The Old Joel on Software Forum: Part 3 (of 5) - Preparing a server for connection to the wild

Preparing a server for connection to the wild

Hi, I've got a Dell Poweredge server on order that I'm going to colocate at an ISP's data centre.

What concerns me is that I'm not an MCSE or equivalent (although I have a friend who is) and I'm not sure I (or we) are going to be able to harden it appropriately.

Will I need to also buy a dedicated irewall or will ISA Server (I'm told this is what I need) be enough?

Can anyone point me in the right direction of any documentation that describes these things? Or have any other recommendations?

I'm probably going to go with 2000 as it's what I know or should I be looking at 2003?

Gwyn
Wednesday, October 8, 2003

Talk to the ISP you'll be doing the colo at. They should have some rules and regulations about what you're allowed to put into their datacenter. Apart from that, they should also provide the service of helping you configure the server to fit into their environment. Maybe they already provide some kind of firewall or whatnot services as part of the deal. They might even have some automated test to check that your server's configuration if acceptable.

If they'll just let you pop any old server into there datacenter, think again about doing business with them; all your "neighbors" will be amateruishly adminstered machines that will start going crazy come the next Windows worm/virus/breakdown.

Of course, the basic common sense don't-leave-any-services-you-don't-need-open type of advice also applies.

-tim

a2800276
Wednesday, October 8, 2003

Get a hardware firewall. My biggest issue with software firewalls is trying to wrap my brain around separating the firewall activity from the network activity on the same machine. With a hardware firewall you have an intuitive split and (IMHO) it's easier to figure out what's "inbound" when.

In addition, make sure the hardware firewall runs on a different OS than your server and you've added a layer of security.

Philo

Philo
Wednesday, October 8, 2003

ISA server does a pretty good job, our mail server has been attached via it for the last two years and no problems yet.
However we only have port 25 as an incoming port (plus dns etc) so we look like a pretty low profile to the outside world.
My personal view is that for a web server to go with a hardware box as well. That way you setup so that remote control (i.e. terminal services) is only allowed via a VPN or from a specified IP (if you have a static IP line from your office) The boxes are SOooo cheap the peace of mind is well worth while.

Peter Ibbotson
Wednesday, October 8, 2003

+1 on the hardware firewall. It may cost more to take up that extra 1U, but they usually come with a very easy to use web interface, which makes up for it in time savings.

Scot
Wednesday, October 8, 2003

Microsoft has a whitepaper on how to secure boxes that will be public facing. Most of that information applies to Windows 2000, and only partially applies to Windows 2003 (because of the way it's a little better locked down to start, and because of IIS changes between the two OSes).

It's worth tracking down. I just looked for the URL, but I don't have it handy. You might try to Google for it.

Brad Wilson (dotnetguy.techieswithcats.com)
Wednesday, October 8, 2003

You most definitely want to spend some time reading up on this subject.

Opening up a server to wild without some real knowledge is like jumping into the pool, and not checking if there is any water!

There is a zillion services that get enabled by default when setting up a web server. Stuff like NNTP (newsgroup servers), FTP etc. I don’t know of a check list, but I certainly do know that you want someone with good knowledge (or a good document) as to what to disable and turn off.

There is also some great tips at:

http://grc.com/default.htm

Albert D. Kallal
Edmonton, Alberta Canada
kallal@msn.com
http://www.attcanada.net/~kallal.msn

Albert D. Kallal
Wednesday, October 8, 2003

Make sure you also spend some time coming up with plan for what to do if the box gets comprimised.

Once you get the box locked down be sure to make a backup so you don't have to go through the process of locking it down all over againif you need to reinstall the OS. If your hardware config supports it, consider using some tool like Ghost to create an image of the boot partition so your restore is less painful.

Steve H
Wednesday, October 8, 2003

If you go with W2K (nothing wrong with it) - Get the IIS Lock Down tool which helps you disable all the unnecessary services quickly and get the Baseline Security Analyzer which ensures you have all the latest patches.

DJ
Wednesday, October 8, 2003

Little known fact is that 2000 has a firewall built in, although it's not advertised as such. It's part of IPSec. IPSec is normally about doing SSL-type security with any TCP/IP protocol - although you can ignore that feature for implementing a firewall with it.

http://www.google.com/search?q=Windows+2000+IPsec+firewall

It's kind of tricky to configure though. Windows Server 2003 has a much easier one built in -- just enable it from the properties of the network connection in Control Panel > Network Connections. You can then selectively enable what protocols to enable.

Now to administer your server remotely use the wonderful Terminal Services/Remote Desktop which is built in. The problem with this is that you need to enable incomin traffic to the Remote Desktop Protocol (aka "RDP" which is TCP port 3389), but with the 2003 built-in firewall AFAIK you can't restrict the IP addresses from which to accept incoming traffic to the RDP port... but you can with the tricky-to-configure IPSec, which you could use on Windows 2003 also, instead...

Duncan Smart
Wednesday, October 8, 2003

Duncan, the problem I had, trying to run ISA server on a single test box, was - when IIS is trying to talk to SQL Server (on the same box), is that an incoming connection? Outgoing connection? etc.
I found myself opening far more than I felt comfortable with just to get things working.

That's why I recommend a discrete box as a firewall.

Granted, it may have just been my idiocy at the time. YMMV.

Philo

Philo
Wednesday, October 8, 2003

Thanks for all your replies. It sounds like a hardware firewall is the way to go and I'll try and read up about the hardening at the suggested places.

Thanks

Gwyn
Thursday, October 9, 2003