Securing a Windows 2000 machine to survive college network

[Killbat]

I am serving an ASP based forum with a Windows 2000 machine in my house right now. As is, it's plenty safe, behind the DSL firewall and coexisting on the LAN with friendly machines. In the Fall, though, it's going on the campus network, a much more dangerous place.

I need help securing this thing.
I have removed file and printer sharing, but port 135 remains open, as well as ports 445 and 1025, default Windows crap.
How can I close up these holes? I'd rather have no ports open except the web and FTP server.

 

[Barnaby W. Füi]

use a software firewall to close those ports like zonealarm. are you using iis?

 

[Poontos]

Originally posted by: Killbat
I am serving an ASP based forum with a Windows 2000 machine in my house right now. As is, it's plenty safe, behind the DSL firewall and coexisting on the LAN with friendly machines. In the Fall, though, it's going on the campus network, a much more dangerous place.

I need help securing this thing.
I have removed file and printer sharing, but port 135 remains open, as well as ports 445 and 1025, default Windows crap.
How can I close up these holes? I'd rather have no ports open except the web and FTP server.

Have a look through the Security section of Labmice.net. Enjoy!

 

[crazydave]

One of the options you have (which is also mentioned in the link above) is using the IPSec security built into Win2k. One thing I thought was kinda cool is that you can even make your machine not respond to "ping" requests (which is good for preventing hackers looking for open systems that way). MS has a guide to locking down a server using IPSec at:

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/network/maintain/security/ipsecld.asp

Hope that helps!

 

[Killbat]

There's some great resources here, thanks everybody!

 

[mastertech01]

You could also use a Netgear RT314 and build custom filters.

 

[SoulAssassin]

You also might want to go out to nsa.gov and look at some of the security templates that they have out there.

 

[nps5]

IIS? Secure? heh.

 

[Poontos]

Originally posted by: mastertech01
You could also use a Netgear RT314 and build custom filters.

OT, but my heart goes out to you and your family. My words may not be much comfort, but I honestly hope Michelle returns home, wherever she may be.

Regards, from up north. God speed.

Do you have any custom filters for RT314 handy?

Thanks.

 

[Poontos]

Originally posted by: nps5
IIS? Secure? heh.

Sure. Just depends on the administrator(s). Most out-of-the-box Internet daemons are not plug and play security and never have to worry about them.

 

[CaptainGoodnight]

Run the IIS Lockdown Tool.

http://www.microsoft.com/technet

 

[neuralfx]

well to stop pings just block all ICMP =) ya you can use the "IP Security Policies" in win2k, I suggest using a real firewall .. eh just because it sounds cool really .. its kinda misleading (though you may not care) those policies aren't exactly IPsec .. thats really a standard for secure communication, ie payloads are secure .. but well this is only the first time Microsoft has used "industry standard" terms to refer to their own proprietary implementation deals ..
-neural