Several questions about WinServer 2008

  • Several questions about WinServer 2008

    Hello there

    I am fairly new to the Windows Server series and I am trying to manage a Windows domain in our company. My background on servers depends on Linux-based systems, but in my opinion Windows handles some crucial components in a more complex way than Linux. Therefore, I am stuck on some points.

    My first question is about the Firewall component in Server 2008. I know server firewalls are always confusing to set up, but I cannot even understand how the firewall system works on Server 2008. I set "only accept connections from domain" but I can even access the domain server from home. Is there any kind of visual program or script that can control Windows Firewall easily? If not, I would consider migrating to some other firewall program. Do you know any kind of free or commercial firewall systems that can be used on Windows Server 2008? I don't want to mess up my server, of course; I just want a simpler interface for Windows Firewall (for those who are familiar with Linux, I mean a program like "CSF", a program (or maybe script) that manipulates iptables rules).

    My second question is about roaming profiles. I have 2 domain servers and one of them is serving roaming profiles in a share like "\\server2\Profiles\%username%". As an administrator (using the domain's Administrator account), I cannot access those shares even if I have logged on locally. I need to take ownership of the user profile folders in order to see inside.

    I have read several articles and forum posts about this problem and they say that "Enable -add the administrators security group to roaming user profiles- setting in GPM". I have activated it from "Default Domain Policy", as instructed in the articles mentioned, but it doesn't help.

    Do I have any chance to see inside the user folders without touching the ownership status of these folders?

    Thanks in advance.

  • #2
    Re: Several questions about WinServer 2008

    I'm sure both of your questions could be answered by 5 minutes with Google...

    What protects your servers from the Internet - one would hope that there'd be a hardware firewall or a Linux box of some description between the WAN and LAN, and that your Windows servers aren't on the network edge.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.


    • #3
      Re: Several questions about WinServer 2008

      I just want to protect the domain servers, not the entire network, as it is impossible to protect the entire network due to the physical setup and location of the domain servers. (My company's network design is a bit complicated; previous system administrators haven't planned it well enough to protect every single point on the network.) If I had a properly designed network, I know I wouldn't need to ask about anything; I could just go to a library and take a book about networking and everything would go fine. But that's not the case.

      I also know about ISA servers, MS Forefront etc. but they are just more than I need. I only want "allow this and that IP address, and deny everything". You may think that I have never tried to configure the firewall, but every time I try to change something I mess up the other side of the system.

      Anyway, thank you for your answer.


      • #4
        Re: Several questions about WinServer 2008

        I'm going to pipe in with a security scenario here.

        You state you simply want to protect the domain controllers from the public. Ok, that's fantastic and great. But you go on to say you aren't really concerned so much with protecting the rest of the network from the internet.

        So, here's my scenario. I try to break into your network, and find I can't get onto your domain controller. But that's ok, because I realised one of your developers has left a SQL injection vulnerability on a publicly accessible web server. So I inject a remote shell, and since you didn't deem it necessary to protect this server as much as your DC, I've suddenly got access.

        It's not so far from there for me to get local admin access.
        Suddenly, I'm a local admin on your server, which has access to your domain. It's only another short step for me to install a keylogger, or similar, wait for you to logon with a DA account (or force you to somehow) and then I've got your DA password, and I can jump straight onto your domain controller, even though it's firewalled from outside.

        See my point? I'm not trying to pick on you here, simply outlining the steps one might take, if they were determined. (Obviously, there's no such thing as a fully secure network... but you should be protecting everything as best you can.)

        Regarding the user profiles, that's a perfectly normal configuration. Even as a local administrator, you shouldn't necessarily be able to access profiles and home drives. I worked in a role for a Government organisation that was configured like that. I had permissions to set up permissions, and folders, and take ownership, but I couldn't actually browse the folders, unless I took ownership.
        The data management team had different permissions again, and I would assume Security would have also. It's down to privilege separation, and a degree of privacy to users.

        For instance - as a CEO, or HR director, why would I want you to have carte blanche access to my HR payroll manager's home drive or profile, when he/she may have a draft file saved on the desktop, talking about how the IT team are going to have all their overtime cut due to the GFC.... ?

        To be more specific about your network firewall, and "only from domain" - you need to ensure that the 'network location' is set to Domain only for the network interface in question....

        I have "domain profile: inbound connections that do not match a rule are blocked"
        I then make sure that interface0, eth0, call it what you want, belongs to that network location

        The firewall can be managed using the Windows Firewall with Advanced Security snap-in, under the Administrative Tools menu.

        This thread
        May be helpful in understanding network locations a bit better..

        Also have a look through this one:

        Hope I've helped out a bit.. (and welcome to the dark side :P)
        Please do show your appreciation to those who assist you by leaving Rep Point
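
The "allow these addresses, block the rest" setup discussed in posts #3 and #4 can also be scripted with `netsh advfirewall`, which ships with Server 2008. The following is an added example, not something posted by anyone in the thread; the 192.0.2.x addresses, the rule name, the RDP port choice and the backup path are constructed placeholders.

```bat
@echo off
rem Added example (not from the thread). Run from an elevated command prompt.
rem Addresses, rule name and backup path below are placeholders.

rem 0. Save the current policy first so a bad change can be rolled back with
rem    "netsh advfirewall import".
netsh advfirewall export "C:\fw-backup.wfw"

rem 1. Show which profile (Domain, Private or Public) is active right now.
rem    A rule or default scoped to the Domain profile has no effect while the
rem    connection is classified under another network location.
netsh advfirewall show currentprofile

rem 2. Turn the firewall on and block unmatched inbound traffic on every
rem    profile, so a misclassified network location does not fall back to a
rem    looser default.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem 3. Allow one service (Remote Desktop here) only from two management hosts,
rem    and only while the Domain profile is active.
netsh advfirewall firewall add rule name="Mgmt RDP (example)" dir=in action=allow protocol=TCP localport=3389 remoteip=192.0.2.10,192.0.2.11 profile=domain

rem 4. Review every enabled inbound rule. Existing allow rules whose remote
rem    address is "Any" still admit traffic, so "deny everything else" only
rem    holds once those have been scoped or disabled.
netsh advfirewall firewall show rule name=all dir=in
```

Run step 1 and step 4 before changing anything on a production domain controller; the output shows whether the server is actually using the Domain profile and which existing rules would still allow access.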


        • #5
          Re: Several questions about WinServer 2008

          tehamel, I got the idea.

          From your words I understand that security is about the complete situation. I will consider your advice and do as much as I can about it.

          Thank you