Fresh Install of Windows 2003 Server

Last Modified: 2013-11-22
Just wanted to know what the general public does.

I first put in a Firewall to block ALL incoming ports.

Then I install Windows 2003 Server and then apply ALL available Microsoft Updates without opening the ports from the starter page when the server first boots up.

Then I install AV software and then update all definitions.

Wondering what others do and if doing this in terms of WU before AV creates any issues.

Commented:
That's about right. Not sure what your server is for. I actually have a WSUS server that installs the updates so the system doesn't need to get on the internet.

Then I install the AV, and the updates. You can normally download the updates on a different computer and manually install them. Once that is done you are somewhat safe to put the system on the net.
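One way to point a freshly installed server at an internal WSUS server so that it never has to reach Microsoft Update directly, as an added example that is not part of the original thread. The URL `http://wsus.example.local` is a placeholder assumption; the registry values are the standard Windows Update Agent policy settings.

```batch
@echo off
rem Added example: point the Windows Update Agent at an internal WSUS server.
rem WSUS_URL is a placeholder (assumption); replace it with your own WSUS host.
setlocal
set WSUS_URL=http://wsus.example.local
set WU_KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

rem Update source and reporting server (normally the same WSUS host).
reg add "%WU_KEY%" /v WUServer /t REG_SZ /d "%WSUS_URL%" /f || goto :fail
reg add "%WU_KEY%" /v WUStatusServer /t REG_SZ /d "%WSUS_URL%" /f || goto :fail

rem Make Automatic Updates use the server above instead of Microsoft Update.
reg add "%WU_KEY%\AU" /v UseWUServer /t REG_DWORD /d 1 /f || goto :fail
rem Keep Automatic Updates enabled.
reg add "%WU_KEY%\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f || goto :fail
rem AUOptions 3 = download automatically, notify before installing.
reg add "%WU_KEY%\AU" /v AUOptions /t REG_DWORD /d 3 /f || goto :fail

rem Restart the agent so it reads the policy, then trigger a detection cycle.
rem "net stop" may report that the service was not running; that is harmless.
net stop wuauserv
net start wuauserv || goto :fail
wuauclt /detectnow

rem Show the values that were written so they can be checked by eye.
reg query "%WU_KEY%" /v WUServer
reg query "%WU_KEY%\AU" /v UseWUServer
echo Check %SystemRoot%\WindowsUpdate.log to confirm the agent contacts %WSUS_URL%.
endlocal
exit /b 0

:fail
echo Failed to apply the WSUS policy settings. 1>&2
endlocal
exit /b 1
```

Run it from an administrator command prompt while the hardware firewall still blocks all inbound ports; in a domain the same values are usually delivered by Group Policy instead of a script.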

Author

Commented:
But accessing the inet (through the hardware firewall) that I just installed the fresh OS on, to perform WU and then install AV with their updates should be secure enough right?

Nice strategy.
I need to rethink my deployment strategy.
So you dedicate a server that acts as your WSUS and push all Windows updates to all servers that way and therefore there is no need to connect your other servers to the internet directly to get updates? In your recommendation, I can also deploy, for example, Symantec Antivirus Corporate Edition to that same server and let it administer and be a central point of management for all servers as it will "push" installs and updates through here.

How does that sound?

Commented:
Works good. You never know when a new virus is going to hit, but your hardware firewall should protect against any scanned attacks. If however the MS site, or AV site has been phished, you would not have to worry.

Not to mention, having the WSUS is much faster to install updates than downloading them each time you set up a server.

I set up new servers for new clients all the time and this saves me a lot of time.

Author

Commented:
>> If however the MS site, or AV site has been phished,......
Yes I will be protected from scanned attacks. That is why I always thought I should be ok there with just a firewall blocking all incoming ports. Using WatchGuard Firebox X55e.

In terms of MS site or AV site being phished, that is basically my only real concern in terms of being "vulnerable" when 'directly' connecting the servers to the internet. Correct?


That sounds great, I maybe will dedicate a server to be the WSUS and AV server.

The reason why I am confirming the process that I normally undertake in protecting the servers is because I just built 5 servers from scratch and do not want to do this all over. But am willing to if there are potential risks involved and vulnerabilities.

I will install AV software on all after WU has been completed on all.

Author

Commented:
Well from a security perspective, they are similar, with your strategy having an edge, obviously because there is only one single point of external communication.

But from an efficiency and time saving standpoint, your solution is better by far.

I think I will implement a WSUS server after the fact.

Thanks for your insight and providing me with your experiences.
There is never any harm in asking what others are doing out there.