

Is it unsecure to have other computers on the same IP as a server?

Posted on 2009-07-09
Medium Priority
Last Modified: 2012-05-07

Imagine the following setup:
- A Windows server with a lot of security
- 1 or more win computers at the same static IP address as the server.
- All behind the same router/firewall.

Is or could that be a security breach?
E.g. if a hacker gets access via an unsecure pc on the same static IP and then from that place could get access to the server?

IF unsecure..:
1) How can it be unsecure/attacked?
2) What is the solution?
Question by: loopstudio

Expert Comment

ID: 24812483

Sounds like you are referring to local IP addresses?  It is not possible to have 2 machines with the same IP in the same network.

If the server and workstations are behind the same router/firewall (is it a decent one?), always kept up to date in terms of Windows patches, and locked down so some spud can't install any malicious software, you shouldn't have much to worry about.

Expert Comment

ID: 24812746
I agree with Brettkm...

If you have servers and workstations, laptops, etc. on the same local subnet behind a router/firewall - it's not a big deal. However - make sure this "router/firewall" is maintained, and that it is set to a default deny posture for both incoming and outgoing traffic - open only what you need.

You should also make sure the Windows OSes are kept up to date with Service Packs and patches. Also should have antivirus software on them. Can never be too safe. Something I like to do is make sure that the local firewall is always turned on on each host as well... Windows Server 2003, 2008 each have a built in firewall that can be enabled. As does XP, Vista and 7. Turn it on.... open ports on the servers only for required application / data serving...

Oh - and rule # 1... make sure nobody except required personnel has physical access to the server. Logical and network security mean very little if someone can walk up to a system, power it off, throw it in the back of their car and drive home with it (and then pull the drives, drop them into a USB enclosure and mount it on their home computer... you know... boom! steak dinner!)....

Have fun...

Author Comment

ID: 24818805
Thanx both of You.

1) Could You recommend a good AntiVirus for Win 2003?
2) A thought:  What if there already is malicious / spy / virus on one of the other machines? Can they then spy or in other way make harm to / on the server?


Expert Comment

ID: 24818906
There are some good AV solutions for Win 2003 Server... You can always use Clam AV, or BitDefender... We use TrendMicro OfficeScan Corporate Edition here... but there are myriad good solutions... Symantec, McAfee, Nod32, Sophos, etc.

If one computer on a network is infected by a virus it certainly is possible that the virus will make its way to the server somehow... so it is always a good idea to run AV on all computers, keep firewalls enabled on all endpoints and only allow traffic that is explicitly required.

The solution I usually provide to my friends and family consists of Avast! antivirus (free for home use) and Blue Coat's K9 web filter (free for home use). The combination usually keeps systems clean for the most part, of course nothing is perfect. For business use, again, we use Trend Micro.

Author Comment

ID: 24821621
Hi Dhlevine,

Thanx for info..

1) Yes, I also use Avast for private use. Of course, when it comes to server, there are 2 important things also: a) it should be able to operate without slowing the server too much down and b) normally AV are very expensive, when it's made for a server. So a good one in the cheap end would be nice.

2) This is exactly what I was afraid of.. and the reason of my original question.
A server normally has very little access from different people and purposes, while laptops & desktops they normally have open for a lot of things, there is done a lot of browsing and emailing.
And my experience is that EVEN if You have antivirus and vice versa on a normal computer, there ALWAYS happen to come some mal/spy/virus sometimes.

So with that in mind..
Couldn't / Wouldn't You say then that it's definitely NOT recommended to have both server and desktops / laptops behind the same IP / hardware firewall / router ?
They need to have different IP's in order to be secure.. or?

Assisted Solution

brettkm earned 150 total points
ID: 24822881
You haven't stated the type of environment this question refers to, so I'm assuming it's only a small setup, 1 server + a handful of workstations.

With this in mind, my original answer is still the case.

If you've got a massive corporate network to look after (which by the sounds of it you haven't), it's a different story, but as long as you keep your server up to date with patches/updates, your workstations up to date with patches/updates, and lock down the workstations so users don't have the required access to install malicious software, you're fine.

Obviously anti virus/malware software is needed as well; if the server is a mail server, then software that scans mail before hitting the mailboxes is also a good idea.

Expert Comment

ID: 24823738
I agree with brettkm again.

Just follow best practice for security on the workstations and servers.

Make sure unauthorized people do not have access to the server console - physically or through remote desktop, vnc, etc.

Make sure users are not set up as administrators on their workstations. Least privilege is key. Make sure antivirus / antimalware software is on all servers and workstations. Make sure local firewalls are running on servers and workstations. Only allow traffic to the servers on required ports.

If you have a file server, make sure that share and NTFS permissions are appropriate and not excessive.

If you have a local mail server (Exchange or whatever) make sure you have an AV / Antispam solution for that, and make sure you don't allow open relaying.

Make sure all systems are automatically updating themselves with security patches. For a small network, that can be done individually. Or you can use WSUS if you want to have more control. It's free and pretty good for small environments.

There is no problem with servers and workstations being on the same network segment / subnet / vlan. Just follow these basic principles and you should be ok.


Author Comment

ID: 24824781
Alright, thanx again.. both of You

Do I hear You say that: Even if 1 of the desktops has spy & virus, it cannot come to the server, if the server's win firewall only allows port 80 ?

Accepted Solution

dhlevine earned 225 total points
ID: 24824853
If you have a desktop that is infected with a virus or spyware, it is possible for it to propagate across the network - it depends on the type of virus or spyware it is.

There are viruses (worms) that can propagate through Windows file sharing, etc. But - if you have the servers' firewall enabled and you are only allowing port 80 to the server then your attack surface is greatly reduced and you should be safe.

Aside from some worms, most malware can only do stuff if you execute it. Point being... don't do stuff on the server... don't surf the web from it, etc.

You should be safe. (as safe as any networked computer can be)
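
A way to confirm the posture described in the answer above (server firewall on, only port 80 allowed), as an added example that is not part of the original thread: run from a workstation on the same subnet, it reports any server port that answers but is not on the allowlist, including the Windows file sharing ports that worms use. The port list, the allowlist and the function names are assumptions made for the example.

```python
import socket
import sys

# Assumption for this example: the server should expose only TCP 80.
ALLOWED_PORTS = {80}

# Constructed probe list: 135/139/445 carry Windows RPC and file sharing,
# 3389 is Remote Desktop, 5900 is VNC. Extend it for your own services.
PROBE_PORTS = {80: "HTTP", 135: "RPC endpoint mapper", 139: "NetBIOS session",
               445: "SMB file sharing", 3389: "Remote Desktop", 5900: "VNC"}


def probe(host, port, timeout=1.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no reply)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout or unreachable, e.g. a firewall dropping packets
        return "filtered"
    finally:
        s.close()


def audit(host, ports=PROBE_PORTS, allowed=ALLOWED_PORTS, timeout=1.0):
    """Return (unexpected, missing) for `host`.

    unexpected: ports that accept connections but are not on the allowlist.
    missing:    allowlisted ports that do not accept connections.
    """
    state = {p: probe(host, p, timeout) for p in set(ports) | set(allowed)}
    unexpected = sorted(p for p, s in state.items()
                        if s == "open" and p not in allowed)
    missing = sorted(p for p in allowed if state[p] != "open")
    return unexpected, missing


if __name__ == "__main__":
    # Usage: python audit.py <server-address>, from a workstation on the subnet.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    unexpected, missing = audit(host)
    for p in unexpected:
        print(f"EXPOSED tcp/{p} ({PROBE_PORTS.get(p, 'unknown')}): not on the allowlist")
    for p in missing:
        print(f"DOWN    tcp/{p}: allowlisted but not answering")
    if not (unexpected or missing):
        print("OK: only the allowlisted ports answer")
```

An empty `unexpected` list from a workstation's vantage point is the evidence that the host firewall, not just the perimeter router, is limiting what an infected machine on the same subnet can reach.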

Author Closing Comment

ID: 31601513
Thanx both of You :)
