Get pass the firewall

I've created a virtual machine (VMWARE 5.5) where the host machine is a DC
Windows 2003

(AD+DNS+DHCP) and the guest is just a normal Windows 2003.

I need someone could help or give some tips in what kind of rules i must
create in the windows
firewall of the host server so the guest machine can ping the host server
and put it in the domain.


[]'s
Ricky

This newsgroup only supports Microsoft Virtual Server. If your question
isn't answered by someone in here, then try
microsoft.public.windows.server.security

"Ricky" <(E-Mail Removed)> wrote in message
news:eo$(E-Mail Removed)...
> I've created a virtual machine (VMWARE 5.5) where the host machine is a DC
> Windows 2003
>
> (AD+DNS+DHCP) and the guest is just a normal Windows 2003.
>
> I need someone could help or give some tips in what kind of rules i must
> create in the windows
> firewall of the host server so the guest machine can ping the host server
> and put it in the domain.
>
>
> []'s
> Ricky
>

Normal practice is to run DCs on a LAN with the firewall disabled.
Firewalls are only required between the LAN and the outside world.

Ricky wrote:
> I've created a virtual machine (VMWARE 5.5) where the host machine is
> a DC Windows 2003
>
> (AD+DNS+DHCP) and the guest is just a normal Windows 2003.
>
> I need someone could help or give some tips in what kind of rules i
> must create in the windows
> firewall of the host server so the guest machine can ping the host
> server and put it in the domain.
>
>
> []'s
> Ricky

Colin,

Is there a FAQ that says that ONLY Virtual Server is supported, or that
ONLY Microsoft products are supported at the exclusion of every other
vendor in the world?

Nonsense. Ricky isn't bashing a Microsoft product or evangelizing
VMWare over Virtual Server. He's just stating a fact: he uses VMWare.
Period. And he isn't asking why he should use VMWare instead of Virtual
Server, or vice versa. His question is a basic Windows networking
question and deserves full attention.

Ricky, in the Windows Firewall of the host, you'll most likely only need
to enable the File & Printer Sharing exception to enable the guest
server to join the host domain, as well as the "allow incoming echo
request" ICMP entry (in Advanced tab) if you want to be able to ping the
host.

However, if that doesn't help, you can also try this KB article for
advanced configuration. It may answer your questions:
http://support.microsoft.com/default...b;en-us;179442

Yours,
Brad



_______________________________________________
Bradley J. Dinerman, MVP - Windows Server Networking
President, New England Information Security Group
http://www.neisg.org





Colin Barnhorst wrote:
> This newsgroup only supports Microsoft Virtual Server. If your question
> isn't answered by someone in here, then try
> microsoft.public.windows.server.security
>
> "Ricky" <(E-Mail Removed)> wrote in message
> news:eo$(E-Mail Removed)...
>> I've created a virtual machine (VMWARE 5.5) where the host machine is a DC
>> Windows 2003
>>
>> (AD+DNS+DHCP) and the guest is just a normal Windows 2003.
>>
>> I need someone could help or give some tips in what kind of rules i must
>> create in the windows
>> firewall of the host server so the guest machine can ping the host server
>> and put it in the domain.
>>
>>
>> []'s
>> Ricky
>>
>
>

To say that firewalls are only required between the LAN and the outside
world is a gross misunderstanding of the need for firewalls and will get
lots of people into big trouble. If this were truly the case, then
Microsoft would never have released Windows Firewall or made it
available on DCs.

Firewalls protect not only against the outside threat, but also against
the inside ones. What if a user runs malicious code, intentionally or
not, from his workstation? A firewall on a serer or workstation will
protect the device from that scenario. (Of course, the ideal situation
would be to have policies, procedures and other countermeasures in
place to protect against that, but that's another story entirely.)

I think that perhaps instead of writing "normal practice is to run DCs
on a LAN with the firewall disabled," perhaps we should write "COMMON
practice is to run..." Then we can separate high-security servers from
moderate-security or low-security ones.

-Brad



_______________________________________________
Bradley J. Dinerman, MVP - Windows Server Networking
President, New England Information Security Group
http://www.neisg.org





Bill Grant wrote:
> Normal practice is to run DCs on a LAN with the firewall disabled.
> Firewalls are only required between the LAN and the outside world.
>
> Ricky wrote:
>> I've created a virtual machine (VMWARE 5.5) where the host machine is
>> a DC Windows 2003
>>
>> (AD+DNS+DHCP) and the guest is just a normal Windows 2003.
>>
>> I need someone could help or give some tips in what kind of rules i
>> must create in the windows
>> firewall of the host server so the guest machine can ping the host
>> server and put it in the domain.
>>
>>
>> []'s
>> Ricky
>
>

It's a pretty fine distinction between "normal" and "common" practice,
but I take your point.

That said, most of the points you make are not really relevant in the
context of the original posting. We were talking about a fairly simple
network situation in which I would never consider running a firewall.

