Security Basics mailing list archives

RE: Securing a Win2k DNS server outside firewall...


From: "Manuel Fernandes" <manuelf () mailblocks com>
Date: Fri, 6 Jun 2003 16:12:10 -0700

Cheap, quick and dirty solution: have you considered just implementing port
filtering on TCP/IP on the machine itself? Just open the desired ports
(i.e. DNS/HTTP/LDAP) and block the rest!

Read more:
http://www.jsiinc.com/SUBL/tip5700/rh5799.htm

I would work towards a DMZ someday.

Manuel

-----Original Message-----
From: VNV Jeep [mailto:vnvjeep () hotmail com] 
Sent: Friday, June 06, 2003 11:31 AM
To: Bob.Bermingham () idc-mcs com; security-basics () securityfocus com

Thanks for the message back, Bob...

I'm pretty sure that if you unbind File and Print sharing and client 
for Microsoft Networks from the network adapter, it will stop 
responding to RPC requests. If you're only using the boxes for DNS, it 
shouldn't cause any problems.

Unfortunately that isn't the case.  I have everything disabled with the
exception of TCP/IP in the NIC properties.  I had the same thought that you
did back when I set these up... no dice.

I was even thinking of disabling the RPC service, but apparently the DNS
service relies on it... so I guess I'm forced to keep it running.

Other suggestions I've received (thanks to all who responded so far):
- Block 135 from the router to this particular IP
- Use IPsec/GP for 135.
- Stick the DNS boxes in a DMZ.

Take care,
Mike

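Manuel's host-level filter and the "block 135" suggestions in Mike's list both come down to an allowlist of ports the box may answer on. The script below is an added example and is not part of either message: it parses a constructed `netstat -an` listing (documentation addresses, not a real host) and checks it against a Windows 2000 TCP/IP Filtering policy. One caveat it encodes: that dialog keeps separate "Permit Only" lists for TCP ports, UDP ports and IP protocols, so a DNS server needs 53 on both the TCP and the UDP list, and leaving the UDP list at "Permit All" leaves UDP 135 open. The filter also only drops unsolicited inbound packets; the RPC service Mike cannot stop keeps listening, which is why a second layer at the router is still worth having. The filter class, port numbers and sample output are assumptions for illustration.

```python
"""Audit a Windows 2000 DNS host's listeners against a TCP/IP Filtering policy.

Win2k TCP/IP Filtering (Advanced TCP/IP Settings -> Options, "all adapters")
keeps three 'Permit All' / 'Permit Only' lists: TCP ports, UDP ports and IP
protocols. It drops unsolicited inbound packets; the services keep listening.
This script parses a `netstat -an` listing and reports what the policy leaves
reachable, what it blocks, and common mistakes in the policy itself.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample of `netstat -an` on a Win2k DNS server with only TCP/IP
# bound to the adapter (not captured from a real host; 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges). The RPC endpoint mapper on 135
# and a dynamic RPC port (1026) still listen, as Mike describes.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:53          198.51.100.7:3455      ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:135            *:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str  # "TCP" or "UDP"
    addr: str
    port: int


@dataclass(frozen=True)
class PermitOnlyFilter:
    """Hypothetical model of one TCP/IP Filtering policy. None stands for
    'Permit All' on that list; a set (even an empty one) for 'Permit Only'."""
    tcp_ports: Optional[FrozenSet[int]]
    udp_ports: Optional[FrozenSet[int]]

    def permits(self, l: Listener) -> bool:
        allowed = self.tcp_ports if l.proto == "TCP" else self.udp_ports
        return allowed is None or l.port in allowed


_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Listener]:
    """Return the listening sockets in a `netstat -an` listing.
    UDP rows carry no state column; for TCP only LISTENING rows count."""
    listeners = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header, blank or unrelated line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait sockets are not listeners
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def _key(l: Listener):
    return (l.proto, l.port)


def audit(listeners: List[Listener], flt: PermitOnlyFilter
          ) -> Tuple[List[Listener], List[Listener], List[str]]:
    """Split listeners into (reachable, blocked) under flt and collect
    warnings about the policy: missing DNS ports, exposed RPC ports."""
    reachable = sorted((l for l in listeners if flt.permits(l)), key=_key)
    blocked = sorted((l for l in listeners if not flt.permits(l)), key=_key)
    warnings = []
    # DNS is mostly UDP; TCP 53 is needed for zone transfers and truncated replies.
    if flt.udp_ports is not None and 53 not in flt.udp_ports:
        warnings.append("UDP 53 not permitted: ordinary DNS queries will be dropped")
    if flt.tcp_ports is not None and 53 not in flt.tcp_ports:
        warnings.append("TCP 53 not permitted: zone transfers and large replies will fail")
    for l in reachable:
        if l.port == 135:
            warnings.append(f"{l.proto} 135 (RPC endpoint mapper) is still reachable")
        elif l.proto == "TCP" and l.port >= 1024:
            warnings.append(f"TCP {l.port} (likely a dynamic RPC port) is still reachable")
    return reachable, blocked, warnings


if __name__ == "__main__":
    # Manuel's allowlist: DNS, HTTP, LDAP on TCP, and DNS on UDP as well.
    policy = PermitOnlyFilter(frozenset({53, 80, 389}), frozenset({53}))
    reachable, blocked, warnings = audit(parse_netstat(SAMPLE_NETSTAT), policy)
    print("reachable:", [(l.proto, l.port) for l in reachable])
    print("blocked:  ", [(l.proto, l.port) for l in blocked])
    print("warnings: ", warnings)
```

Run it against a real `netstat -an` capture instead of the sample to see what a given policy would still leave answering. The dynamic port 1026 is the reason a router ACL on 135 alone is weaker than the host filter: the endpoint mapper is what tells a client which high port to use, but the high port itself stays open unless something in front of it, on the host or at the router, only permits the three services.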

