I was gonna say - at home I'm using the free (for a year) McAfee firewall that Comcast high speed internet gives to its customers (to put something between our DSL and the WWW).

-----Original Message-----
From: Jim Kenzig [mailto:jimkenz@xxxxxxxxxxxxxx]
Sent: Friday, September 06, 2002 11:31 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: IIS on a domain controller

Surely you can at least use a software firewall like Blackice or Zonealarm or Tiny.

JK

-----Original Message-----
From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Daniel Angelucci
Sent: Friday, September 06, 2002 11:19 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: IIS on a domain controller

Where I work, we have no firewall, no NAT, no nothing. As a result, our DCs are live on the Internet. There are a million implications and things to watch for when doing this. Basically, security becomes much closer to a full time job for a 2k admin. There's a great document from SANS about securing Win2k which you can order at www.sans.org.

Also, you can expect a lot of downtime because you will be patching your servers constantly. Most of the optional security patches are not optional when you are in the DMZ.

Finally, the only way to truly secure an Internet-live DC (IMO) is using Kerberos authentication and only Kerberos authentication. In addition, you would want to REQUIRE secure communication between your clients and the server. This means no legacy clients and no trusts to NT 4 domains.

If I could, I would move my DCs behind a firewall tomorrow. I don't have the option and I get attacked a lot. Just two days ago I had to call Comcast security to get some !@#$%#!@ hacker removed from the Internet. It's not always fun, and it is a lot of work.

Just my $.02

Dan