Bill Grant (also an MVP - Networking)

Brad Dinerman [MVP - Windows Server Networking] wrote:
> To say that firewalls are only required between the LAN and the
> outside world is a gross misunderstanding of the need for firewalls
> and will get lots of people into big trouble. If this were truly the
> case, then Microsoft would never have released Windows Firewall or
> made it available on DCs.
>
> Firewalls protect not only against the outside threat, but also
> against the inside ones. What if a user runs malicious code,
> intentionally or not, from his workstation? A firewall on a serer or
> workstation will protect the device from that scenario. (Of course,
> the ideal situation would be to have policies, procedures and other
> countermeasures in place to protect against that, but that's another
> story entirely.)
> I think that perhaps instead of writing "normal practice is to run DCs
> on a LAN with the firewall disabled," perhaps we should write "COMMON
> practice is to run..." Then we can separate high-security servers
> from moderate-security or low-security ones.
>
> -Brad
>
>
>
> _______________________________________________
> Bradley J. Dinerman, MVP - Windows Server Networking
> President, New England Information Security Group
> http://www.neisg.org
>
>
>
>
>
> Bill Grant wrote:
>> Normal practice is to run DCs on a LAN with the firewall
>> disabled. Firewalls are only required between the LAN and the
>> outside world. Ricky wrote:
>>> I've created a virtual machine (VMWARE 5.5) where the host machine
>>> is a DC Windows 2003
>>>
>>> (AD+DNS+DHCP) and the guest is just a normal Windows 2003.
>>>
>>> I need someone could help or give some tips in what kind of rules i
>>> must create in the windows
>>> firewall of the host server so the guest machine can ping the host
>>> server and put it in the domain.
>>>
>>>
>>> []'s
>>> Ricky

I wasn't referring to VMWare but to the fact that the question concerned
Windows firewall rules with 2003 host and guest. In other words it did not
sound like a VS issue.

"Brad Dinerman [MVP - Windows Server Networking]" <(E-Mail Removed)> wrote in
message news:%(E-Mail Removed)...
> Colin,
>
> Is there a FAQ that says that ONLY Virtual Server is supported, or that
> ONLY Microsoft products are supported at the exclusion of every other
> vendor in the world?
>
> Nonsense. Ricky isn't bashing a Microsoft product or evangelizing VMWare
> over Virtual Server. He's just stating a fact: he uses VMWare. Period.
> And he isn't asking why he should use VMWare instead of Virtual Server, or
> vice versa. His question is a basic Windows networking question and
> deserves full attention.
>
> Ricky, in the Windows Firewall of the host, you'll most likely only need
> to enable the File & Printer Sharing exception to enable the guest server
> to join the host domain, as well as the "allow incoming echo request" ICMP
> entry (in Advanced tab) if you want to be able to ping the host.
>
> However, if that doesn't help, you can also try this KB article for
> advanced configuration. It may answer your questions:
> http://support.microsoft.com/default...b;en-us;179442
>
> Yours,
> Brad
>
>
>
> _______________________________________________
> Bradley J. Dinerman, MVP - Windows Server Networking
> President, New England Information Security Group
> http://www.neisg.org
>
>
>
>
>
> Colin Barnhorst wrote:
>> This newsgroup only supports Microsoft Virtual Server. If your question
>> isn't answered by someone in here, then try
>> microsoft.public.windows.server.security
>>
>> "Ricky" <(E-Mail Removed)> wrote in message
>> news:eo$(E-Mail Removed)...
>>> I've created a virtual machine (VMWARE 5.5) where the host machine is a
>>> DC Windows 2003
>>>
>>> (AD+DNS+DHCP) and the guest is just a normal Windows 2003.
>>>
>>> I need someone could help or give some tips in what kind of rules i must
>>> create in the windows
>>> firewall of the host server so the guest machine can ping the host
>>> server and put it in the domain.
>>>
>>>
>>> []'s
>>> Ricky
>>>
>>

For what it's worth, I happen to agree with you. I also do not run a
firewall on my domain controller. But here is a user who does, and
assuming that he understands the implications of this, we need to find a
solution for him...

-Brad


_______________________________________________
Bradley J. Dinerman, MVP - Windows Server Networking
President, New England Information Security Group
http://www.neisg.org





