loopstudio

Is it unsecure to have other computers on the same IP as a server?

Hi,

Imagine the following setup:
---------------------------------
- A Windows server with a lot of security
- 1 or more win computers at the same static IP address as the server.
- All behind the same router/firewall.

Is or could that be a security breach?
E.g. if a hacker gets access via an unsecure pc on the same static IP and then from that place could get access to the server?

IF unsecure..:
1) How can it be unsecure/attacked?
2) What is the solution?
brettkm

hihi,

Sounds like you are referring to local IP addresses?  It is not possible to have 2 machines with the same IP in the same network.

If the server and workstations are behind the same router/firewall (is it a decent one?), always kept up to date in terms of Windows patches, and locked down so some spud can't install any malicious software, you shouldn't have much to worry about.

I agree with Brettkm...

If you have servers and workstations, laptops, etc. on the same local subnet behind a router/firewall - it's not a big deal. However - make sure this "router/firewall" is maintained, and that it is set to a default deny posture for both incoming and outgoing traffic - open only what you need.

You should also make sure the Windows OSes are kept up to date with Service Packs and patches. Also should have antivirus software on them. Can never be too safe. Something I like to do is make sure that the local firewall is always turned on on each host as well... Windows Server 2003, 2008 each have a built in firewall that can be enabled. As does XP, Vista and 7. Turn it on.... open ports on the servers only for required application / data serving...

Oh - and rule # 1... make sure nobody except required personnel have physical access to the server. Logical and network security mean very little if someone can walk up to a system, power it off, throw it in the back of their car and drive home with it (and then pull the drives, drop them into a USB enclosure and mount it on their home computer... you know... boom! steak dinner!)....

Have fun...
D
loopstudio

ASKER

Thanx both of You.

1) Could You recommend a good AntiVirus for Win 2003?
2) A thought:  What if there already is malicious / spy / virus on one of the other machines? Can they then spy or in other way make harm to / on the server?

There are some good AV solutions for Win 2003 Server... You can always use Clam AV, or BitDefender... We use TrendMicro OfficeScan Corporate Edition here... but there are myriad good solutions... Symantec, McAfee, Nod32, Sophos, etc.

If one computer on a network is infected by a virus it certainly is possible that the virus will make its way to the server somehow... so it is always a good idea to run AV on all computers, keep firewalls enabled on all endpoints and only allow traffic that is explicitly required.

The solution I usually provide to my friends and family consists of Avast! antivirus (free for home use) and Blue Coat's K9 web filter (free for home use). The combination usually keeps systems clean for the most part, of course nothing is perfect. For business use, again, we use Trend Micro.

Hi Dhlevine,

Thanx for info..

1) Yes, I also use Avast for private use. Of course, when it comes to a server, there are 2 important things also: a) it should be able to operate without slowing the server down too much and b) normally AV is very expensive when it's made for a server. So a good one in the cheap end would be nice.

2) This is exactly what I was afraid of.. and the reason of my original question.
A server normally has very little access from different people and purposes, while laptops & desktops are normally open for a lot of things; there is a lot of browsing and emailing done.
And my experience is that EVEN if You have antivirus and vice versa on a normal computer, there ALWAYS happens to come some mal/spy/virus sometimes.

So with that in mind..
Couldn't / Wouldn't You say then that it's definitely NOT recommended to have both server and desktops / laptops behind the same IP / hardware firewall / router?
They need to have different IP's in order to be secure.. or?
SOLUTION
brettkm

This solution is only available to members.

I agree with brettkm again.

Just follow best practice for security on the workstations and servers.

Make sure unauthorized people do not have access to the server console - physically or through remote desktop, vnc, etc.

Make sure users are not set up as administrators on their workstations. Least privilege is key. Make sure antivirus / antimalware software is on all servers and workstations. Make sure local firewalls are running on servers and workstations. Only allow traffic to the servers on required ports.

If you have a file server, make sure that share and NTFS permissions are appropriate and not excessive.

If you have a local mail server (Exchange or whatever) make sure you have an AV / Antispam solution for that, and make sure you don't allow open relaying.

Make sure all systems are automatically updating themselves with security patches. For a small network, that can be done individually. Or you can use WSUS if you want to have more control. It's free and pretty good for small environments.

There is no problem with servers and workstations being on the same network segment / subnet / vlan. Just follow these basic principles and you should be ok.
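
Added example (not part of the original thread and not any participant's code): a small Python model of the point made in the answers above, that workstation-to-server traffic on the same subnet never passes the router, so the server's own firewall is the only control that filters it. The addresses, the port sets and the `decide`/`audit` helpers are constructed assumptions.

```python
import ipaddress

# Constructed sample network; addresses and port sets are assumptions.
LAN = ipaddress.ip_network("192.168.1.0/24")
PERIMETER_FORWARDED_TCP = {80}   # ports the router forwards to the server
SERVER_HOST_FW_TCP = {80}        # ports the server's own firewall allows

def decide(src, port, host_firewall_on=True):
    """Verdict for a TCP connection from src to the server.

    Returns (verdict, control): control is the device that made the
    final decision, or "none" if nothing filtered the connection.
    """
    from_lan = ipaddress.ip_address(src) in LAN
    # Only traffic entering from outside the subnet passes the router;
    # workstation-to-server traffic is switched locally and never sees it.
    if not from_lan and port not in PERIMETER_FORWARDED_TCP:
        return ("deny", "perimeter")
    if host_firewall_on:
        if port in SERVER_HOST_FW_TCP:
            return ("allow", "host-firewall")
        return ("deny", "host-firewall")
    return ("allow", "none" if from_lan else "perimeter")

def audit(flows, host_firewall_on=True):
    """Return the flows that reach the server with no control filtering them."""
    return [f for f in flows
            if decide(*f, host_firewall_on=host_firewall_on) == ("allow", "none")]

# Constructed flows: (source address, destination TCP port on the server)
SAMPLE_FLOWS = [
    ("203.0.113.7", 80),     # internet client, web
    ("203.0.113.7", 3389),   # internet client, remote desktop
    ("192.168.1.23", 80),    # workstation, web
    ("192.168.1.23", 445),   # workstation, file sharing
    ("192.168.1.23", 3389),  # workstation, remote desktop
]

if __name__ == "__main__":
    for fw_on in (True, False):
        print("host firewall on:", fw_on)
        for src, port in SAMPLE_FLOWS:
            print(f"  {src:>14} -> server:{port:<5}", decide(src, port, fw_on))
        print("  unfiltered:", audit(SAMPLE_FLOWS, fw_on))
```

With the host firewall enabled the workstation is held to port 80, so whatever listens on that port is the remaining exposure and still has to be kept patched.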

All right, thanx again.. both of You

Do I hear You say that: Even if 1 of the desktops has spy & virus, it cannot come to the server, if the server's win firewall only allows port 80?

ASKER CERTIFIED SOLUTION
This solution is only available to members.

Thanx both of You :)