April 12th, 2003, 11:18 AM
Securing system with 2 NICs
Can anyone help me secure a system (Windows NT/2000 Server) with two NICs attached to two different networks? Please let me know the steps to be taken. I have disabled IP forwarding.
Thank you in advance.
April 12th, 2003, 11:47 AM
Can you specify the operating system? You say NT / 2000 - which is it?
can anyone help me securing a system (windows NT/2000 Server)
Also can you give more detail about the use or goal of this system? Do you intend to use it as a router, firewall or for Internet Connection Sharing (ICS)?
Why is it connected to the two networks?
If you can give more detail about how you intend to use the machine and why it's connected to both networks, it would help with providing advice on locking it down.
April 13th, 2003, 02:46 AM
While I am still digging, I am not coming up with a great deal of info so far on dual-homed security for Windows 2000. It seems that you may be able to configure IPSec security policy to block traffic on one or both cards.
There are a variety of things you should do and steps you can take to try to ensure that never the twain shall meet.
I'll continue looking, but I wanted to also suggest that even if you get everything right, it is still innately insecure to have the server connected to both networks, especially running IIS and Windows 2000. I am not a Microsoft basher, but it presents a pretty good target generally if you don't stay current on the patches.
I might suggest disconnecting from the internal network and setting up a VPN or FTP connection for your users to upload their data. You can find various ways that you can connect to the server to upload info without being on the same network. If you do that your internal network will not be exposed through this machine.
April 13th, 2003, 12:19 PM
Each NIC on a W32 machine has its own services bound to it. One thing you may want to do is see if you want it to behave as a router, as W32 machines have this ability. You can also unbind NetBIOS and other services on either interface. You can also remove or add specific W32 services such as printer sharing, file sharing, etc. Go into the TCP/IP settings for each NIC card and then go into advanced settings and you will see all of this. If you are strapped for cash, you can configure the built-in TCP/IP "firewall" feature on each NIC card, but this service is *very* limited. You can also utilize IPSec on a W2K server and write some very basic allow/deny rules via the command line, but again, there are limitations to this. I know there are docs on this site that go into great detail on how to add/remove services (bound to NICs) and what these services do.
If I were you, I'd evaluate the tasks that this machine will be performing and then lock it down to suit those needs. Be sure to review the running services on the machine, as these apply to the server more so than each NIC card. Moreover, look at ACLs, system accounts, local security policies, patch levels, versions of running software on the server, accounting, etc. Setting up your NIC cards is just one small thing on a long list of things that must be done when configuring a server.
One last thing you should do is scan the server with ISS, Nessus, NetRecon or some other scanner of your liking. This will give you an idea of just how good a job you have done.
Anyway, this is my quick and dirty answer to your question based on the info that you provided.
Hope this helps.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
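The post above walks through the per-NIC settings by hand in the Windows 2000 GUI. As an added example (not code from the thread or from any poster), the script below audits the same two things on a dual-homed host with PowerShell and WMI: whether IP forwarding is on (the IPEnableRouter registry value) and whether NetBIOS over TCP/IP is still bound on each interface (Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions). It is read-only; the commented remediation uses the constructed address 203.0.113.10 to pick the outside-facing NIC, and assumes an elevated prompt on a host new enough to run PowerShell.

```powershell
# Added audit script (not from the thread): reports the per-NIC settings the post
# above describes for a dual-homed Windows host. Read-only; remediation is shown
# as a commented call. Run from an elevated PowerShell prompt.

$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# 1. IP forwarding between the two NICs (the setting the original poster disabled).
#    IPEnableRouter = 1 makes the host route between its interfaces; 0 or absent keeps
#    the two networks apart at layer 3.
$routing = (Get-ItemProperty -Path $tcpipParams -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($routing -eq 1) {
    Write-Warning 'IPEnableRouter=1: host forwards packets between its NICs'
} else {
    Write-Output 'IP forwarding: disabled'
}

# 2. Per-interface NetBIOS binding. TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
if ($adapters.Count -lt 2) {
    Write-Output "Only $($adapters.Count) IP-enabled adapter(s); host is not dual-homed"
}

foreach ($nic in $adapters) {
    $netbios = switch ($nic.TcpipNetbiosOptions) {
        2       { 'disabled' }
        1       { 'enabled' }
        default { 'default (follows DHCP)' }
    }
    [pscustomobject]@{
        Adapter   = $nic.Description
        Addresses = ($nic.IPAddress -join ', ')
        NetBIOS   = $netbios
        # GUID of the matching NetBT\Parameters\Interfaces\Tcpip_<GUID> registry key
        Guid      = $nic.SettingID
    }
}

# Remediation for the NIC facing outsiders (constructed address; uncomment to apply).
# SetTcpipNetbios(2) unbinds NetBIOS over TCP/IP on that interface only; ReturnValue 0 = success.
# $external = $adapters | Where-Object { $_.IPAddress -contains '203.0.113.10' }
# $result = Invoke-CimMethod -InputObject $external -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
# if ($result.ReturnValue -ne 0) { Write-Warning "SetTcpipNetbios failed with code $($result.ReturnValue)" }
```

The report is worth re-running after patching or driver reinstalls, since a new adapter binding comes up with NetBIOS in its default state.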
April 14th, 2003, 01:12 PM
I'm using Windows 2000 Server; it is not used as a router or firewall. One NIC is connected for external users (outsiders) and the other to our enterprise network. People in the enterprise network upload the data and external users access it (IIS web pages). Is there any risk of external users entering our enterprise wide area network?
April 14th, 2003, 01:21 PM
The short answer is yes.
is there any risk of external users entering our enterprise wide area network
I believe that part of the point of what thehorse13 wrote wasn't to say that you want to use the server AS a router or firewall per se, but that configuring the NICs using those settings will help you lock it down. You may not be using the server as a firewall, but you can configure the firewall, IPSec and other settings to help ensure that traffic doesn't get from one NIC to the other.
Like thehorse13 said, you have to consider all aspects of security in the server, not just the NIC configuration. Take a look at his post and see if you have any questions on how to proceed.