windows server 2003 firewall question

By jimmyt302
in Microsoft (Windows)

 Share

Recommended Posts

Proficient

jimmyt302

Posted
Posted

i have a server that is between the internet and my LAN. I was able to set up NAT and DHCP just fine. But I still have concerns about the "basic firewall" in routing and remote access. I tried to install Symantec Enterprise Firewall but it wouldn't install because my server is also the domain controller.

1.) is the basic firewall in routing and remote acess any good? does it really do the job or do i need more?

2.) i was wondering what my options are in respect to getting a very good firewall to work on my domain controller. i am thinking ISA 2000, but wasn't sure.

thanks for any help

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

You have your DC directly connected to the public net??

Dude - what the F_CK are you thinking?? Please tell me you are newb playing with your "FREE" version of 2k3 - or just some IT wannabe, cuz if your in the IT field as a career, you really need to be shot! ;)

Rising Star

ThaOddie

Posted
Posted (edited)
  [jon said:
,Jun 25 2004, 14:01] My DC is also directly connected to the public net?

In the situation you discribed...YES

Never ever use your DC as a firewall (at least not when it is connected directly to the internet). Why not?? Well if "they" find a way to hack your firewall they also have immediately have control over your domain as they can control your DC... try setting up something like this:

internet--->router--->firewall--->switch/hub--->LAN

Edited by ThaOddie
Rising Star

ThaOddie

Posted
Posted
  BudMan said:
You have your DC directly connected to the public net??

Dude - what the F_CK are you thinking?? Please tell me you are newb playing with your "FREE" version of 2k3 - or just some IT wannabe, cuz if your in the IT field as a career, you really need to be shot! ;)

Why do people always flame a person when he or she does something "wrong"??? Why not give this person some useful advice how he/she can prevent making the same mistake next time!!

When you ride your bike for the first time did you not fell on your face????

Grand Master

+BudMan MVC

Posted
  • MVC
Posted
  [jon said:
,Jun 25 2004, 07:01] My DC is also directly connected to the public net?

So do you want a prize?? How much common sense does it require to understand you would not want to put the server that auth's all your user accounts, stores all their passwords, etc... all of your GP settings, etc... directly connected to the public net?

Rising Star

ThaOddie

Posted
Posted
  BudMan said:
So do you want a prize?? How much common sense does it require to understand you would not want to put the server that auth's all your user accounts, stores all their passwords, etc... all of your GP settings, etc... directly connected to the public net?

You must be one hell of an IT-er with ALL that knowledge!!!!!

Grand Master

+BudMan MVC

Posted
  • MVC
Posted
  ThaOddie said:
You must be one hell of an IT-er with ALL that knowledge!!!!!

why yes I am - thanks for noticing :) You might want check your sense of humor - it seems you must of lost along the way.

Rising Star

ThaOddie

Posted
Posted
  BudMan said:
why yes I am - thanks for noticing :) You might want check your sense of humor - it seems you must of lost along the way.

So when you started out as an IT-er. Did you have all the knowledge all at once??

Did you not had to learn certain things or find out yourself??

I'm a system administrator myself so no I don't have a sence of humor!!

Grand Master

configure Veteran

Posted
  • Veteran
Posted
  ThaOddie said:
You must be one hell of an IT-er with ALL that knowledge!!!!!

You know.. he is right though. Don't *ever* leave a DC exposed to the public network :/

ThaOddie, I'm sure that BudMan is just playing around so don't take it seriously :)

Rising Star

ThaOddie

Posted
Posted
  configure said:
You know.. he is right though. Don't *ever* leave a DC exposed to the public network :/

ThaOddie, I'm sure that BudMan is just playing around so don't take it seriously :)

I know he's right...but instead of flaming the guy, he could just give him some good advice on to do it the right way. Well at least that's my opinion.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted
  ThaOddie said:
So when you started out as an IT-er. Did you have all the knowledge all at once??

Did you not had to learn certain things or find out yourself??

I'm a system administrator myself so no I don't have a sence of humor!!

I never said anything about knowing everything - where exactly did I say that?

Yes, my post might have been a harsh way to attempt to point out you should NOT use your DC as your firewall, etc..

  Quote
Offcourse not you nimwit...it's just as bogus as your download link biggrin.gif biggrin.gif

But really how is what I posted any different than your response to someone asking why a link doesn't work? ;)

Seem's quite harsh to me - the poor guy most likely spent all day looking up what nimwit means - and then feeling bad about, etc.. ;)

So when your kid attempts to put a fork into a AC outlet - I guess you would nicely explain to the 6 month old the correct use of the fork, and that inserting into the outlet can have harmful results, etc.. That fine and dandy for you - but some of us like to SMACK the fork out of the kids hand, and yell NO, BAD, etc..

To each their own ;)

Rising Star

ThaOddie

Posted
Posted
  BudMan said:
I never said anything about knowing everything - where exactly did I say that?

Yes, my post might have been a harsh way to attempt to point out you should NOT use your DC as your firewall, etc..

But really how is what I posted any different than your response to someone asking why a link doesn't work? ;)

Seem's quite harsh to me - the poor guy most likely spent all day looking up what nimwit means - and then feeling bad about, etc.. ;)

So when your kid attempts to put a fork into a AC outlet  - I guess you would nicely explain to the 6 month old the correct use of the fork, and that inserting into the outlet can have harmful results, etc..  That fine and dandy for you - but some of us like to SMACK the fork out of the kids hand, and yell NO, BAD, etc..

