Solved

Virtual Server through Cisco ASA

Posted on 2009-04-29
Medium Priority
626 Views
Last Modified: 2012-05-06
Scenario:
I am responsible for a domain called business.com which has a website, Exchange, and a database for all employees. Everything works well.

Now I have been charged with adding a virtual server to the network, not related to the domain. I have created the virtual server and set up remote access through RDP on a separate port (3394) and verified the connection. The security/firewall is a Cisco ASA 5505 security appliance. To connect to this server from the outside they connect through RDP with the IP address and the new server's listening port 3394. I have 7 IP addresses at my disposal, however I am only utilizing 3: 1 web, 1 mail and 1 database program. This is an ongoing process, so changes will be made as the needs of the new server change.

I have no idea what is going to be on this server it is not a part of the company and therefore no company information is supposed to be on it. No browsing should be allowed to or from this machine.

This is going to have several sub-questions attached, I am sure as one is answered I will throw in another.

To start the question series:
How do I prevent browsing this new virtual server which is still a workgroup server, to and from the existing business.com domain (Network places/neighborhood)?

I have been asked about a private IP for this server so more than likely one of the 7 IPs will be dedicated for this server. How do I accomplish this through the ASA box?

Thanks in advance.
Question by: ultreya
10 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 24275320
To prevent being able to browse to it, turn off NetBIOS over TCP/IP, unbind Client for Microsoft Networks and disable the default Administrative shares.

To disable outbound browsing, you could disable access to Network Places in a local policy and that *should* take care of it with the above in place - I'd have to test.

For the ASA question, I'm not a Cisco guy so this one might be best asked in the Networking forum and ping LRMOORE. But as a guess, I'd say there's likely a way to map a public IP to a private one over NAT.

0
 

Author Comment

by:ultreya
ID: 24276023
To disable outbound browsing, you could disable access to Network Places in a local policy and that *should* take care of it with the above in place - I'd have to test.

Where in the local policy do I change this?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 24278191
In the local group policy, User Config > Admin Templates > Desktop:

Hide My Network Places = Enabled
Do not add shares of recently opened.....=Enabled

That should help somewhat. A savvy person could still very likely enter UNCs into the Run box to get around this, but you could remove the Run command via policy too. You'll find that setting and more under Start Menu and Taskbar.

0

 

Author Comment

by:ultreya
ID: 24295805
What about a workgroup server?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 24295946
It still has a local Group Policy that can be used.

0
 

Author Comment

by:ultreya
ID: 24305376
Although this method does "hide" the ability to browse, is there a way to prevent browsing?

To further complicate the situation... I can make these changes, however the admin of the virtual server can go back and undo them as well. I need a resolution to this.

Even though the network is attached to a domain, I do not feel safe having this workgroup computer on the same network, and it is my understanding that more will follow, on separate workgroups, and I will need to eliminate browsing to and from them as well.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 24305620
You'd have to put up a firewall between those subnets and the production network and block those ports:

UDP 138
UDP 137
TCP 139

0
 

Author Comment

by:ultreya
ID: 24381739
What if they are on the same subnet ... They are ...
0
 
LVL 51

Accepted Solution

by: Netman66 (earned 2000 total points)
ID: 24383452
There are tons of client-side firewall programs that can be customized in such a manner as to block browsing as above.

Many of them have a free trial.  I'd suggest taking a look at a few of them to see if any can suit your needs.

Other than that, you can place them all on a different subnet behind a firewall device - it'll just require a little creativity.

0
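The accepted answer's last option (a separate subnet behind a firewall device) is the one the virtual server's admin cannot undo, and it also answers the earlier question about dedicating one of the seven public IPs to the server through the ASA. The configuration below is an added example written for this page, not configuration from the thread or from Cisco; it assumes an ASA 5505 on 8.2-era software (the "static (in,out)" NAT form; 8.3 and later use object NAT instead), and every address in it is a constructed placeholder. The UDP 137/138 and TCP 139 blocks are the ports named in the thread; TCP 445 is added as a caveat, since Windows 2000 and later also carry file sharing directly over TCP 445 and a block that omits it is incomplete.

```cisco
! Added example, not part of the thread. Constructed placeholder addresses:
!   203.0.113.0/29   stands in for the block of 7 public IPs
!   203.0.113.5      the public IP to dedicate to the new server
!   192.168.1.0/24   the existing business.com LAN (inside, Vlan1)
!   192.168.50.0/24  a new VLAN holding only the workgroup server(s)
!   192.168.50.10    the workgroup server
!
! 1. Give the workgroup server its own VLAN. The server's NIC must actually be
!    moved onto this VLAN (here via switch port Ethernet0/2); if it stays on the
!    LAN's subnet the ASA never sees LAN<->server traffic and cannot filter it.
!    On the 5505 Base license a third VLAN is only accepted with
!    "no forward interface" toward one of the other two; pointing it at Vlan1
!    forbids the server from initiating anything to the LAN, which suits this
!    design. Omit that line on the Security Plus license.
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
!
! 2. Dedicate one public IP to the server (one-to-one static NAT).
static (guest,outside) 203.0.113.5 192.168.50.10 netmask 255.255.255.255
!
! 3. From the Internet, allow only RDP on the custom port 3394 to that IP.
!    The existing web, mail and database rules live in the same list.
access-list outside_in extended permit tcp any host 203.0.113.5 eq 3394
access-group outside_in in interface outside
!
! 4. Block browsing/file sharing between the two networks in both directions.
!    Both lists are needed: by default the ASA lets traffic from a higher
!    security level (inside, 100) reach a lower one (guest, 50) and blocks the
!    reverse, so the inside list must deny, and the guest list must not
!    accidentally permit, LAN traffic.
!
! LAN -> server: deny the browsing ports, leave everything else as it was.
! If nothing on the LAN needs to reach the server at all, a single
! "deny ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0" is simpler.
access-list inside_in extended deny udp 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0 range 137 138
access-list inside_in extended deny tcp 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 139
access-list inside_in extended deny tcp 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 445
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
!
! server -> LAN: the server has no business on the company network, so deny
! the whole LAN before permitting Internet-bound traffic. The port-specific
! denies are listed first only to make the browsing block explicit in logs.
access-list guest_in extended deny udp 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0 range 137 138
access-list guest_in extended deny tcp 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 139
access-list guest_in extended deny tcp 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 445
access-list guest_in extended deny ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list guest_in extended permit ip any any
access-group guest_in in interface guest
```

Two checks before relying on this: if the inside interface already has an access-list applied, add the deny lines to that list instead of creating inside_in, because "access-group" on an interface replaces any list already bound there; and after the change, confirm from a LAN host that the server no longer appears in Network Places and that a UNC path to it fails, while RDP to 203.0.113.5:3394 from outside still works. Because the filtering happens on the ASA rather than on the server, the server's own administrator cannot reverse it, which was the sticking point in the thread.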
 

Author Closing Comment

by:ultreya
ID: 31576210
Thank you
0