December 28th, 2001, 10:32 PM
stand alone servers.
Im starting this thread to get some information on starting a stand-alone server. I do know the basics to starting one but would like to hear about the security side. Also wanted to hear about pro and cons of running a stand alone server and post your knowledge on stand alone servers. Thank you.
December 29th, 2001, 03:19 AM
A couple of questions that should help you get some intelligent answers to this....
What services are you trying to serve? WWW, FTP, file and print???
What OS are you interested in?
Are you talking about a stand alone NT or 2000 server(i.e. not in a domain)?
OR are you talking about something else entirely, and I missed it?
December 29th, 2001, 10:04 AM
Sorry about that I was talking about a windows 2000 computer not in a domain but in a workgroup enviroment. I hope that clears things up a bit.
December 29th, 2001, 11:06 AM
hmm so ur trying to say that you have a windows 2000 server.. in a work group.. not in a domain.. so mainly no one is connected to it.. right??
well if thats the case.. security is preety much high considering no one is linked to your server..
being in the workgroup they can only see that your computer is in the network but they cannot do anything about it. although they can get your ip address and other details of your server but the security isnt at risk compared if it is in a domain.
if your server is in a domain.. someone may legaly login with an account which you created on your server for your domain users and snoop inside your server (depending on what rights you gave that user) and acutally might compromise the security..
though a server without a domain is useless since it cannot communicate properly with other users/computers. putting it in a domain makes computers comunicate with it properly and efficiently which most crackers use to their advantage.
but when setting up domains you can monitor and know who and when someone accessed your network/server, which is also a good thing. in your domain you can effciently set up a proper security since you would know who and what you are dealing with.
its like a country.. think of the domain as a government under martial law.. you have the ruler (which is the server) who dictates what happens in the network , telling you who you are and what you can or cannot do..
with it.. he as power and control.. without it he is juz like any ordinary d00d accross the street..
presidents are prone to inside job attacks, assasinations, corruption.. but the normal d00d isnt..
but the normal d00d can also be killed, robbed etc... etc...
the ruler w/ a govt has high security.. and so as high security issues..
a normal d00d.. can make his own security, like putting alarm in houses, bringing self defence weapons with him or learning martial arts all of those are donen by him for him... but he can still be a sitting duck to any other d00d who wants to shoot him...
December 29th, 2001, 05:07 PM
Will people be able to access this machine from the internet?
Keeping a win2k system patched up to date is absolutely critical if you are allowing outside users access to the machine.
You want to make especially certain that you have updated to win2k SP2, and make sure that you have installed the IIS cumulative patch from August 15(is there a later one, maybe, dont remember.... might have seen one from December 13, but maybe that is IE patch...) you can find that cumulative patch here
Also, you may want to consider IIS Lockdown from the Microsoft Download site, or perhaps URL Scan also from the MS download site.
also there are lots of other vulnerabilities, outside of the IIS vulnerabilities, and it is very dificult(for me anyway) to keep up with which patches I have and which I need, etc.. etc... luckily MS has given us something called hfnetchk(an MS Provided Hot Fix/patch checker)which goes out to the MS site, and gets a list of available patches, then compares your machine to that list and lets you know which ones are missing.
you can find that here...
Once you have this, play with it for a bit, it is possible to set it up to email you the results of the check, if you can get that working, you may want set it up with Task Scheduler to run once a week or so, just to give yourself a bit of cushion in case you stop paying attention to the latest patches.
Of course, turn off any www or ftp etc... services that you do not want or need.
Renaming the administrator account to something else is also a good idea.
Of course also choose good passwords...
um, I am probably about to babble, so I will stop.
December 29th, 2001, 05:34 PM
Interesting metaphor S0nic! A stand alone server should be treated the same as any other node on the network as well as the DC. The main reason behind this is that it offers a backdoor for an intruder to gain a foot hold. The idea of having to comprimize only the domain controller in order to do any damage is somewhat true as far as privilidge rights etc... go. But, a hacker could gain control of a less secured box and use that as a levy to work his way up. Think of it as some "dood" holding the poor bastard in Sonic's story ransom and demanding to see the president....then shoots the president. You should use a stand alone server if you are running it to compliment the dc or if you don't really have services that require user to authenticate to that system. I would agree that a domain is a better decision for any type of corporate work because of the security that is involved. But if this is a home network and you are wanting users to be able to use the server for data storage or whatnot....just keep it as a workgroup and set the server to be part of that workgroup. By doing this you are pretty much trusting everybody in the group but can afford this because they are friends, roommates, etc... You can setup permissions on the shares to make sure they only have access to what you want them too. Do not share out your entire drive of course. If this is going to be a gateway or if you plain on multihoming it or whatnot for your internet connection.....I would suggest rethinking your stratagy and follow the advise posted above. There are a million different tweaks you can do to a 2000 box in order to make it secure but first fix the holes in the os with the patches. Then worry about services. Well....hope this helps.
January 4th, 2002, 05:24 PM
S0nic..... you get my award for metaphor of the week!!
as far as the actual question goes... I've noticed everybody went off in a 2k direction here. so I'll refrain from going that way. (but then again, maybe the road less travels just doesnt go anywhere interesting anyways)
Ghost.... you've got to figure out what services your going to be using first (unplanned networks usually yield poor results at best) Look into what the environment is going to be as well, are there any WAN links?? not necesarily to the server but will that servers network be accessible through a WAN link? What about remote access, anybody dialing/tunneling/pcanywhere/telnetting in?? Do you need web or mail services or is it just going to provide simple fileservices?? Look into things like Samba or NFS, decide which works best for you, and the security itself will come through proactively patching and updating as often as possible, keeping your user accounts and permissions clean, and establishing good monitoring and backup procedures.
January 4th, 2002, 05:48 PM
You don't need a domain controller to access a Win2k server or workstation from a workgroup. All you have to do is manage users on the stand alone server or workstation just like you would on a Windows NT 4 or 3.51 machine. It is not more secure just because there isn't a domain controller, it's probably less secure as it is harder to change passwords on a regular basis. I maintain a network with over 30 servers and workstations running mostly Win2k pro or server and couple of NT4 or Win 98 machines.
The network was built without a domain controller for two reasons. One, it took an inordinate amount of time to log onto the network when using the domain controller as compared to without the domain controller. Two, it was felt that a domain controller was a single point of failure for the network. Yes, we could have setup a secondary domain controller but we still didn't like first problem. Yes, it's more work but we don't change people often (no new hires or fires in the last 12 months).
January 4th, 2002, 06:02 PM
I feel there might be a slight misconception here:
A server not part of a domain (ie in a workgroup) isn't any more vulnerable than a domain member server, the only* difference is that all authentication of network users is done locally, ie with the server's user list (SAM) instead of the one maintained by the domain controller. This by itself does not represent a security risk, it only means, as any other host in a workgroup, that each host must have it's own user list maintained independently, and that if you want users to be able to use network ressources you have to recreate identical accounts (so each user doesn't have to remember multiple logons) on each host.
*Of course you don't have the administration features (like group policies) either in that case...
January 4th, 2002, 06:04 PM
Oups! didn't see stuart's reply before posting! We pretty much say the same...