To each their own ;)

About that link the guy posted...He posted a bad link on purpose!!! So that's why I called him a nimwit...

and comparing a 6year old trying to plug a fork in an outlet with someone playing around with W2k3 firewall?????? come one please!!!

But this is starting to turn into a useless discussion instead of helping this guy in the first place.......so from me to you...OUT

Experienced

Billprozac

Posted
Posted

Often, DC's are exposed to the public internet especially when using Windows SBS. It doesn't mean that it is a good idea, but it happens. As far as installing ISA, it is not recommended to install on a DC (except when using SBS, of course). Simply put, at least have a NAT firewall like a router between your DC and the world. You can then install software firewall on the DC to further protect it.

Proficient

jimmyt302

Posted
  • Author
Posted

i am really disapointed with neowin after reading this tread

1.) no one is born knowing this server stuff, you have to learn it one way or anouther. and it's turly a shame that a few of you flame people for a simple question. these poeple are killing neowin

2.) stop thinking i am using "free" versions, i got a version of SBS from MICROSFOT in the mail, so there.

3.) i am just setting up my home network with only 5 computers

4.) and NO i'm not an IT PRO because i acutlly want a job when i get out of college, ha, i'm going to be a chemical engineer. i just do this computer stuff for fun and a hobby, and all of you pseudo-it pros that just hang out on neowin to make fun of people, need to get a life, seriously

but thanks for all the real replys everyone

Experienced

Billprozac

Posted
Posted

No problem, you just have to ignore some of the trigger happy flamers. Any ways, is this SBS 2000 or SBS 2003? If 2003, is it the standard or the premium(I think they call the beter one premium). I only ask because the standard does not come with ISA, but I think the other does.

Experienced

StevenNT

Posted
Posted

So much of MS being security conscious if they release SBS 2003 and they expect SBS users stick with pilling Exchange, ISA and maybe SQL on one box.

Bad idea I say and must put a severe load on the Server

Experienced

Billprozac

Posted
Posted

Actually, I have set many an SBS 2000 box, and they run great. For organizations with less than ~30 users, the machine runs well. You just have to put it on a halfway decent box and it will be OK. We used Dual Xeon 2.4 w/1GB ram and a 72GB RAID5 array (3x36GB) and the machine run like a champ. Of course most small businesses just use the Exchange, File Sharing, and ISA, but for them, why have three boxes (and thus three licenses for Windows) when you can do it all for one. Plus it is very cheap all things considered.

Grand Master

configure Veteran

Posted
  • Veteran
Posted
  Jun 26 2004 said:
i am really disapointed with neowin after reading this tread

1.) no one is born knowing this server stuff, you have to learn it one way or anouther. and it's turly a shame that a few of you flame people for a simple question. these poeple are killing neowin

2.) stop thinking i am using "free" versions, i got a version of SBS from MICROSFOT in the mail, so there.

3.) i am just setting up my home network with only 5 computers

4.) and NO i'm not an IT PRO because i acutlly want a job when i get out of college, ha, i'm going to be a chemical engineer. i just do this computer stuff for fun and a hobby, and all of you pseudo-it pros that just hang out on neowin to make fun of people, need to get a life, seriously

but thanks for all the real replys everyone

I'm sorry how this turned out, perhaps I should have moderate it better but hey, at least we've got something useful out of it, right? :)

Grand Master

configure Veteran

Posted
  • Veteran
Posted

Furthermore, the firewall in Routing and Remote Access can provide you with basic inbound/outbound packet filtering, which might be enough in a small business environment. If you are considering to purchase ISA 2000, I would suggest that you should check out ISA 2004, I have been to one of the seminar about it and it seems very promising (specially with the packet analyzing feature) :)

http://www.microsoft.com/isaserver/beta/default.asp

Grand Master

+BudMan MVC

Posted
  • MVC
Posted
  Jun 25 2004 said:
i am really disapointed with neowin after reading this tread

Great - that makes 2 of us - I was really disappointed after you started it ;)

You want to know what is killing neowin? It's the constant repeat questions, day after day - the same thing, over and over and over again!! How about doing a simple search? Here is 6 pages of discussion on 2k3 and firewalls - https://www.neowin.net/forum/index.php?show...hl=firewall+2k3

Took a whole 2 seconds to find -- let me see your using using 2k3, and want to know about firewalls - put the 2 words together!

There are many more threads on the subject! And you know what else - billions upon billions of pages worth of information on the net, if you can not seem to find the exact info your looking for on neowin, after reading through the threads you can find on the subject. Or better yet - if you could not find the info your looking, atleast ask the question in a way that will help others looking for information on the subject as well. Add to the existing discussion - expand on a point made in other threads, ask for people to go into more detail about whatever, etc... Don't jusk repeat the same question over and over again.

Another thing killing it is when people do not get the kiss your as_ hold your hand - doesn't your hair look nice too day response. They get all upset, and need counseling, and want mommy to kiss their booboo.

Dude you got called on doing a stupid thing / asking a stupid question - yes when it has been asked a thousand times before, and your too lazy or stupid to find the answer - its a stupid question!

And guess what - yes you are using a "FREE" freaking copy - you said you got in the mail from MS. You did not say you ordered it, or paid for it any way - guess what that = "FREE". Did I say you pirated a copy?? No I said I sure hope you were someone playing with a "FREE" copy - which you are, and not someone doing IT for a living. So stating the truth is now flaming??? :)

And BTW - was your "want a job" some attempt at a jab -- that people who work in IT don't have a real job??? Was it?? - so your killing neowin now too??? Some of us that actually do this for living might take offense!! Not everyone here is a "pseudo-it pros" -- some of actually do have a real job in the IT field ;)

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.