Isolate systems

G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Due to the large number of attacks against Windows Server we would like to
block windows systems from the larger community (Large college) to prevent
systems from getting attack, does anyone have any help, suggestions, info for
blocking ms port (135, 137, 139, & 445) from the community.

Thanks in advance,
Bob Smith
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

If you have access to the firewall, you might be able to configure what IP
addresses can and can not access your network/servers and on what ports
using what protocols. If you can not access the firewall you can use ipsec
filtering policy on your computers which is a policy that uses rules with
permit and block filter actions to act as a built in packet filtering
firewall. Ipsec policies are best when trying to configure for a subnet
range or a small range of IP addresses as you can not specify IP addresses
"ranges" in an ipsec policy. You can also create an ipsec rule "blacklist"
to add the IP address of attackers to block their access. Software firewalls
such as the ones from Sygate could be another option. Depending on your
network layout [operating system, domain, etc] you may be able to implement
ipsec negotiation security to block access from non domain computers or
domain computers that are not configured with at least a matching ipsec
client/respond policy. Ipsec can also use certificates for computer
authentication. Only Windows 2000/XP Pro/W2003 MS computers are ipsec aware.
Ipsec negotiation polices also need to exempt domain controllers for traffic
between domain members and domain controllers. The links below are about
ipsec.

http://www.securityfocus.com/infocus/1559
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

Disable file and print sharing on any computers that do not need to offer
shares and do not need to be managed remotely via Computer Management or
command line tools that rely on the ports you mentioned. You also may be
able to take advantage of the user rights for "logon locally and deny logon
locally" to restrict what users can access a computer, though that will not
stop users from trying to make attempts to guess passwords. Such user rights
and ipsec policies can be managed via Group Policy for consistent
application and ease of administration to larger number of computers. A
managed switch may be another option as they offer options such as mac
filtering and port isolation [HP Procurve] to further restrict access to
your network. Mac filtering can be spoofed but it would be another barrier
to access and will deter most curious attackers. 802.1X switches are a
better access restricting option but they are not foolproof either and
require compatible operating systems, a Certificate Authority to issue
computer certificates, and an IAS server on the network. Also run the
Microsoft Baseline Security Analyzer on your computers to check for basic
vulnerabilities such as weak passwords, missing patches, and unneeded
services.--- Steve

http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA.

"Bob Smith" <BobSmith@discussions.microsoft.com> wrote in message
news:4349381E-1D4F-44B7-A6E5-6347C2EF5E49@microsoft.com...
> Due to the large number of attacks against Windows Server we would like to
> block windows systems from the larger community (Large college) to prevent
> systems from getting attack, does anyone have any help, suggestions, info
> for
> blocking ms port (135, 137, 139, & 445) from the community.
>
> Thanks in advance,
> Bob Smith
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Steve,

Thanks for the great info, I do have access to the firewall and I have used
ipsec policies previously, I also run Languard to check against
vulnerabilities, my major attacks are coming from the basic MS ports and how
to isolate these ports without removing basic services, also we need to
maintin management, my thought here is to allow management access to two
subnets (server room and vpn subnets), however systems like domain
controllers I will have to leave open (of course I have these locked down) to
the community, I guess the answer here is to evaluate each system for the
specific needs and isolate based on that info.

Regards,
Bob Smith

"Steven L Umbach" wrote:

