Discussion in 'Windows Server Systems' started by Dark Atheist, Mar 16, 2008.
have been asked this by a friend who has win2k3...seeing as i don't use win2k3 i can't really say
Comodo Firewall Pro 2.4
just as a note, version 3.0 pro does not support win2k3
bottom of the page for download
for a free or paid software firewall, hands down it's the best. no other app can touch its security.
edit: seems he forgot to tell me he's using x64 2k3 :/
anything external to the machine running windows
Hardware firewall all the way
is he actually using it as a 2k3 server (dns/ad/dhcp/smtp etc) ?
yes - web ftp mail, he has an 8 port linksys router in the office
if the router is set in nat mode that should cover most of the inbound protection. if any ports are forwarded, try to limit them to specific IPs within the router.
outpost 4.x runs on win2k3 (and has a 64bit version) although i wouldn't recommend it, he would do better to tighten up & configure the server properly, rather than trying to cover up open holes
i run a 2k3 std server but am confident in my config & router's inbound protection.
just make sure he disables any un-needed services/roles and keeps it up to date.
also it's worth installing and configuring the Security Configuration Wizard
is he actually using the pc as a workstation as well? (browsing on it etc)?
from what i understand, what he wants to do is what i have done with my BSD box (thanks to lord geffy and X) using PF, but he wants to do this on windows. server will sit there and be used as ftp, web, and storage, all other connections to the router will mainly be internal (some inet use) but they want to lock it down so that only the server can be reached, and only for web/ftp - port 80 and 21 (poss pasv for ftp).
For the ftp he would like to use per ip restriction. - i am looking at ftp server progs for him - may settle on gene6
then he doesn't need a software firewall to lock that down. just configure the server properly
raidenftpd is about the best ftpd i have used. highly configurable, very secure
I prefer to block out potential threats at the firewall level rather than at the service level. Relying on the service to block out IPs makes it too easy to leave a hole accessible because of misconfiguration or because of a hole in the service itself. If it is blocked before it even reaches that level, there are no further worries.
can the built in firewall do what i'm after ?
the router & the xp firewall can do a great job of inbound protection. couple that with a well configured/up to date OS and there is no need for a separate (software) firewall.
the only reason you would really need a 3rd party firewall is for outgoing application control.
3rd party firewalls can cause conflicts with drivers & slow down your network, steer clear on a 2k3 machine.
windows firewall can limit apps/ports to IPs/ranges or even just limit to local subnet only, but the best place for that is within the router.
don't just forward ports, forward ports and lock down the IPs within the router.
windows firewall gets a LOT of flak, usually because people let their PCs get infected with spyware/viruses and the firewall gets easily bypassed/disabled.
however on an up to date/configured server, spyware/viruses won't be an issue (unless a user logs in and browses on the server) so it would be pretty hard to get disabled.
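Added example, not part of any post in this thread: the per-IP scoping described above, expressed as built-in Windows Firewall rules through `netsh firewall`. It assumes Windows Server 2003 SP1 or later (where Windows Firewall is present); the rule names and addresses are constructed placeholders from the documentation ranges.

```batch
@echo off
rem Added example. Assumes Windows Server 2003 SP1 or later.
rem 192.0.2.10 and 198.51.100.0/24 are placeholder addresses, not values
rem from the thread. Replace them with the clients that really need FTP.

rem Turn the firewall on and allow the explicit exceptions defined below.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem Web server: port 80 is meant to be reachable from any source.
netsh firewall add portopening protocol=TCP port=80 name="HTTP" mode=ENABLE scope=ALL

rem Weak form, shown for contrast only: FTP control port open to everyone.
rem netsh firewall add portopening protocol=TCP port=21 name="FTP" mode=ENABLE scope=ALL

rem Scoped form: FTP control port reachable only from the listed sources.
rem CUSTOM scope takes a comma-separated list of addresses and subnets.
netsh firewall add portopening protocol=TCP port=21 name="FTP control" mode=ENABLE scope=CUSTOM addresses=192.0.2.10,198.51.100.0/24

rem Passive-mode data ports are not covered here. They depend on the range
rem configured in the FTP server and need openings with the same CUSTOM scope.

rem Log dropped packets so blocked connection attempts can be reviewed.
netsh firewall set logging droppedpackets=ENABLE

rem Review the result: every opening should show the scope that was intended.
netsh firewall show portopening
netsh firewall show state
```

The same source restriction should still be applied to the port forwards on the router, so a mistake in either layer is caught by the other.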
I've been running Untangle for a bit now. It wouldn't run as a Windows app. Ideally you'd run it on a separate PC. You can run it as a virtual machine with VMware server (completely free solution). The VM method will require system resources. Untangle offers a good deal of security. Firewall functions, anti-virus, anti-spam, anti-phishing, etc. It's a pretty nice little package. Check it out.
I would have to say BlackICE
This is the Update page.. I'm not sure where the product page is.. But I'm sure you can find a torrent for it
IBM will no longer support the product after September of this year.
so I would avoid it