Security Basics mailing list archives
RE: Securing a Win2k DNS server outside firewall...
From: "VNV Jeep" <vnvjeep () hotmail com>
Date: Fri, 06 Jun 2003 17:35:32 -0400
Dave! Thanks very much! You are the man! This was exactly what I was looking for. I do have my web/ftp/mail servers set up in a similar fashion... the DNS was the one troubling me with those protocols other than 53. Thanks again.
Take care, Mike
If all it is a DNS server then:

Go to Network Properties;
Properties of the NIC you are protecting;
Leave only TCP/IP selected;
Highlight TCP/IP and Select properties;
Select advanced;
Select the WINS tab;
Select Disable NetBIOS over TCP/IP;
Select Options;
Select TCP/IP Filtering Properties;
Select Enable TCP/IP Filtering for All Adapters;
Select Permit Only in all three boxes;

TCP add 53,1026,1027,1028,1029
UDP add 53,1026,1027,1028,1029
IP Proto add 6

Reboot and that is it.

You can verify it in Regedt32 by looking under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000} (the external interface)

RawIPAllowedProtocols:REG_MULTI-SZ:6
TCPAllowedPorts:REG_MULTI-SZ:53,1026,1027,1028,1029
UDPAllowedPorts:REG_MULTI-SZ:53,1026,1027,1028,1029

Now everyone is going to start bitching about what are the UDP ports for 1026 etc...... the answer is, I do not know but by playing around with this, it is the configuration I got to work. I have 3 DNS servers running in this configuration.

Also you can add 20,21 and 80,443 and IIS and FTP can run on them.

Dave
_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net
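An added example, not part of the original thread: a Python check that compares the three filter lists named in the message above against the intended allow-list, so drift on an exposed interface is caught after later changes. It assumes the interface key was exported as text with reg query on a current Windows version (type shown as REG_MULTI_SZ, entries separated by \0); the sample export, including the extra port 80 and the 0 entry, is constructed.

```python
import re

# Intended allow-list, taken from the message above.
EXPECTED = {
    "TCPAllowedPorts": {"53", "1026", "1027", "1028", "1029"},
    "UDPAllowedPorts": {"53", "1026", "1027", "1028", "1029"},
    "RawIPAllowedProtocols": {"6"},
}

# Constructed sample of `reg query` text output (assumed format).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000}
    RawIPAllowedProtocols    REG_MULTI_SZ    6
    TCPAllowedPorts    REG_MULTI_SZ    53\01026\01027\01028\01029\080
    UDPAllowedPorts    REG_MULTI_SZ    0
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_MULTI_SZ\s*(.*)$")


def parse_filters(text):
    """Return {interface_key: {value_name: set_of_entries}}."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = result.setdefault(line.strip(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None and m.group(1) in EXPECTED:
            # Multi-string entries are separated by a literal backslash-zero.
            current[m.group(1)] = {e for e in m.group(2).strip().split("\\0") if e}
    return result


def audit(text):
    """Return (interface_key, value_name, problem) for every deviation."""
    findings = []
    for key, values in parse_filters(text).items():
        for name, want in EXPECTED.items():
            got = values.get(name)
            if got is None:
                findings.append((key, name, "missing: no filter list set"))
            elif got == {"0"}:
                # A single 0 entry is the "permit all" setting for that list.
                findings.append((key, name, "permit-all: single entry 0"))
            elif got != want:
                findings.append((key, name, "drift: extra=%s missing=%s"
                                 % (sorted(got - want), sorted(want - got))))
    return findings
```

Calling audit() on the text of a real export returns an empty list when the interface matches the allow-list exactly.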
