Win 2003 integrated firewall enough?

Hi,

I want to kown if the Win 2003 server integrated firewall is enough to
protected a standalone web server.
This server will be configured to authorize Remote desktop access (for
remote administration) + VPN access to access other resources on the
computer.

For the moment this server is behind my ISA Server and I use some web and
server publishing rules to allow external users to access it.

thanks for your feed back.

Jerome.

"Jéjé" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> I want to kown if the Win 2003 server integrated firewall is enough to
> protected a standalone web server.

No, nothing is "enough". Firewalls never provide
(permanent) protection -- the slow down and limit
attacks to certain ports, addresses or other specifics.

The above may (at first) seem pedantic but it is a key
psychological approach to understanding firewalls
and securing systems.

Firewalls by design, focus and control, i.e., slow down,
attacks they do not prevent them.

How safe do you wish to be?

The built in firewall offers virtually no extra security
over just not running unnecessary services or using the
already built-in (to Win2000) IPSec filters.

> This server will be configured to authorize Remote desktop access (for
> remote administration) + VPN access to access other resources on the
> computer.

The firewall can help or you could just BLOCK
all connections on other ports with IPSec filters.

Then you might want to consider filtering the source
or even content of messages on the OPEN ports, i.e.,
VPN and HTTP.

> For the moment this server is behind my ISA Server and I use some web and
> server publishing rules to allow external users to access it.

Now we are talking defense in depth.

You real danger now is those messages you CHOOSE to
let into your network and server....

IISLockdown tool can help.

Other content filters (on the ISA or the server) might also
be worthwhile.

Remember your virus and other protections.

--
Herb Martin


>
> thanks for your feed back.
>
> Jerome.
>
>

so you recommend to keep the server behind my isa server.
Ok, I'll do this.

"Herb Martin" <(E-Mail Removed)> wrote in message
news:O%(E-Mail Removed)...
> "Jéjé" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hi,
>>
>> I want to kown if the Win 2003 server integrated firewall is enough to
>> protected a standalone web server.
>
> No, nothing is "enough". Firewalls never provide
> (permanent) protection -- the slow down and limit
> attacks to certain ports, addresses or other specifics.
>
> The above may (at first) seem pedantic but it is a key
> psychological approach to understanding firewalls
> and securing systems.
>
> Firewalls by design, focus and control, i.e., slow down,
> attacks they do not prevent them.
>
> How safe do you wish to be?
>
> The built in firewall offers virtually no extra security
> over just not running unnecessary services or using the
> already built-in (to Win2000) IPSec filters.
>
>> This server will be configured to authorize Remote desktop access (for
>> remote administration) + VPN access to access other resources on the
>> computer.
>
> The firewall can help or you could just BLOCK
> all connections on other ports with IPSec filters.
>
> Then you might want to consider filtering the source
> or even content of messages on the OPEN ports, i.e.,
> VPN and HTTP.
>
>> For the moment this server is behind my ISA Server and I use some web and
>> server publishing rules to allow external users to access it.
>
> Now we are talking defense in depth.
>
> You real danger now is those messages you CHOOSE to
> let into your network and server....
>
> IISLockdown tool can help.
>
> Other content filters (on the ISA or the server) might also
> be worthwhile.
>
> Remember your virus and other protections.
>
> --
> Herb Martin
>
>
>>
>> thanks for your feed back.
>>
>> Jerome.
>>
>>
>
>

"Jéjé" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> so you recommend to keep the server behind my isa server.
> Ok, I'll do this.
>

Yes.

That is one of the DESIGNED features of ISA.
i.e., Server Proxying and such.

--
Herb Martin


> "Herb Martin" <(E-Mail Removed)> wrote in message
> news:O%(E-Mail Removed)...
> > "Jéjé" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> >> Hi,
> >>
> >> I want to kown if the Win 2003 server integrated firewall is enough to
> >> protected a standalone web server.
> >
> > No, nothing is "enough". Firewalls never provide
> > (permanent) protection -- the slow down and limit
> > attacks to certain ports, addresses or other specifics.
> >
> > The above may (at first) seem pedantic but it is a key
> > psychological approach to understanding firewalls
> > and securing systems.
> >
> > Firewalls by design, focus and control, i.e., slow down,
> > attacks they do not prevent them.
> >
> > How safe do you wish to be?
> >
> > The built in firewall offers virtually no extra security
> > over just not running unnecessary services or using the
> > already built-in (to Win2000) IPSec filters.
> >
> >> This server will be configured to authorize Remote desktop access (for
> >> remote administration) + VPN access to access other resources on the
> >> computer.
> >
> > The firewall can help or you could just BLOCK
> > all connections on other ports with IPSec filters.
> >
> > Then you might want to consider filtering the source
> > or even content of messages on the OPEN ports, i.e.,
> > VPN and HTTP.
> >
> >> For the moment this server is behind my ISA Server and I use some web
and
> >> server publishing rules to allow external users to access it.
> >
> > Now we are talking defense in depth.
> >
> > You real danger now is those messages you CHOOSE to
> > let into your network and server....
> >
> > IISLockdown tool can help.
> >
> > Other content filters (on the ISA or the server) might also
> > be worthwhile.
> >
> > Remember your virus and other protections.
> >
> > --
> > Herb Martin
> >
> >
> >>
> >> thanks for your feed back.
> >>
> >> Jerome.
> >>
> >>
> >
> >
>
>