  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 246

securing win2k DNS server

Ok, hosting my own DNS server here. The reason I'm hosting it is because I also host a webserver here. I registered a domain name through NAMESECURE. I specified to NAMESECURE that I will be using my own DNS server and not theirs.

I have done the following on my win2k DNS server:

-fully patched
-removed file and print sharing
-only running DNS (nothing else. no IIS, no AD)
-disallowed zone transfers
-disallowed dynamic updates
-disabled recursion

Question: Should this DNS server be allowed to query root servers? I'm guessing it shouldn't? I added A records for the address of my webserver. That is all that is in the current forward lookup zone.

What else should I do to secure this box?
Thanks in advance
Asked by: dissolved

1 Solution
 
poseidoncanuck commented:
I always start with the authoritative security lockdown guides published by Microsoft:

Windows 2000 Security Hardening Guide
http://go.microsoft.com/fwlink/?LinkID=22380 

Microsoft Solution for Securing Windows 2000 Server
http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp 

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
http://go.microsoft.com/fwlink/?LinkId=15159 

Then a few quick tips that are proven to make it very difficult for someone to "own" your server:
- Configure all privileged accounts with *very* strong passwords
- configure an IPSec "block" policy to allow Internet addresses to access only 53/tcp and 53/udp
- reconfigure Terminal Services RDP permissions to allow only a specific user (or group of users) to connect to the server via Terminal Services/Remote Desktop connections (the default is Administrators get to use TS)
- configure Automatic Updates to automatically download and install all patches on a daily basis (you have a far greater chance of someone "owning" your box due to a zero-day exploit, than you have of that server being "harmed" by a critical security update)
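The checklist in the question (no zone transfers, no dynamic updates, no recursion, only the intended zone hosted) and the answer's tip of exposing nothing but 53/tcp and 53/udp can be audited from the server itself. The script below is an added example, not code from the thread or from Microsoft. It assumes a current Windows Server DNS role with the DnsServer and NetSecurity PowerShell modules (Windows Server 2012 and later; Windows 2000 predates these cmdlets, where dnscmd and the DNS console were the tools), and it uses the host firewall where the answer used an IPSec block policy. `$ExpectedZones` and the `example.com` zone name are placeholders for your own zones.

```powershell
# Added example (not from the original thread): audit a Windows DNS Server role
# against an authoritative-only baseline. Run in an elevated PowerShell on the
# DNS server. Requires the DnsServer and NetSecurity modules (Server 2012+).
param(
    # Assumption: the zones you intend to host. 'example.com' is a placeholder.
    [string[]]$ExpectedZones = @('example.com')
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Recursion. An authoritative-only server answers solely for its own zones,
#    so it never needs to query the root servers on a client's behalf.
$recursion = Get-DnsServerRecursion
if ($recursion.Enable) {
    $findings.Add('Recursion is enabled; disable it with Set-DnsServerRecursion -Enable $false.')
}

# With recursion off, root hints and forwarders are dead configuration; flag leftovers.
if (Get-DnsServerRootHint -ErrorAction SilentlyContinue) {
    $findings.Add('Root hints are still present; not needed on an authoritative-only server.')
}
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress) {
    $findings.Add("Forwarders configured: $($fwd.IPAddress -join ', ')")
}

# 2. Per-zone settings: only expected zones, no transfers, no dynamic updates.
foreach ($zone in Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }) {
    if ($zone.ZoneName -notin $ExpectedZones) {
        $findings.Add("Unexpected zone hosted: $($zone.ZoneName)")
    }
    if ($zone.ZoneType -eq 'Primary') {
        if ($zone.SecureSecondaries -ne 'NoTransfer') {
            $findings.Add("Zone $($zone.ZoneName): zone transfers allowed ($($zone.SecureSecondaries)).")
        }
        if ($zone.DynamicUpdate -ne 'None') {
            $findings.Add("Zone $($zone.ZoneName): dynamic updates allowed ($($zone.DynamicUpdate)).")
        }
    }
}

# 3. Host firewall. Every enabled inbound allow rule should be for 53/tcp or
#    53/udp. This is deliberately strict: anything else (RDP, SMB, ICMP, "Any")
#    is reported so you can decide whether it belongs on a public DNS host.
$rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow
foreach ($rule in $rules) {
    $pf    = $rule | Get-NetFirewallPortFilter
    $ports = @($pf.LocalPort)
    $proto = $pf.Protocol
    $dnsOnly = ($proto -in 'TCP', 'UDP') -and ($ports -contains '53') -and ($ports.Count -eq 1)
    if (-not $dnsOnly) {
        $findings.Add("Inbound allow rule '$($rule.DisplayName)' exposes $proto port(s) $($ports -join ',').")
    }
}

# 4. Report. A clean run prints a single line; otherwise one line per finding.
if ($findings.Count -eq 0) {
    'No findings: server matches the authoritative-only baseline.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it after each configuration change and again after patching, since updates occasionally re-enable firewall rules. Items flagged under the firewall check are not necessarily wrong, but each one is a service reachable from the Internet that the question's threat model did not intend.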
 
dissolved (Author) commented:
Thanks.
This DNS server actually isn't part of a domain. It's stand-alone. Did kill a lot of unneeded services though.
Probably going to move DNS server to its own VLAN and use IP access lists to control who accesses it (ie: only let a certain range of IPs to resolve).
Thanks