Advice wanted on securing a Windows 2000 Server NAT computer

At work I our internet is shared throughout the office via a BT router connected to a Windows 2000 Server NAT configured computer which in turn connects to our switch.

I've got a problem being discussed on this thread about it having a problem with a virus/spyware/malware.


What concerns me most is that even though the system has full anti virus protection and all windows updates installed it can still get malcious code on it and more to the point keep getting it back.

We've never had this problem before - the system was formatted as annual maintenance a few months ago.

thanks in advance

 

Personally, I'd NAT at the router rather than at the server. Use a private network space between the server and the router. So if your network is using 10.0.0.0 IP addresses, use 192.168.0.0 addresses between the server and the router. If you are using 192.168.0.0 internally, use 10.0.0.0 address between the server and router.

I'd also alway recommend that business networks use a hardware firewall to secure their internet connection. Something from SonicWall, Watchguard or a Cisco PIX are all relatively cheap and straightforward to set up.

What services are you providing TO the internet. Are you allowing remote users to connect in to the server to access web pages, e-mail or other services?

The other thing is that Windows update tends only to patch the operating system. If you are running other services they need to be updated separately.

Lastly, if it is e-mail relaying that's using up your bandwidth, that can be a setting problem rather than virus.

 

IMO, the most important step in securing your network server is in securing the workstations that connect to it, and carefully selecting the permissions and shares given to those workstations and users.

Use a router eqipped with SPI, and make sure it is active.
Use a software firewall on all workstations.
Keep all workstations up-to-date, not only with Windows Updates, but also with Office updates, Java machine, etc.
Use group policies to restrict user actions.....lockdown the workstations.... Allow only what's needed for work.
Tweak IE settings on workstations ...... max temp file storage, cookie handling, etc.
When configured as RRAS with NAT, use the strongest encryption that will work effectively for your clients.

At my workplace, I limit the internet activity through the server by assigning all workstations with the router address as the default gateway (wired as modem>router>switch>all computers). Server acts as a DNS and DHCP server for LAN clients, as well as RRAS for remote clients.

 

IMO - only one major objection noahdfear: you must secure the server. The server is a trusted resource. If it gets compromised you have big problems. Otherwise a valid solution.

My preference would be :

• a dedicated hardware firewall and relax on the firewalls on each PC
• install a centrally managed AV solution and make sure all PC are kept up to date rather than concentrating on Windows update.
• I prefer handling VPN at the firewall rather than on the server.

 

@ ReggieB,

I didn't mean to imply in any way that securing the server is not important, or doesn't need to be done. On the contrary, several of the recommendations I gave concerned securing the server as well as the workstations.

 

That makes sense.

All agreed then