[Dshield] Locking down NT4 Server

Mark Woodson mwoodson at bacxs.com
Tue Oct 2 06:40:24 GMT 2001


At 06:58 AM 10/1/2001 -0700, you wrote:
>I have an NT4 sp6a SRP server on the public side of my
>network. It's strictly a machine that uses back up exec
>software to back up my web server which is also on the
>outside. It has no IIS, it's just used for backups.
>
>I'm looking to lock it down so that it does not accept
>traffic on any ports except the ports it needs in
>order to back up the other machines on the public
>side.
>
>For those of you that might have done this
>successfully in the past, any pitfalls or details to
>look out for? I'm looking in the manual and it lists
>the ports that it uses so I may just jump right into
>it from there.
>
>Any suggestions on port filtering like what I'm
>mentioning would be greatly appreciated.

Well, I'd start by setting the default stance to deny all except, and then
list the ports used by Backup-Exec's agent.  You might find talking ahead
of time to Veritas' support worthwhile.  They've probably had other clients
that have done the same thing.  A good book on building firewalls would
probably be in order as well.  Locking down NT is a lot harder than
Unix.  Building exclusions is a real pain.  I'd also suggest buttoning down
services.  It will probably take a bit of tinkering, but you're going to
want to disable _all_ services except for the essential ones; figuring out
service dependencies and startup locations can be difficult.  Again, a call
to Veritas beforehand would be time well spent.

-Mark




