Full Version: Firewall Software ?
Nu2Linux
Anyone know of any good firewall software for windows servers that is ....

a.) affordable, not ISA....

b.) built for enterprise class (no ZoneAlarm, black ice, etc..)

c.) configurable to the port level?

Thanks!
LighthousePoint
I've used Kerio Personal Firewall on some test servers before, and have been VERY impressed...

Check out their full-featured server product here:

http://www.kerio.com/kwf_home.html
inquisitive
< edited by iquisitive > Ouch...just missed to read the first post properly
steve248
Does anyone have a list of TCP and UDP ports to allow in TCP/IP Filtering? I think this is the way to go. The most important is not locking out remote desktop, what is the port for this?

Thanks
Nu2Linux
List of services in the services file located at

C:\WINDOWS\system32\drivers\etc\services

And this link should explain to you how to setup remote desktop connection...

http://www.microsoft.com/windowsxp/expertz...rup/03may16.asp
systechinfo
RDP port is 3389
Other ports you might want to keep open:

FTP 21
SMTP 25
DNS 53
HTTP 80
POP3 110
HTTPS 443
ENSIM PORT ?


There might be other ones
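The posts above point to the `services` file and list the ports to keep open. As an added example (not part of the thread), this Python sketch parses services-file entries, resolves the named services to an allow-list, and refuses any list that would drop Remote Desktop on TCP 3389. The sample file content, the function names and the `must_keep` parameter are assumptions made for illustration.

```python
import re

# Constructed sample in services-file format: name  port/proto  [aliases]  [#comment]
SAMPLE_SERVICES = """\
ftp                21/tcp
smtp               25/tcp    mail
domain             53/tcp                   #Domain Name Server
domain             53/udp
http               80/tcp    www www-http   #World Wide Web
pop3              110/tcp
https             443/tcp
ms-wbt-server    3389/tcp                   #Remote Desktop (IANA service name)
broken entry with no port
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,5})/(tcp|udp)\b(.*)$", re.IGNORECASE)

def parse_services(text):
    """Map (service name or alias, protocol) -> port, skipping malformed lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        match = LINE_RE.match(line)
        if not match or not 0 < int(match.group(2)) <= 65535:
            continue
        name, port, proto, aliases = match.groups()
        for label in [name] + aliases.split():
            table.setdefault((label.lower(), proto.lower()), int(port))
    return table

def build_allow_list(table, wanted, must_keep=(("tcp", 3389),)):
    """Resolve (name, proto) pairs to ports; refuse a list that drops must_keep."""
    allow, unknown = set(), []
    for name, proto in wanted:
        port = table.get((name.lower(), proto.lower()))
        if port is None:
            unknown.append((name, proto))        # never guess a port number
        else:
            allow.add((proto.lower(), port))
    missing = [entry for entry in must_keep if entry not in allow]
    if missing:
        raise ValueError(f"allow-list would lock out remote access: {missing}")
    return sorted(allow), unknown

# The services named in the thread; "ensim" has no port given there, so it stays unknown.
WANTED = [("ftp", "tcp"), ("smtp", "tcp"), ("domain", "tcp"), ("domain", "udp"),
          ("http", "tcp"), ("pop3", "tcp"), ("https", "tcp"),
          ("ms-wbt-server", "tcp"), ("ensim", "tcp")]

if __name__ == "__main__":
    allowed, unresolved = build_allow_list(parse_services(SAMPLE_SERVICES), WANTED)
    print("allow:", allowed, "unresolved:", unresolved)
```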
ArtieMcD
When Rackshack ships Windows 2003 std edition, you could use the firewall built into the OS.... I wish MS would have left that functionality in the Web edition, but it's not supported there. Probably because it is tied to ICS, which is also not supported in the web edition.
LighthousePoint
The built-in firewall does provide low-level protection... However, I find other solutions, such as Kerio, to provide more comprehensive protection -- as they can open specific ports, only for specific programs, and they examine MD5 signatures for every program that wants network access.
ArtieMcD
The Windows Firewall supports the opening of specific ports.

Although there are those firewalls that monitor local applications and allow for the restriction of connections from processes running on the box, I feel that type of firewall is unnecessary for a server class machine if the box is properly admined. There shouldn't be a fear of a trojan or hostile app being applied and run on a Windows server that is admined properly.

The most important firewall for a server is one that blocks unsolicited inbound traffic, port scans, and other random hostile activity from the web on ports that are not needed. The Windows 2003 firewall performs that job perfectly.
LighthousePoint
Due to the way NTFS operates, a hosting client could upload a malicious binary, set permissions to execute, and then run code on the box.
ArtieMcD
QUOTE
Originally posted by LighthousePoint
Due to the way NTFS operates, a hosting client could upload a malicious binary, set permissions to execute, and then run code on the box.


Within the context of his user account.
LighthousePoint
True...

And although a properly administered box will minimize any possible negative impact that could result, no one can fully discredit the possibility of exploit. For this reason, I feel that a stateful-packet-inspection firewall is preferable over a simple port-blocking one.

Certainly, port-blocking is better than nothing, but stateful-packet-inspection does one better.
Urban
What anti-virus software does everyone recommend for Windows 2003?
brainus_tech
You have three options:

a) Symantec (Norton) Antivirus Corporate Edition - more than alive
b) McAfee NetShield - deceased
c) Kaspersky AV for servers - alive

They are the only true Enterprise-class (server-based) antivirus solutions. Using home solutions like AVG or Panda/Sophos is not recommendable.

Unfortunately this kind of AV license is only sold in packs of minimum 5 or 10 licenses.
Djelibeybi
For Antivirus, I'd seriously recommend looking at Trend Micro's InterScan VirusWall or WebManager. Trend's updates are incredibly fast and the software auto-polls for emergency outbreak information as well.
LighthousePoint
I have run AVG with much success. They DO provide server-licensing, and a server-class product.
brainus_tech
So, where you read AVG, change it to AVG-Free.
LighthousePoint
AVG-Free is NOT licensed for use on a server (commercial).... The commercial license costs money.
neoform
*wonders what happens when you run a non-commercial firewall on a server*
LighthousePoint
Running a non-commercial firewall could get you in legal trouble if the company found out about it.

Also, as a side-note, I discovered that Kerio does NOT work on Windows Server 2003... The system will not come back up after a reboot.
neoform
youch.

so, is there a *free* win2k3 firewall app out there?

i'm poor. (heh)
LighthousePoint
Tiny Firewall isn't free (for servers) but it's very affordable:

http://www.tinysoftware.com/home/tiny2?la=...a=&pg=tpf5-news
neoform
*ponders*

bah, my server doesn't need a firewall anyway.. pssssh.
LighthousePoint
ROFLMAO
Nu2Linux
QUOTE
Originally posted by neoform
*ponders*

bah, my server doesn't need a firewall anyway.. pssssh.


So what was your IP again......haha.......

Use TCP/IP filtering if you're not using a firewall.
LighthousePoint
QUOTE
Originally posted by Nu2Linux
So what was your IP again......haha.......

Use TCP/IP filtering if you're not using a firewall.


Microsoft has removed that from Windows 2003 Web Server. It is in standard and higher only.
Nu2Linux
Wow, that was dumb of them.....
neoform
and something that'll lighten my wallet some more..

considering my server is for personal use only i'm not making any cash off it..

bah well. such is the price i suppose..
Zeno
Kerio Winroute Pro latest version works just fine on 2k3. During set up you MUST SKIP the option that offers to configure internet access. If not you've just locked yourself out of your box. I'll create a step by step later with screenshots. (Gotta go to work)
LighthousePoint
QUOTE
Originally posted by Zeno
Kerio Winroute Pro latest version works just fine on 2k3. During set up you MUST SKIP the option that offers to configure internet access. If not you've just locked yourself out of your box. I'll create a step by step later with screenshots. (Gotta go to work)


I was referring to Kerio Personal Firewall, which is free, and does not work on Windows Server 2003.
aussie
I'm using F-Secure Distributed Firewall on all my Win2k Servers. I believe that F-Secure is about the best you can get. Their firewall is top rate and their anti-virus software is A1. http://f-secure.com. As for open ports, apart from Remote Desktop (is that port 3389?) I have opened only the necessary ports.
LighthousePoint
YAY, I found a FREE firewall that is certified to work on Windows 2003 Server:

Tiny Personal Firewall 4.5:

http://www.tinysoftware.com/home/tiny2?s=2...=news&id=355771
Nu2Linux
It's still in Beta right???

I found this...
Pricing
Tiny Personal Firewall 5.0 will be priced at $39 (Home User versions) and $99 (Professional version). Tiny Server Firewall 5.0 will be priced at $199 per server for servers with up to 5 simultaneous terminal services sessions and at $999 for terminal servers with unlimited number of simultaneous sessions.

Tiny Software announces important changes in product offering.


August 3, 2003, Santa Clara, CA - Tiny Software announces that Tiny Personal Firewall 5.0 will be sold in two flavors:

Desktop Edition targets all Windows 2000 Pro and XP computers and starts at $49 per license.
Server Edition targets all Windows 2000 Server and Windows 2003 Server OS families and starts at $199 per license.
Both editions will have identical functionalities for the time being with the price being the only difference. This step precedes the launch of Tiny Server Firewall 5.0 with more comfortable user management and some other server specific functionalities.
LighthousePoint
Hmm, looks like Tiny stopped support for version 4.5. Well, anyway, 4.5 was free... Here's a link to a mirror I found from Google:

http://download.freenet.de/download.php?file_id=4393

The download will start automatically.
Nu2Linux
Have you tried it yet? How is it?
LighthousePoint
The interface isn't as intuitive as Kerio Personal Firewall... However, it is a VERY secure product. If you can not afford F-Secure, this is an excellent choice.
raventec2
I didn't see any mention of Sygate. The personal version works great on workstations, I've not tried it on server products. Anyone have any experience with their products on Windows servers?
LighthousePoint
Sygate is decent... I think Kerio is still the best. I have not seen it in action on a Windows 2003 Server; does it work on this platform? Kerio, unfortunately, does not. Tiny just updated their version 4.5 FREE edition to support 2003.
raventec2
Have no idea LighthousePoint. It only lists Windows 2000 servers on their site. I don't have Windows 2003 Server so I can't test it. That sucks that Kerio doesn't yet. I switched from Kerio to Sygate a while back.
I figured I'd scope out some knowledge from some of you guys before I dove into hosting on a Windows box in a production environment. Ain't doing it without a firewall that's for sure.
LighthousePoint
Well, I just finished an install of Windows 2003 Enterprise Edition on a spare box I have... I'll give Sygate a try, and let ya'all know whether it works. (keeps fingers crossed -- I've messed up too many boxes within 15 minutes of completing a Windows install, he he he)
brainus_tech
15 is too much. I've done it already in the first boot
LighthousePoint
Okay, just to update everybody, I messed around with Tiny Personal Firewall 4.5, and I must say that I love it. Now, coming from Kerio, there's a bit of a learning curve, however, once you get the hang of it, TPF is AMAZINGLY secure... And provides awesome anti-attack protection. In addition to an excellent Object-Oriented rule-driven stateful packet inspection firewall, TPF also provides anti-hacking mechanisms through their integrated IDS.

What's even better is that TPF comes out-of-box secure. Personally, I removed a few ALLOW rules, but I must say -- very well written.

If you're looking for a FREE firewall to run on your Windows 2003 Server, then this is one that'll compete with the best of them.
Nu2Linux
Ok, so here's the tough question......

Does it support different rules for different nic cards.....


Nic0 can be full lockdown except ports..1,2,3,etc...

Nic1 can be open except ports 6,7,8,etc....

You sound bored, so I thought I'd keep you busy while you're waiting for all those servers to backup...haha.
LighthousePoint
Yes, actually, you can limit access via Physical interface, or better yet, IMHO, via IP address
rego
Hi,

I'm new to Windows Server- I installed (default install) TPF4.5 as suggested in this board, and restarted- within a few minutes, even before I could see what needs to be configured, it locked me out of the server, and I had to get RS support to disable the firewall completely to get me logged in..

Now, can someone give the basic config needed to get it running first without locking out Remote Desktop, please..?
LinuxWannaBe
QUOTE
Originally posted by Nu2Linux
Anyone know of any good firewall software for windows servers that is ....

a.) affordable, not ISA....

b.) built for enterprise class (no ZoneAlarm, black ice, etc..)

c.) configurable to the port level?

Thanks!


Visnetic Firewall for Servers works on Windows 2003. Even better Deerfield is offering special prices to owners of other firewalls. ($79.95) www.deerfield.com
Vinnie Pasetta
I looked at Tiny Personal Firewall and you can buy a version for a server for $49 right now and it is version 5. Click on the Buy link in the upper right corner...

http://www.tinysoftware.com/

QUOTE
 
Tiny Personal Firewall 5.0 Pro - Desktop Edition $79 $49*
System Requirements: Windows 2000 Pro SP3+ / XP / 2003 Server (All)  

Tiny Personal Firewall 5.0 Pro - Server Edition $199
System Requirements: Windows 2000 Server SP3+(All versions) / Windows 2003 Server (All versions)(All)  

* TPF5 Professional SPECIAL INTRODUCTORY OFFER!
Nu2Linux
Does anyone know if I can use the desktop edition on a terminal server if all users share the same rules? Can multiple users still login at the same time?

Thanks.
Vinnie Pasetta
QUOTE
Originally posted by Nu2Linux
Does anyone know if I can use the desktop edition on a terminal server if all users share the same rules?  Can multiple users still login at the same time?

Thanks.


It seems the only difference is the ability to create rules for each user and have them all active at once. Otherwise, I cannot see how you cannot use the single user version if everyone uses the same rules.

I am going to download and install it at home and configure it as a test. I don't want to lock myself out of the box remotely - hehe.
LighthousePoint
QUOTE
Originally posted by Nu2Linux
Does anyone know if I can use the desktop edition on a terminal server if all users share the same rules?  Can multiple users still login at the same time?

Thanks.


Using a personal/desktop/workstation firewall on a server violates Tiny's license agreement. Please purchase the server-product.