windows server 2003 firewall question


I have a server that is between the internet and my LAN. I was able to set up NAT and DHCP just fine. But I still have concerns about the "basic firewall" in Routing and Remote Access. I tried to install Symantec Enterprise Firewall but it wouldn't install because my server is also the domain controller.

1.) Is the basic firewall in Routing and Remote Access any good? Does it really do the job or do I need more?

2.) I was wondering what my options are in respect to getting a very good firewall to work on my domain controller. I am thinking ISA 2000, but wasn't sure.

Thanks for any help.

You have your DC directly connected to the public net??

Dude - what the F_CK are you thinking?? Please tell me you are a newb playing with your "FREE" version of 2k3 - or just some IT wannabe, cuz if you're in the IT field as a career, you really need to be shot! ;)

  jon said (Jun 25 2004, 14:01):
My DC is also directly connected to the public net?

In the situation you described...YES

Never ever use your DC as a firewall (at least not when it is connected directly to the internet). Why not?? Well, if "they" find a way to hack your firewall they also immediately have control over your domain, as they can control your DC... try setting up something like this:

internet--->router--->firewall--->switch/hub--->LAN

  BudMan said:
You have your DC directly connected to the public net??

Dude - what the F_CK are you thinking?? Please tell me you are a newb playing with your "FREE" version of 2k3 - or just some IT wannabe, cuz if you're in the IT field as a career, you really need to be shot! ;)

Why do people always flame a person when he or she does something "wrong"??? Why not give this person some useful advice on how he/she can avoid making the same mistake next time!!

When you rode your bike for the first time, did you not fall on your face????

  jon said (Jun 25 2004, 07:01):
My DC is also directly connected to the public net?

So do you want a prize?? How much common sense does it require to understand you would not want to put the server that authenticates all your user accounts, stores all their passwords, etc... all of your GP settings, etc... directly connected to the public net?

  BudMan said:
So do you want a prize?? How much common sense does it require to understand you would not want to put the server that authenticates all your user accounts, stores all their passwords, etc... all of your GP settings, etc... directly connected to the public net?

You must be one hell of an IT-er with ALL that knowledge!!!!!

  ThaOddie said:
You must be one hell of an IT-er with ALL that knowledge!!!!!

Why yes I am - thanks for noticing :) You might want to check your sense of humor - it seems you must have lost it along the way.

  BudMan said:
Why yes I am - thanks for noticing :) You might want to check your sense of humor - it seems you must have lost it along the way.

So when you started out as an IT-er, did you have all the knowledge all at once??

Did you not have to learn certain things or find them out yourself??

I'm a system administrator myself so no I don't have a sense of humor!!

  ThaOddie said:
You must be one hell of an IT-er with ALL that knowledge!!!!!

You know.. he is right though. Don't *ever* leave a DC exposed to the public network :/

ThaOddie, I'm sure that BudMan is just playing around so don't take it seriously :)

  configure said:
You know.. he is right though. Don't *ever* leave a DC exposed to the public network :/

ThaOddie, I'm sure that BudMan is just playing around so don't take it seriously :)

I know he's right...but instead of flaming the guy, he could just give him some good advice on how to do it the right way. Well, at least that's my opinion.

  ThaOddie said:
So when you started out as an IT-er, did you have all the knowledge all at once??

Did you not have to learn certain things or find them out yourself??

I'm a system administrator myself so no I don't have a sense of humor!!

I never said anything about knowing everything - where exactly did I say that?

Yes, my post might have been a harsh way to attempt to point out you should NOT use your DC as your firewall, etc..

  Quote:
Of course not you nimwit...it's just as bogus as your download link

But really how is what I posted any different than your response to someone asking why a link doesn't work? ;)

Seems quite harsh to me - the poor guy most likely spent all day looking up what nimwit means - and then feeling bad about it, etc.. ;)

So when your kid attempts to put a fork into an AC outlet - I guess you would nicely explain to the 6 month old the correct use of the fork, and that inserting it into the outlet can have harmful results, etc.. That's fine and dandy for you - but some of us like to SMACK the fork out of the kid's hand, and yell NO, BAD, etc..

To each their own ;)

  BudMan said:
I never said anything about knowing everything - where exactly did I say that?

Yes, my post might have been a harsh way to attempt to point out you should NOT use your DC as your firewall, etc..

But really how is what I posted any different than your response to someone asking why a link doesn't work? ;)

Seems quite harsh to me - the poor guy most likely spent all day looking up what nimwit means - and then feeling bad about it, etc.. ;)

So when your kid attempts to put a fork into an AC outlet - I guess you would nicely explain to the 6 month old the correct use of the fork, and that inserting it into the outlet can have harmful results, etc.. That's fine and dandy for you - but some of us like to SMACK the fork out of the kid's hand, and yell NO, BAD, etc..

To each their own ;)

About that link the guy posted...He posted a bad link on purpose!!! So that's why I called him a nimwit...

And comparing a 6-year-old trying to plug a fork into an outlet with someone playing around with the W2k3 firewall?????? Come on, please!!!

