your network and it can quickly spread to everything in your network. However, if you are using the software firewall that is built into Windows then you can block a significant portion of the traffic that can be used to attack your systems.

For example, at a former employer we kept all of the servers on a different subnet from all of the desktops/laptops/wireless LANs. We configured software firewalls on all of the client devices to block all traffic from the client device subnets. There wasn't any need in our case for our end-users' PCs to be communicating directly with each other anyway, and after they were locked down we could prevent a virus from spreading if a single machine was compromised. Then we configured the servers to only allow connections on ports that were required for services that they offered. In other words, the ports used for CIFS file shares were only open on file servers, not DCs, Exchange servers, etc. Ports used for FTP were only open on servers that ran FTP services, and so on. We went even further by restricting inter-server communication. For example, while all of the client PCs needed to talk to the Exchange server and the file/print server, the Exchange server and the file/print server didn't need to talk to each other, so that traffic would be blocked.

It takes a fair amount of effort to identify the ports and services that are required for every application, but once you know what you need you can configure a group policy to apply that config to all of your PCs and servers automatically, and it is well worth it. While I worked for that company we would occasionally have single, isolated malware infections (like most businesses) but we never once had an outbreak where the malware spread to a second machine from the first.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCSE:Security 2003
MCITP:Enterprise Administrator
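What the per-role approach above looks like applied to a single Windows Server 2008 member server with netsh advfirewall, as an added example rather than anything posted in this thread; the subnet addresses and the ROLE variable are constructed placeholders, and the same rules can be pushed through a Group Policy object instead of run locally.

```batch
@echo off
REM Added example: per-role inbound firewall policy for a Server 2008
REM member server. Subnets and ROLE are constructed placeholders.
set SERVER_SUBNET=10.0.10.0/24
set CLIENT_SUBNET=10.0.20.0/24
REM ROLE is "file" for a file server, "dc" for a domain controller;
REM anything else opens no share port at all.
set ROLE=file

REM 1. Keep the firewall on and drop unsolicited inbound traffic by default,
REM    instead of turning the whole thing off to fix one symptom.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

REM 2. The ping problem from the original question: allow ICMPv4 echo
REM    requests (type 8) from the server subnet only, not from everywhere.
netsh advfirewall firewall add rule name="Allow ICMPv4 echo from servers" dir=in action=allow protocol=icmpv4:8,any remoteip=%SERVER_SUBNET% profile=domain

REM 3. Role-specific ports. CIFS/SMB (TCP 445) is reachable from clients on
REM    file servers and, as the last reply in the thread points out, on DCs,
REM    because clients read SYSVOL for Group Policy and logon scripts.
REM    Any other role gets no SMB rule, so the default block applies.
set OPEN_SMB=0
if /i "%ROLE%"=="file" set OPEN_SMB=1
if /i "%ROLE%"=="dc" set OPEN_SMB=1
if "%OPEN_SMB%"=="1" (
  netsh advfirewall firewall add rule name="Allow SMB from clients" dir=in action=allow protocol=tcp localport=445 remoteip=%CLIENT_SUBNET% profile=domain
)

REM 4. Inter-server traffic this role does not offer a service for is left
REM    to the default inbound block; no explicit allow rule, no access.

REM 5. Verify what is actually in effect before relying on it.
netsh advfirewall show domainprofile
netsh advfirewall firewall show rule name="Allow ICMPv4 echo from servers"
netsh advfirewall firewall show rule name="Allow SMB from clients"
```

Run it from an elevated command prompt; the equivalent settings live under Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security when deploying via Group Policy.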
 
Kmcferrin,

Great post. I do have it turned off for now. This will be our Exchange 2007 server eventually, so I will have to figure out what services I need to set as exceptions.

Thx
 
Use the Security Configuration Wizard (SCW). I wrote a multipart series on SCW on Exchange 2007 that starts here:
And recently wrote a follow up at that covers some issues with 2008 and the SCW for Exchange 2007.

The SCW can really help tighten up a server's attack surface.

And a star for kmcferrin for the great answer.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
kmcferrin said:
In other words, the ports used for CIFS file shares were only open on file servers, not DCs, Exchange servers, etc.

What? Did you guys not use Group Policy or login scripts? Clients need read access to sysvol shares for those features.
 