We find people placing Windows servers “naked” on the Internet with
frightening regularity. Without any sort of firewall or packet filtering
protection, these machines make very easy targets for hackers. Even
if you have a firewall, adding host-based packet filtering adds an
additional layer of protection, though in that case you’ll have to
decide for yourself if the only-marginally-better security is worth
the hassle of the added access complexity.

At the bare minimum, you should enable packet filtering on every
Windows box you have directly attached to the Internet. Both Windows 2000 and
Windows XP/2003 have built-in functionality for basic filtering.

The goal is to only allow the public [I use the term "public" here to
refer to anyone not physically at the machine] to connect to the
services explicitly offered to them, and prevent connection to all
other services. Examples of public services are your Web server, Mail
server, and administrative remote access service, such as Terminal
Services / Remote Desktop; things we want to protect include Windows
File and Print sharing, RPC, and database servers. Note that (in
almost all cases) the public does not directly connect to ColdFusion
or database servers; the public connects to the Web server, which in
turn connects to ColdFusion, which then connects to the database.
Therefore, ports used by CF and your DBMS should be blocked from the
Internet.

For Windows 2000, we’ll use TCP/IP Filtering. Note that any changes
to TCP/IP Filtering require a reboot; fortunately, you’ll rarely need
to make changes to TCP/IP Filtering once it’s set up.

Because of difficulties with DNS and packet filtering, you’ll need to
install the Windows DNS Server service, using the “Add/Remove
Programs” control panel, under “Add/Remove Windows Components”.

• Start->Control Panels->Network Connections
• Choose your active NIC (usually “Local Area Connection”)
• Click “Properties”
• In the list of protocols, click on TCP/IP, then click “Properties”
• Set the “Preferred DNS Server” to “127.0.0.1″.
• Click “Advanced…”
• Click on the “Options” tab
• Click on “TCP/IP filtering” and click “Properties”
• Check “Enable TCP/IP Filtering”
• Select “Permit Only” for both TCP and UDP
• Add the following ports under TCP:
  20 (ftp)
  21 (ftp)
  25 (smtp)
  53 (dns server)
  80 (http)
  110 (pop3)
  443 (https)
  3389 (remote desktop – important!)
  8999 (SeeFusion / SeeJava)

• Add the following port under UDP:
  53 (dns client/server)

If you’re running services other than those I listed, and the general
public needs to connect to them directly, be sure to add their “listen
ports” to that list.

The next problem to solve is DNS. The Windows DNS Server (and client)
will, by default, choose a random UDP port from which to send outbound
DNS queries. Since all but one of those ports are now firewalled off,
in order for DNS to work we have to ask the DNS Server to always use
port 53 to send DNS queries. This is done with a simple registry
update; create a DWORD entry named “SendPort” under
“HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Services DNS
Parameters”, and set the value to 35 hex (which is 53 decimal.) Or,
create a .reg file with the following content, and “import” it into
your registry:

For Windows XP/2003, we’ll use the Windows Firewall, which allows
configuration without rebooting, and is a bit easier to set up than
TCP/IP Filtering.

• Start->Control Panels->Windows Firewall
• (A dialog will appear prompting you to start the Windows Firewall/ICS service.)
• Click “Yes”
• Click on the Exceptions tab
• Make sure “Remote Desktop” is checked
  – For added security, only enable Remote Desktop access from networks
  you want to access it from, by clicking “Edit…”, “Change Scope”, and
  selecting “Custom List”, then add a comma-delimited list of IP
  addresses or subnets that are allowed remote access. Be very careful
  with this, as it’s fairly easy to lock yourself out of the machine,
  requiring a trip to the data center to “unlock” access to your
  machine.

• Make sure “File and Printer Sharing” is NOT checked
  – If you /need/ File sharing to nearby machines, then enable it,
  click Edit, double click on each port in the list, and change the
  scope to “My network (subnet) only”.

Next, we add exceptions for the programs, or just ports, that
directly accept connections from the Internet. First, add the
following ports, by clicking “Add Port…”:

25 (smtp)
80 (http)
110 (pop3)
443 (https)
8999 (SeeFusion / SeeJava)

Next, use “Add Program…” for any other servers you’re running, that
the public directly connects to, such as your FTP server. The easiest
way to do this is to go to the properties for the service (in the
Services control panel), and copy the value of “Path to executable” on
the service properties panel, then go back to the Windows Firewall
exceptions list, click “Add Program…”, “Browse”, and paste. Repeat
as necessary.

If the server you’re configuring happens to be a database server
that’s only accessed by nearby application servers, be sure to change
the scope for your database server program to “Custom List”, then add
the IP address(es) of the application server(s). [You can also use
this technique to allow you to connect to the database server from the
office, or from home.]

Once this is done, click back to the “General” tab, turn the firewall
On, and click OK. (Do NOT check “Don’t allow exceptions”.)

You’ll need to restart any service you added using “Add Program…”,
so Windows Firewall can detect and authorize their ports.

Now, people on the Internet can only connect to the ports you’ve
explicitly authorized, the first important step in a secure system.

Be sure to test all of your public services, to ensure you didn’t miss anything!