Steve,

Thanks for the great info. I do have access to the firewall and I have used ipsec policies previously; I also run Languard to check against vulnerabilities. My major attacks are coming from the basic MS ports, and the question is how to isolate these ports without removing basic services. We also need to maintain management; my thought here is to allow management access to two subnets (server room and vpn subnets). However, systems like domain controllers I will have to leave open (of course I have these locked down) to the community. I guess the answer here is to evaluate each system for the specific needs and isolate based on that info.

Regards,
Bob Smith
If you have access to the firewall, you might be able to configure what IP addresses can and cannot access your network/servers, and on what ports using what protocols. If you cannot access the firewall you can use ipsec filtering policy on your computers, which is a policy that uses rules with permit and block filter actions to act as a built-in packet filtering firewall. Ipsec policies are best when trying to configure for a subnet range or a small range of IP addresses, as you cannot specify IP address "ranges" in an ipsec policy. You can also create an ipsec rule "blacklist" to add the IP addresses of attackers to block their access. Software firewalls such as the ones from Sygate could be another option. Depending on your network layout [operating system, domain, etc] you may be able to implement ipsec negotiation security to block access from non-domain computers or domain computers that are not configured with at least a matching ipsec client/respond policy. Ipsec can also use certificates for computer authentication. Only Windows 2000/XP Pro/W2003 MS computers are ipsec aware. Ipsec negotiation policies also need to exempt domain controllers for traffic between domain members and domain controllers. The links below are about ipsec.

http://www.securityfocus.com/infocus/1559
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

Disable file and print sharing on any computers that do not need to offer shares and do not need to be managed remotely via Computer Management or command line tools that rely on the ports you mentioned. You also may be able to take advantage of the user rights for "logon locally and deny logon locally" to restrict what users can access a computer, though that will not stop users from trying to make attempts to guess passwords. Such user rights and ipsec policies can be managed via Group Policy for consistent application and ease of administration to a larger number of computers. A managed switch may be another option, as they offer options such as MAC filtering and port isolation [HP Procurve] to further restrict access to your network. MAC filtering can be spoofed but it would be another barrier to access and will deter most curious attackers. 802.1X switches are a better access restricting option, but they are not foolproof either and require compatible operating systems, a Certificate Authority to issue computer certificates, and an IAS server on the network. Also run the Microsoft Baseline Security Analyzer on your computers to check for basic vulnerabilities such as weak passwords, missing patches, and unneeded services.

MBSA: http://www.microsoft.com/technet/security/tools/mbsahome.mspx

--- Steve
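The filter design the two messages converge on (management subnets and the domain controller may use the MS ports, everyone else is blocked on those ports only, other services untouched) is easy to get wrong by ordering rules badly. The following added example, not from either poster, models that first-match permit/block rule set so the policy can be checked against sample flows before it is pushed out; the subnet addresses and the DC address are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Ports named in the thread: RPC endpoint mapper, NetBIOS name/session, SMB.
MS_PORTS = frozenset({135, 137, 139, 445})

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset                 # empty set means "any port"

# Constructed placeholder addresses (assumption, not from the thread).
SERVER_ROOM = ipaddress.ip_network("10.10.0.0/24")   # management subnet 1
VPN_POOL    = ipaddress.ip_network("10.20.0.0/24")   # management subnet 2
DC          = ipaddress.ip_network("10.10.0.5/32")   # domain controller, must stay reachable
ANY         = ipaddress.ip_network("0.0.0.0/0")

# First match wins, so the exemptions must precede the block and the
# catch-all permit for non-MS ports must come last.
POLICY = [
    Rule("permit", SERVER_ROOM, ANY, MS_PORTS),
    Rule("permit", VPN_POOL, ANY, MS_PORTS),
    Rule("permit", ANY, DC, MS_PORTS),       # domain members must reach the DC
    Rule("block", ANY, ANY, MS_PORTS),       # the community is cut off on these ports
    Rule("permit", ANY, ANY, frozenset()),   # web, mail, etc. continue to work
]

def evaluate(policy, src_ip, dst_ip, dst_port):
    """Return the action of the first rule matching (src, dst, port)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if src in rule.src and dst in rule.dst and (not rule.ports or dst_port in rule.ports):
            return rule.action
    return "block"   # implicit deny if nothing matched

def exposed_ms_ports(policy, community_ip, hosts):
    """List (host, port) pairs a non-management source can still reach on MS ports.
    Anything here other than the DC means the rule order is wrong."""
    return [(h, p) for h in hosts for p in sorted(MS_PORTS)
            if evaluate(policy, community_ip, h, p) == "permit"]
```

Run `exposed_ms_ports` with a campus address against the server list after every policy change; the only entries expected are the domain controller's.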
Due to the large number of attacks against Windows Server we would like to block windows systems from the larger community (Large college) to prevent systems from getting attacked. Does anyone have any help, suggestions, or info for blocking MS ports (135, 137, 139, & 445) from the community?

Thanks in advance,
Bob Smith