Administering an ISP Installation


Some Notes on Security

While this section does not provide an exhaustive list of things to do in order to ensure a secure connection to the Internet, it does give some points to bear in mind when you set up an Internet connection. In general, it is better to talk about “levels” of security when discussing the subject. For detailed information about IIS 5.0 security, see Security in this book.

First, try to block all unwanted traffic at the router and firewall level. Routers can implement some very elementary rules to allow or deny packet traffic transported between networks or specific hosts, but they are hard to configure. In addition, routers usually do not implement every feature that you might need.

Second, try not to load the CPU of the router with complex access rules that can be easily implemented by a firewall. Usually, Internet Control Message Protocol (ICMP) traffic is blocked with routers. A firewall is a more sophisticated application than a router. It runs on a dedicated computer with two network interfaces, checking every network packet that flows in and out of these interfaces. It will block or allow packet traffic according to specific rules. Firewalls usually offer a better way of tracking dropped packets in log files, which could be a sign of potential network intrusion. For the highest level of security, monitor the log files constantly.

Third, you can set up the Windows operating system to audit accesses on specific resources and to have them recorded in the Security Log. For information, see the Windows 2000 Server online product documentation. For more information about auditing, see Security in this book.

In order to prevent unwanted Internet connections to your production Web servers, you can disable the bindings to the workstation, server, and NetBIOS interface.

To disable bindings

  1. Open Control Panel.
  2. Double-click Network and Dial-up Connections.
  3. Right-click Local Area Connection, and click Properties.
  4. Select the network adapter for which you want to disable the bindings.
  5. Clear the check box in front of all components except Internet Protocol (TCP/IP).
  6. Select Internet Protocol (TCP/IP), click Properties, and on the property sheet, click the Advanced button.
  7. On the WINS property sheet, select Disable NetBIOS over TCP/IP, and click OK.
  8. Click OK again and close each property sheet.
  9. Restart your computer.

    Note   Only experienced administrators should perform this task. If you choose the wrong network adapter, the services might not perform correctly in the back-end network.
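
After the restart, you can confirm that the procedure took effect on the intended adapter. The following check is an added example, not part of the original documentation: it parses saved `netstat -an` output and reports NetBIOS over TCP/IP endpoints (UDP 137, UDP 138, TCP 139) per local address. The sample output and the addresses 203.0.113.10 (Internet-facing) and 10.0.0.5 (back-end) are constructed for illustration.

```python
"""Report NetBIOS over TCP/IP listeners found in `netstat -an` output."""

# NetBIOS name service, datagram service, and session service.
NETBIOS_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139)}

# Constructed sample output: before and after disabling NetBIOS on 203.0.113.10.
SAMPLE_BEFORE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING
  UDP    10.0.0.5:137           *:*
  UDP    10.0.0.5:138           *:*
  UDP    203.0.113.10:137       *:*
  UDP    203.0.113.10:138       *:*
"""
SAMPLE_AFTER = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    203.0.113.10:80        198.51.100.7:4021      ESTABLISHED
  UDP    10.0.0.5:137           *:*
  UDP    10.0.0.5:138           *:*
"""

def netbios_listeners(netstat_text):
    """Return {local_ip: sorted [(proto, port), ...]} for NetBIOS endpoints."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or other text
        proto, local = fields[0], fields[1]
        # TCP rows carry a state; only LISTENING sockets accept new connections.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        ip, _, port = local.rpartition(":")
        if port.isdigit() and (proto, int(port)) in NETBIOS_PORTS:
            found.setdefault(ip, []).append((proto, int(port)))
    return {ip: sorted(eps) for ip, eps in found.items()}

def exposed_on(netstat_text, address):
    """NetBIOS endpoints reachable via `address`, including wildcard binds."""
    listeners = netbios_listeners(netstat_text)
    return sorted(listeners.get(address, []) + listeners.get("0.0.0.0", []))

if __name__ == "__main__":
    print("before:", exposed_on(SAMPLE_BEFORE, "203.0.113.10"))
    print("after: ", exposed_on(SAMPLE_AFTER, "203.0.113.10"))
```

An empty result for the Internet-facing address, with the back-end address still listed by netbios_listeners, indicates that the correct adapter was changed.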

For a broader perspective on security in the Windows environment, as well as in-depth information about many aspects of the Windows operating system and Internet security, see Security in this book, as well as http://www.microsoft.com/security/default.asp.


© 1997-1999 Microsoft Corporation. All rights reserved.