windows server 2003 firewall question

[jimmyt302]

i have a server that is between the internet and my LAN. I was able to set up NAT and DHCP just fine. But I still have concerns about the "basic firewall" in routing and remote access. I tried to install Symantec Enterprise Firewall but it wouldn't install because my server is also the domain controller.

1.) is the basic firewall in routing and remote acess any good? does it really do the job or do i need more?

2.) i was wondering what my options are in respect to getting a very good firewall to work on my domain controller. i am thinking ISA 2000, but wasn't sure.

thanks for any help

[[jon]]

1) the file in Routing and Remote Access does the trick just fine

2) I'd recommend a hardware firewall in that case, don't ask me which one because I just dont know :)

[+BudMan MVC]

You have your DC directly connected to the public net??

Dude - what the F_CK are you thinking?? Please tell me you are newb playing with your "FREE" version of 2k3 - or just some IT wannabe, cuz if your in the IT field as a career, you really need to be shot! ;)

[[jon]]

My DC is also directly connected to the public net?

[ThaOddie]

  [jon said:

,Jun 25 2004, 14:01] My DC is also directly connected to the public net?

In the situation you discribed...YES

Never ever use your DC as a firewall (at least not when it is connected directly to the internet). Why not?? Well if "they" find a way to hack your firewall they also have immediately have control over your domain as they can control your DC... try setting up something like this:

internet--->router--->firewall--->switch/hub--->LAN

Edited June 25, 2004 by ThaOddie

[ThaOddie]

  BudMan said:

You have your DC directly connected to the public net??

Dude - what the F_CK are you thinking?? Please tell me you are newb playing with your "FREE" version of 2k3 - or just some IT wannabe, cuz if your in the IT field as a career, you really need to be shot! ;)

Why do people always flame a person when he or she does something "wrong"??? Why not give this person some useful advice how he/she can prevent making the same mistake next time!!

When you ride your bike for the first time did you not fell on your face????

[+BudMan MVC]

  [jon said:

,Jun 25 2004, 07:01] My DC is also directly connected to the public net?

So do you want a prize?? How much common sense does it require to understand you would not want to put the server that auth's all your user accounts, stores all their passwords, etc... all of your GP settings, etc... directly connected to the public net?

[ThaOddie]

  BudMan said:

So do you want a prize?? How much common sense does it require to understand you would not want to put the server that auth's all your user accounts, stores all their passwords, etc... all of your GP settings, etc... directly connected to the public net?

You must be one hell of an IT-er with ALL that knowledge!!!!!

[+BudMan MVC]

  ThaOddie said:

You must be one hell of an IT-er with ALL that knowledge!!!!!

why yes I am - thanks for noticing :) You might want check your sense of humor - it seems you must of lost along the way.

[ThaOddie]

  BudMan said:

why yes I am - thanks for noticing :) You might want check your sense of humor - it seems you must of lost along the way.

So when you started out as an IT-er. Did you have all the knowledge all at once??

Did you not had to learn certain things or find out yourself??

I'm a system administrator myself so no I don't have a sence of humor!!

[configure Veteran]

  ThaOddie said:

You must be one hell of an IT-er with ALL that knowledge!!!!!

You know.. he is right though. Don't *ever* leave a DC exposed to the public network :/

ThaOddie, I'm sure that BudMan is just playing around so don't take it seriously :)

[ThaOddie]

  configure said:

You know.. he is right though. Don't *ever* leave a DC exposed to the public network :/

ThaOddie, I'm sure that BudMan is just playing around so don't take it seriously :)

I know he's right...but instead of flaming the guy, he could just give him some good advice on to do it the right way. Well at least that's my opinion.

[+BudMan MVC]

  ThaOddie said:

So when you started out as an IT-er. Did you have all the knowledge all at once??

Did you not had to learn certain things or find out yourself??

I'm a system administrator myself so no I don't have a sence of humor!!

I never said anything about knowing everything - where exactly did I say that?

Yes, my post might have been a harsh way to attempt to point out you should NOT use your DC as your firewall, etc..

  Quote

Offcourse not you nimwit...it's just as bogus as your download link biggrin.gif biggrin.gif

But really how is what I posted any different than your response to someone asking why a link doesn't work? ;)

Seem's quite harsh to me - the poor guy most likely spent all day looking up what nimwit means - and then feeling bad about, etc.. ;)

So when your kid attempts to put a fork into a AC outlet - I guess you would nicely explain to the 6 month old the correct use of the fork, and that inserting into the outlet can have harmful results, etc.. That fine and dandy for you - but some of us like to SMACK the fork out of the kids hand, and yell NO, BAD, etc..

To each their own ;)

[configure Veteran]

Lets just move pass this and stick to the topic, shall we?

[ThaOddie]

  BudMan said:

I never said anything about knowing everything - where exactly did I say that?

Yes, my post might have been a harsh way to attempt to point out you should NOT use your DC as your firewall, etc..

But really how is what I posted any different than your response to someone asking why a link doesn't work? ;)

Seem's quite harsh to me - the poor guy most likely spent all day looking up what nimwit means - and then feeling bad about, etc.. ;)

So when your kid attempts to put a fork into a AC outlet  - I guess you would nicely explain to the 6 month old the correct use of the fork, and that inserting into the outlet can have harmful results, etc..  That fine and dandy for you - but some of us like to SMACK the fork out of the kids hand, and yell NO, BAD, etc..

To each their own ;)

About that link the guy posted...He posted a bad link on purpose!!! So that's why I called him a nimwit...

and comparing a 6year old trying to plug a fork in an outlet with someone playing around with W2k3 firewall?????? come one please!!!

