03-29-2004, 02:06 PM #1 Junior Guru Wannabe (Join Date: Mar 2004, Location: Belgium, Posts: 81)
Hardening my w2k server with IpSec -> TROUBLES!
Hello,
I'm having trouble hardening my Windows 2000 server install.
I've configured IpSec to only allow (incoming, I hope) connections on port
20 (FTP data)
21 (FTP)
80 (HTTP)
3389 (Terminal server)
Now the problem is that this server is unable to browse the internet. (Not that it's needed, but Windows Update doesn't work either.) It is also unable to look up DNS information with nslookup. Surfing via IP works. But if my server can't perform DNS queries to other servers, this means mail won't work because it can't look up MX records. If I do nslookup it says it can't find the server name. I'm sure I've set my DNS settings right. (I got the server IPs from my ISP.) Note that NetBIOS is disabled.
This is my configuration:
(That language is Dutch.)
Any help is appreciated,
Thanks,
Glenn
03-29-2004, 02:07 PM #2 Junior Guru Wannabe (Join Date: Mar 2004, Location: Belgium, Posts: 81)
I would like to post a screenshot of my port configuration, but it says it will only allow me to post a URL after x posts...
03-29-2004, 02:51 PM #3 Web Hosting Master (Join Date: Jun 2001, Location: Denver, CO, Posts: 3,302)
You probably need to allow port 53 for DNS queries
Jay Sudowski // Handy Networks LLC // Co-Founder & CTO
AS30475 - Level(3), HE, Telia, XO and Cogent. Noction optimized network.
Offering Dedicated Server and Colocation Hosting from our SSAE 16 SOC 2, Type 2 Certified Data Center.
Current specials here. Check them out.
03-29-2004, 03:06 PM #4 Junior Guru Wannabe (Join Date: Mar 2004, Location: Belgium, Posts: 81)
I've already tried that, no workie (It's open now too).
03-29-2004, 05:10 PM #5 Web Hosting Master (Join Date: Jun 2001, Location: Denver, CO, Posts: 3,302)
How about HTTPS? 443?
03-29-2004, 07:05 PM #6 WHT Addict (Join Date: Feb 2004, Posts: 113)
Have you allowed both TCP AND UDP on port 53, as these would be required for DNS?
Invectis - Windows 2000, 2003 and MS SQL Server web hosting
03-29-2004, 07:57 PM #7 Web Hosting Master (Join Date: Jun 2003, Posts: 673)
TCP will probably not be used for any DNS queries that you're doing.
Make sure that your computer is configured to accept UDP packets coming from port 53 on your DNS resolvers, and going to any local port. If you are running a local resolver, you will need to accept any UDP packets with source port 53.
03-29-2004, 09:26 PM #8 Web Hosting Master (Join Date: May 2001, Location: Prince Edward Island, Posts: 965)
You will have to open port 1024 anyway .. and probably 1024 to say 1050 to allow outgoing Internet explorer connections.
I got nothing
For clarity's sake, don't use "<ip address of hostname>" use the ACTUAL 32-bit numeric IP address of the machine.
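Posts #7 and #8 both point at the same root cause: the original filter list only permits inbound packets by destination port, while DNS replies (UDP from source port 53) and the replies to the server's own outgoing connections arrive on ephemeral destination ports. The following is an added example, not code from the thread, modelling a stateless IPsec-style filter list to show which packets the original rules drop and which extra permits fix it; the most-specific-match precedence, the 1024-1050 range from post #8 and the sample packets are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None means "any port"

@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp", "udp" or "*" for any protocol
    src: PortRange  # remote source port range
    dst: PortRange  # local destination port range
    action: str     # "permit" or "block"

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return (self.proto in ("*", proto)
                and (self.src is None or self.src[0] <= sport <= self.src[1])
                and (self.dst is None or self.dst[0] <= dport <= self.dst[1]))

    def specificity(self) -> int:
        # Assumed precedence: the most specific matching filter wins, so a
        # narrow "permit" overrides the catch-all "block".
        return (self.proto != "*") + (self.src is not None) + (self.dst is not None)

def decide(rules, proto: str, sport: int, dport: int) -> str:
    hits = [r for r in rules if r.matches(proto, sport, dport)]
    return max(hits, key=Rule.specificity).action if hits else "block"

def port(p: int) -> PortRange:
    return (p, p)

# The thread's original inbound policy: block everything, permit the services.
ORIGINAL = [Rule("*", None, None, "block")] + \
    [Rule("tcp", None, port(p), "permit") for p in (20, 21, 80, 3389)]

# Posts #7 and #8: accept DNS replies (UDP from source port 53 to any local
# port) and replies to outgoing connections, here the 1024-1050 range.
# Caveat: a stateless filter cannot tell a reply from a new connection, so the
# second rule also admits unsolicited TCP to local ports 1024-1050.
HARDENED = ORIGINAL + [
    Rule("udp", port(53), None, "permit"),
    Rule("tcp", None, (1024, 1050), "permit"),
]

# Constructed sample of inbound packets: (proto, remote src port, local dst port).
SAMPLE = {
    "dns reply":   ("udp", 53, 1029),
    "http reply":  ("tcp", 80, 1030),
    "ftp control": ("tcp", 40321, 21),
    "smb probe":   ("tcp", 40322, 445),
}

def evaluate(rules) -> dict:
    return {name: decide(rules, *pkt) for name, pkt in SAMPLE.items()}
```

Running `evaluate(ORIGINAL)` shows the DNS and HTTP replies blocked, which is exactly the nslookup and browsing failure in post #1; `evaluate(HARDENED)` permits them while the SMB probe stays blocked.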
03-30-2004, 07:44 AM #9 Junior Guru Wannabe (Join Date: Mar 2004, Location: Belgium, Posts: 81)
Hey! It's working! Thanks a lot for all your suggestions! Btw, I've switched to IpSec policies, which are a lot better (and don't require a restart). Whoever is interested, check out www_microsoft_com/serviceproviders/columns/using_ipsec.asp
Thanks a lot everybody! I appreciate it!