Rick,

> I would have to disagree with HC's comments on this.
>
> First, there should always be some sort of protection between your LAN and
> the Internet.

I fully agree with this. However, that's not how I interpreted the OP's statements. To me, it sounds as if he wants to load a personal firewall system onto a web server...both the firewall and web server would be running on the same physical hardware. I agree that a security mechanism of some type is necessary between the Internet and a LAN.

> Second, if you start shutting down services on the W2K machine, then you are
> restricting access from within the LAN, making Administration and updating
> the system much harder, as it cannot be done remotely. If you follow this
> path, and turn off all the services you can think of, and miss one, then you
> are open to an attack.

Again, I answered the question from an entirely different perspective. The OP made no mention of a LAN, only:

"anyone can recommend software firewall for win2k adv. server ? it is planed to be used as web server"

No mention of a LAN. However, I think my point still stands...if you're running a web server, just a web server, and you want to protect it, 'tis better to shut off servers than to leave them running and install a firewall. W/ no services running, there is nothing to attack. W/ regards to missing one, tools like netstat and fport will show you very quickly whether you have something bound to a port or not.

> With a physical firewall, you specify what to allow, not what to disallow,
> making it much harder to miss something critical.

Actually, I'm not sure that would be all that much more effective than my suggestion. After all, if you're going to miss the fact that you've got a running service, how would you expect that same person to have the knowledge to explicitly permit or deny other services?

> Most, if not all, firewalls have an explicit deny all statement that covers
> you in the event that you forget something in your access lists.

Yes, they do...but this will also effectively disable necessary/needed services when not employed correctly.

Further, all of this stuff about firewalls is completely ineffective when port 80 is allowed through, and the web server isn't correctly configured.
