[FW1] NT Security
I need to secure a Web server in my DMZ that is also my DNS Master Domain. I
have searched Technet, read notes in the FAQ of Checkpoint and Phoneboy, and I
am stuck with a problem...
I have disabled all non-essential services and unbound WINS. Now, I am trying
to use the security option of the TCP/IP stack (NT 4.0 SP5) to only activate
some ports. I have activated UDP/TCP 20-21 for FTP, 53 for DNS, 80 for Web,
123 for NTP and, per Microsoft documentation, 135, used by the DNS Manager.
Now, Web access works, DNS requests and transfers work but...
The MS Timeserv service configured as an NTP client doesn't work (it works only
if all UDP ports are open), DNS Manager only works locally if I use the name
of the machine but not if I use the direct IP address (Error msg: «There are
no more endpoints available from the endpoint mapper.»). It can administer
a remote secondary server on the same DMZ but the web server can't be
remotely administered.
I can live with the DNS Admin running only locally but not with Timeserv not
working.
Any idea what ports are missing in the list for Timeserv (add DNS Admin if
possible)? Enabling all TCP and UDP ports works, so WINS is not needed. I
have found precious little about the security option of NT's TCP/IP
stack. I will also use the same kind of setup on an NT machine that will be
installed in front of the FW to test and report (mail/pager) the well-being of
both the FW and the web, DNS and SMTP servers protected by the FW.
Thanks for any help...
Daniel Bourque
Analyste - Centre d'Assistance Technique
Loto-Québec
daniel.bourque@loto-quebec.com
(514) 499-5056