Locking down OS X Server firewall?

Similar Messages

• How to lock down your Linux server

  When you're setting up a Linux server, security is key. Just as you lock your car when you leave it, securing your server is commonsense practice. In a guide onhow to begin securing a Linux server, Linux.com writer Swapnil Bhartiya says,"Servers need to be maintained all the time," and when it comes to securing your server, starting off the right way is crucial.1. Avoid excess services and packagesWhen you're setting up your server, you have the option to pick whatever packages you'll need, but every package you install creates more surface area for an attacker to push against. Some folks might say, "your server, you software," Bhartiya writes, but "don't take things for granted. [...] Install only those packages that you really need. If there are unwanted packages, purge." 2. Only use what you needLikewise, running services you don't...
  This topic first appeared in the Spiceworks Community

  See also:
  *http://mike.kaply.com/2012/03/16/customizing-firefox-autoconfig-files/
  *http://mike.kaply.com/2012/03/22/customizing-firefox-advanced-autoconfig-files/
  *http://mike.kaply.com/2013/04/24/major-changes-coming-in-firefox-21/
  *http://mike.kaply.com/2013/05/13/more-major-changes-coming-in-firefox-21/

• Locked down RDS Server

  Good morning,
   I followed this tutorial to lock down my RDS Server but I have one issue.
  http://www.it.ltsoy.com/windows/lock-down-remote-desktop-services-server-2012/
   When users are in an app they try to attach a file and explorer defaults to the c my documents. Is there a way to change it so it defaults to there network drive?
   Also, how can I have there local drives redirect to the RDS server?
  Thanks,
  Derek

  Hi Derek,
  Please disable the below policy setting and verify.
  Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
  Do not allow drive redirection
  More information.
  Make Local Devices and Resources Available in a Remote Session
  https://technet.microsoft.com/en-in/library/cc770631.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Locking Down & Creating Exceptions

  We have seven school district buildings which includes an administration
  building. Each school has it's own server set on NW6.5SP5 and BM3.8SP4 as
  well as Zen 7. The admin bld has two servers, one for the building and one
  is our web/e-mail server using GW 7.0.2HP and Apache2. It also has GWava
  running with Kaspersky A/V (e-mail) and both servers are our DNS servers.
  If I set the default filters (to lock down the system) with BM, all
  connectivity is lost, which it should be. However, I've not been able to
  figure out the correct filters to set to allow traffic into and out of the
  web server and e-mail, i.e., if I lock down the building server no one can
  get to their e-mail or access the web server but can access the Internet via
  the BM proxy.
  I have Craig's books but guess I need a little more detail and pictures. Is
  there a book out there for those of us with A.D.D. that will walk me through
  creating a filter one-step-at-time including saying what each step is
  for/doing or what will be accomplished?
  I need to lock down each of the servers, but can't because, although users
  can get out to the Internet via the BM Proxy, they still don't have access
  to GroupWise from the client and / or Novell's iFolder, and Instant
  Messaging, of course. If I go to iManager 2.6 and attempt to creating
  exceptions for GW, iFolder and IM, the filter exceptions are created but
  don't make a difference.
  Sorry to drag on so long, but we've had an incident happen in the last month
  and we need to make the network more secure but still allow users to such
  things as the Internet, GW, iFolder, etc.
  Any suggestions and/or ideas would be appreciated,
  Tim