> If you have access to the firewall, you might be able to configure what IP
> addresses can and can not access your network/servers and on what ports
> using what protocols. If you can not access the firewall you can use ipsec
> filtering policy on your computers which is a policy that uses rules with
> permit and block filter actions to act as a built in packet filtering
> firewall. Ipsec policies are best when trying to configure for a subnet
> range or a small range of IP addresses as you can not specify IP addresses
> "ranges" in an ipsec policy. You can also create an ipsec rule "blacklist"
> to add the IP address of attackers to block their access. Software firewalls
> such as the ones from Sygate could be another option. Depending on your
> network layout [operating system, domain, etc] you may be able to implement
> ipsec negotiation security to block access from non domain computers or
> domain computers that are not configured with at least a matching ipsec
> client/respond policy. Ipsec can also use certificates for computer
> authentication. Only Windows 2000/XP Pro/W2003 MS computers are ipsec aware.
> Ipsec negotiation polices also need to exempt domain controllers for traffic
> between domain members and domain controllers. The links below are about
> ipsec.
>
> http://www.securityfocus.com/infocus/1559
> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
>
> Disable file and print sharing on any computers that do not need to offer
> shares and do not need to be managed remotely via Computer Management or
> command line tools that rely on the ports you mentioned. You also may be
> able to take advantage of the user rights for "logon locally and deny logon
> locally" to restrict what users can access a computer, though that will not
> stop users from trying to make attempts to guess passwords. Such user rights
> and ipsec policies can be managed via Group Policy for consistent
> application and ease of administration to larger number of computers. A
> managed switch may be another option as they offer options such as mac
> filtering and port isolation [HP Procurve] to further restrict access to
> your network. Mac filtering can be spoofed but it would be another barrier
> to access and will deter most curious attackers. 802.1X switches are a
> better access restricting option but they are not foolproof either and
> require compatible operating systems, a Certificate Authority to issue
> computer certificates, and an IAS server on the network. Also run the
> Microsoft Baseline Security Analyzer on your computers to check for basic
> vulnerabilities such as weak passwords, missing patches, and unneeded
> services.--- Steve
>
> http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA.
>
> "Bob Smith" <BobSmith@discussions.microsoft.com> wrote in message
> news:4349381E-1D4F-44B7-A6E5-6347C2EF5E49@microsoft.com...
> > Due to the large number of attacks against Windows Server we would like to
> > block windows systems from the larger community (Large college) to prevent
> > systems from getting attack, does anyone have any help, suggestions, info
> > for
> > blocking ms port (135, 137, 139, & 445) from the community.
> >
> > Thanks in advance,
> > Bob Smith
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Some ports obviously need to be available for legitimate users. Beyond using
some sort of port/protocol/Ip/mac"filtering" via switches, ipsec filtering,
firewall, routers, personal firewalls, you will need to rely on enforcing
strong passwords, hardening, and patching to ward off the evil. I assume
those ports are being isolated from users outside of the subnets that
contain the domain such as the internet? You should try to scan your
firewall yourself from outside the network, even if you use a self scan site
such as http://scan.sygatetech.com/ to see if it is blocking the traffic you
expect.


If legitimate users are trying to attack your computers you may have to see
if there is a user policy in force [or can be created] that you can user for
some type of disciplinary action after gathering info from audit logs and
such. I understand due to politics your hands may be tied to that approach
as many seem to be forced to tolerate more and more bad behavior these days.
Or you may have infected/compromised computers on the network and the user
does not even know they are infected in which case you should notify them
and block access from them until the problem is resolved. Firewalls are best
