Software Firewall (2003)

Mike Smith

I suppose this is the right group for Windows 2003 questions....


I have a question about the usage of software firewalls. Is it
becoming common practice for organizations to use the Windows 2003
software firewall on their servers? With XP SP 2, Microsoft is
basically making a statement about network security with workstations.
I would be willing to bet that most if not all installations of
Windows 2003 have the firewalls turned off, citing the usage of a PIX
or other hardware firewall for their gateways. I recently had an
internal attack from a laptop running XP non SP2. The laptop attacked
my router and took down all sites (main router was attacked) until the
laptop was powered off. This eye-opening experience was enough to
make me step up the XP SP2 rollout to workstations but I keep
thinking, why not the servers too? It is a lot of work to configure
the server firewalls but it is more work rebuilding after an incident.

I would like to hear from people/admins who use the 2003 firewalls on
their servers.

MIKE
 
Lanwench [MVP - Exchange]

Mike said:
> I suppose this is the right group for Windows 2003 questions....

Well, MS is getting away from version-specific groups for server products,
so you may find W2003 help in here but note there's also
m.p.windows.server.general. Crossposting to both won't get you smacked
upside the head, I think....

> I have a question about the usage of software firewalls. Is it
> becoming common practice for organizations to use the Windows 2003
> software firewall on their servers?

By some, I suppose.

> With XP SP 2, Microsoft is
> basically making a statement about network security with workstations.
> I would be willing to bet that most if not all installations of
> Windows 2003 have the firewalls turned off, citing the usage of a PIX
> or other hardware firewall for their gateways.

Most networks I've seen/worked with don't use software firewalls on client
computers. Some do.

> I recently had an
> internal attack from a laptop running XP non SP2. The laptop attacked
> my router and took down all sites (main router was attacked) until the
> laptop was powered off. This eye-opening experience was enough to
> make me step up the XP SP2 rollout to workstations but I keep
> thinking, why not the servers too? It is a lot of work to configure
> the server firewalls but it is more work rebuilding after an incident.

The larger issue is why this laptop was allowed to be connected to the
network, and if it was a domain member, why it didn't have centralized AV
software on it! Did someone just come in and plug it in, unauthorized? Does
the company have a policy stating that this is not allowed? There are ways
(not simple) to control whether a computer gets access to your network (gets
an IP address via DHCP, etc) ...might be worth looking into. Also, all
computers/servers need good antivirus, and need to be kept patched to the
gills with all critical updates to mitigate disasters like this....

> I would like to hear from people/admins who use the 2003 firewalls on
> their servers.

I'm not one of them, but I'm sure other people will post their own
techniques and experiences. You might also want to post in m.p.security and
m.p.windows.server.networking - crosspost, not multipost. :)
 
Mike Smith

> The larger issue is why this laptop was allowed to be connected to the
> network

The company is a group of doctors, and after enough beatings from
doctors who just had to "have full access to their machines", I gave
in during an IT meeting a month before the incident. I basically had
one doc who said that he wanted his machine to "act like a $3000
computer" but it was not doing so since I had certain restrictions in
place.

> and if it was a domain member, why it didn't have centralized AV
> software on it!

Centrally managed Trend Micro Office Scan somehow did not find it,
neither did Trend Housecall (post infection) or Stinger, or Mcafee, or
Symantec. I ended up rebuilding the machine after a day of searching
for an answer. There were many instances of SVCHOST.EXE building many
NATs to my router.

> Did someone just come in and plug it in, unauthorized?

No.

> Does the company have a policy stating that this is not allowed?

Yes. Some Doctors (owners) do not believe this applies to them.

> (not simple) to control whether a computer gets access to your network (gets
> an IP address via DHCP, etc) ...might be worth looking into. Also, all

I would LOVE to do that, but that would not be allowed.

> computers/servers need good antivirus, and need to be kept patched to the
> gills with all critical updates to mitigate disasters like this....

I use SUS, and Trend Scanmail, Office Scan and Server Protect. I
thought Trend was pretty good until this incident. I also have XP SP2
on most XP machines now.

Thanks for the information. Corporate policies are great, unless there
are people out there looking for me to make exceptions. I hope this
would be a valuable lesson for all of us, but I still get requests to
weaken GP, or give admin rights to laptops. I play the game, too,
like giving Power User access instead of admin, and setting up an OU
with a very similar set of restrictions except for one or two.

Our main infrastructure here is Citrix, so I have a strong GP already.
My main concern is that if this could happen on a laptop, it could
happen on a server. I am making the assumption that this thing,
whatever it was, had to have been a port attack of some sort.

Mike
 
Matt Wagner [MSFT]

Mike:

You should always be thinking of "defense in depth". Try to have
multiple layers of security, so that when one is breached, you have
another waiting for you. Depending on the current security situation in
your company, configuring the server firewalls may be worth the effort.

--
Matt Wagner
Enterprise Engineering Center
Microsoft Corporation

Legal Disclaimer:
This posting is provided "AS IS" with no warranties, and confers no
rights. Use of included script samples are subject to the terms
specified at http://www.microsoft.com/info/cpyright.htm Please do not
send e-mail directly to this alias. This alias is for newsgroup purposes
only.
 
Lanwench [MVP - Exchange]

Mike said:
> The company is a group of doctors, and after enough beatings from
> doctors who just had to "have full access to their machines", I gave
> in during an IT meeting a month before the incident. I basically had
> one doc who said that he wanted his machine to "act like a $3000
> computer" but it was not doing so since I had certain restrictions in
> place.

Do you have your manager's backing on any of the security measures you
sensibly want to put in place? If not, get your suggestions in writing as
well as their refusal. Don't let any of this fall on your head.

> Centrally managed Trend Micro Office Scan somehow did not find it,
> neither did Trend Housecall (post infection) or Stinger, or Mcafee, or
> Symantec. I ended up rebuilding the machine after a day of searching
> for an answer. There were many instances of SVCHOST.EXE building many
> NATs to my router.
>
> Yes. Some Doctors (owners) do not believe this applies to them.
>
> I would LOVE to do that, but that would not be allowed.
>
> I use SUS, and Trend Scanmail, Office Scan and Server Protect. I
> thought Trend was pretty good until this incident. I also have XP SP2
> on most XP machines now.

What version of Officescan?

> Thanks for the information. Corporate policies are great, unless there
> are people out there looking for me to make exceptions. I hope this
> would be a valuable lesson for all of us, but I still get requests to
> weaken GP, or give admin rights to laptops. I play the game, too,
> like giving Power User access instead of admin, and setting up an OU
> with a very similar set of restrictions except for one or two.
>
> Our main infrastructure here is Citrix, so I have a strong GP already.
> My main concern is that if this could happen on a laptop, it could
> happen on a server. I am making the assumption that this thing,
> whatever it was, had to have been a port attack of some sort.
>
> Mike

I sympathize, but you already know that the real problem here isn't a
technical one, it's a human one. Just make sure your posterior is covered.
 
Mike Smith

> Do you have your manager's backing on any of the security measures you
> sensibly want to put in place? If not, get your suggestions in writing as
> well as their refusal. Don't let any of this fall on your head.

Absolutely. He is the CEO, and unfortunately he buckles under the
pressure of the Doctors. When the exception happened, it was in a
meeting and they basically stayed on me until I buckled (in part
because I was tired of arguing the point and knew I wasn't going to
win).
<sigh> I know.

Just need to change the CYA approach I suppose ;-)

> What version of Officescan?

7.100 Engine, currently the 251 pattern. I will never know what was
on the machine but it is gone due to the reinstall. I would have
liked to have known what it was so that I could be sure that a firewall
would have prevented the problem.

> I sympathize, but you already know that the real problem here isn't a
> technical one, it's a human one. Just make sure your posterior is covered.

Yep, which is the main reason I am considering implementing internal
firewalls on the servers. I figure it is sort of a hole in security
which would be somewhat easy to patch. (I DO realize it could be such
a pain that I may be cursing the whole idea, but better than having a
problem because of NOT doing it).

My main reason for not doing it would be that there will need to be
exceptions for the known ports which need to be used for AD, DNS, DHCP
and whatever. If I was the guy writing viruses/trojans/worms I would
make use of those ports knowing that they would be open. The only
thing is that the attacker couldn't be discreet if he couldn't use
lesser-known ports.

The doctors aren't the only problem. I am having problems with a
vendor (who I didn't pick) who sold us an app which is not compatible
with XP SP2. Their workaround is to not install SP2, turn off
automatic updating and/or downgrade to Windows 2000 Professional on
the machines in question. There doesn't appear to be a plan to fix
the problem and it is already a known problem in their next version of
the product scheduled for release next year. They won't answer
questions like, "How long do I NOT update Windows" or "When will you
have an SP2 compatible version of the product".

I did post this same message in the windows.servers.general group but
nobody even replied. I am guessing that 90 percent of people don't
use the 2003 server firewall. I must admit that when it came out I
assumed that it was for the Internet gateway, like a software firewall
to protect the network. The deal I had here was eye opening in that I
didn't really think I had a hole where I did.

Thanks for the discussion info.

Mike
 
Mike Smith

> Mike:
>
> You should always be thinking of "defense in depth". Try to have
> multiple layers of security, so that when one is breached, you have
> another waiting for you. Depending on the current security situation in
> your company, configuring the server firewalls may be worth the effort.

Good advice. It certainly can't hurt anything to have "too much
protection" if there is such a thing. We have come a long way from my
first day. We had:

1. no passwords (with no ability for a user to create one)

2. no firewall but the PIX-type rules/ACL's you find on a Cisco 2600

3. open ports for TS and Citrix with no VPN/security (really scary
with no passwords)

4. Many open ports for unknown reasons.

5. No policies on anything, including disabling accounts after people
leave the company

It was quite the mess. Is there a good place to find a list of ports
which would need to be opened for AD? I know about some but I need to
assess the situation and research as many as I can before I start
turning on firewalls.

Thanks for the info

Mike
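Added example for the question above about which ports a domain controller needs open before the Windows Server 2003 firewall is turned on. None of the posters wrote this; it is an illustration of the configuration the thread is discussing. It generates, and with -Apply runs, the "netsh firewall" commands that open the usual AD, DNS and DHCP server ports, restricted to the local subnet, and turns on dropped-packet logging so the ports that were forgotten show up in a log rather than as a help-desk call. Assumptions, all mine and not from the thread: PowerShell is installed on the server (it was not part of Windows 2003; without it the dry-run output can be pasted into a .cmd file), the script is run from an administrative console, the port list matches Microsoft's documented AD requirements as I recall them, and the dynamic RPC ports have been pinned to a fixed range via the HKLM\SOFTWARE\Microsoft\Rpc\Internet registry values, with $RpcRange set to match.

```powershell
# Added example, not code from the thread. Builds the netsh firewall
# exceptions a Windows Server 2003 SP1 domain controller needs.
# Without -Apply it only prints the commands (dry run).
param([switch]$Apply)

# Standard AD/DNS/DHCP server ports (assumed from Microsoft's documentation;
# verify against your own environment). Names carry no spaces so each netsh
# token survives argument passing intact.
$AdPorts = @(
    @{ Name = 'DNS';            Protocols = 'TCP','UDP'; Port = 53   },
    @{ Name = 'DHCP_Server';    Protocols = 'UDP';       Port = 67   },
    @{ Name = 'Kerberos';       Protocols = 'TCP','UDP'; Port = 88   },
    @{ Name = 'NTP';            Protocols = 'UDP';       Port = 123  },
    @{ Name = 'RPC_Endpoint';   Protocols = 'TCP';       Port = 135  },
    @{ Name = 'NetBIOS_Name';   Protocols = 'UDP';       Port = 137  },
    @{ Name = 'NetBIOS_Dgram';  Protocols = 'UDP';       Port = 138  },
    @{ Name = 'NetBIOS_Sess';   Protocols = 'TCP';       Port = 139  },
    @{ Name = 'LDAP';           Protocols = 'TCP','UDP'; Port = 389  },
    @{ Name = 'SMB';            Protocols = 'TCP';       Port = 445  },
    @{ Name = 'Kpasswd';        Protocols = 'TCP','UDP'; Port = 464  },
    @{ Name = 'LDAPS';          Protocols = 'TCP';       Port = 636  },
    @{ Name = 'GC';             Protocols = 'TCP';       Port = 3268 },
    @{ Name = 'GC_SSL';         Protocols = 'TCP';       Port = 3269 }
)

# AD replication and other RPC services pick dynamic ports above 1024 by
# default, which is the "whatever" part of the question. Assumption: you have
# pinned them with the HKLM\SOFTWARE\Microsoft\Rpc\Internet values (Ports,
# PortsInternetAvailable, UseInternetPorts) and this range matches that key.
$RpcRange = 50000..50020

function Get-AdFirewallCommands {
    # Each entry is an argument list for netsh.exe. scope=SUBNET limits the
    # exception to the local subnet, so a host on another segment does not
    # get the same reach to the DC that a domain client on the LAN has.
    $cmds = @()
    $cmds += ,@('firewall','set','opmode','mode=ENABLE','exceptions=ENABLE','profile=ALL')
    foreach ($p in $AdPorts) {
        foreach ($proto in $p.Protocols) {
            $cmds += ,@('firewall','set','portopening',"protocol=$proto","port=$($p.Port)",
                        "name=$($p.Name)_$proto",'mode=ENABLE','scope=SUBNET','profile=ALL')
        }
    }
    foreach ($port in $RpcRange) {
        $cmds += ,@('firewall','set','portopening','protocol=TCP',"port=$port",
                    "name=RPC_dyn_$port",'mode=ENABLE','scope=SUBNET','profile=ALL')
    }
    # Dropped-packet logging is how you find the port you forgot.
    $cmds += ,@('firewall','set','logging',"filelocation=$env:windir\pfirewall.log",
                'maxfilesize=4096','droppedpackets=ENABLE')
    return ,$cmds
}

$commands = Get-AdFirewallCommands
if ($Apply) {
    foreach ($argList in $commands) {
        Write-Host ('netsh ' + ($argList -join ' '))
        & netsh $argList          # array elements become separate arguments
        if ($LASTEXITCODE -ne 0) { Write-Warning ('netsh failed: ' + ($argList -join ' ')) }
    }
    # Check what is actually open before leaving the console.
    netsh firewall show portopening
} else {
    Write-Host 'Dry run; re-run with -Apply to execute:'
    foreach ($argList in $commands) { 'netsh ' + ($argList -join ' ') }
}
```

Run it once without -Apply on the DC, compare the printed list against the services actually running there (a member server that is not a DC or DNS server needs far less than this), then apply it from the console rather than over a remote session, since a missing exception can cut off the very session you are working from. Watch %windir%\pfirewall.log for DROP lines over the following days; each one is either a forgotten exception or exactly the kind of internal traffic the firewall was turned on to stop.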
 