I suspect that this port may be needed in order for them to
respond as members of the domain.  (My recommendation would be
that they don't need to be domain members, but let's assume you
don't have that option for some reason.)

  Second, while users invariably call it "outside the firewall", a
DMZ should actually be inside a perimeter firewall -- just separated
from the trusted internal network (by an additional access control 
point) because it accepts outside-originated traffic.

  Third, you can use the IPsec configuration to block specific ports,
such as 135.

David Gillett



> -----Original Message-----
> From: VNV Jeep [mailto:[EMAIL PROTECTED]
> Sent: June 6, 2003 10:05
> To: [EMAIL PROTECTED]
> Subject: Securing a Win2k DNS server outside firewall...
> 
> 
> Hi All...
> 
> I have 2 Windows 2000 DNS servers sitting on the outside of our firewall.
> They're vanilla installs of Win2k server, both running as member servers,
> locked down as much as possible, running a primary & secondary DNS
> configuration.  When running a port scan against these servers, one of the
> only things that tends to worry me is that they both answer to port 135 RPC.
> I've tried to figure out a way to prevent that port from being available,
> but all I could find as far as answers go is that I'd need to run a firewall
> to block it.  I did try running a small firewall on the servers, but ran
> into issues since DNS tends to use a myriad of dynamic ports when answering
> queries... Does anyone have any good ideas on how to lock down a Win2k
> server like this so that the only thing available as far as services go is
> DNS, and the replication thereof?
> 
> Thanks in advance for your advice...
> 
> Take care,
> Mike
> 

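The IPsec port filtering David refers to, as an added example that is not part of the original thread: a complete packet-filter policy for a Windows 2000 member server that should expose nothing but DNS. It assumes ipsecpol.exe from the Windows 2000 Server Resource Kit is on the PATH and is run locally as an administrator; the policy and rule names and the PEER and DCNET addresses are placeholders I chose, not anything from the thread. The filter syntax is the tool's filterspec form (src[/mask]:port=dst[/mask]:port:protocol, with 0 meaning this host, * meaning any, and + instead of = making the filter mirrored so that the reply direction matches too).

```batch
@echo off
rem Added example (not from the original thread): IPsec packet filters for a
rem Win2k DNS server that should expose only DNS. Assumes ipsecpol.exe from the
rem Windows 2000 Server Resource Kit, run locally at the console as an
rem administrator. Placeholder addresses:
rem   PEER  = the other DNS server (zone transfers)
rem   DCNET = the internal subnet holding the domain controllers
set PEER=192.0.2.20
set DCNET=192.0.2.0/255.255.255.0
set POL="DNS-only filter"

rem Start clean: remove any earlier copy of this policy.
ipsecpol -w REG -p %POL% -o

rem 1. Queries from anywhere to our DNS service, UDP and TCP 53.
rem    The filter is mirrored (+), so our answers from port 53 back to the
rem    client's dynamic source port match the same filter. This is why the
rem    "myriad of dynamic ports" problem with a stateless host firewall does
rem    not come up here.
ipsecpol -w REG -p %POL% -r "Permit DNS queries" -f *+0:53:UDP *+0:53:TCP -n PASS

rem 2. Zone transfers (TCP 53) initiated by this server toward the peer.
rem    Inbound transfers from the peer are already covered by rule 1.
ipsecpol -w REG -p %POL% -r "Permit zone transfer to peer" -f 0+%PEER%:53:TCP -n PASS

rem 3. Recursive lookups this server originates: dynamic source port, dest 53.
rem    Caveat: because the mirror is stateless, this also lets any host that
rem    sources UDP from port 53 reach any UDP port on this server. Keep the
rem    server free of other UDP listeners, or drop this rule on a server that
rem    only serves its own zones (no recursion).
ipsecpol -w REG -p %POL% -r "Permit outbound resolver" -f 0+*:53:UDP -n PASS

rem 4. Domain-membership traffic (Kerberos, LDAP, RPC endpoint mapper and the
rem    dynamic RPC ports the DC hands out) is restricted by address, not port,
rem    because the DC side uses dynamic ports. No port or protocol given means
rem    any. Delete this rule if the servers are made standalone, as David
rem    recommends.
ipsecpol -w REG -p %POL% -r "Permit traffic with DC subnet" -f 0+%DCNET% -n PASS

rem 5. Everything else, including TCP 135 from the Internet, is blocked.
rem    Windows IPsec applies the most specific matching filter, so the
rem    permits above win over this catch-all regardless of the order added.
ipsecpol -w REG -p %POL% -r "Block all other traffic" -f 0+* -n BLOCK

rem Assign (activate) the policy. Use -y to unassign it again.
ipsecpol -w REG -p %POL% -x
```

Run this from the console, not over a remote session: the catch-all drops Terminal Services and everything else the moment the policy is assigned. Two Win2k caveats before trusting a rescan. First, the IPsec driver on Windows 2000 does not filter Kerberos or RSVP at all unless the NoDefaultExempt value is set under HKLM\SYSTEM\CurrentControlSet\Services\IPSEC, and it never filters IKE (UDP 500), broadcast or multicast, so a scan may still show those. Second, the check that matters is the one Mike already runs: rescan from outside after assigning the policy and confirm that TCP 135 no longer answers while UDP/TCP 53 still do; IP Security Monitor (ipsecmon.exe) shows whether the policy is active and the filters are loaded.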