Re: Win 2003 integrated firewall enough?

From: Herb Martin (news_at_LearnQuick.com)
Date: 12/30/04


Date: Thu, 30 Dec 2004 12:48:41 -0600


"Jéjé" <willgart@BBBhotmailAAA.com> wrote in message
news:efiB96p7EHA.2124@TK2MSFTNGP14.phx.gbl...
> Hi,
>
> I want to know if the Win 2003 server integrated firewall is enough to
> protect a standalone web server.

No, nothing is "enough". Firewalls never provide
(permanent) protection -- they slow down and limit
attacks to certain ports, addresses or other specifics.

The above may (at first) seem pedantic but it is a key
psychological approach to understanding firewalls
and securing systems.

Firewalls, by design, focus and control, i.e., slow down,
attacks; they do not prevent them.

How safe do you wish to be?

The built-in firewall offers virtually no extra security
over just not running unnecessary services or using the
already built-in (to Win2000) IPSec filters.

> This server will be configured to authorize Remote desktop access (for
> remote administration) + VPN access to access other resources on the
> computer.

The firewall can help or you could just BLOCK
all connections on other ports with IPSec filters.

Then you might want to consider filtering the source
or even content of messages on the OPEN ports, i.e.,
VPN and HTTP.

> For the moment this server is behind my ISA Server and I use some web and
> server publishing rules to allow external users to access it.

Now we are talking defense in depth.

Your real danger now is those messages you CHOOSE to
let into your network and server....

IISLockdown tool can help.

Other content filters (on the ISA or the server) might also
be worthwhile.

Remember your virus and other protections.

-- 
Herb Martin
>
> thanks for your feedback.
>
> Jerome.
>
>
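
The reply above suggests blocking every port except the ones deliberately opened by using IPSec filters. As an added example (not part of the original thread), this is one way to build such a policy on Windows Server 2003 with `netsh ipsec static`. The policy, filter list and action names are made up for illustration, and PPTP is assumed for the VPN, since the thread does not say which VPN protocol is used.

```bat
@echo off
rem Added example, not from the original post. All names below are hypothetical.
rem Assumption: the VPN is PPTP (TCP 1723 plus GRE, IP protocol 47).
rem The policy is created UNASSIGNED so it can be reviewed before it takes effect;
rem assigning a wrong policy over Remote Desktop can lock you out of the server.
set POL=WebServerLockdown

netsh ipsec static add policy name=%POL% description="Default block, permit HTTP, RDP, PPTP" assign=no

rem Two filter actions: drop the packet, or pass it without negotiating security.
netsh ipsec static add filteraction name=BlockAll action=block
netsh ipsec static add filteraction name=PermitClear action=permit

rem Filter list 1: all IP traffic to or from this host (the least specific match).
rem Because it is mirrored, it also blocks connections the server itself starts
rem (DNS lookups, updates); add permit filters for those if they are needed.
netsh ipsec static add filterlist name=AllTraffic
netsh ipsec static add filter filterlist=AllTraffic srcaddr=any dstaddr=me protocol=any mirrored=yes

rem Filter list 2: the ports that are deliberately left open.
rem More specific filters take precedence over the catch-all block filter.
netsh ipsec static add filterlist name=OpenPorts
netsh ipsec static add filter filterlist=OpenPorts srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes description="HTTP"
netsh ipsec static add filter filterlist=OpenPorts srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes description="Remote Desktop"
netsh ipsec static add filter filterlist=OpenPorts srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=1723 mirrored=yes description="PPTP control"
netsh ipsec static add filter filterlist=OpenPorts srcaddr=any dstaddr=me protocol=47 mirrored=yes description="PPTP GRE"

rem Bind each filter list to its action inside the policy.
netsh ipsec static add rule name=BlockEverything policy=%POL% filterlist=AllTraffic filteraction=BlockAll
netsh ipsec static add rule name=PermitOpenPorts policy=%POL% filterlist=OpenPorts filteraction=PermitClear

rem Review the result before turning it on.
netsh ipsec static show policy name=%POL% level=verbose

rem Assign from the console (not over RDP) once the listing looks right:
rem netsh ipsec static set policy name=%POL% assign=y
```

Replacing `srcaddr=any` on the Remote Desktop and PPTP filters with the administrators' own addresses is the "filtering the source" step mentioned in the reply.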