  >> In article <[email protected]>, Tim Ferguson wrote:
  >> When I say "Yes" to create a secure system when running BRDCFG, all outside
  >> access is blocked or isn't it supposed to be?.
  >> When you do that, it blocks all traffic to and from the public interface, and
  >> then adds some default exceptions intended to allow the VPN and certain
  >> proxies to work. (It will not overwrite any exceptions you might already
  >> having in place that would allow too much traffic through).
  >> The only way to the Internet
  >> is through the proxy, and VPN traffic is ok. Traffic on the VPN and the
  >> private IP network is fine, or should be, correct?
  >> Should be, correct.
  >> For Example:
  >> I have a user at 192.168.30.150 that needs to access his GW e-mail using the
  >> GW client to the server at 209.xxx.xxx.163, port 1677, but can't once the
  >> "secure system" is set. Realistically, we should set his client to check
  >> the private IP of the e-mail server at 192.168.20.1, port 1677, correct?
  >> Well...
  >> I'm not clear if you are trying to have the client access the GW process from
  >> inside or outside the LAN. Normally if you have a client on the inside of the
  >> LAN, that client should always be pointed to the internal IP address of a
  >> process, not the public IP address.
  I was talking about each teacher's workstation GW client, all of which are inside the VPN-created LAN
  >> If the GW process (POA, here) is running on the BMgr server itself, it is most
  >> likely listening on all IP addresses, and you need to make sure the internal
  >> address (unfiltered) is being used when inside the LAN.
  We have seven buildings, six schools and the administration building. Each building has it's own BorderManager server. Each building has it's own T-1 circuit. The buildings are connected by a BorderManager VPN (IKE). The web/mail server at the administration building is the VPN master.
  Currently each workstation's GW client (in each building) is set to the GW server's (MTA, POA, GWIA, WEBACC) public IP. Setting the filters to create a secure system would kill this capability, correct?
  >> If the process is being static NAT'd to that public address, you should not be
  >> able to access it from the inside (using the public address) with filters up
  >> or not.
  We are using "dynamic" NAT in each building. I only use "static" NAT when I create a secondary IP to my office computer so I can access it from home. NAT is then set to "dynamic and static" and not "static" only.
  >> If the process is being proxied to the public address, you could access it on
  >> the public address, as long as filter exceptions were added to allow the
  >> traffic from private to public, but it would be better to just point to the
  >> internal address.
  The process is not being proxied to the public address, was never able to get that configured and working.
  >> Often this means you just set up an internal DNS server.
  Explain further, please. Each of the two servers at the administration building is a public DNS server. To create an internal DNS server, it would be set just to the private IP's of most of the same objects on the public DNS servers?
  >> Should I then: (1) Create an exception on his building's server (the
  >> gateway) using the public interface to let his client out on port 1677? And
  >> (2) Create an exception on the mail server using the public interface to
  >> allow port 1677 in, and use a stateful filter exception on both so traffic
  >> goes both ways? or (3) ???
  >> If the client is on the inside of the LAN, you definitely should be pointing
  >> the client to an internal IP address.
  >> If the client is on the outside of the LAN (laptop taken home, for instance,
  >> or a home PC using GW client), then you have options:
  >> 1. GW running on a BMgr server
  YES
  >> 2. GW running internally, proxied to a public address
  NO
  >> 3. GW running internally, static NAT'd to a public address.
  NO
  From home or otherwise outside the private LAN, we use the GW server's public IP from the GW client.
  >> With 1 and 2, the filter exceptions are the same. With 3, they are different.
  >> I have examples for each in the filtering book.
  >> With 2, you not only have to have filter exceptions (public to public), you
  >> also have to have proxy configured and running AND access rules.
  >> With 3, you just need to have static NAT configured, filter exceptions, and a
  >> default route on the GW server. This option is the most common one I see.

• Trying to lock down DNS server settings to force use of OpenDNS

  I'm trying to lock down my time capsule on my home network to only allow outgoing DNS traffic to go through OpenDNS. I  have an 18 year old son, with his own computer, who bypasses my OpenDNS by entering the DNS settings for Google on his Windows 7 machine. I have no control over his machine, only my router.
  A discussion on the OpenDNS forums mentions blocking port 53 and forcing all DNS traffic through the OpenDNS server settings I've entered into my router, but I can't see any way to do this on the time capsule. Am I missing something?

  There is nothing you can do.. TC do not have access to firewall.. at least for ipv4.
  You need a much better router.. bridge the TC and grab a Netgear WNDR3800 and run Gargoyle firmware. The power will be put back in your hands.. then he will buy his own 3G connection.. maybe at 18 it is rather too late.

