Security Basics mailing list archives

RE: Securing a Win2k DNS server outside firewall...


From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 6 Jun 2003 11:01:03 -0700

  I suspect that this port may be needed in order for them to
respond as members of the domain.  (My recommendation would be
that they don't need to be domain members, but let's assume you
don't have that option for some reason.)

  Second, while users invariably call it "outside the firewall", a
DMZ should actually be inside a perimeter firewall -- just separated
from the trusted internal network (by an additional access control 
point) because it accepts outside-originated traffic.

  Third, you can use the IPSEC configuration to block specific ports,
such as 135....

David Gillett
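The IPsec port block David points to, written out as an added example that is not from either poster: on Windows 2000 the local IPsec policy can be scripted with ipsecpol.exe from the Windows 2000 Resource Kit, and a block-only policy sidesteps the dynamic-port problem Mike hit with a host firewall, because anything the filters do not match still passes. The policy and rule names below are my own; the filter notation (`*=0:135:TCP`, meaning any source address, one-way, to this host's port 135) follows Microsoft's documented ipsecpol syntax, and the reuse of the same policy name to add a second rule is how the tool is documented to behave.

```batch
@echo off
REM Added example (not from the thread): block inbound RPC endpoint mapper traffic
REM (port 135) on a Win2k DNS server with a local IPsec policy.
REM Needs ipsecpol.exe (Windows 2000 Resource Kit) in an administrative cmd session.
REM Policy name "Block RPC 135" and the rule names are arbitrary choices.

REM Rule 1: drop inbound TCP 135.
REM   -w REG          write to the local (registry) policy store
REM   -p / -r         policy name / rule name
REM   -f *=0:135:TCP  any source (*), one-way (=), to this host (0), port 135, TCP
REM   -n BLOCK        negotiation policy: discard matching packets
ipsecpol -w REG -p "Block RPC 135" -r "Block Inbound TCP 135" -f *=0:135:TCP -n BLOCK

REM Rule 2: same policy name, second rule for UDP 135 (the endpoint mapper
REM listens on UDP as well). -x assigns (activates) the policy once both rules exist;
REM only one IPsec policy can be assigned at a time, which is why both rules
REM live in one policy rather than two.
ipsecpol -w REG -p "Block RPC 135" -r "Block Inbound UDP 135" -f *=0:135:UDP -n BLOCK -x

REM DNS itself (TCP/UDP 53 plus the ephemeral ports it answers from) is untouched:
REM the policy is default-permit and only the two filters above are blocked.

REM To back the change out, delete the policy from the local store:
REM   ipsecpol -w REG -p "Block RPC 135" -o
```

After assigning the policy, repeat the external port scan to confirm 135 no longer answers, and exercise whatever domain operations the servers depend on, since David's first point still stands: a member server may need inbound RPC for some domain functions, and this filter removes it.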



-----Original Message-----
From: VNV Jeep [mailto:vnvjeep () hotmail com]
Sent: June 6, 2003 10:05
To: security-basics () securityfocus com
Subject: Securing a Win2k DNS server outside firewall...


Hi All...

I have 2 Windows 2000 DNS servers sitting on the outside of our firewall.
They're vanilla installs of Win2k server, both running as member servers,
locked down as much as possible, running a primary & secondary DNS
configuration.  When running a port scan against these servers, one of the
only things that tends to worry me is that they both answer to port 135 RPC.

I've tried to figure out a way to prevent that port from being available,
but all I could find as far as answers go is that I'd need to run a firewall
to block it.  I did try running a small firewall on the servers, but ran
into issues since DNS tends to use a myriad of dynamic ports when answering
queries... Does anyone have any good ideas on how to lock down a Win2k
server like this so that the only thing available as far as services go is
DNS, and the replication thereof?

Thanks in advance for your advice...

Take care,
Mike
