Hi Mike,

You can lock down a Windows 2000 server without stopping any services or making important changes to its configuration.

You have to use the Local Security Policy administrative tool: in "IP Security Policies on Local Machine", right-click "Secure Server" and assign it. This way you will stop any traffic from any source (except the server itself). I think that, by default, in this configuration, the only traffic allowed is ping. If you want to remove it too: double-click "Secure Server" and select ICMP. Modify the properties and set "ask security" as the filtering action for all ICMP traffic. This way you will start with a fully locked box, like it should always be (maybe Windows 2003 ;-).

Now, just open the DNS traffic flow as you want. To allow external requests to your DNS, right-click "Secure Server" and select Properties, add a new rule without tunneling, for all network connections, using Kerberos, add a new filter called "53 DNS IN" or whatever, with any source address and your own address as destination, for TCP, any incoming port to your port 53. Go back to the security rule wizard, select your rule and authorize it. Do the same on the other DNS server and, after that, set a rule on both of them to allow them to communicate with each other freely, using the tunneling parameter. This way they will replicate.

As far as I understand, your DNS servers are members of an Active Directory domain and not stand-alone servers. So they have to communicate with the internal network from the DMZ (or maybe you have an Active Directory domain in your DMZ?). If they need to communicate with your internal network, you need to set rules on them for a lot of ports, and open these ports in your firewall too:
http://support.microsoft.com/default.aspx?scid=kb;en-us;179442
If they need to communicate in their own domain in the DMZ, just set tunneling with all Domain Controllers.

If they are stand-alone servers, the tunneling between the primary and secondary DNS server is enough, and anyway it's a good idea to build them as "bastions" in case you need to operate them for a time without server security enforced.
http://www.microsoft.com/serviceproviders/webhosting/security.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp

I hope this helps you, and sorry for my poor English and stories about click and double-click and right-click, but you know the Windows way of life ;-)

Pascal Rossillon.

-----Original Message-----
From: VNV Jeep [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 6, 2003 19:05
To: [EMAIL PROTECTED]
Subject: Securing a Win2k DNS server outside firewall...

Hi All...

I have 2 Windows 2000 DNS servers sitting on the outside of our firewall. They're vanilla installs of Win2k Server, both running as member servers, locked down as much as possible, running a primary & secondary DNS configuration. When running a port scan against these servers, one of the only things that tends to worry me is that they both answer on port 135 (RPC). I've tried to figure out a way to prevent that port from being available, but all I could find as far as answers go is that I'd need to run a firewall to block it. I did try running a small firewall on the servers, but ran into issues since DNS tends to use a myriad of dynamic ports when answering queries...

Does anyone have any good ideas on how to lock down a Win2k server like this so that the only thing available as far as services go is DNS, and the replication thereof?

Thanks in advance for your advice...

Take care,
Mike
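As an added example that is not part of Pascal's reply or Mike's question: the policy Pascal builds by clicking through the MMC, written as a script with ipsecpol.exe from the Windows 2000 Resource Kit, so it can be reviewed, kept in version control and applied identically to both servers. The addresses 192.0.2.10 (this server) and 192.0.2.11 (the other DNS server), the rule names and the pre-shared key are made up. The filter syntax (`*` any address, `0` this machine, `+` mirrored) is the one shown in Microsoft KB 813878; the `-n ESP[...]` and `-a PRESHARE:"..."` arguments are as documented for the Resource Kit tool and should be checked against `ipsecpol -?` on the box before use. It uses a pre-shared key instead of Kerberos, because Kerberos only works between members of the same domain, and transport mode (no tunnel endpoint) between the two servers.

```batch
@echo off
rem Added example (not from the original thread): Windows 2000 bastion
rem DNS server locked down with IPSec filters via ipsecpol.exe (Resource
rem Kit). Addresses, rule names and the key are made up for illustration.
rem Filter syntax: src[:port]+dst[:port][:proto]
rem   "*" = any address, "0" = this machine, "+" = mirrored, so the
rem   replies to outbound traffic match the same filter.

set POLICY=DNS Bastion
set PEER=192.0.2.11
set KEY=example-preshared-key-change-me

rem 1. Default deny: every protocol, every port, both directions.
rem    This also closes TCP 135 (RPC endpoint mapper), the port that
rem    showed up in the scan.
ipsecpol -w REG -p "%POLICY%" -r "Block all" -f *+0 -n BLOCK

rem 2. Permit the DNS service itself. IPSec applies the MOST SPECIFIC
rem    matching filter, so these narrow PASS filters override the
rem    catch-all BLOCK above regardless of the order they were added.
rem    Inbound queries to port 53: UDP, and TCP for large answers and
rem    zone transfers.
ipsecpol -w REG -p "%POLICY%" -r "DNS in UDP" -f *+0:53:UDP -n PASS
ipsecpol -w REG -p "%POLICY%" -r "DNS in TCP" -f *+0:53:TCP -n PASS

rem    Outbound queries this server sends (recursion / forwarders):
rem    dynamic source port, destination 53. Because the filter is
rem    mirrored the replies are admitted too, which is the "myriad of
rem    dynamic ports" a stateful host firewall tripped over.
ipsecpol -w REG -p "%POLICY%" -r "DNS out UDP" -f 0+*:53:UDP -n PASS
ipsecpol -w REG -p "%POLICY%" -r "DNS out TCP" -f 0+*:53:TCP -n PASS

rem 3. All traffic with the other DNS server (AXFR/IXFR, NOTIFY) must be
rem    authenticated and encrypted with ESP. Pre-shared key, since
rem    Kerberos needs both hosts in one domain; transport mode, since no
rem    tunnel endpoint is given. Use the same key on the peer.
ipsecpol -w REG -p "%POLICY%" -r "Peer DNS" -f 0+%PEER% -n ESP[3DES,SHA] -a PRESHARE:"%KEY%"

rem 4. ICMP is NOT permitted here (Pascal's point: the built-in "Secure
rem    Server" policy permits it). Add a PASS rule for protocol ICMP
rem    only if you need ping from the outside.

rem 5. Assign (activate) the policy. Unassign with -y if you lock
rem    yourself out of something you still need.
ipsecpol -w REG -p "%POLICY%" -x

rem Verify from another host, e.g.  nmap -sS -sU -p 53,135 192.0.2.10
rem Only 53/tcp and 53/udp should answer; 135/tcp should be filtered.
rem On the server, ipsecmon.exe shows the ESP security association to
rem %PEER% once a zone transfer has run.
```

Run this on both servers with PEER pointing at the other one. The two things worth checking afterwards are that the port scan now shows only 53 (a filter that did not apply, for instance because the policy was not assigned, leaves 135 open with no error message) and that the first zone transfer after assignment succeeds, since a mismatched key or a missing peer rule simply drops the AXFR rather than reporting a reason.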