Bill Grant wrote:
> It's a pretty fine distinction between "normal" and "common" practice,
> but I take your point.
>
> That said, most of the points you make are not really relevant in the
> context of the original posting. We were talking about a fairly simple
> network situation in which I would never consider running a firewall.
>
> Bill Grant (also an MVP - Networking)
>
> Brad Dinerman [MVP - Windows Server Networking] wrote:
>> To say that firewalls are only required between the LAN and the
>> outside world is a gross misunderstanding of the need for firewalls
>> and will get lots of people into big trouble. If this were truly the
>> case, then Microsoft would never have released Windows Firewall or
>> made it available on DCs.
>>
>> Firewalls protect not only against the outside threat, but also
>> against the inside ones. What if a user runs malicious code,
>> intentionally or not, from his workstation? A firewall on a serer or
>> workstation will protect the device from that scenario. (Of course,
>> the ideal situation would be to have policies, procedures and other
>> countermeasures in place to protect against that, but that's another
>> story entirely.)
>> I think that perhaps instead of writing "normal practice is to run DCs
>> on a LAN with the firewall disabled," perhaps we should write "COMMON
>> practice is to run..." Then we can separate high-security servers
>> from moderate-security or low-security ones.
>>
>> -Brad
>>
>>
>>
>> _______________________________________________
>> Bradley J. Dinerman, MVP - Windows Server Networking
>> President, New England Information Security Group
>> http://www.neisg.org
>>
>>
>>
>>
>>
>> Bill Grant wrote:
>>> Normal practice is to run DCs on a LAN with the firewall
>>> disabled. Firewalls are only required between the LAN and the
>>> outside world. Ricky wrote:
>>>> I've created a virtual machine (VMWARE 5.5) where the host machine
>>>> is a DC Windows 2003
>>>>
>>>> (AD+DNS+DHCP) and the guest is just a normal Windows 2003.
>>>>
>>>> I need someone could help or give some tips in what kind of rules i
>>>> must create in the windows
>>>> firewall of the host server so the guest machine can ping the host
>>>> server and put it in the domain.
>>>>
>>>>
>>>> []'s
>>>> Ricky
>
>

Hi

At first place i want to greatful all the help/tips to all you guys who
concern were to get me in the right way of solving this issue.

Now i'm going to explain what i did based on your tips but unfornutatly
didn't work well.

I have two network adapters (1.Lan; 2.Cable modem) in the HOST Server and
one virtual network adapter at the GUEST VIRTUAL Server (Windows Firewall
Desactivaded).

In the windows firewall Exception (HOST Server) i've already had done what
Brad advice me. Now based in the microsoft link i accomplish of Exceptions
in the firewall that are:

Exceptions -> Programs and Services -> Custom List
add the following ports/protocol:

135; 42; 389; 636; 3268; 3269; 53; 88 [All TCP]

What should i do now?...
[]'s
Ricky



"Brad Dinerman [MVP - Windows Server Networking]" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
> For what it's worth, I happen to agree with you. I also do not run a
> firewall on my domain controller. But here is a user who does, and
> assuming that he understands the implications of this, we need to find a
> solution for him...
>
> -Brad
>
>
> _______________________________________________
> Bradley J. Dinerman, MVP - Windows Server Networking
> President, New England Information Security Group
> http://www.neisg.org
>
>
>
>
>
> Bill Grant wrote:
>> It's a pretty fine distinction between "normal" and "common"
>> practice, but I take your point.
>>
>> That said, most of the points you make are not really relevant in the
>> context of the original posting. We were talking about a fairly simple
>> network situation in which I would never consider running a firewall.
>>
>> Bill Grant (also an MVP - Networking)
>>
>> Brad Dinerman [MVP - Windows Server Networking] wrote:
>>> To say that firewalls are only required between the LAN and the
>>> outside world is a gross misunderstanding of the need for firewalls
>>> and will get lots of people into big trouble. If this were truly the
>>> case, then Microsoft would never have released Windows Firewall or
>>> made it available on DCs.
>>>
>>> Firewalls protect not only against the outside threat, but also
>>> against the inside ones. What if a user runs malicious code,
>>> intentionally or not, from his workstation? A firewall on a serer or
>>> workstation will protect the device from that scenario. (Of course,
>>> the ideal situation would be to have policies, procedures and other
>>> countermeasures in place to protect against that, but that's another
>>> story entirely.)
>>> I think that perhaps instead of writing "normal practice is to run DCs
>>> on a LAN with the firewall disabled," perhaps we should write "COMMON
>>> practice is to run..." Then we can separate high-security servers
>>> from moderate-security or low-security ones.
>>>
>>> -Brad
>>>
>>>
>>>
>>> _______________________________________________
>>> Bradley J. Dinerman, MVP - Windows Server Networking
>>> President, New England Information Security Group
>>> http://www.neisg.org
>>>
>>>
>>>
>>>
>>>
>>> Bill Grant wrote:
>>>> Normal practice is to run DCs on a LAN with the firewall
>>>> disabled. Firewalls are only required between the LAN and the
>>>> outside world. Ricky wrote:
>>>>> I've created a virtual machine (VMWARE 5.5) where the host machine
>>>>> is a DC Windows 2003
>>>>>
>>>>> (AD+DNS+DHCP) and the guest is just a normal Windows 2003.
>>>>>
>>>>> I need someone could help or give some tips in what kind of rules i
>>>>> must create in the windows
>>>>> firewall of the host server so the guest machine can ping the host
>>>>> server and put it in the domain.
>>>>>
>>>>>
>>>>> []'s
>>>>> Ricky
>>

Let's get this straight. You have a multihomed machine which is directly
connected to the Internet through a cable modem. This machine is a domain
controller, with no protection except the Windows firewall. You now want to
weaken the firewall security to allow access for a local domain client to
this server.

There is probably a way to do this fairly safely, but I would never do
it. I pass. Good luck.