configured with a block all default rule and then you add the allowed
exceptions. If you are already using Languard you probably already have a
good idea of network risk assessment. Your thought sounds right on and in
step with the least privilege principle. --- Steve


"Bob Smith" <BobSmith@discussions.microsoft.com> wrote in message
news:58E03441-1BD2-45BC-BE33-8D4A60D1C634@microsoft.com...
> Steve,
>
> Thanks for the great info, I do have access to the firewall and I have
> used
> ipsec policies previously, I also run Languard to check against
> vulnerabilities, my major attacks are coming from the basic MS ports and
> how
> to isolate these ports without removing basic services, also we need to
> maintin management, my thought here is to allow management access to two
> subnets (server room and vpn subnets), however systems like domain
> controllers I will have to leave open (of course I have these locked down)
> to
> the community, I guess the answer here is to evaluate each system for the
> specific needs and isolate based on that info.
>
> Regards,
> Bob Smith
>
> "Steven L Umbach" wrote:
>
>> If you have access to the firewall, you might be able to configure what
>> IP
>> addresses can and can not access your network/servers and on what ports
>> using what protocols. If you can not access the firewall you can use
>> ipsec
>> filtering policy on your computers which is a policy that uses rules with
>> permit and block filter actions to act as a built in packet filtering
>> firewall. Ipsec policies are best when trying to configure for a subnet
>> range or a small range of IP addresses as you can not specify IP
>> addresses
>> "ranges" in an ipsec policy. You can also create an ipsec rule
>> "blacklist"
>> to add the IP address of attackers to block their access. Software
>> firewalls
>> such as the ones from Sygate could be another option. Depending on your
>> network layout [operating system, domain, etc] you may be able to
>> implement
>> ipsec negotiation security to block access from non domain computers or
>> domain computers that are not configured with at least a matching ipsec
>> client/respond policy. Ipsec can also use certificates for computer
>> authentication. Only Windows 2000/XP Pro/W2003 MS computers are ipsec
>> aware.
>> Ipsec negotiation polices also need to exempt domain controllers for
>> traffic
>> between domain members and domain controllers. The links below are about
>> ipsec.
>>
>> http://www.securityfocus.com/infocus/1559
>> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
>>
>> Disable file and print sharing on any computers that do not need to offer
>> shares and do not need to be managed remotely via Computer Management or
>> command line tools that rely on the ports you mentioned. You also may be
>> able to take advantage of the user rights for "logon locally and deny
>> logon
>> locally" to restrict what users can access a computer, though that will
>> not
>> stop users from trying to make attempts to guess passwords. Such user
>> rights
>> and ipsec policies can be managed via Group Policy for consistent
>> application and ease of administration to larger number of computers. A
>> managed switch may be another option as they offer options such as mac
>> filtering and port isolation [HP Procurve] to further restrict access to
>> your network. Mac filtering can be spoofed but it would be another
>> barrier
>> to access and will deter most curious attackers. 802.1X switches are a
>> better access restricting option but they are not foolproof either and
>> require compatible operating systems, a Certificate Authority to issue
>> computer certificates, and an IAS server on the network. Also run the
>> Microsoft Baseline Security Analyzer on your computers to check for basic
>> vulnerabilities such as weak passwords, missing patches, and unneeded
>> services.--- Steve
>>
>> http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA.
>>
>> "Bob Smith" <BobSmith@discussions.microsoft.com> wrote in message
>> news:4349381E-1D4F-44B7-A6E5-6347C2EF5E49@microsoft.com...
>> > Due to the large number of attacks against Windows Server we would like
>> > to
>> > block windows systems from the larger community (Large college) to
>> > prevent
>> > systems from getting attack, does anyone have any help, suggestions,
>> > info
>> > for
>> > blocking ms port (135, 137, 139, & 445) from the community.
>> >
>> > Thanks in advance,
>> > Bob Smith
>>
>>
>>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

