How to Harden Public MS 2K3 DNS?

[Fred Yarbrough]

We are looking at replacing our UNIX Public DNS servers with Microsoft W2K3
DNS servers. these servers will not be doing anything but Static DNS for
our external name space. Does anyone know of an article or paper that talks
about hardening or bastionizing a Windows 2K3 DNS server for public
exposure?


Thanks,
Fred

 

[Carey Frisch [MVP]]

Microsoft® Windows® Security Resource Kit
http://www.microsoft.com/mspress/books/6418.asp

Windows Server 2003 Security Guide
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

Service Management Functions
http://www.microsoft.com/technet/itsolutions/cits/mo/smf/mofsmsmf.mspx

How Microsoft Does IT
http://www.microsoft.com/technet/itsolutions/msit/default.mspx

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

-------------------------------------------------------------------------------------------

:

| We are looking at replacing our UNIX Public DNS servers with Microsoft W2K3
| DNS servers. these servers will not be doing anything but Static DNS for
| our external name space. Does anyone know of an article or paper that talks
| about hardening or bastionizing a Windows 2K3 DNS server for public
| exposure?
|
|
| Thanks,
| Fred

 

[Fred Yarbrough]

Thanks for the reply Carey. I have read most of these documents and was
hoping to find something more detailed. I will probably start with the
Bastion Host Security Template and then tweak it. The NSA has pretty good
documents for DNS hardening but it is for W2K and not for W2K3.



Thanks,
Fred

 

[Deji Akomolafe]

Something like this:
http://www.akomolafe.com/Portals/1/Docs/guide_to_securing_microsoft_windows_2000_dns.pdf
?

--

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

 

[Ace Fekay [MVP]]

In

Something like this:
http://www.akomolafe.com/Portals/1/Docs/guide_to_securing_microsoft_windows_2000_dns.pdf

Deji,

Nice article. Assuming 2000 and 2003 are similar, if not the same, is there
a new one out for Win2003?

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================

 

[Deji Akomolafe]

Sorry, Ace - been away from keyboard

No, I don't have a 2K3 version yet. I am not aware of the existence of one.
But the fundamental premises will be the same anyway, so one should be able
to port the knowledge from this version over to a 2K3 DNS.

--

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
"Ace Fekay [MVP]"

 

[Ace Fekay [MVP]]

In

Sorry, Ace - been away from keyboard

No, I don't have a 2K3 version yet. I am not aware of the existence
of one. But the fundamental premises will be the same anyway, so one
should be able to port the knowledge from this version over to a 2K3
DNS.

Cool. Since they are very similar, we can use this as a guide, and apply
security common sense for any of the new features that 2003 has over 2000.

I know, someone will probably ask what is 'security common sense' and how do
we apply common sense security concerns to any of the new features, some may
ask? I guess it comes down to security or experience level and understanding
Windows.

Ace