Options
Windows Server 2003 RAS server
Hi guys:
I just play around the RAS feature in server 2003. Now, I set it up as a gateway, run the NAT antivirus and dyndns client on it.
If this server is a member of the active directory, will it cause any security bleach if the server is being compromised? I don have a strong confortable feeling using a windows server sitting as a gateway just running NAT services. if i would like to assign the domain users for VPN, it gotta be a memeber of the domain. So I believe when the server is compromised, hacker X can also intercept the traffic for the domain controller as well. what do you guys recommend? Do you guys use any packet filtering in this ras server? How does yr setup? is it the ISA server a good recommendation?
I just play around the RAS feature in server 2003. Now, I set it up as a gateway, run the NAT antivirus and dyndns client on it.
If this server is a member of the active directory, will it cause any security bleach if the server is being compromised? I don have a strong confortable feeling using a windows server sitting as a gateway just running NAT services. if i would like to assign the domain users for VPN, it gotta be a memeber of the domain. So I believe when the server is compromised, hacker X can also intercept the traffic for the domain controller as well. what do you guys recommend? Do you guys use any packet filtering in this ras server? How does yr setup? is it the ISA server a good recommendation?
mean people SUCK !!! BACK OFF !!!
The Next Stop is, MCSE 2003 and CCNA.
Bachelors of Technology in 1 More Year.
-Working on CCENT. Thank you my love
The Next Stop is, MCSE 2003 and CCNA.
Bachelors of Technology in 1 More Year.
-Working on CCENT. Thank you my love
Comments
-
Options
doom969
Member Posts: 304
You can have it not a member of the domain, set ias on another box, put a additional firewall between, and authenticate users using RADIUS ....
Doom969Doom969
__________________________________________________________
MCP (282 - 270 - 284 - 290 - 291 - 293 - 294 - 298 - 299 - 350)
MCTS (351 - 620 - 622 - 647 - 649 - 671)
MCSA / S / M - MCSE / S
MCITP (EST - EA ) - MCT
A+ - IBM - SBSS2K3 - CISCO_SMB
CompTIA : A+ -
Options
taktsoi
Member Posts: 224
thx doom969.
yr suggestion is nice. however, i hate to run another box and another firewall.
I am thinking about putting the IAS on my domain controller. then filter the traffic in the ras gateway.
what about this ? any pros and cons?
thxmean people SUCK !!! BACK OFF !!!
The Next Stop is, MCSE 2003 and CCNA.
Bachelors of Technology in 1 More Year.
-Working on CCENT. Thank you my love -
Optionsdoom969
Member Posts: 304
Hi again,
I think its looking good, but I always prefer a separate firewall. The con i see is that you wont have very good logs ont the dropped packets and the like, wich could help in case of an attack. I also think you are gonna close that rras pretty tight. Depending of course of the firewall you between that one and the net.
Doom969Doom969
__________________________________________________________
MCP (282 - 270 - 284 - 290 - 291 - 293 - 294 - 298 - 299 - 350)
MCTS (351 - 620 - 622 - 647 - 649 - 671)
MCSA / S / M - MCSE / S
MCITP (EST - EA ) - MCT
A+ - IBM - SBSS2K3 - CISCO_SMB
CompTIA : A+ -
Options
royal
Member Posts: 3,352 ■■■■□□□□□□
Well one big con I can think of is that you are increasing the attack surface of your DC by adding additional services on it. DCs should be hardened as much as possible and should only contain what is necessarily to do its job providing directory services. I know it might sound like Microsoft book jargon, but it's what I believe. If you're adament about having IAS on the DC, it should be fine other than what was stated above.“For success, attitude is equally as important as ability.” - Harry F. Banks -
Optionstaktsoi
Member Posts: 224
thx royal
i put the ras as a gateway as part of my study for 291. of coz. in any situation, i dont' wanna mess up my domain controller. big no for me...no time to recover in any case.
the gateway used to run the m0n0wall, ipcop or smoothwall with strong filtering, and with some add-ons for vpn authenticate to domain controller. now. after i bomb the gateway and install the ras, i can't dial-in coz i just put the ras as standalone server and run as nat services. yes you guys are right, no log, no filter, just plain nat services..so uncomfortable without any loggings and filterings
now, i don't have another box for a firewall coz i already used up 5 boxes. 1 DC, 1 ras, 1 wsus, 1 myself, 1 my parents. of coz..i don count my laptop...haha...don wanna run a firewall on my laptop...
mm...thinking about getting ISA from my friends for the ras....what do u guys think?mean people SUCK !!! BACK OFF !!!
The Next Stop is, MCSE 2003 and CCNA.
Bachelors of Technology in 1 More Year.
-Working on CCENT. Thank you my love