
securing+hardening network/server


9 replies to this topic

#1 sniper8752

sniper8752

  • Members
  • 375 posts
  • OFFLINE
  •  
  • Local time:05:56 PM

Posted 04 May 2015 - 08:53 PM

I am looking at starting my own Windows server.  I am concerned about the security, because I know once I open the server up to the outside, I am vulnerable to attack.  I am partially familiar with OpenVPN, OpenSSL, SSH, and DMZ, but am not sure how to tie this all together, and what the best method to harden and secure the network/server is.  Can anyone give advice or recommend any good tutorials or reading material on this?




#2 sflatechguy

sflatechguy

  • BC Advisor
  • 2,164 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:56 PM

Posted 10 May 2015 - 11:20 AM

Just curious -- why would you make the server available on the Internet? Unless it's hosting a service that outside users need to access, or you need to manage it remotely, you shouldn't make it visible to anyone outside the internal network.

 

If you need to manage it remotely, best bet is to set up a VPN to tunnel into your LAN. If you are hosting a service on it that others need to access, put it in the DMZ and isolate it from the rest of your LAN. If you don't need to do any of this, just make sure your firewall is good and secure.



#3 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts
  • OFFLINE
  •  
  • Local time:03:56 PM

Posted 11 May 2015 - 02:28 PM

How about telling us what you want to use the server for?  That would be a great start.



#4 sniper8752

sniper8752
  • Topic Starter

  • Members
  • 375 posts
  • OFFLINE
  •  
  • Local time:05:56 PM

Posted 12 May 2015 - 07:22 PM

I am looking to host Quicken data so some users can work on it. 



#5 sflatechguy

sflatechguy

  • BC Advisor
  • 2,164 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:56 PM

Posted 12 May 2015 - 07:26 PM

So it's just a file server, not a domain controller?

Are these users on your local network, or are they external users? If they are outside your network, how will they access the data, and how will they authenticate?

#6 sniper8752

sniper8752
  • Topic Starter

  • Members
  • 375 posts
  • OFFLINE
  •  
  • Local time:05:56 PM

Posted 12 May 2015 - 08:25 PM

Correct.  They will be external.  What would be the best, secure method to have them access these financial documents?



#7 sflatechguy

sflatechguy

  • BC Advisor
  • 2,164 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:56 PM

Posted 13 May 2015 - 07:10 AM

There is no real "best" answer. How you configure all this depends on how the external users are going to authenticate. If you are responsible for the usernames and passwords they will use, you can configure the Routing and Remote Access Service on the server and set up a VPN. Or you could set it up as an FTP server, using either SSL/TLS or SSH to secure the connection. Or, depending on the server OS you are using, you could enable Remote Desktop Web Access or RDP, again making sure to use only secure, encrypted connections.

 

If you aren't responsible for creating and maintaining the usernames and passwords, you could set up some sort of federation and allow the external users to access the files through a web browser.

 

In any event, you will want to create some sort of proxy in your DMZ that will route access to the Quicken file server, which should be sitting behind your firewall.

 

Those aren't very specific answers, but I don't really have enough info about your configuration to provide more details. Hope this helps.



#8 JohnnyJammer

JohnnyJammer

  • Members
  • 1,107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:08:56 AM

Posted 13 May 2015 - 07:05 PM

To be honest, I would just use a small Unix box with IPCop on it and set up an OpenVPN connection. This way you have a decent encrypted and FREE VPN client you can access and generate zip files with the user's name and pass code.

The only thing you need is a small old crappy computer with 2 network cards/interfaces (one RED (Internet facing), the other GREEN (LAN)).


Edited by JohnnyJammer, 13 May 2015 - 07:07 PM.


#9 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts
  • OFFLINE
  •  
  • Local time:03:56 PM

Posted 13 May 2015 - 10:40 PM

Professional way is to put in a vpn router that allows client vpn connections.  This is your first level of authentication.  Then you have them authenticate to a RDP server session.  Then they authenticate to Quicken.

 

You can skip the RDP server if you can't afford it.

 

Netgear/Dlink have vpn routers with client software.  Just a matter of installing and configuring the client software on their pcs/laptops and that of the accounts on the router.
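
The layering described in this thread (VPN first, then the file server) can be backed up on the Windows server's own firewall. The following is an added example, not part of any post in the thread: it allows SMB and RDP only from the VPN client pool and then lists any enabled inbound allow rule that still opens those ports to any source. The subnet `10.8.0.0/24`, the `VPN-only` rule group and the function name are assumptions, and the cmdlets require the NetSecurity module (Windows Server 2012 or later).

```powershell
# Assumed values, not from the thread: VPN client pool and the ports to protect.
$VpnSubnet = '10.8.0.0/24'      # hypothetical address pool handed to VPN clients
$Ports     = 445, 3389          # SMB file sharing, RDP

# 1. Inbound default-deny on every profile, so only explicit allow rules apply.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Allow the protected ports only from the VPN pool (skip rules that already exist).
foreach ($p in $Ports) {
    $name = "VPN-only TCP $p"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Group 'VPN-only' -Direction Inbound `
            -Protocol TCP -LocalPort $p -RemoteAddress $VpnSubnet -Action Allow | Out-Null
    }
}

# 3. Audit: enabled inbound allow rules that list one of these ports explicitly
#    and accept any remote address. Port ranges and "Any"-port rules are not expanded.
function Get-OpenToAnyRule {
    param([int[]]$Port)
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $pf = $rule | Get-NetFirewallPortFilter
        $af = $rule | Get-NetFirewallAddressFilter
        if ($pf.Protocol -ne 'TCP') { continue }
        $local  = @($pf.LocalPort)
        $covers = @($Port | Where-Object { $local -contains "$_" }).Count -gt 0
        if ($covers -and (@($af.RemoteAddress) -contains 'Any')) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                LocalPort     = $local -join ','
                RemoteAddress = 'Any'
            }
        }
    }
}

$findings = Get-OpenToAnyRule -Port $Ports
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No enabled inbound allow rule opens TCP 445/3389 to any source.' }
```

Rules the audit reports (typically the built-in File and Printer Sharing or Remote Desktop rules) are the ones to disable or scope down so that only the VPN-only rules remain.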



#10 sniper8752

sniper8752
  • Topic Starter

  • Members
  • 375 posts
  • OFFLINE
  •  
  • Local time:05:56 PM

Posted 14 May 2015 - 07:46 PM

> There is no real "best" answer. How you configure all this depends on how the external users are going to authenticate. If you are responsible for the usernames and passwords they will use, you can configure the Routing and Remote Access Service on the server and set up a VPN. Or you could set it up as an FTP server, using either SSL/TLS or SSH to secure the connection. Or, depending on the server OS you are using, you could enable Remote Desktop Web Access or RDP, again making sure to use only secure, encrypted connections.
>
> If you aren't responsible for creating and maintaining the usernames and passwords, you could set up some sort of federation and allow the external users to access the files through a web browser.
>
> In any event, you will want to create some sort of proxy in your DMZ that will route access to the Quicken file server, which should be sitting behind your firewall.
>
> Those aren't very specific answers, but I don't really have enough info about your configuration to provide more details. Hope this helps.

Right now, I have a SOHO router and a new server.  So I am pretty much open to anything, as long as it does not cost me thousands of dollars.

 

> To be honest, I would just use a small Unix box with IPCop on it and set up an OpenVPN connection. This way you have a decent encrypted and FREE VPN client you can access and generate zip files with the user's name and pass code.
>
> The only thing you need is a small old crappy computer with 2 network cards/interfaces (one RED (Internet facing), the other GREEN (LAN)).

I never heard of IPCop.  I will try it out though.  And I never set up a VPN connection.  Is it easy to setup?  And I am not sure if the server will have two NICs.  If it doesn't, is there a work-around?

> Professional way is to put in a vpn router that allows client vpn connections.  This is your first level of authentication.  Then you have them authenticate to a RDP server session.  Then they authenticate to Quicken.
>
> You can skip the RDP server if you can't afford it.
>
> Netgear/Dlink have vpn routers with client software.  Just a matter of installing and configuring the client software on their pcs/laptops and that of the accounts on the router.

Sounds like VPN is the way to go. 

 

Thanks everyone for your input!





