securing win2k DNS server

Posted on 2004-11-30
Last Modified: 2013-12-04
Ok, hosting my own DNS server here. The reason I'm hosting it is because I also host a webserver here. I registered a domain name through NAMESECURE. I specified to NAMESECURE that I will be using my own DNS server and not theirs.

I have done the following on my win2k DNS server:

- fully patched
- removed file and print sharing
- only running DNS (nothing else: no IIS, no AD)
- disallowed zone transfers
- disallowed dynamic updates
- disabled recursion

Question: Should this DNS server be allowed to query root servers? I'm guessing it shouldn't? I added A records for the address of my webserver. That is all that is in the current forward lookup zone.

What else should I do to secure this box?
Thanks in advance
Question by:dissolved

    Accepted Solution

    I always start with the authoritative security lockdown guides published by Microsoft:

    Windows 2000 Security Hardening Guide

    Microsoft Solution for Securing Windows 2000 Server

    Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP

    Then a few quick tips that are proven to make it very difficult for someone to "own" your server:
    - Configure all privileged accounts with *very* strong passwords
    - configure an IPSec "block" policy to allow Internet addresses to access only 53/tcp and 53/udp
    - reconfigure Terminal Services RDP permissions to allow only a specific user (or group of users) to connect to the server via Terminal Services/Remote Desktop connections (the default is Administrators get to use TS)
    - configure Automatic Updates to automatically download and install all patches on a daily basis (you have a far greater chance of someone "owning" your box due to a zero-day exploit, than you have of that server being "harmed" by a critical security update)

    Author Comment

    This DNS server actually isn't part of a domain. It's stand-alone. Did kill a lot of un-needed services though.
    Probably going to move DNS server to its own VLAN and use IP access lists to control who accesses it (ie: only let a certain range of IPs to resolve).
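Two of the settings in the checklist above (recursion disabled, zone transfers disallowed) can be verified from the outside by looking at the DNS header flags the server returns: a server that refuses to recurse answers with the RA ("recursion available") bit clear and no answer records for a name outside its zones, and a server that refuses AXFR answers with RCODE 5 (REFUSED). The script below is an added example written for this thread, not code from the question or the accepted solution; it builds the two probe queries by hand, decodes the reply header, and ships with constructed sample replies (the names example.com / example.net and the address 192.0.2.1 are placeholders) so the checks run offline. The `query_udp` helper sends a real UDP query to a server you name, intended for auditing your own box after applying the lockdown.

```python
import socket
import struct

QTYPE_A = 1
QTYPE_AXFR = 252
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qtype: int, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a minimal RFC 1035 query: 12-byte header plus one question (class IN)."""
    flags = 0x0100 if rd else 0x0000  # RD = "recursion desired" (bit 8 of the flags word)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(response: bytes) -> dict:
    """Decode the header fields an audit cares about (QR, AA, RD, RA, RCODE, ANCOUNT)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": an,
    }


def recursion_disabled(response: bytes) -> bool:
    """True when the server neither offers recursion (RA clear) nor resolved the off-zone name."""
    h = parse_header(response)
    return not h["ra"] and h["answers"] == 0


def zone_transfer_refused(response: bytes) -> bool:
    """True when an AXFR request came back REFUSED with no records."""
    h = parse_header(response)
    return h["rcode"] == 5 and h["answers"] == 0


def make_response(query: bytes, flags: int, answers: int = 0) -> bytes:
    """Constructed reply: header with the given flags, echoing the query's question section."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0) + query[12:]


def query_udp(server: str, query: bytes, timeout: float = 3.0) -> bytes:
    """Send one query to <server>:53 over UDP and return the raw reply (audit your own server)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return data


# --- constructed sample traffic (not captured from any real server) ---
QUERY_OFF_ZONE = build_query("example.net", QTYPE_A)           # name this server is not authoritative for
HARDENED_REPLY = make_response(QUERY_OFF_ZONE, 0x8105)         # QR, RD echoed, RA clear, REFUSED
A_RECORD = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_RESOLVER_REPLY = make_response(QUERY_OFF_ZONE, 0x8180, answers=1) + A_RECORD  # RA set, answered
QUERY_AXFR = build_query("example.com", QTYPE_AXFR, rd=False)
AXFR_REFUSED_REPLY = make_response(QUERY_AXFR, 0x8005)         # QR set, RCODE 5

if __name__ == "__main__":
    for label, reply in (("hardened", HARDENED_REPLY), ("open resolver", OPEN_RESOLVER_REPLY)):
        print(f"{label}: recursion disabled = {recursion_disabled(reply)}, "
              f"rcode = {parse_header(reply)['rcode_name']}")
    print(f"AXFR refused = {zone_transfer_refused(AXFR_REFUSED_REPLY)}")
```

A real AXFR is carried over TCP with a two-byte length prefix, so when checking a live server strip that prefix before calling `parse_header`; the UDP probe above is enough to confirm the recursion setting and the REFUSED response to the transfer request, which is what the checklist calls for.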