• Best Practise to lock down server 2012 for Junior Admins

  We require locking down the desktop for junior admins. Essentially we would like for them to only access specific tools and applications.
  Below are examples of specific tools they would require access to however, if we want to block out everything else then what is the best way to go about that? I would image a combination of group rights? how best to handle this?
  Examples
  All Programs->Accessories->System Tools->System Information. then export report.
  "ipconfig /all
  go to Run and then type "systeminfo" and capture all data.

  You can use security group and delegation of administration model.
  http://technet.microsoft.com/en-us/library/cc755982(v=WS.10).aspx
  Santhosh Sivarajan | Houston, TX | www.sivarajan.com
  ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
  Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
  Blogs: Blogs
  Twitter: Twitter
  LinkedIn: LinkedIn
  Facebook: Facebook
  Microsoft Virtual Academy:
  Microsoft Virtual Academy
  This posting is provided AS IS with no warranties, and confers no rights.

• Are Macs able to lock down the firewall?

  Are Nacs able to lock down the firewall?

  I have mine locked. Do you have a problem locking yours?

• How do I lock down an iPad from having certain apps removed?

  Hello,
  We are a Microsoft-based enterprise that has purchased iPad 2 devices as a means of reducing costs of wireless services as well as integration with the 3G adapter (to reduce damage and theft). While I have had great success with the iPhone Configuration Utility and an MDM server, I need to ensure that users cannot remove the Find My iPad App which we use to track employees and ensure they do not lose or steal the device (since they can't remove the battery).
  What can I do to lock down this app from being removed and also, I want to give these employees access to load whatever they wish on these iPad units. We control their access through a VPN to a Microsoft Terminal Server and with Microsoft Exchange but I don't want iTunes and the CEO's credit card being used to purchase apps. Any ideas anyone? I know that this can be done and if not, it will be done by me.
  Brian Tate
  Information Technology Manager
  Grand Texas Homes Inc
  http://www.grandhomes.com

  I'm not sure about the apps, but to prevent theft, you'll also need to disable the power button and the ability to restore the ipad. You might also want to superglue in your Sim card because if they remove that, it wont be tracked unless they connect to WiFi.
  Also, I'm not so sure it is an app on the iPad. I think it is built into the mail, calendar and contacts options if you have a Mobile me account.  http://www.apple.com/ipad/find-my-ipad-setup/

• Directory preferences in a locked down PC environment

  How do I change:
  ide.pref.dir
  ide.pref.dir.base
  ide.user.dir
  ide.work.dir
  ide.work.dir.base
  user.home
  so that they don't reference a windows path like \\<server>\<user>$, but <drive letter>:\Oracle\sqldeveloper instead
  We use locked down PC's (with no access to the A: and C: drives) . And when we start SQLD we get 16 dialogue windows say that it cannot access the A: drive, to which we press the continue button. You also get the message when using the File navigator and the File->Open or File-Save functions.
  On upgrade from 1.5.1 to 1.5.4 the number of dialogue windows dropped from 16 to 2.
  We also always lose our connextions and have to reimport from a saved file every morning.
  A response to thread Connections fail to load at startup by user user641239 at 1-sep-2008 0:59 seems to have the solution - except it requires access to regedit. We don't have that. It's much too painful to get SQLD part of the PC build at the customer, so we need to be able to configure without resorting to regedit.
  Any help appreciated.
  Nic
  Edited by: Nic Atkin on 17-apr-2009 2:41
  Edited by: Nic Atkin on 17-apr-2009 2:54

  Hi FurryOne,
  There is a way to hide both A: and C: - but you need Windows Administrator rights to do it. Not possible in a locked down PC, So I'll live with it for now.
  I was also having the Configure File Type Associations at startup everytime problem (see
  Re: Configure File Type Associations at startup everytime
  So, my current solution looks like this:
  AddVMOption -Dide.pref.dir.base=M:\Oracle\
  AddVMOption -Dide.pref.dir=M:\Oracle\sqldeveloper
  AddVMOption -Dide.user.dir.base=M:\Oracle\
  AddVMOption -Dide.user.dir=M:\Oracle\sqldeveloper
  AddVMOption -Dide.work.dir.base=M:\Oracle\
  AddVMOption -Dide.work.dir=M:\Oracle\sqldeveloper
  AddVMOption -Duser.home=M:\
  AddVMOption -Dno.shell.integration=true

