Thread: Windows server best practice - Allow Internet access?

  1. #1
    Junior Member
    Join Date
    Feb 2015
    Posts
    1

    Windows server best practice - Allow Internet access?

    I'm looking for best practices documentation that addresses Internet access from internal servers. What's considered the best practice? Allow ports 80 and 443 through the firewall from internal servers (not Internet facing), or block? Best practice would have servers updated/patched from a local server within their internal network segment. I found documentation on TechNet that covers domain controllers, but nothing that mentions everything else. TechNet at least says domain controllers should have no access through the firewall to the Internet. My concern now is the other servers installed on the inside. Not the Internet facing servers installed within the DMZ, but servers installed on the inside supporting internal operations only. Does anyone know where I can find documentation from a well-known source?

  2. #2
    Junior Member
    Join Date
    May 2024
    Posts
    6
    For best practices, restrict outbound traffic from internal servers to only what's necessary for their function. Implement default deny policies, least privilege access, network segmentation, proxy or gateway filtering, logging and monitoring, patch management, and access control lists (ACLs). Consult industry standards and guidelines from sources like CIS, NIST, and vendor documentation.

  3. #3
    Administrator Steve R Jones
    Join Date
    Apr 2011
    Location
    USA
    Posts
    402
    Note that this thread was posted -> February 7th, 2015

  4. #4
    Junior Member
    Join Date
    Aug 2024
    Posts
    4
    You're right, internet access for internal servers is a key security consideration. Here's the gist:

    Block by default: Best practice is to follow a "default deny" approach. Block all outbound internet traffic for internal servers unless it's absolutely necessary.
    Least privilege: Only allow specific ports (like 80/443 for updates) if a server needs internet access. This minimizes the attack surface.
    Local updates preferred: Patching from a local update server within your network is ideal, reducing reliance on internet sources.
    Check out resources from CIS (Center for Internet Security) or NIST (National Institute of Standards and Technology) for in-depth best practices. They offer great documentation on securing internal servers.

  5. #5
    Junior Member
    Join Date
    Jan 2024
    Posts
    7
    Best practice for internal servers not facing the internet is generally to block internet access and restrict ports 80 and 443 through the firewall. This minimizes exposure to potential threats. Instead, updates and patches should be managed through a local WSUS (Windows Server Update Services) or similar solution within the internal network. While TechNet provides guidance on domain controllers, for other internal servers, look for security hardening guides from reputable sources like the Center for Internet Security (CIS) or Microsoft's security best practices documentation.
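
Added example, not part of any post in this thread: one way to check the "default deny" and "logging and monitoring" advice above is to audit a server's Windows Firewall log for outbound connections that reached non-internal addresses. The log rows, the 10.0.5.20 WSUS address, the RFC 1918 "internal" ranges and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: RFC 1918 space is "internal"; replace with your own address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the Windows Firewall log (pfirewall.log) layout.
# 10.0.5.20 stands in for a local WSUS server; external IPs are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-08-01 09:00:01 ALLOW TCP 10.0.5.31 10.0.5.20 49800 8530 0 - 0 0 0 - - - SEND
2024-08-01 09:00:07 ALLOW TCP 10.0.5.31 203.0.113.10 49801 443 0 - 0 0 0 - - - SEND
2024-08-01 09:00:09 DROP TCP 10.0.5.31 198.51.100.7 49802 80 0 - 0 0 0 - - - SEND
2024-08-01 09:00:12 ALLOW UDP 10.0.5.31 10.0.5.2 53011 53 0 - - - - - - - SEND
2024-08-01 09:00:15 ALLOW TCP 10.0.9.4 10.0.5.31 51000 445 0 - 0 0 0 - - - RECEIVE
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local or addr.is_multicast:
        return True  # never leaves the local segment, so not Internet egress
    return any(addr in net for net in INTERNAL)

def audit_egress(log_text, approved=frozenset()):
    """Return (violations, blocked) for outbound flows to non-internal addresses:
    allowed but not in `approved` {(dst_ip, port)}, versus dropped by the firewall."""
    fields, violations, blocked = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not fields or not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("path") != "SEND":  # only traffic this server sent
            continue
        try:
            if is_internal(rec["dst-ip"]):
                continue
        except (KeyError, ValueError):
            continue  # malformed row
        port = int(rec["dst-port"]) if rec.get("dst-port", "").isdigit() else None
        flow = (rec["src-ip"], rec["dst-ip"], rec["protocol"], port)
        if rec["action"] == "DROP":
            blocked.append(flow)
        elif rec["action"] == "ALLOW" and (rec["dst-ip"], port) not in approved:
            violations.append(flow)
    return violations, blocked
```

Windows Firewall only writes ALLOW rows when logging of successful connections is enabled for the profile, so turn that on before relying on an empty violations list.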
