Solved

Is it unsecure to have other computers on the same IP as a server?

Posted on 2009-07-09
Last Modified: 2012-05-07
Hi,

Imagine the following setup:
---------------------------------
- A Windows server with a lot of security
- 1 or more win computers at the same static IP address as the server.
- All behind the same router/firewall.

Is or could that be a security breach?
E.g. if a hacker gets access via an unsecure pc on the same static IP and then from that place could get access to the server?

IF unsecure..:
1) How can it be unsecure/attacked?
2) What is the solution?
Question by:loopstudio
10 Comments
 
LVL 7

Expert Comment

by:brettkm
ID: 24812483
hihi,

Sounds like you are referring to local IP addresses?  It is not possible to have 2 machines with the same IP in the same network.

If the server and workstations are behind the same router/firewall (is it a decent one?), always kept up to date in terms of Windows patches, and locked down so some spud can't install any malicious software, you shouldn't have much to worry about.
0
 
LVL 1

Expert Comment

by:dhlevine
ID: 24812746
I agree with Brettkm...

If you have servers and workstations, laptops, etc. on the same local subnet behind a router/firewall - it's not a big deal. However - make sure this "router/firewall" is maintained, and that it is set to a default deny posture for both incoming and outgoing traffic - open only what you need.

You should also make sure the Windows OS'es are kept up to date with Service Packs and patches. Also should have antivirus software on them. Can never be too safe. Something I like to do is make sure that the local firewall is always turned on on each host as well... Windows Server 2003, 2008 each have a built in firewall that can be enabled. As does XP, Vista and 7. Turn it on.... open ports on the servers only for required application / data serving...

Oh - and rule # 1... make sure nobody except required personnel has physical access to the server. Logical and network security mean very little if someone can walk up to a system, power it off, throw it in the back of their car and drive home with it (and then pull the drives, drop them into a USB enclosure and mount it on their home computer... you know... boom! steak dinner!)....

Have fun...
D
0
 

Author Comment

by:loopstudio
ID: 24818805
Thanx both of You.

1) Could You recommend a good AntiVirus for Win 2003?
2) A thought:  What if there already is malicious / spy / virus on one of the other machines? Can they then spy or in other way make harm to / on the server?
0
 
LVL 1

Expert Comment

by:dhlevine
ID: 24818906
There are some good AV solutions for Win 2003 Server... You can always use Clam AV, or BitDefender... We use TrendMicro OfficeScan Corporate Edition here... but there are myriad good solutions... Symantec, McAfee, Nod32, Sophos, etc.

If one computer on a network is infected by a virus it certainly is possible that the virus will make its way to the server somehow... so it is always a good idea to run AV on all computers, keep firewalls enabled on all endpoints and only allow traffic that is explicitly required.

The solution I usually provide to my friends and family consists of Avast! antivirus (free for home use) and Blue Coat's K9 web filter (free for home use). The combination usually keeps systems clean for the most part, of course nothing is perfect. For business use, again, we use Trend Micro.
0
 

Author Comment

by:loopstudio
ID: 24821621
Hi Dhlevine,

Thanx for info..

1) Yes, I also use Avast for private use. Of course, when it comes to server, there are 2 important things also: a) it should be able to operate without slowing the server too much down and b) normally AV are very expensive, when it's made for a server. So a good one in the cheap end would be nice.

2) This is exactly what I was afraid of.. and the reason of my original question.
A server normally has very little access from different people and purposes, while laptops & desktops they normally have open for a lot of things, there is done a lot of browsing and emailing.
And my experience is that EVEN You have antivirus and vice versa on a normal computer, there ALWAYS happen to come some mal/spy/virus sometimes.

So with that in mind..
Couldn't / Wouldn't You say then that it's definitely NOT recommended to have both server and desktops / laptops behind the same IP / hardware firewall / router ?
They need to have different IP's in order to be secure.. or?
0
 
LVL 7

Assisted Solution

by:brettkm
brettkm earned 50 total points
ID: 24822881
You haven't stated the type of environment this question refers to, so I'm assuming it's only a small setup, 1 server + a handful of workstations.

With this in mind, my original answer is still the case.

If you've got a massive corporate network to look after (which by the sounds of it you haven't), it's a different story, but as long as you keep your server up to date with patches/updates, your workstations up to date with patches/updates, and lock down the workstations so users don't have the required access to install malicious software, you're fine.

Obviously anti virus/malware software is needed as well, if the server is a mail server, then software that scans mail before hitting the mailboxes is also a good idea.
0
 
LVL 1

Expert Comment

by:dhlevine
ID: 24823738
I agree with brettkm again.

Just follow best practice for security on the workstations and servers.

Make sure unauthorized people do not have access to the server console - physically or through remote desktop, vnc, etc.

Make sure users are not setup as administrators on their workstations. Least privilege is key. Make sure antivirus / antimalware software is on all server and workstations. Make sure local firewalls are running on servers and workstations. Only allow traffic to the servers on required ports.

If you have a file server, make sure that share and NTFS permissions are appropriate and not excessive.

If you have a local mail server (Exchange or whatever) make sure you have an AV / Antispam solution for that, and make sure you don't allow open relaying.

Make sure all systems are automatically updating themselves with security patches. For a small network, that can be done individually. Or you can use WSUS if you want to have more control. It's free and pretty good for small environments.

There is no problem with servers and workstations being on the same network segment / subnet / vlan. Just follow these basic principles and you should be ok.

0
 

Author Comment

by:loopstudio
ID: 24824781
all right thanx again.. both of You

Do I hear You say that: Even if 1 of the desktops have spy & virus, it cannot come to the server, if the servers win firewall only allows port 80 ?
0
 
LVL 1

Accepted Solution

by:dhlevine
dhlevine earned 75 total points
ID: 24824853
If you have a desktop that is infected with a virus or spyware, it is possible for it to propagate across the network - it depends on the type of virus or spyware it is.

There are viruses (worms) that can propagate through windows file sharing, etc. But - if you have the servers' firewall enabled and you are only allowing port 80 to the server then your attack surface is greatly reduced and you should be safe.

Aside from some worms, most malware can only do stuff if you execute it. Point being... don't do stuff on the server... don't surf the web from it, etc.

You should be safe. (as safe as any networked computer can be)
0
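
One way to check the "only port 80" condition from the accepted answer, as an added example that is not part of the original thread: the script parses a constructed firewall rule dump, assumed to follow the `Key: value` layout of `netsh advfirewall firewall show rule name=all` on Windows Server 2008 and later and trimmed to the fields it reads, and lists every enabled inbound allow rule outside that policy. The rule names and the `ALLOWED_INBOUND` policy set are assumptions made for the example.

```python
import re

ALLOWED_INBOUND = {("TCP", "80")}  # assumed policy: only port 80 may reach the server
# Constructed sample (not captured from a real host), trimmed to the fields read below.
SAMPLE = """\
Rule Name:                            Web site (HTTP-In)
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            80
Action:                               Allow

Rule Name:                            File and Printer Sharing (SMB-In)
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            139,445
Action:                               Allow

Rule Name:                            Remote Desktop (TCP-In)
Enabled:                              No
Direction:                            In
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow
"""

def parse_rules(text):
    """Split the dump on blank lines; turn each rule's 'Key: value' lines into a dict."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, v in re.findall(r"^([^:\n]+):(.*)$", block, re.M)}
        if "Rule Name" in fields:
            rules.append(fields)
    return rules

def unexpected_inbound(rules, allowed=ALLOWED_INBOUND):
    """List (rule, protocol, port) for enabled inbound allow rules outside the policy."""
    findings = []
    for r in rules:
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", "Allow"):
            continue  # disabled, outbound and block rules do not open the server
        proto = r.get("Protocol", "Any")
        for port in r.get("LocalPort", "Any").split(","):
            if (proto, port.strip()) not in allowed:
                findings.append((r["Rule Name"], proto, port.strip()))
    return findings

print(unexpected_inbound(parse_rules(SAMPLE)))
```

A rule with no `LocalPort` line is treated as `Any` and reported, since it would open every port for that protocol.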
 

Author Closing Comment

by:loopstudio
ID: 31601513
Thanx both of You :)
0