You also may want to download the " Securing Windows 2000 Server Security
Guide". Once you get past all the chapters on security theory there are some
good guides to locking down servers including specific instructions on how
to use ipsec "filtering" policies to secure domain controllers and other
computers. --- Steve

http://www.microsoft.com/downloads/thankyou.aspx?FamilyID=9964cf42-e236-4d73-aef4-7b4fdc0a25f6&displaylang=en

"Bob Smith" <BobSmith@discussions.microsoft.com> wrote in message
news:58E03441-1BD2-45BC-BE33-8D4A60D1C634@microsoft.com...
> Steve,
>
> Thanks for the great info, I do have access to the firewall and I have
> used
> ipsec policies previously, I also run Languard to check against
> vulnerabilities, my major attacks are coming from the basic MS ports and
> how
> to isolate these ports without removing basic services, also we need to
> maintin management, my thought here is to allow management access to two
> subnets (server room and vpn subnets), however systems like domain
> controllers I will have to leave open (of course I have these locked down)
> to
> the community, I guess the answer here is to evaluate each system for the
> specific needs and isolate based on that info.
>
> Regards,
> Bob Smith
>
> "Steven L Umbach" wrote:
>
>> If you have access to the firewall, you might be able to configure what
>> IP
>> addresses can and can not access your network/servers and on what ports
>> using what protocols. If you can not access the firewall you can use
>> ipsec
>> filtering policy on your computers which is a policy that uses rules with
>> permit and block filter actions to act as a built in packet filtering
>> firewall. Ipsec policies are best when trying to configure for a subnet
>> range or a small range of IP addresses as you can not specify IP
>> addresses
>> "ranges" in an ipsec policy. You can also create an ipsec rule
>> "blacklist"
>> to add the IP address of attackers to block their access. Software
>> firewalls
>> such as the ones from Sygate could be another option. Depending on your
>> network layout [operating system, domain, etc] you may be able to
>> implement
>> ipsec negotiation security to block access from non domain computers or
>> domain computers that are not configured with at least a matching ipsec
>> client/respond policy. Ipsec can also use certificates for computer
>> authentication. Only Windows 2000/XP Pro/W2003 MS computers are ipsec
>> aware.
>> Ipsec negotiation polices also need to exempt domain controllers for
>> traffic
>> between domain members and domain controllers. The links below are about
>> ipsec.
>>
>> http://www.securityfocus.com/infocus/1559
>> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
>>
>> Disable file and print sharing on any computers that do not need to offer
>> shares and do not need to be managed remotely via Computer Management or
>> command line tools that rely on the ports you mentioned. You also may be
>> able to take advantage of the user rights for "logon locally and deny
>> logon
>> locally" to restrict what users can access a computer, though that will
>> not
>> stop users from trying to make attempts to guess passwords. Such user
>> rights
>> and ipsec policies can be managed via Group Policy for consistent
>> application and ease of administration to larger number of computers. A
>> managed switch may be another option as they offer options such as mac
>> filtering and port isolation [HP Procurve] to further restrict access to
>> your network. Mac filtering can be spoofed but it would be another
>> barrier
>> to access and will deter most curious attackers. 802.1X switches are a
>> better access restricting option but they are not foolproof either and
>> require compatible operating systems, a Certificate Authority to issue
>> computer certificates, and an IAS server on the network. Also run the
>> Microsoft Baseline Security Analyzer on your computers to check for basic
>> vulnerabilities such as weak passwords, missing patches, and unneeded
>> services.--- Steve
>>
>> http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA.
>>
>> "Bob Smith" <BobSmith@discussions.microsoft.com> wrote in message
>> news:4349381E-1D4F-44B7-A6E5-6347C2EF5E49@microsoft.com...
>> > Due to the large number of attacks against Windows Server we would like
>> > to
>> > block windows systems from the larger community (Large college) to
>> > prevent
>> > systems from getting attack, does anyone have any help, suggestions,
>> > info
>> > for
>> > blocking ms port (135, 137, 139, & 445) from the community.
>> >
>> > Thanks in advance,
>> > Bob Smith
>>
>>
>>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Basically a user community of 22,000 + users, with a AD migration ongoing (3
NT Account domains still in place), no real desktop policies, viruses galore
(agobot variants, sdbot variants, password attacks, lsass attacks) welcome to
my nightmare, I have written and implemented security policies for servers,
firewall in place and move systems previous to firewall behind it when
possible. My main problem right now is to prevent user community from
slamming DC and other servers, due to a agobot variant I had the Netlogon
service stop on all my DC as they were getting hammered by password attempts.
I will review the doc (Thank You) but was just wondering for the basic MS
ports what I can block to the user community, and still keep them up and
running.

