
Configuring 2k3 server

anderground    0

well, that PC Tools firewall doesn't make any problem, and the built-in Win firewall on the server doesn't have outbound control..

and it showed pretty bad results on every fw test, actually almost as if there's no fw at all.

how did you know it was ports 67 and 68 and not that it was UDP vs TCP?

I'm afraid I haven't understood this question :huh:

+BudMan    3,446

"win firewall on the server doesn't have outbound control"

So -- :rolleyes: Why should a server need outbound application control?? For that matter what would a client need of it??

What are you running that you would need to prevent it from accessing the network??? This logic is flawed from the get go.. Hint #1 if you don't want something using the network, don't run it! ;) For the life of me I can not think of one legit instance you would need to prevent something from accessing the network but still trust it enough to run it anyway. What tests did the built in firewall show bad results on?

If you don't want users running something on their clients, then prevent that -- if you don't want them using specific protocols outside of your network - then prevent that at the gateway, etc. Or prevent it on the machines with inbound controls blocking the traffic on the port it uses.

it's clear the PC Tools firewall is making a problem -- since your dhcp server is not working ;)

My question about udp and tcp is where did you find out that dhcp uses ports 67 and 68 but did not learn that it uses UDP not TCP??

Also as sc302 pointed out -- why should your server or even client need any software firewall - since you're on a private secured network?? Do you have hostile machines that enter your network? Does your server leave your network often and join hostile networks?? I can see a software firewall on a laptop that leaves your secured network and may join some other network where you would want to allow say file sharing access on your network, but block it when off your network.

sc302    1,722

I don't think you fully grasp what it is that you are trying to do. Let me break it down by asking you simple questions....

What is it exactly that you are trying to block?

What are you trying to stop from happening?

What is your reasoning for thinking that you need a software firewall on a network?

I can assure you with all of the problems and troubleshooting involved with getting apps to work, software firewalls are not enabled on any of my networks.

+BudMan    3,446

I'm all ears as to what his answers are to those questions!!

Since the answers to the first 2 basic questions you NEED to understand to correctly configure a software firewall in the first place ;)

He seems clear he needs outbound control in his firewall -- to prevent WHAT exactly?? What software is running on your server that you do not want to be able to talk on the network - and need some 3rd party tool to block it?? If you can not name one -- then you have no need of outbound control... So I am waiting to hear what this software is.

anderground    0

well I don't think my server (as any other computer in the world) will be immune to malicious software.

if my client for example gets infected with a trojan and has no software firewall, the win firewall on the server wouldn't be able to stop such traffic.

edit:

I don't think my client firewall makes any problem.

it is turned on all the time, but if the win server fw is turned on (without adding udp dhcp exclusions) there's no dhcp service.

if I turn the win fw off, dhcp is there.

I tried to turn the PC Tools fw off, but it had no influence on dhcp (dhcp again works if the win fw is turned off, and doesn't work if the win fw is turned on)

sc302    1,722

lolololololololol

did i mention

lolololololololol

in case i forgot to mention

lolololololololol

in other words, what you are trying to do is nearly impossible. Certain ports need to communicate on your network, a software firewall is going to block ports from opening on your pc (that is a given), what is going to stop software from communicating on necessary ports for normal network communication? Nothing. Nothing at all.

You don't want to get infected, don't go out to sites that will get you infected. You don't know how to stop yourself or the users on your site, get familiar with proxies and/or content filters.

All software firewalls do is stop communication on all ports but approved ports/ip subnets/etc. They are not designed to stop you from infecting your computer with stupid. Ok you infect your computer, don't you think you should fix the infected computer instead of giving it access to the network in a limp mode? You download a word macro virus, do you think a software firewall is going to protect your files from that? You download a worm, do you think your software firewall is going to protect you from that? Sure maybe a common spyware app won't be able to get out, but your machine is still infected with that spyware crap. Do you know how many times my servers have been infected with viruses in my years of not having a software firewall installed, none (not even when Conficker was roaming around my networks, not even when Blaster was running around). Do you think spyware that some pc's get infected with migrates to other pcs on the network, no they don't.

Here is my biggest piece of advice to you:

Do not use the server as a pc. Do not use the server to casually browse the internet. Do not use the server to "get apps" (you know damn well what I mean). The server is a tool to add/remove accounts, set up shares, get updates with, and go to legitimate server/IT related sites. A production server is not your desktop, your pc to do anything that you want on, or a pc to "test apps" with.

I sometimes wish that MS never made the interface so windows like as it is too tempting to do what you want on it and go where ever you would like. I think that is why in 2008 server that it is optional to have the gui installed, so that it can be this (a server that is just there to serve not work on as a workstation).

majortom1981    241

Your best bet to protect your server is having a WSUS server installed and using group policy to lock your users down. Also make sure you have an antivirus running. No software firewall needed on the machines.

anderground    0

Certain ports need to communicate on your network, a software firewall is going to block ports from opening on your pc (that is a given), what is going to stop software from communicating on necessary ports for normal network communication? Nothing. Nothing at all.

I think any decent firewall is able to recognize local traffic, so I hope internal network communication won't be stopped.

even if so I'll put the exception in the fw.

You don't want to get infected, don't go out to sites that will get you infected.

I couldn't be sitting above 20 people in 3 different locations at the same time. I can't restrict them from surfing all kinds of sites and downloading all kinds of files.

1. it's their job

2. I would get into a conflict with them (I already was)

They are not designed to stop you from infecting your computer with stupid.

of course I know it, but a software firewall saved my ass several times by not allowing a trojan to multiply damage by downloading more malware to the machine. sometimes that could be the difference between just removing a trojan or formatting the whole drive.

Ok you infect your computer, don't you think you should fix the infected computer instead of giving it access to the network in a limp mode?

of course, but the fw gives me the time to discover the problem and to remove the trojan with minimum damage.

You download a word macro virus, do you think a software firewall is going to protect your files from that? You download a worm, do you think your software firewall is going to protect you from that?

no I don't expect the fw to be av. I'm talking just about trojans which are to my knowledge the most widespread malware today.

Do not use the server as a pc. Do not use the server to casually browse the internet. Do not use the server to "get apps" (you know damn well what I mean). The server is a tool to add/remove accounts, setup shares, get updates with, and go to legitimate server/IT related sites. A production server is not your desktop, your pc to do anything that you want on, or a pc to "test apps" with.

absolutely understood.

I don't intend to use the server for any of those purposes.

I just want some extra protection for client machines.

majortom1981    241

I think any decent firewall is able to recognize local traffic, so I hope internal network communication won't be stopped.

even if so I'll put the exception in the fw.

I couldn't be sitting above 20 people in 3 different locations at the same time. I can't restrict them from surfing all kinds of sites and downloading all kinds of files.

1. it's their job

2. I would get into a conflict with them (I already was)

of course I know it, but a software firewall saved my ass several times by not allowing a trojan to multiply damage by downloading more malware to the machine. sometimes that could be the difference between just removing a trojan or formatting the whole drive.

of course, but the fw gives me the time to discover the problem and to remove the trojan with minimum damage.

no I don't expect the fw to be av. I'm talking just about trojans which are to my knowledge the most widespread malware today.

absolutely understood.

I don't intend to use the server for any of those purposes.

I just want some extra protection for client machines.

You don't want an outbound firewall on your server. It's a pain in the butt finding all the ports that a domain controller uses. Some services don't have one port but a range of ports that the server uses randomly. If you really want to do it go ahead but it's not worth it.

anderground    0

anyway, I don't understand why you strike the client fw, even though it didn't cause this problem. :rolleyes:

I established that the problem was with the built-in fw on 2k3.

You don't want an outbound firewall on your server.

well I haven't said I want an outbound fw on the server.

I have the win fw on it.

I'm planning to have outbound fw's on the clients (for the mentioned reasons).

anderground    0

one more thing (question)

according to some fw test sites (matousec, pcflank etc) ports can be open, closed and stealth.

now the built-in xp firewall got the worst grades even for inbound protection (if I remember correctly it just closes ports, not making them stealth)

+BudMan    3,446

What rule did you setup on the windows firewall??

When you set up the exception on the windows firewall for dhcp - what did you set up as the scope? You need to allow all computers, even internet -- since when a client asks for an ip it's going to be coming from 0.0.0.0 not an IP on the current network.

http://technet.microsoft.com/en-us/library/cc755393%28WS.10%29.aspx

When you create a Windows Firewall exception for the DHCP protocol on a DHCP server, you must set the scope for the exception to Any computer including those on the Internet. If you leave it set to My network (subnet) only, all inbound DHCP Discover packets from client computers are dropped because the IP address of the packet is 0.0.0.0, which is not recognized by the computer as being part of the local subnet. This causes the DHCP process to fail and clients do not receive IP addresses.

I'm just not in the mood to get into that whole stealth nonsense -- but your server is BEHIND A NAT ROUTER!!! So to the internet all your ports will be "stealth" :rolleyes: unless you have created forwards.

anderground    0

When you create a Windows Firewall exception for the DHCP protocol on a DHCP server, you must set the scope for the exception to Any computer including those on the Internet.

already done, for all 4 dhcp exceptions (67,68 tcp + 67,68 udp) ;)

sc302    1,722

I think any decent firewall is able to recognize local traffic, so I hope internal network communication won't be stopped.

even if so I'll put the exception in the fw.

What's the point of the software firewall then, you are already behind a firewall with your router (or did you not know that).

I couldn't be sitting above 20 people in 3 different locations at the same time. I can't restrict them from surfing all kinds of sites and downloading all kinds of files.

1. it's their job

2. I would get into a conflict with them (I already was)

of course I know it, but a software firewall saved my ass several times by not allowing a trojan to multiply damage by downloading more malware to the machine. sometimes that could be the difference between just removing a trojan or formatting the whole drive.

O_o, really??? There are categories that you can restrict, they don't need to be restricted from everything. The category of malware is a good one to restrict. The category of spam is a good one to restrict. The category of advertisements is a good one to restrict. It isn't their job to be surfing malware infected sites, it isn't their job to be surfing spamming sites, it isn't their job (unless they are in advertising, and you can make a rule for that group if it is an active directory integrated web filter) to be going into advertisements. There are many other categories that you can check or uncheck. You aren't restricting the whole internet, just the known stupid crap. trojans don't jump from machine to machine, they get installed by going to infected sites or clicking in bad mail messages that link to bad sites. Just so much failure to understand right here is incredible.

of course, but the fw gives me the time to discover the problem and to remove the trojan with minimum damage.

no I don't expect the fw to be av. I'm talking just about trojans which are to my knowledge the most widespread malware today.

No it doesn't, the machine is infected causing issues to the end user(s). Properly setting up your network so it limits its exposure is wiser. Having a device that monitors infections and alerts you is better. Having a software firewall is not a fix to the problem.

Here is a live demo to a content filter that is active directory integrated

http://webfilter.barracuda.com/cgi-mod/index.cgi?locale=en_US

username: guest

password: webfilter

go to the block/accept tab. Look at the categories that it can block. These are typical for most webfilters, even the free ones. Under the block/accept tab go to Exceptions. Look at the rules you can set, for instance the top rule gives a user access to look at sports related sites during their lunch hour, unauthenticated users get blocked internet access, etc. it is very very granular. If you noticed the custom categories on the main categories page, hr has a custom category that allows access to monster.com and several other job finding sites. There is so much you can do with this other than blocking everyone from accessing everything on the internet.

This is always a pay-for service with any content filter but if you notice on the basic status page of the webfilter, it tells me which pc's are infected with what, and if you pay even closer attention you will see that some of them are communicating on port 80 which you can't block with any firewall or you are blocking all access to the internet because every webpage in the world, at least http, communicates on port 80. While not foolproof, neither is a software firewall as I believe I have pointed out, a content filter is a good tool to have in your fight of trying to keep your network clean. After all, if they can't get to the site to download crapware on their computers it isn't going to get installed on their computers.

A software firewall is never an option in my networks. I have other things in place that do a better job than a software firewall. I don't get cockblocked internally with applications, I don't need to find workarounds for when there is an update pushed to the software firewall that stops communication to webmail or downloads (oh yes this has happened to me with those pos programs and a main reason that they don't exist on my networks). I run a remote control app called DameWare which gets blocked by the ms firewall, sure I can add an exception for it, but it is easier for me to just disable the stupid crap from the get go so that I can administer the network as I see fit. I don't need stupid crap on pc's telling me that I can't do something because I don't have access, it gets very annoying very quickly. On top of that if you have a really good switch you can block ports at the switch level, you can also see what the computers are doing vs a dumb switch that just passes traffic along.

Top free ones are pfsense and untangle.

http://www.pfsense.com/

http://www.untangle.com/

+BudMan    3,446

What part of dhcp does not use TCP did you not understand??

To be honest you don't even need to allow 68 because that will never be used inbound to the server

Perfect example of saying you need a firewall - and then not even understanding the protocols you want to block or allow. Which is what causes users all the trouble in the first place, not understanding the basics of what a firewall does.. If they did -- then sure they could make great use of them even on a private network.. You could always be more secure and only allow for the "specific" traffic from the "specific" machines you want to allow.. But since you're behind a firewall already, and it seems you don't understand how to correctly configure even the most basic firewall, a software one is going to pretty much suck up cpu and cause you grief and not provide one ounce of actual protection.

67 is used by the client to send to the server as the destination port, 68 will be the source port.. (discovery)

So when the server answers back it will be sourced from 67 going to 68 -- this is outbound and the 2k3 firewall will not block this. (offer)

client then talks back to server again from source 68 to dest 67 to server which will be inbound traffic (request)

Server then talks back to client to 68 outbound from the server from 67 source (ack)

So that rule you posted is pointless, what does the scope say on the 67 udp exception?

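The four-message exchange BudMan walks through above, as an added example (not code from the thread or from Microsoft): a small Python model of the DISCOVER/OFFER/REQUEST/ACK datagrams with their RFC 2131 ports, plus a constructed model of how a per-port exception on the 2k3 firewall treats them. It shows why the TCP exceptions never match, why nothing inbound to the server ever targets port 68, and why a scope of "my network (subnet) only" drops the DISCOVER coming from 0.0.0.0. The server address 192.168.1.1, the client address and MAC, and the "ANY"/"SUBNET" labels (standing for the two scope choices quoted from TechNet earlier in the thread) are assumptions.

```python
"""Constructed model of the DHCP DISCOVER/OFFER/REQUEST/ACK exchange as a
Windows Server 2003 DHCP server's firewall sees it: replies leaving the server
are not filtered, and an inbound exception's scope is checked against the
datagram's source IP, which is 0.0.0.0 for a client with no lease yet."""
import ipaddress
import struct
from dataclasses import dataclass

DHCP_SERVER_PORT = 67        # destination port of everything the client sends
DHCP_CLIENT_PORT = 68        # destination port of everything the server sends
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

@dataclass(frozen=True)
class FirewallRule:
    """One 2k3 'port exception' (assumed model): protocol, port and scope."""
    proto: str   # "UDP" or "TCP"
    port: int
    scope: str   # "ANY" = any computer incl. the Internet, "SUBNET" = my network only

def build_dhcp(msg_type, xid, chaddr, yiaddr="0.0.0.0"):
    """Minimal BOOTP/DHCP payload: 236-byte fixed header, magic cookie, option 53, end."""
    op = 1 if msg_type in (1, 3) else 2   # BOOTREQUEST from client, BOOTREPLY from server
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0x8000,      # htype=Ethernet, hlen=6, broadcast flag set
        b"\0" * 4, ipaddress.ip_address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

def parse_msg_type(payload):
    """Walk the options field and return the DHCP message type name."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53:
            return MSG_TYPES[payload[i + 2]]
        i += 2 + length
    raise ValueError("no message type option")

def dora(server_ip, offered_ip, client_mac, xid=0x3903F326):
    """The four datagrams of a first lease, with the RFC 2131 ports and addresses."""
    unset, bcast = "0.0.0.0", "255.255.255.255"
    return [  # (src_ip, src_port, dst_ip, dst_port, payload)
        Datagram(unset, DHCP_CLIENT_PORT, bcast, DHCP_SERVER_PORT, build_dhcp(1, xid, client_mac)),
        Datagram(server_ip, DHCP_SERVER_PORT, bcast, DHCP_CLIENT_PORT, build_dhcp(2, xid, client_mac, offered_ip)),
        Datagram(unset, DHCP_CLIENT_PORT, bcast, DHCP_SERVER_PORT, build_dhcp(3, xid, client_mac)),
        Datagram(server_ip, DHCP_SERVER_PORT, bcast, DHCP_CLIENT_PORT, build_dhcp(5, xid, client_mac, offered_ip)),
    ]

def server_verdict(dg, server_ip, server_net, rules):
    """'outbound' (never filtered), 'allowed' or 'dropped' for one datagram at the server."""
    if dg.src_ip == server_ip:
        return "outbound"
    for r in rules:
        if r.proto == "UDP" and r.port == dg.dst_port:     # a TCP exception never matches
            if r.scope == "ANY":
                return "allowed"
            on_subnet = ipaddress.ip_address(dg.src_ip) in ipaddress.ip_network(server_net)
            return "allowed" if on_subnet else "dropped"   # 0.0.0.0 is never on the subnet
    return "dropped"

def simulate(rules, server_ip="192.168.1.1", server_net="192.168.1.0/24"):
    """Verdict for each DORA message under the given exceptions (constructed addresses)."""
    exchange = dora(server_ip, "192.168.1.10", b"\x00\x11\x22\x33\x44\x55")
    return {parse_msg_type(dg.payload): server_verdict(dg, server_ip, server_net, rules)
            for dg in exchange}
```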
anderground    0

hi

this Barracuda is a really outstanding device, but as I said I'm completely new to server based networks and I'm trying to comprehend the basic concepts.

for starters my goal is to be able to maintain a network with more than 10 clients.

now I'm working on 3 small p2p networks, where devices like Barracuda cannot be implemented, but one day it might be really necessary.

I have Comodo fw's on all workstations. the best advice I could give to my colleagues regarding the fw is, if the firewall asks anything and you can't recognize the app, hit block but uncheck the "don't ask again" option, so if something goes wrong we can just restart the machine.

I didn't have any significant problem with fw's over several years on p2p networks.

I've got some basic filtering by using SpywareBlaster and Spybot's immunize (hosts file) feature.

anyway, my colleagues are mainly artists, and those people are very sensitive to restrictions.

I already had a conflict with some of them because of restricting some protocols.

yes there were viruses in my small networks but mostly spread by usb sticks which were infected god knows where.

last time it happened when our av didn't recognize a trojan from a usb stick, which then spread to several other pc's (again through sticks).

then I changed the av app, and the new one (I wouldn't advertise but it is BitDefender) successfully cleaned all machines and I'm so far very satisfied with it.

as you can suppose, I'm using the simplest switches without any control functions.

I'm just downloading Untangle.. can't completely understand what it exactly does, but I'll see.

-----------------------------------------------------------------------------------

weird thing, I cannot separate my replies, all go in one :blink:

What part of dhcp does not use TCP did you not understand??

ok, I have deleted those TCP exceptions :)

.. what does the scope say on the 67 udp exception?

sorry, I haven't understood this question :huh:

-----------------------------------------------------------------------------

again, cannot separate :blink:

could someone explain the following:

I set the scope lease duration on the server to be 1 day (in dhcp config).

today I turned the client machine ON, while the server was OFF.

so there was no dhcp and no dns server working.

to my surprise I had a valid ip address (.10) and I had an internet connection.

I went on a couple of sites where I was yesterday (google, yahoo ..) so I guess I was able to go there because of the DNS cache left on the client, but I don't understand how I could get the ip address without dhcp? is there some address "cache" as well.

however, then I turned the client off and when I turned it on a couple of hours later, my client didn't get the ip address (yellow mark).

now, I'm wondering which machine actually maintains the lease duration, server or client.

according to this "case", the client itself knows when the lease expires, and cancels its ip address by itself.

could someone explain the process?

thanks

sc302    1,722

How do you think crapware was loaded onto the usb stick? Someone's machine got infected with something by downloading some crap. IMO no one in the office should be using usb sticks to share data, that is what shares on the server are for. Much faster doing it that way too. You should consider disabling the usbs until they learn to give you rogue usbs to be scanned on an isolated pc. You don't need that crap entering your network. Complaining about blocked ports, eh? Kind of funny don't you think with what we are talking about and removing that crap.

could someone explain the following:

I set the scope lease duration on the server to be 1 day (in dhcp config).

today I turned the client machine ON, while the server was OFF.

so there was no dhcp and no dns server working.

to my surprise I had a valid ip address (.10) and I had an internet connection.

I went on a couple of sites where I was yesterday (google, yahoo ..) so I guess I was able to go there because of the DNS cache left on the client, but I don't understand how I could get the ip address without dhcp? is there some ip "cache" as well.

however, then I turned the client off and when I turned it on a couple of hours later, my client didn't get the ip address (yellow mark).

now, I'm wondering which machine actually maintains the lease duration, server or client.

according to this "case", the client itself knows when the lease expires, and cancels its ip address by itself.

could someone explain the process?

thanks

If the server is off and it is the only dns server in the dns servers on tcpip, then it should not be able to go out to any site. If you have cold booted your computer it would not get a dhcp'd address as the address does not get stored on the nic. Something else is going on with your network, or your server wasn't turned off.

Untangle can turn a computer into a firewall/content filter, if you only have 1 nic in it you will have to set it up in some sort of proxy mode vs a pass through mode (2 nics required). I believe the proper term for a 1 nic setup in untangle is re-router.

anderground    0

well, most of them carry stuff to their homes to work on it ... :alien:

sc302    1,722

they should connect through the terminal server at work. home computers and home networks are for home. you don't support their home pcs do you? their pc's and anything from their pc's shouldn't enter a clean network. this poses problems (as you have seen). You don't have to be the network nazi, but I believe it is your responsibility to say something to the effect that if you want this business running smoothly this needs to stop happening. either that or the business needs to provide clean computers for people to work on and these computers need to get locked down hard to where they can do their work but that is it. Your job is to give them a good working environment, their job is to use a good working environment. Their job is not to fk up everyone else's good working environment and to help accomplish that restrictions need to be put into place (and I am not saying that they can't have access to everything, just certain things that can cause issues need to be restricted). BTW, it is easier to lift a restriction a little bit than it is to remove spyware or format machines once a week to once a month.

anderground    0

they should connect through the terminal server at work. home computers and home networks are for home.

you're right, but it's about p2p networks, so no servers there.

I'm trying to get familiar with server networks because on one of the locations I already have 10 lan connections (including 1 network printer), so any new device in the net would require rearranging the whole network.

sc302    1,722

so they are torrenting?

if you thought about it enough, you could restrict them to the point where they can work and not be affected in a negative way. we can help if the right questions are asked or even if diagrams were made up.

anderground    0

You don't have to be the network nazi

Their job is not to fk up everyone elses good working environment

:D

sc302    1,722

btw i fully understand being new. don't dismiss what we say on a whim. we are saying what we say for a reason and to help you. we do not wish ill will on your networks.

anderground    0

so they are torrenting?

lol that was one of the issues. :yes:

but we have an agreement that whatever they download they won't open on their machines.

anderground    0

I'm going to make a little test.

I will turn both comps (server and client) off, then I will start just the client machine to see if I will have a valid ip address and internet.