But this is starting to turn into a useless discussion instead of helping this guy in the first place.......so from me to you...OUT

Often, DCs are exposed to the public internet, especially when using Windows SBS. It doesn't mean that it is a good idea, but it happens. As far as installing ISA, it is not recommended to install it on a DC (except when using SBS, of course). Simply put, at least have a NAT firewall like a router between your DC and the world. You can then install a software firewall on the DC to further protect it.

I am really disappointed with Neowin after reading this thread.

1.) No one is born knowing this server stuff, you have to learn it one way or another. And it's truly a shame that a few of you flame people for a simple question. These people are killing Neowin.

2.) Stop thinking I am using "free" versions, I got a version of SBS from MICROSOFT in the mail, so there.

3.) I am just setting up my home network with only 5 computers.

4.) And NO I'm not an IT PRO because I actually want a job when I get out of college, ha, I'm going to be a chemical engineer. I just do this computer stuff for fun and a hobby, and all of you pseudo-IT pros that just hang out on Neowin to make fun of people need to get a life, seriously.

But thanks for all the real replies, everyone.

No problem, you just have to ignore some of the trigger-happy flamers. Anyway, is this SBS 2000 or SBS 2003? If 2003, is it the standard or the premium (I think they call the better one premium)? I only ask because the standard does not come with ISA, but I think the other does.

So much for MS being security conscious if they release SBS 2003 and expect SBS users to stick with piling Exchange, ISA and maybe SQL on one box.

Bad idea, I say, and it must put a severe load on the server.

Actually, I have set up many an SBS 2000 box, and they run great. For organizations with less than ~30 users, the machine runs well. You just have to put it on a halfway decent box and it will be OK. We used a Dual Xeon 2.4 w/1GB RAM and a 72GB RAID5 array (3x36GB) and the machine ran like a champ. Of course most small businesses just use Exchange, File Sharing, and ISA, but for them, why have three boxes (and thus three licenses for Windows) when you can do it all on one? Plus it is very cheap, all things considered.

  Quote (Jun 26 2004):
I am really disappointed with Neowin after reading this thread.

1.) No one is born knowing this server stuff, you have to learn it one way or another. And it's truly a shame that a few of you flame people for a simple question. These people are killing Neowin.

2.) Stop thinking I am using "free" versions, I got a version of SBS from MICROSOFT in the mail, so there.

3.) I am just setting up my home network with only 5 computers.

4.) And NO I'm not an IT PRO because I actually want a job when I get out of college, ha, I'm going to be a chemical engineer. I just do this computer stuff for fun and a hobby, and all of you pseudo-IT pros that just hang out on Neowin to make fun of people need to get a life, seriously.

But thanks for all the real replies, everyone.

I'm sorry how this turned out, perhaps I should have moderated it better but hey, at least we've got something useful out of it, right? :)

Furthermore, the firewall in Routing and Remote Access can provide you with basic inbound/outbound packet filtering, which might be enough in a small business environment. If you are considering purchasing ISA 2000, I would suggest that you check out ISA 2004; I have been to one of the seminars about it and it seems very promising (especially with the packet analyzing feature) :)

http://www.microsoft.com/isaserver/beta/default.asp

  Quote (Jun 25 2004):
I am really disappointed with Neowin after reading this thread.

Great - that makes 2 of us - I was really disappointed after you started it ;)

You want to know what is killing neowin? It's the constant repeat questions, day after day - the same thing, over and over and over again!! How about doing a simple search? Here is 6 pages of discussion on 2k3 and firewalls - https://www.neowin.net/forum/index.php?show...hl=firewall+2k3

Took a whole 2 seconds to find -- let me see, you're using 2k3, and want to know about firewalls - put the 2 words together!

There are many more threads on the subject! And you know what else - billions upon billions of pages worth of information on the net, if you cannot seem to find the exact info you're looking for on Neowin after reading through the threads you can find on the subject. Or better yet - if you could not find the info you're looking for, at least ask the question in a way that will help others looking for information on the subject as well. Add to the existing discussion - expand on a point made in other threads, ask for people to go into more detail about whatever, etc... Don't just repeat the same question over and over again.

Another thing killing it is when people do not get the kiss your as_, hold your hand - doesn't your hair look nice today response. They get all upset, and need counseling, and want mommy to kiss their booboo.

Dude, you got called on doing a stupid thing / asking a stupid question - yes, when it has been asked a thousand times before, and you're too lazy or stupid to find the answer - it's a stupid question!

And guess what - yes you are using a "FREE" freaking copy - you said you got it in the mail from MS. You did not say you ordered it, or paid for it in any way - guess what that = "FREE". Did I say you pirated a copy?? No, I said I sure hope you were someone playing with a "FREE" copy - which you are, and not someone doing IT for a living. So stating the truth is now flaming??? :)

And BTW - was your "want a job" some attempt at a jab -- that people who work in IT don't have a real job??? Was it?? - so you're killing Neowin now too??? Some of us that actually do this for a living might take offense!! Not everyone here is a "pseudo-IT pro" -- some of us actually do have a real job in the IT field ;)
