Results 1 to 9 of 9
  1. #1
    Join Date
    Mar 2004
    Location
    Belgium
    Posts
    81

    Unhappy Hardening my w2k server with IpSec -> TROUBLES!

    Hello,
    I'm having trouble hardening my Windows 2000 server install.
    I've configured IpSec to only allow (incoming, I hope) connections on port
    20 (FTP data)
    21 (FTP)
    80 (HTTP)
    3389 (Terminal server)

    Now the problem is that this server is unable to browse the internet. (Not that it's needed, but windows update doesn't work either.) It is also unable to lookup DNS information with nslookup. Surfing via IP works. But if my server can't perform DNS queries to other servers, this means mail won't work because it can't look up MX records. If I do nslookup it says it can't find the server name. I'm sure I've set my DNS settings right. (I got the server IP's from my ISP). Note that NetBIOS is disabled.
    This is my configuration:

    (That language is dutch )

    Any help is appreciated,

    Thanks,
    Glenn

  2. #2
    Join Date
    Mar 2004
    Location
    Belgium
    Posts
    81
    I would like to post a screenshot of my port configuration, but it says it will only allow me to post a URL after x posts...

  3. #3
    Join Date
    Jun 2001
    Location
    Denver, CO
    Posts
    3,302
    You probably need to allow port 53 for DNS queries
    Jay Sudowski // Handy Networks LLC // Co-Founder & CTO
    AS30475 - Level(3), HE, Telia, XO and Cogent. Noction optimized network.
    Offering Dedicated Server and Colocation Hosting from our SSAE 16 SOC 2, Type 2 Certified Data Center.
    Current specials here. Check them out.

  4. #4
    Join Date
    Mar 2004
    Location
    Belgium
    Posts
    81
    I've already tried that, no workie (It's open now too).

  5. #5
    Join Date
    Jun 2001
    Location
    Denver, CO
    Posts
    3,302
    How about HTTPS? 443?
    Jay Sudowski // Handy Networks LLC // Co-Founder & CTO
    AS30475 - Level(3), HE, Telia, XO and Cogent. Noction optimized network.
    Offering Dedicated Server and Colocation Hosting from our SSAE 16 SOC 2, Type 2 Certified Data Center.
    Current specials here. Check them out.

  6. #6
    Have you allowed both TCP AND UDP on port 53 as these would be required for DNS ?
    Invectis - Windows 2000, 2003 and MS SQL Server web hosting

  7. #7
    Join Date
    Jun 2003
    Posts
    673
    TCP will probably not be used for any DNS queries that you're doing.

    Make sure that your computer is configured to accept UDP packets coming from port 53 on your DNS resolvers, and going to any local port. If you are running a local resolver, you will need to accept any UDP packets with source port 53.

  8. #8
    Join Date
    May 2001
    Location
    Prince Edward Island
    Posts
    965
    You will have to open port 1024 anyway .. and probably 1024 to say 1050 to allow outgoing Internet explorer connections.
    [url]I got nothing/url]

    For clarity's sake, don't use "<ip address of hostname>" use the ACTUAL 32-bit numeric IP address of the machine.

  9. #9
    Join Date
    Mar 2004
    Location
    Belgium
    Posts
    81
    Hey! Its working! Thanks alot for all your suggestions! Btw, I've switched to IpSec policies, wich are a lot better (And don't require a restart). whoever is interested, check out www_microsoft_com/serviceproviders/columns/using_ipsec.asp

    Thanks alot everybody! I appreciate it!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •