-
February 8th, 2015, 05:00 AM
#1
Junior Member
Windows server best practice - Allow Internet access?
I'm looking for best practices documentation that addresses Internet access from internal servers. What's considered the best practice? Allow ports 80 and 443 through the firewall from internal servers (not Internet facing), or block? Best practice would have servers updated/patched from a local server within their internal network segment. I found documentation on TechNet that covers domain controllers, but nothing that mentions everything else. TechNet at least says domain controllers should have no access through the firewall to the Internet. My concern now is the other servers installed on the inside. Not the Internet facing servers installed within the DMZ, but servers installed on the inside supporting internal operations only. Does anyone know where I can find documentation from a well-known source?
-
May 13th, 2024, 06:54 AM
#2
Junior Member
For best practices, restrict outbound traffic from internal servers to only what's necessary for their function. Implement default deny policies, least privilege access, network segmentation, proxy or gateway filtering, logging and monitoring, patch management, and access control lists (ACLs). Consult industry standards and guidelines from sources like CIS, NIST, and vendor documentation.
-
May 13th, 2024, 07:07 AM
#3
Note that this thread was posted -> February 7th, 2015
-
August 23rd, 2024, 03:56 PM
#4
Junior Member
You're right, internet access for internal servers is a key security consideration. Here's the gist:
Block by default: Best practice is to follow a "default deny" approach. Block all outbound internet traffic for internal servers unless it's absolutely necessary.
Least privilege: Only allow specific ports (like 80/443 for updates) if a server needs internet access. This minimizes the attack surface.
Local updates preferred: Patching from a local update server within your network is ideal, reducing reliance on internet sources.
Check out resources from CIS (Center for Internet Security) or NIST (National Institute of Standards and Technology) for in-depth best practices. They offer great documentation on securing internal servers.
-
August 25th, 2024, 09:15 AM
#5
Junior Member
Best practice for internal servers not facing the internet is generally to block internet access and restrict ports 80 and 443 through the firewall. This minimizes exposure to potential threats. Instead, updates and patches should be managed through a local WSUS (Windows Server Update Services) or similar solution within the internal network. While TechNet provides guidance on domain controllers, for other internal servers, look for security hardening guides from reputable sources like the Center for Internet Security (CIS) or Microsoft's security best practices documentation.
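One way to check that the default-deny egress policy described in the replies above is actually holding, as an added example that is not part of any post in this thread: it reads a Windows Firewall log and separates outbound Internet connections that were allowed from those that were dropped. The internal address ranges, the empty approved list and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the thread): the internal address ranges below and an
# empty list of approved Internet destinations (strict default deny).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
APPROVED_EXTERNAL = set()

# Constructed sample in the Windows Firewall log (pfirewall.log) layout.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-08-25 09:15:01 ALLOW TCP 10.0.20.15 10.0.10.5 49701 8530 0 - 0 0 0 - - - SEND
2024-08-25 09:15:07 ALLOW TCP 10.0.20.15 203.0.113.80 49702 443 0 - 0 0 0 - - - SEND
2024-08-25 09:15:09 DROP TCP 10.0.20.15 198.51.100.7 49703 80 0 - 0 0 0 - - - SEND
2024-08-25 09:15:12 ALLOW UDP 10.0.20.15 10.0.10.2 53001 53 0 - - - - - - - SEND
2024-08-25 09:15:20 ALLOW TCP 10.0.30.9 10.0.20.15 50112 445 0 - 0 0 0 - - - RECEIVE
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in INTERNAL_NETS)

def audit_egress(log_text):
    """Return (allowed, dropped): outbound records to unapproved Internet hosts."""
    fields, allowed, dropped = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not fields or not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        dst = rec.get("dst-ip", "")
        try:
            if rec.get("path") != "SEND" or is_internal(dst) or dst in APPROVED_EXTERNAL:
                continue
        except ValueError:
            continue  # skip lines whose destination is not an IP address
        hit = (rec["src-ip"], dst, rec["dst-port"])
        (allowed if rec["action"] == "ALLOW" else dropped).append(hit)
    return allowed, dropped

if __name__ == "__main__":
    allowed, dropped = audit_egress(SAMPLE_LOG)
    print("ALLOWED to Internet (policy gap):", allowed)
    print("DROPPED attempts (policy working, check why the server tried):", dropped)
```

An allowed entry means a rule is letting an internal server reach the Internet; a dropped entry means the block works but something on the server is still trying to call out.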