Security Basics mailing list archives

RE: Securing a Win2k DNS server outside firewall...


From: "dave" <dave () netmedic net>
Date: Fri, 6 Jun 2003 16:53:39 -0400

If all it is is a DNS server, then:


Go to Network Properties;
Properties of the NIC you are protecting;
Leave only TCP/IP selected;
Highlight TCP/IP and Select properties;
Select advanced; 
Select the WINS tab;
Select Disable NetBIOS over TCP/IP;
Select Options;
Select TCP/IP Filtering Properties;
Select Enable TCP/IP Filtering for All Adapters;
  
Select Permit Only in all three boxes;
TCP add 53,1026,1027,1028,1029
UDP add 53,1026,1027,1028,1029
IP Proto add 6

Reboot and that is it.

You can verify it in Regedt32 by looking under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000} (the external interface)
RawIPAllowedProtocols:REG_MULTI_SZ:6
TCPAllowedPorts:REG_MULTI_SZ:53,1026,1027,1028,1029
UDPAllowedPorts:REG_MULTI_SZ:53,1026,1027,1028,1029

Now everyone is going to start bitching about what the UDP ports 1026 etc.
are for... the answer is, I do not know, but by playing around with this,
it is the configuration I got to work. I have 3 DNS servers running in this
configuration.

Also, you can add 20, 21 and 80, 443, and FTP and IIS can run on them.

Dave


 
_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net
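
The decision the filter above makes for each inbound packet can be modelled directly from the three registry values Dave says to verify. The following is an added example, not code from the original post or from Microsoft: it models Windows 2000 TCP/IP Filtering in "Permit Only" mode as a stateless, inbound-only filter keyed on destination port, decides TCP and UDP purely from TCPAllowedPorts/UDPAllowedPorts, sends every other protocol number to RawIPAllowedProtocols, and treats a list holding "0" as Permit All (these four points are assumptions of the model). The probe list, including the tcp/135 the original poster saw in his port scan, is constructed for the example; the filter values are the ones on the page.

```python
"""Model of Windows 2000 "TCP/IP Filtering" (Permit Only) decisions, driven by
the same registry values the post says to verify under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{GUID}.

Assumptions made by this model (not stated on the page):
  * the filter is stateless and applies to inbound packets only, keyed on the
    destination port; outbound traffic is never filtered;
  * TCP (protocol 6) and UDP (protocol 17) are decided solely by the
    TCPAllowedPorts / UDPAllowedPorts lists; any other protocol number is
    decided by RawIPAllowedProtocols;
  * a list containing the entry "0" means "Permit All"; an empty list with
    "Permit Only" selected permits nothing.
"""
from dataclasses import dataclass

TCP, UDP = 6, 17


def _parse_multi_sz(entries):
    """REG_MULTI_SZ port/protocol list -> frozenset of ints (0 encodes Permit All)."""
    return frozenset(int(e) for e in entries if e.strip())


@dataclass(frozen=True)
class TcpipFilter:
    tcp_allowed_ports: frozenset
    udp_allowed_ports: frozenset
    rawip_allowed_protocols: frozenset
    enabled: bool = True  # the "Enable TCP/IP Filtering (All adapters)" checkbox

    @classmethod
    def from_registry(cls, values, enabled=True):
        """Build a filter from a dict of the three REG_MULTI_SZ values."""
        return cls(
            _parse_multi_sz(values.get("TCPAllowedPorts", [])),
            _parse_multi_sz(values.get("UDPAllowedPorts", [])),
            _parse_multi_sz(values.get("RawIPAllowedProtocols", [])),
            enabled,
        )

    @staticmethod
    def _allowed(permit_list, value):
        # "0" in the list is how the Permit All radio button is stored (assumption).
        return 0 in permit_list or value in permit_list

    def permits_inbound(self, protocol, dst_port=None):
        """True if an inbound packet with this IP protocol / destination port is accepted."""
        if not self.enabled:
            return True
        if protocol == TCP:
            return self._allowed(self.tcp_allowed_ports, dst_port)
        if protocol == UDP:
            return self._allowed(self.udp_allowed_ports, dst_port)
        # Everything that is not TCP/UDP is judged by protocol number only.
        return self._allowed(self.rawip_allowed_protocols, protocol)


# The registry values exactly as the post says to verify them.
DNS_ONLY_VALUES = {
    "TCPAllowedPorts": ["53", "1026", "1027", "1028", "1029"],
    "UDPAllowedPorts": ["53", "1026", "1027", "1028", "1029"],
    "RawIPAllowedProtocols": ["6"],
}

# Constructed probe set: what a scanner or DNS traffic would hit on the box.
PROBES = [
    ("tcp/135 RPC endpoint mapper (the port the original poster saw open)", TCP, 135),
    ("tcp/139 NetBIOS session", TCP, 139),
    ("tcp/445 SMB over TCP", TCP, 445),
    ("tcp/53 DNS zone transfer from the secondary", TCP, 53),
    ("udp/53 DNS query", UDP, 53),
    ("udp/1027 reply to a query this server sent from an ephemeral port", UDP, 1027),
    ("udp/1030 same, but from a port outside the listed range", UDP, 1030),
    ("proto 47 GRE", 47, None),
]


def audit(filt, probes=PROBES):
    """Return {label: permitted?} for every probe against a filter."""
    return {label: filt.permits_inbound(proto, port) for label, proto, port in probes}


def exposed(filt, probes=PROBES):
    """Labels of the probes the filter still lets through (what a scan would report)."""
    return [label for label, ok in audit(filt, probes).items() if ok]


if __name__ == "__main__":
    unfiltered = TcpipFilter.from_registry({}, enabled=False)  # vanilla install
    dns_only = TcpipFilter.from_registry(DNS_ONLY_VALUES)
    for name, f in (("unfiltered", unfiltered), ("dns_only", dns_only)):
        print(f"== {name} ==")
        for label, ok in audit(f).items():
            print(f"  {'PERMIT' if ok else 'DROP  '} {label}")
```

Two things the model makes visible that the click-through list does not: adding protocol 6 to the IP-protocol list changes nothing for TCP, because TCP is judged by the port list alone; and since the filter is stateless and inbound-only, a reply to a query the server itself sent out from an ephemeral source port is an inbound packet to that port and is dropped unless the port is listed, which is one plausible reason the extra 1026 to 1029 entries were needed to get the servers working. Note the model does not cover whether ICMP is subject to the protocol list; do not read its GRE probe as a statement about ping.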

 

-----Original Message-----
From: beartman () thoughtworks com [mailto:beartman () thoughtworks com] 
Sent: Friday, June 06, 2003 15:48
Cc: security-basics () securityfocus com
Subject: Re: Securing a Win2k DNS server outside firewall...

If it's a Win2K box....

In the Network properties of the NIC, double click TCP/IP, then click 
advanced.

Under the WINS tab, select the Disable NetBIOS over TCP/IP.  That should 
do the trick.




"VNV Jeep" <vnvjeep () hotmail com>
06/06/2003 12:05 PM

To: security-basics () securityfocus com
Subject: Securing a Win2k DNS server outside firewall...

Hi All...

I have 2 Windows 2000 DNS servers sitting on the outside of our firewall.
They're vanilla installs of Win2k server, both running as member servers,
locked down as much as possible, running a primary & secondary DNS
configuration. When running a port scan against these servers, one of the
only things that tends to worry me is that they both answer to port 135 RPC.
I've tried to figure out a way to prevent that port from being available,
but all I could find as far as answers go is that I'd need to run a firewall
to block it. I did try running a small firewall on the servers, but ran
into issues since DNS tends to use a myriad of dynamic ports when answering
queries... Does anyone have any good ideas on how to lock down a Win2k
server like this so that the only thing available as far as services go is
DNS, and the replication thereof?

Thanks in advance for your advice...

Take care,
Mike