Thanks Again,
Bob Smith

"Steven L Umbach" wrote:

> You also may want to download the " Securing Windows 2000 Server Security
> Guide". Once you get past all the chapters on security theory there are some
> good guides to locking down servers including specific instructions on how
> to use ipsec "filtering" policies to secure domain controllers and other
> computers. --- Steve
>
> http://www.microsoft.com/downloads/thankyou.aspx?FamilyID=9964cf42-e236-4d73-aef4-7b4fdc0a25f6&displaylang=en
>
> "Bob Smith" <BobSmith@discussions.microsoft.com> wrote in message
> news:58E03441-1BD2-45BC-BE33-8D4A60D1C634@microsoft.com...
> > Steve,
> >
> > Thanks for the great info, I do have access to the firewall and I have
> > used
> > ipsec policies previously, I also run Languard to check against
> > vulnerabilities, my major attacks are coming from the basic MS ports and
> > how
> > to isolate these ports without removing basic services, also we need to
> > maintin management, my thought here is to allow management access to two
> > subnets (server room and vpn subnets), however systems like domain
> > controllers I will have to leave open (of course I have these locked down)
> > to
> > the community, I guess the answer here is to evaluate each system for the
> > specific needs and isolate based on that info.
> >
> > Regards,
> > Bob Smith
> >
> > "Steven L Umbach" wrote:
> >
> >> If you have access to the firewall, you might be able to configure what
> >> IP
> >> addresses can and can not access your network/servers and on what ports
> >> using what protocols. If you can not access the firewall you can use
> >> ipsec
> >> filtering policy on your computers which is a policy that uses rules with
> >> permit and block filter actions to act as a built in packet filtering
> >> firewall. Ipsec policies are best when trying to configure for a subnet
> >> range or a small range of IP addresses as you can not specify IP
> >> addresses
> >> "ranges" in an ipsec policy. You can also create an ipsec rule
> >> "blacklist"
> >> to add the IP address of attackers to block their access. Software
> >> firewalls
> >> such as the ones from Sygate could be another option. Depending on your
> >> network layout [operating system, domain, etc] you may be able to
> >> implement
> >> ipsec negotiation security to block access from non domain computers or
> >> domain computers that are not configured with at least a matching ipsec
> >> client/respond policy. Ipsec can also use certificates for computer
> >> authentication. Only Windows 2000/XP Pro/W2003 MS computers are ipsec
> >> aware.
> >> Ipsec negotiation polices also need to exempt domain controllers for
> >> traffic
> >> between domain members and domain controllers. The links below are about
> >> ipsec.
> >>
> >> http://www.securityfocus.com/infocus/1559
> >> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
> >>
> >> Disable file and print sharing on any computers that do not need to offer
> >> shares and do not need to be managed remotely via Computer Management or
> >> command line tools that rely on the ports you mentioned. You also may be
> >> able to take advantage of the user rights for "logon locally and deny
> >> logon
> >> locally" to restrict what users can access a computer, though that will
> >> not
> >> stop users from trying to make attempts to guess passwords. Such user
> >> rights
> >> and ipsec policies can be managed via Group Policy for consistent
> >> application and ease of administration to larger number of computers. A
> >> managed switch may be another option as they offer options such as mac
> >> filtering and port isolation [HP Procurve] to further restrict access to
> >> your network. Mac filtering can be spoofed but it would be another
> >> barrier
> >> to access and will deter most curious attackers. 802.1X switches are a
> >> better access restricting option but they are not foolproof either and
> >> require compatible operating systems, a Certificate Authority to issue
> >> computer certificates, and an IAS server on the network. Also run the
> >> Microsoft Baseline Security Analyzer on your computers to check for basic
> >> vulnerabilities such as weak passwords, missing patches, and unneeded
> >> services.--- Steve
> >>
> >> http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA.
> >>
> >> "Bob Smith" <BobSmith@discussions.microsoft.com> wrote in message
> >> news:4349381E-1D4F-44B7-A6E5-6347C2EF5E49@microsoft.com...
> >> > Due to the large number of attacks against Windows Server we would like
> >> > to
> >> > block windows systems from the larger community (Large college) to
> >> > prevent
> >> > systems from getting attack, does anyone have any help, suggestions,
> >> > info
> >> > for
> >> > blocking ms port (135, 137, 139, & 445) from the community.
> >> >
> >> > Thanks in advance,
> >> > Bob Smith
> >>
> >>
> >>
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Ouch!! The real solution is a quarantine network, but that is a ways off for
Windows 2003 for the lan, though it can be done via VPN connections. A
quarantine network will run certain scripts on the users computer before
they logon to determine if logon is allowed. There may be third party
solutions but they will not be cheap.