But this is starting to turn into a useless discussion instead of helping this guy in the first place.......so from me to you...OUT

[Billprozac]

Often, DC's are exposed to the public internet especially when using Windows SBS. It doesn't mean that it is a good idea, but it happens. As far as installing ISA, it is not recommended to install on a DC (except when using SBS, of course). Simply put, at least have a NAT firewall like a router between your DC and the world. You can then install software firewall on the DC to further protect it.

[jimmyt302]

i am really disapointed with neowin after reading this tread

1.) no one is born knowing this server stuff, you have to learn it one way or anouther. and it's turly a shame that a few of you flame people for a simple question. these poeple are killing neowin

2.) stop thinking i am using "free" versions, i got a version of SBS from MICROSFOT in the mail, so there.

3.) i am just setting up my home network with only 5 computers

4.) and NO i'm not an IT PRO because i acutlly want a job when i get out of college, ha, i'm going to be a chemical engineer. i just do this computer stuff for fun and a hobby, and all of you pseudo-it pros that just hang out on neowin to make fun of people, need to get a life, seriously

but thanks for all the real replys everyone

[Billprozac]

No problem, you just have to ignore some of the trigger happy flamers. Any ways, is this SBS 2000 or SBS 2003? If 2003, is it the standard or the premium(I think they call the beter one premium). I only ask because the standard does not come with ISA, but I think the other does.

[StevenNT]

So much of MS being security conscious if they release SBS 2003 and they expect SBS users stick with pilling Exchange, ISA and maybe SQL on one box.

Bad idea I say and must put a severe load on the Server

[Billprozac]

Actually, I have set many an SBS 2000 box, and they run great. For organizations with less than ~30 users, the machine runs well. You just have to put it on a halfway decent box and it will be OK. We used Dual Xeon 2.4 w/1GB ram and a 72GB RAID5 array (3x36GB) and the machine run like a champ. Of course most small businesses just use the Exchange, File Sharing, and ISA, but for them, why have three boxes (and thus three licenses for Windows) when you can do it all for one. Plus it is very cheap all things considered.

[configure Veteran]

  Jun 26 2004 said:

i am really disapointed with neowin after reading this tread

1.) no one is born knowing this server stuff, you have to learn it one way or anouther. and it's turly a shame that a few of you flame people for a simple question. these poeple are killing neowin

2.) stop thinking i am using "free" versions, i got a version of SBS from MICROSFOT in the mail, so there.

3.) i am just setting up my home network with only 5 computers

4.) and NO i'm not an IT PRO because i acutlly want a job when i get out of college, ha, i'm going to be a chemical engineer. i just do this computer stuff for fun and a hobby, and all of you pseudo-it pros that just hang out on neowin to make fun of people, need to get a life, seriously

but thanks for all the real replys everyone

I'm sorry how this turned out, perhaps I should have moderate it better but hey, at least we've got something useful out of it, right? :)

[configure Veteran]

Furthermore, the firewall in Routing and Remote Access can provide you with basic inbound/outbound packet filtering, which might be enough in a small business environment. If you are considering to purchase ISA 2000, I would suggest that you should check out ISA 2004, I have been to one of the seminar about it and it seems very promising (specially with the packet analyzing feature) :)

http://www.microsoft.com/isaserver/beta/default.asp

[+BudMan MVC]

  Jun 25 2004 said:

i am really disapointed with neowin after reading this tread

Great - that makes 2 of us - I was really disappointed after you started it ;)

You want to know what is killing neowin? It's the constant repeat questions, day after day - the same thing, over and over and over again!! How about doing a simple search? Here is 6 pages of discussion on 2k3 and firewalls - https://www.neowin.net/forum/index.php?show...hl=firewall+2k3

Took a whole 2 seconds to find -- let me see your using using 2k3, and want to know about firewalls - put the 2 words together!

There are many more threads on the subject! And you know what else - billions upon billions of pages worth of information on the net, if you can not seem to find the exact info your looking for on neowin, after reading through the threads you can find on the subject. Or better yet - if you could not find the info your looking, atleast ask the question in a way that will help others looking for information on the subject as well. Add to the existing discussion - expand on a point made in other threads, ask for people to go into more detail about whatever, etc... Don't jusk repeat the same question over and over again.

Another thing killing it is when people do not get the kiss your as_ hold your hand - doesn't your hair look nice too day response. They get all upset, and need counseling, and want mommy to kiss their booboo.

Dude you got called on doing a stupid thing / asking a stupid question - yes when it has been asked a thousand times before, and your too lazy or stupid to find the answer - its a stupid question!

And guess what - yes you are using a "FREE" freaking copy - you said you got in the mail from MS. You did not say you ordered it, or paid for it any way - guess what that = "FREE". Did I say you pirated a copy?? No I said I sure hope you were someone playing with a "FREE" copy - which you are, and not someone doing IT for a living. So stating the truth is now flaming??? :)

And BTW - was your "want a job" some attempt at a jab -- that people who work in IT don't have a real job??? Was it?? - so your killing neowin now too??? Some of us that actually do this for living might take offense!! Not everyone here is a "pseudo-it pros" -- some of actually do have a real job in the IT field ;)

[configure Veteran]

Lets not go there. We are discussing firewalls on 2k3 (again) so leave the OT alone. Seriously...

[+BudMan MVC]

  configure said:

firewalls on 2k3 (again)

:D - hehehhehe, if you would of bolded the "again" it would of been perfect ;)