
Thread: EMERGENCY?: Windows Xp attacking Windows 2000 Server?

  1. #11
    Yes, my thoughts are why firewall the server? The firewall should be at the network perimeter. Firewalling the server is going to create all sorts of odd results because the relationship between a domain server and clients is complex and will involve a lot of ports being used.

    To me, the holy trinity of security is up-to-date patches + anti-virus + firewall at the edge of the network.

    I guess we're talking about a corporate environment here and not something nasty like a college?

  2. #12
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    lsass uses local ports and not remote ones so forget the side note question.

  3. #13
    rebmeM roineS enilnOitnA steve.milner
    Join Date
    Jul 2003
    Posts
    1,021
    Originally posted here by dynamoo
    Yes, my thoughts are why firewall the server? The firewall should be at the network perimeter. Firewalling the server is going to create all sorts of odd results because the relationship between a domain server and clients is complex and will involve a lot of ports being used.

    To me, the holy trinity of security is up-to-date patches + anti-virus + firewall at the edge of the network.

    I guess we're talking about a corporate environment here and not something nasty like a college?
    There are many reasons to firewall the server as well as firewalling the perimeter.

    If you have a large network that could be used by malicious employees to gain access to the server.

    You wouldn't want to leave a payroll server, for example, unprotected from the intranet.

    Remember that almost all acts of computer misuse are performed by a company's own employees.

    Internal protections are very important.
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  4. #14
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Steve: Unless I misunderstand the chap he has the data for these users' machines on that server. Thus they are allowed access. If there is data on there that is not for public use such as the payroll you mentioned then that whole department should probably be separated from the rest of the network in another way such as a router or other firewall.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #15
    rebmeM roineS enilnOitnA steve.milner
    Join Date
    Jul 2003
    Posts
    1,021
    Tiger Shark:

    I don't think you have misunderstood the chap.

    I was trying to point out to dynamoo that there are valid reasons for firewalls at other places than the perimeter.

    And if you physically isolate the payroll staff you isolate them from the benefits of the rest of the network, but it's all a matter of how you approach security within the perimeter.

    There are as many approaches as there are experts on the matter.

    So if I've caused any confusion - my apologies - I know I've not helped the chap out at all.
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  6. #16
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Steve: NP.... Confusion is the normal state in my world.....

    You can isolate the payroll staff for example behind a $60 Linksys router/firewall and they can still receive the full benefit of the rest of the network but their resources would be invisible to the "unwashed masses".

    I think we need a little more information regarding ileva's config before anyone can give a sensible answer.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #17
    WinXP has some odd behavior. If it tries to access a normal file share it will also try to use WebDAV. These are the port 80 and 443 connections you are seeing. Hook up a sniffer to make sure. You will notice WinXP doing an OPTIONS /filename when it tries to access a share. This seems to be by design. Go figure.

    Edit: This seems to be caused by the WebClient Service on XP. Try and disable this service and recheck. The WebClient service will try to use WebDAV to access the file/share before it will use SMB.
    Can you give me any more information on WebDAV, and this WebClient Service, if so that WOULD BE GREAT. I think you have hit the nail on the head, and I am so relieved, but not 100 percent confident YET.

    Also, I have a firewall on my server because our hardware firewall is AWOL, and we need some security ASAP, so we put BlackICE on. My dept. IP range is put on the BlackICE as allowed users BUT not trusted. So they can access their files without being blocked, but it still monitors activity.

    Thanks A LOT GUYS!!

  8. #18
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ileva: Yeah.... Having the primary Firewall out to lunch is a bit of a bummer. If I understand you correctly the perimeter firewall is down but you have maintained public access for whatever reason and firewalled the server to protect it. In this case I would be _very_ concerned about the workstations. There's nothing quite like bringing the Primary Firewall back online only to find that someone is already behind it on a workstation.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #19
    Well the workstations also have 'Personal Firewalls' for Small Businesses, so hopefully they are okay. It seems that the reintroduction of the Firewall will not be a quick process, they are predicting months to a year...

    not something nasty like a college
    - Ehk, This is a department at a University, hence all the bureaucracy and the lack of time spent on security.


    Thanks again.

  10. #20
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by ilevakam316
    Can you give me any more information on WebDAV, and this WebClient Service, if so that WOULD BE GREAT. I think you have hit the nail on the head, and I am so relieved, but not 100 percent confident YET.
    I couldn't find anything really informative. But I've noticed this behaviour at home on my little FreeBSD server (with Samba and Apache). I did find this:

    http://www.theeldergeek.com/webclient.htm
    And this usenet posting kinda triggered the relation with WebClient.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
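
Added example, not part of any post in this thread: a way to triage the port 80 traffic discussed above from the web server's own access log, separating the WebClient "try WebDAV before SMB" discovery requests from other OPTIONS/PROPFIND traffic that deserves a closer look. The Apache combined log format, the sample lines, and the `Microsoft-WebDAV-MiniRedir` User-Agent prefix are assumptions that do not appear in the thread; confirm the agent string against a sniffer capture from your own clients.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip - user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Methods a WebDAV client sends while checking whether a server speaks DAV.
DAV_DISCOVERY = {"OPTIONS", "PROPFIND"}
# Assumption: User-Agent prefix sent by the Windows WebClient redirector.
WEBCLIENT_AGENT = "Microsoft-WebDAV-MiniRedir"

# Constructed sample lines (not captured traffic).
SAMPLE_LOG = """\
192.0.2.21 - - [12/Mar/2004:09:14:02 +0000] "OPTIONS /deptshare HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.0.2.21 - - [12/Mar/2004:09:14:02 +0000] "PROPFIND /deptshare HTTP/1.1" 405 312 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.0.2.34 - - [12/Mar/2004:09:20:41 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.57 - - [12/Mar/2004:09:31:10 +0000] "OPTIONS / HTTP/1.0" 200 - "-" "-"
"""

def triage(log_text):
    """Return {client_ip: verdict} for every client seen in the log."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not parse are skipped, not guessed at
            seen[m["ip"]].append((m["method"], m["agent"]))
    verdicts = {}
    for ip, reqs in seen.items():
        dav = [(meth, ua) for meth, ua in reqs if meth in DAV_DISCOVERY]
        if not dav:
            verdicts[ip] = "no-webdav"
        elif all(ua.startswith(WEBCLIENT_AGENT) for _, ua in dav):
            verdicts[ip] = "webclient-fallback"  # the behaviour described in the thread
        else:
            verdicts[ip] = "review"              # DAV probing from some other client
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(ip, verdict)
```

A User-Agent header is client-supplied, so a "webclient-fallback" verdict only says the traffic is consistent with the WebClient service; disabling the service on one workstation and rechecking, as suggested in the thread, is the confirming test.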
