This article is derived from Chapter 14 of Roberta Bragg's book, MCSE Training Guide (70-220): Designing Security...
for a Windows 2000 Network .
Knowledge of internal network address schemes might enable an attacker to obtain additional information that could be used in a targeted attack (the address of a database server, for example). You can hide internal addresses in two ways: Network Address Translation (NAT) and the use of a proxy server. NAT maps internal addresses and ports to external addresses and ports. Many routers and firewalls can be configured to perform this function. Windows 2000 provides NAT capabilities as a part of the Routing and Remote Access service.
Microsoft Proxy Server substitutes its address for the source address of every packet that it passes to the external network. A common way to configure Proxy Server is to use two network cards: one on the internal network so that it can be contacted by internal computers, and one on the external network. Routing between the network cards does not occur. For a packet to be forwarded to a computer on the Internet, the server must process it. Because the Proxy Server keeps a cache of recently visited Web sites, the packet may not even be delivered to the external network. If it is, the internal address never accompanies it. Proxy Server 2.0 can also be used to filter exiting and returning packets by protocol and by port. Those that you have filtered out do not pass.
If you use NAT or a proxy server to hide internal addressing, you may benefit by configuring your internal DNS server to hold only internal addresses. Complete the job by removing the default root, which contains addresses for root Internet servers. Without this information, systems that attempt to "go around" the proxy server will be limited in their capability to access Internet resources. Because the proxy server sits with one interface on the external network, it can access an external DNS for name resolution. The proxy server is configured with an external DNS server as its primary DNS server.
To protect servers, first determine their level of exposure. In a simple network scheme, all internal servers sit behind a firewall. If the firewall is breached, all servers are at equal risk. In a larger, more complex network, some servers may be more exposed than others. If this is so, they may need additional security arrangements.
For all servers, you should take appropriate precautions, including the following:
--Limit and protect administrator accounts.
--Assign user accounts with care, with user rights and resource access restricted as appropriate.
--Protect data via DACLS.
--Fix and/or block known security holes by using the requisite service packs and hot fixes.
--Audit sensitive files, registry keys, and objects; and review Security logs for suspicious activity.
If servers are used for a particular purpose (such as database, messaging, connectivity, authentication, and so on), you should establish and maintain appropriate security measures.
You can set up client computer configuration similarly to servers with regard to access, user rights, and resource protection. In addition, because most client systems will use Web browsers to access the Internet, strict limitations on their configuration can further protect the client system and your internal network. The amount of predetermined configuration you do depends on your organization's policy, but you can effectively maintain this level of protection by using Group Policy.
Other client applications used to access the Internet may need security configuration as well. You may be able to use Group Policy for these, too. You must also decide which applications may be used.