To answer your specific question, as far as ports, the Security Guide will
list services that are a must and those that are optional. Unfortunately
from what you describe, those attacks are on common ports that need to be
available on domain controllers file and print sharing and rpc or else users
will not be able to logon to the domain and access resources. Your best bet
is to keep the domain controllers patched and maybe harden tcp/ip stack ,
via registry settings, to resist the onslaught, again I believe the security
guide goes into this. The link below also explains what ports are needed for
a domain to function.

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B179442

I don't know your network makeup and clients but I can imagine it is not
favorable from what you describe. You can implement Software Update Services
on the network for free and force the Windows 2000/XP Pro computers in the
domain to be current with critical updates via Group Policy. You also might
be able to run virus removal tools such as McAfee Stinger on them via a
Group Policy startup script. But since you still have three NT domains you
are a ways off from automation and if you have clients like Windows 95/98 on
the network that makes it all that much more difficult. I feel for you
an! --- Steve


"Bob Smith" <BobSmith@discussions.microsoft.com> wrote in message
news:25B10B00-B4D4-411E-B586-C73624106E51@microsoft.com...
> Basically a user community of 22,000 + users, with a AD migration ongoing
> (3
> NT Account domains still in place), no real desktop policies, viruses
> galore
> (agobot variants, sdbot variants, password attacks, lsass attacks) welcome
> to
> my nightmare, I have written and implemented security policies for
> servers,
> firewall in place and move systems previous to firewall behind it when
> possible. My main problem right now is to prevent user community from
> slamming DC and other servers, due to a agobot variant I had the Netlogon
> service stop on all my DC as they were getting hammered by password
> attempts.
> I will review the doc (Thank You) but was just wondering for the basic MS
> ports what I can block to the user community, and still keep them up and
> running.
>
> Thanks Again,
> Bob Smith
>
> "Steven L Umbach" wrote:
>
>> You also may want to download the " Securing Windows 2000 Server Security
>> Guide". Once you get past all the chapters on security theory there are
>> some
>> good guides to locking down servers including specific instructions on
>> how
>> to use ipsec "filtering" policies to secure domain controllers and other
>> computers. --- Steve
>>
>> http://www.microsoft.com/downloads/thankyou.aspx?FamilyID=9964cf42-e236-4d73-aef4-7b4fdc0a25f6&displaylang=en
>>
>> "Bob Smith" <BobSmith@discussions.microsoft.com> wrote in message
>> news:58E03441-1BD2-45BC-BE33-8D4A60D1C634@microsoft.com...
>> > Steve,
>> >
>> > Thanks for the great info, I do have access to the firewall and I have
>> > used
>> > ipsec policies previously, I also run Languard to check against
>> > vulnerabilities, my major attacks are coming from the basic MS ports
>> > and
>> > how
>> > to isolate these ports without removing basic services, also we need to
>> > maintin management, my thought here is to allow management access to
>> > two
>> > subnets (server room and vpn subnets), however systems like domain
>> > controllers I will have to leave open (of course I have these locked
>> > down)
>> > to
>> > the community, I guess the answer here is to evaluate each system for
>> > the
>> > specific needs and isolate based on that info.
>> >
>> > Regards,
>> > Bob Smith
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> If you have access to the firewall, you might be able to configure
>> >> what
>> >> IP
>> >> addresses can and can not access your network/servers and on what
>> >> ports
>> >> using what protocols. If you can not access the firewall you can use
>> >> ipsec
>> >> filtering policy on your computers which is a policy that uses rules
>> >> with
>> >> permit and block filter actions to act as a built in packet filtering
>> >> firewall. Ipsec policies are best when trying to configure for a
>> >> subnet
>> >> range or a small range of IP addresses as you can not specify IP
>> >> addresses
>> >> "ranges" in an ipsec policy. You can also create an ipsec rule
>> >> "blacklist"
>> >> to add the IP address of attackers to block their access. Software
>> >> firewalls
>> >> such as the ones from Sygate could be another option. Depending on
>> >> your
>> >> network layout [operating system, domain, etc] you may be able to
>> >> implement
>> >> ipsec negotiation security to block access from non domain computers
>> >> or
>> >> domain computers that are not configured with at least a matching
>> >> ipsec
>> >> client/respond policy. Ipsec can also use certificates for computer
>> >> authentication. Only Windows 2000/XP Pro/W2003 MS computers are ipsec
>> >> aware.
>> >> Ipsec negotiation polices also need to exempt domain controllers for
>> >> traffic
>> >> between domain members and domain controllers. The links below are
>> >> about
>> >> ipsec.
>> >>
>> >> http://www.securityfocus.com/infocus/1559
>> >> http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
>> >>
>> >> Disable file and print sharing on any computers that do not need to
>> >> offer
>> >> shares and do not need to be managed remotely via Computer Management
>> >> or
>> >> command line tools that rely on the ports you mentioned. You also may
>> >> be
>> >> able to take advantage of the user rights for "logon locally and deny
>> >> logon
>> >> locally" to restrict what users can access a computer, though that
>> >> will
>> >> not
>> >> stop users from trying to make attempts to guess passwords. Such user
>> >> rights
>> >> and ipsec policies can be managed via Group Policy for consistent
>> >> application and ease of administration to larger number of computers.
>> >> A
>> >> managed switch may be another option as they offer options such as mac
>> >> filtering and port isolation [HP Procurve] to further restrict access
>> >> to
>> >> your network. Mac filtering can be spoofed but it would be another
>> >> barrier
>> >> to access and will deter most curious attackers. 802.1X switches are
>> >> a
>> >> better access restricting option but they are not foolproof either and
>> >> require compatible operating systems, a Certificate Authority to issue
>> >> computer certificates, and an IAS server on the network. Also run the
>> >> Microsoft Baseline Security Analyzer on your computers to check for
>> >> basic
>> >> vulnerabilities such as weak passwords, missing patches, and unneeded
>> >> services.--- Steve
>> >>
>> >> http://www.microsoft.com/technet/security/tools/mbsahome.mspx ---
>> >> MBSA.
>> >>
>> >> "Bob Smith" <BobSmith@discussions.microsoft.com> wrote in message
>> >> news:4349381E-1D4F-44B7-A6E5-6347C2EF5E49@microsoft.com...
>> >> > Due to the large number of attacks against Windows Server we would
>> >> > like
>> >> > to
>> >> > block windows systems from the larger community (Large college) to
>> >> > prevent
>> >> > systems from getting attack, does anyone have any help, suggestions,
>> >> > info
>> >> > for
>> >> > blocking ms port (135, 137, 139, & 445) from the community.
>> >> >
>> >> > Thanks in advance,
>> >> > Bob Smith
>> >>
>> >>
>> >>
>>
>>
>>