Securing Win2008 Server

TechBoyJK

Lifer
Oct 17, 2002
16,699
60
91
I'm going to set up a small Windows 2008 Virtual Machine at work to host a few websites.

I don't really trust the Windows firewall, and this vm will have a public interface. Putting a hardware firewall in front of it isn't an option.

I'm hoping for 'free stuff' or fairly inexpensive packages that will help keep the server secure. (virus/malware/etc)

The only ports I need open are RDP and HTTP.
 

Dravic

Senior member
May 18, 2000
892
0
76
While the Windows firewall was mediocre (from a configuration standpoint) early on, the firewall in Win 2008 is very good and should handle all your needs. I don't agree with it being able to kill network stack functionality if the service is disabled, but that's not really here nor there.

Are we talking a DMZ web server behind a firewall, but with a routable IP? I still wouldn't put anything directly on the internet with just a software host based firewall.

Just to give you an idea... the moron whose job I now occupy put our IDS on the outside of our firewalls, so I can see all the internet traffic that hits our network segment, and we get roughly 145k attacks a month. Not something you want a direct endpoint dealing with. Filter all unnecessary traffic with a stateful device first, and just port forward 80/443.

But that may just be the paranoid security engineer in me...
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
I'm going to set up a small Windows 2008 Virtual Machine at work to host a few websites.

I don't really trust the Windows firewall, and this vm will have a public interface. Putting a hardware firewall in front of it isn't an option.

I'm hoping for 'free stuff' or fairly inexpensive packages that will help keep the server secure. (virus/malware/etc)

The only ports I need open are RDP and HTTP.

If I can't put a Web Server behind a hardware firewall, then I can't have a Web Server.

Trying to protect yourself with only software on the host is asking for trouble.
 

Paperlantern

Platinum Member
Apr 26, 2003
2,239
6
81
While the Windows firewall was mediocre (from a configuration standpoint) early on, the firewall in Win 2008 is very good and should handle all your needs. I don't agree with it being able to kill network stack functionality if the service is disabled, but that's not really here nor there.

Are we talking a DMZ web server behind a firewall, but with a routable IP? I still wouldn't put anything directly on the internet with just a software host based firewall.

Just to give you an idea... the moron whose job I now occupy put our IDS on the outside of our firewalls, so I can see all the internet traffic that hits our network segment, and we get roughly 145k attacks a month. Not something you want a direct endpoint dealing with. Filter all unnecessary traffic with a stateful device first, and just port forward 80/443.

But that may just be the paranoid security engineer in me...

Fully agree here, no box should ever be fully exposed, ALWAYS use a stateful device in front of it that can deny inbound traffic that isn't forwarded to the box. Software firewalls just aren't meant to be subject to that kind of abuse. If you need something free and don't have access to an APPLIANCE, set up a low end dual homed box with pfSense or something similar. It will be a LOT better than nothing. Even an old outdated Watchguard would be better than nothing at all. Though if you can get your hands on something like that, load pfSense on it; at least that is up to date. I have a couple older Watchguards at my house that I put pfSense on, and they work great. The fancy screens on them don't work anymore of course, but pfSense recognizes all the interfaces and utilizes them perfectly.
 

SecurityTheatre

Senior member
Aug 14, 2011
672
0
0
I'm going to set up a small Windows 2008 Virtual Machine at work to host a few websites.

This is for a company? o.0

I don't really trust the Windows firewall, and this vm will have a public interface.

Why don't you trust the Windows firewall? Why would you trust some other software firewall instead?

Putting a hardware firewall in front of it isn't an option.

Then you've ruled out the most secure and simplest approach. Why is this not an option?


The only ports I need open are RDP and HTTP.


I advise against publishing RDP services to the Internet. Regardless, a hardware firewall is the best option. Even some Linksys crap for $20 is going to be better than software, in my opinion.


My advice is... use a hardware firewall. As an alternative, use the Windows firewall. :)

Keep in mind that no firewall (anywhere close to your price range) protects the exposed services. If your web site has SQL injection, you might as well just leave the server's password blank too.

Be aware security isn't a "which tool does security come from?" sort of game.

:)
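The advice in this thread (use the built-in Windows firewall, expose only the web ports, and do not publish RDP to the whole Internet) can be expressed as a host firewall policy. The script below is an added example written for this thread, not code from any poster; it uses the `netsh advfirewall` command set that ships with Windows Server 2008 and assumes a hypothetical management subnet of 10.0.5.0/24 (placeholder; replace it with the network your admins actually connect from) and that it is run from an elevated PowerShell prompt on the server itself.

```powershell
# Added example: lock down the Windows Server 2008 host firewall so that only
# HTTP/HTTPS are reachable from anywhere and RDP is reachable only from a
# management subnet. Run elevated. Uses netsh advfirewall (present on 2008).

# ASSUMPTION: placeholder management subnet; change to your real admin network.
$AdminSubnet = "10.0.5.0/24"
# Log file for dropped connections; useful evidence when someone is probing the box.
$LogFile = "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

function Invoke-Netsh {
    # Small wrapper so each command's exit code is checked instead of ignored.
    param([string[]]$Arguments)
    & netsh.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed: netsh $($Arguments -join ' ')"
    }
}

# 1. Firewall on for every profile, default inbound block, outbound allow.
Invoke-Netsh @("advfirewall", "set", "allprofiles", "state", "on")
Invoke-Netsh @("advfirewall", "set", "allprofiles", "firewallpolicy", "blockinbound,allowoutbound")

# 2. Log dropped inbound connections so you can see what is hitting the host.
Invoke-Netsh @("advfirewall", "set", "allprofiles", "logging", "droppedconnections", "enable")
Invoke-Netsh @("advfirewall", "set", "allprofiles", "logging", "filename", $LogFile)

# 3. Disable the built-in Remote Desktop rule group. Its allow rule has no
#    remote-address scope, so leaving it enabled would undo the restriction below.
Invoke-Netsh @("advfirewall", "firewall", "set", "rule", 'group="Remote Desktop"', "new", "enable=no")

# 4. Remove any earlier copies of our own rules so the script is re-runnable.
foreach ($name in "Web HTTP (TCP-In)", "Web HTTPS (TCP-In)", "RDP from admin subnet (TCP-In)") {
    & netsh.exe advfirewall firewall delete rule name="$name" | Out-Null
}

# 5. Web ports open to any remote address.
Invoke-Netsh @("advfirewall", "firewall", "add", "rule",
    'name="Web HTTP (TCP-In)"', "dir=in", "action=allow", "protocol=TCP", "localport=80", "profile=any")
Invoke-Netsh @("advfirewall", "firewall", "add", "rule",
    'name="Web HTTPS (TCP-In)"', "dir=in", "action=allow", "protocol=TCP", "localport=443", "profile=any")

# 6. RDP only from the management subnet. Because the default inbound policy is
#    block, any 3389 connection from outside $AdminSubnet is dropped and logged.
Invoke-Netsh @("advfirewall", "firewall", "add", "rule",
    'name="RDP from admin subnet (TCP-In)"', "dir=in", "action=allow", "protocol=TCP",
    "localport=3389", "remoteip=$AdminSubnet", "profile=any")

# 7. Show the resulting rules so the change can be reviewed before walking away.
& netsh.exe advfirewall show allprofiles
& netsh.exe advfirewall firewall show rule name=all dir=in | Select-String "Rule Name|Enabled|RemoteIP|LocalPort"
```

Two things worth checking afterwards: that `netsh advfirewall show allprofiles` reports `BlockInbound` as the default for Domain, Private and Public (the VM's public interface will usually land in the Public profile), and that a connection attempt to 3389 from an address outside the management subnet shows up as a DROP line in the log file rather than reaching the RDP service. This still does nothing for weaknesses inside the web application itself, which is the point made above about SQL injection.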
 

power_hour

Senior member
Oct 16, 2010
779
1
0
Putting a W2K08 Server online with just its firewall service is just begging to be fired.

If they break that firewall your OS is compromised, data is done and you're screwed. Any company that demands that, you get in your car, go home and update your resume.

Retarded.