Win2k server and ISA 2004


Pan Pan

Hi,

We have 2 domain controllers serving about 25 WinXP PCs (with SMS 2003 on
one of the DCs), and I am making plans to install ISA 2004 on the 2
servers. I'd like to lock down the DCs so that any traffic outside of
normal domain controller duties will get blocked from both the internal and
the external network.

Can someone hopefully point me to a list of services to allow and which
ports to leave open so that the DC functions normally? I've looked through
Microsoft's ISA webpage, but haven't had much success so far.

On DC-1, we have DNS, DHCP, Active Directory, and IIS running.
On DC-2, we have SMS, Active Directory, and IIS running.

thanks in advance,
panpan
 

Steven L Umbach

If that is the only reason you are installing ISA on your domain
controllers, that is pretty much overkill. Microsoft provides the Windows
2003 Server Security Guide as a free download, and it details how to use
IPsec "filtering" using rules with permit/block filter actions to control
traffic to and from domain controllers or other servers based on source and
destination IP addresses and installed services. IPsec would not, however, be
the ideal solution as an internet firewall and is not intended as such, but
behind a perimeter firewall it can provide extra security via a packet
filtering type firewall implementation. The links below are for the Windows
2003 Server Security Guide and the port requirements.

http://www.microsoft.com/technet/security/prodtech/Win2003/W2003HG/SGCH00.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017 -- Windows
server port requirements.
 

Steve Riley [MSFT]


Steven L Umbach said:
If that is the only reason you are installing ISA on your domain
controllers, that is pretty much overkill. Microsoft provides the Windows
2003 Server Security Guide as a free download, and it details how to use
IPsec "filtering" using rules with permit/block filter actions to control
traffic to and from domain controllers or other servers based on source
and destination IP addresses and installed services. IPsec would not,
however, be the ideal solution as an internet firewall and is not intended
as such, but behind a perimeter firewall it can provide extra security via a
packet filtering type firewall implementation. The links below are for the
Windows 2003 Server Security Guide and the port requirements.

http://www.microsoft.com/technet/security/prodtech/Win2003/W2003HG/SGCH00.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017 --
Windows server port requirements.

Positioning ISA Server between members and domain controllers is an
unsupported scenario. There is no need for this. If you want to block all
non-DC traffic from entering a domain controller, IPsec block/allow filters
are the right approach. See the paper "Active Directory in segmented
networks" for more details.

Steve Riley
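Both replies recommend IPsec permit/block filters on the DCs rather than ISA. The batch script below is an added example, not from the thread, the Security Guide or the KB article: it builds such a policy with netsh on Windows Server 2003 (the platform the linked guide covers). The LAN subnet, the other DC's address, the admin workstation address and every policy, list and rule name are assumptions.

```batch
@echo off
rem Added example, not from the thread or the Security Guide: an IPsec
rem "permit DC services, block the rest" policy built with netsh on Windows
rem Server 2003. Windows 2000 has no netsh ipsec context; there the same
rem policy is built with ipsecpol.exe or the IP Security Policy MMC snap-in.
rem The LAN subnet, peer DC and admin workstation addresses are assumptions.
set LAN=192.168.1.0
set LANMASK=255.255.255.0
set PEER_DC=192.168.1.11
set ADMIN_PC=192.168.1.50
set P=netsh ipsec static

%P% add policy name="DC Lockdown" description="Permit DC services from the LAN and block the rest"
%P% add filteraction name="DC Permit" action=permit
%P% add filteraction name="DC Block" action=block

rem List 1: ports clients need on a DC (see the port requirements KB above).
rem mirrored=yes also matches the reply direction.
%P% add filterlist name="DC Services"
for %%p in (53 88 389 464) do (
  %P% add filter filterlist="DC Services" srcaddr=%LAN% srcmask=%LANMASK% dstaddr=Me protocol=TCP dstport=%%p mirrored=yes
  %P% add filter filterlist="DC Services" srcaddr=%LAN% srcmask=%LANMASK% dstaddr=Me protocol=UDP dstport=%%p mirrored=yes
)
for %%p in (135 139 445 636 3268 3269) do (
  %P% add filter filterlist="DC Services" srcaddr=%LAN% srcmask=%LANMASK% dstaddr=Me protocol=TCP dstport=%%p mirrored=yes
)
for %%p in (123 137 138) do (
  %P% add filter filterlist="DC Services" srcaddr=%LAN% srcmask=%LANMASK% dstaddr=Me protocol=UDP dstport=%%p mirrored=yes
)
rem On DC-1 add UDP 67 (DHCP) here, and TCP 80 on whichever DC must serve IIS.
rem List 2: RPC services (Netlogon, replication, FRS) negotiate dynamic ports
rem via the port-135 endpoint mapper, so the other DC and the admin workstation
rem are permitted in full instead of enumerating those ports.
%P% add filterlist name="Trusted Hosts"
%P% add filter filterlist="Trusted Hosts" srcaddr=%PEER_DC% dstaddr=Me protocol=ANY mirrored=yes
%P% add filter filterlist="Trusted Hosts" srcaddr=%ADMIN_PC% dstaddr=Me protocol=ANY mirrored=yes

rem List 3: everything else. Windows IPsec applies the most specific matching
rem filter, so the permit lists above take precedence over this catch-all.
%P% add filterlist name="All Inbound"
%P% add filter filterlist="All Inbound" srcaddr=Any dstaddr=Me protocol=ANY mirrored=yes

%P% add rule name="Permit DC Services" policy="DC Lockdown" filterlist="DC Services" filteraction="DC Permit"
%P% add rule name="Permit Trusted Hosts" policy="DC Lockdown" filterlist="Trusted Hosts" filteraction="DC Permit"
%P% add rule name="Block Rest" policy="DC Lockdown" filterlist="All Inbound" filteraction="DC Block"

rem Assigning is the point at which traffic starts being dropped; review first.
%P% set policy name="DC Lockdown" assign=y
%P% show policy name="DC Lockdown"
```

The policy is per host, so DC-2 runs the same script with DC-1's address as PEER_DC. A domain GPO that assigns its own IPsec policy to the Domain Controllers OU overrides a locally assigned one, so check with `netsh ipsec static show gpoassignedpolicy` before relying on the local assignment.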
 