[Dshield] Locking down NT4 Server
mwoodson at bacxs.com
Tue Oct 2 06:40:24 GMT 2001
At 06:58 AM 10/1/2001 -0700, you wrote:
>I have an NT4 sp6a SRP server on the public side of my
>network. It's strictly a machine that uses back up exec
>software to back up my web server which is also on the
>outside. It has no IIS, it's just used for backups.
>I'm looking to lock it down so that it does not accept
>traffic on any ports except the ports it needs in
>order to back up the other machines on the public
>For those of you that might have done this
>successfully in the past, any pitfalls or details to
>look out for? I'm looking in the manual and it lists
>the ports that it uses so I may just jump right into
>it from there.
>Any suggestions on port filtering like what I'm
>mentioning would be greatly appreciated.
Well, I'd start by setting the default stance to deny all except, and then
list the ports used by Backup-Exec's agent. You might find talking ahead
of time to Veritas' support worthwhile. They've probably had other clients
that have done the same thing. A good book on building firewalls would
probably be in order as well. Locking down NT is a lot harder than
Unix. Building exclusions is a real pain. I'd also suggest buttoning down
services. It will probably take a bit of tinkering, but you're going to
want to disable _all_ services except for the essential ones; figuring out
service dependencies and startup locations can be difficult. Again, a call
to Veritas beforehand would be time well spent.