If you're really serious about reducing your attack serface, you should
consider running Windows Server 2003, which has many services turned off by
default and is much more secure out of the box. However, some changes (e.g.
splitting the remote registry service from the server service) were made to
allow this to happen.
Search for the Windows 2000 Security Hardening Guide on the Microsoft web
site. At a minimum, disable the messenger and alerter services. Also,
consider using IPSec with block rules or TCP/IP filtering on the boxes, in
addition to your perimeter firewall.
It is also vital to keep up to date with security patches. Also, consider
using ISA Server to publish the web site and pre-authenticate the users.
That way, you don't expose the web server at all until you know who the user
is.
I may be out of date here (in fact, it's quite likely), but I didn't think
nfuse was a security product. At one time, there was a product called
Citrix Secure Gateway. Again, that may have changed. With nfuse, you still
have to expose ports on your Citrix server to the Internet, and while you
may be tempted to think that just because Citrix isn't a Microsoft product,
it's automatically secure, don't be. I don't know if ISA Server can help
you out here by reducing the exposure.
Regards
Oli