• RD Session Host lock down best practice document

   
  Hello,
  I am currently working on deploying an RDS Farm. My farm has several RD Session host servers. Today I learned that you can do some bad things to the RD Session hosts, if a user presses
  CTRL + Alt + End when having a open session. I locked all of this down using different GPOs which include disabled access task manager, cmd, locking the server, reboot and shutdown etc.
  However, this being sad how would I know what else to lock down since I am new to this topic. I tried to find some Microsoft document about best practices what should be locked down but I wasn’t
  successful and unfortunately a search in the forum did not bring up anything else.
  With all the different features and option Windows Server 2008 R2 has I do not even know where to start.
  Can some please point me into the right direction.
  Thank you
  Marcus

  Hi,
  The RD Session host  lock down best practices of each business is different, every enterprise admin can only to find the most suitable for their own solutions based on their IT infrastructure.
  I collected some resource info for you.
  Remote Desktop Services: Frequently Asked Questions
  http://www.microsoft.com/windowsserver2008/en/us/rds-faq.aspx
  Best Practices Analyzer for Remote Desktop Services
  http://technet.microsoft.com/en-us/library/dd391873(WS.10).aspx
  Remote Desktop Session Host Capacity Planning for 2008 R2
  http://www.microsoft.com/downloads/details.aspx?FamilyID=CA837962-4128-4680-B1C0-AD0985939063&displaylang=en   
  RDS Hardware Sizing and Capacity Planning Guidance.
  http://blogs.technet.com/iftekhar/archive/2010/02/10/rds-hardware-sizing-and-capacity-planning-guidance.aspx
  Technical Overview of Windows Server® 2008 R2 Remote Desktop Services
  http://download.microsoft.com/download/5/B/D/5BD5C253-4259-428B-A3E4-1F9C3D803074/TDM%20RDS%20Whitepaper_RC.docx
  Remote Desktop Load Simulation Tools
  http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c3f5f040-ab7b-4ec6-9ed3-1698105510ad
  Hope this helps.
  Technology changes life……

• Forward facing locked down machines... kiosk?

  Hey everyone,
  So I have done a lot of research on this topic, but have yet to find an end-all solution to my conundrum. I have many machines in my network that are forward facing and public use reference terminals that connect to a database of books and things. These
  machines are not and should not be used to casual internet browsing so we have manually locked them down. These machines currently run IE10 Win7x32. The windows side locking down is no problem. But we are having a BIG issue with the current way we allow specific
  sites and lock out all others. 
  In our system, we have an abundance of allowed sites for quick research purposes that these machines are allowed to access. Still technically reference information. For the sake of argument, we have about 25 sites including the main database site that should
  be allowed through a proxy or other filtering system. Currently, we have this proxy based with exceptions built into IE... however, there is around a 255 char limit on that input box (for whatever reason).
  So that brings me to my current solution that is not quite working correctly. I have configured a .PAC script and stored it on a server that these machines can access and an msi for IE10 branding using the IEAK for IE10. This .PAC script does not seem to
  be working the way it should. I got the idea from a site I didn't save, but the basic idea is below:
  function FindProxyForURL(url, host)
  // variable strings to return
  var proxy_yes = "PROXY 255.255.255.255:8080";
  var proxy_no = "DIRECT";
  if (shExpMatch(url, "*.google.com")) { return proxy_no; }
  // Proxy anything else with yes
  return proxy_yes;
  So, my understanding is this would run when sites are accessed, if it matches the if statements it passes and if it doesn't, it defaults to proxy_yes which doesn't exist and thus doesn't load. The ADMX configures the proxy itself and everything should be
  great. 
  My main question: is there a better way to allow sites through to a machine WITHOUT loading the pages first. A simple whitelist/blacklist doesn't necessarily work because it, as far as I understand, still loads the pages but does not display them. Currently,
  it looks like IEAK is the only way to correctly manipulate these settings in internet explorer 10+, unless I'm getting that wrong. It doesn't seem like the list from our previous installation from GP is being overridden using this method, and it doesn't
  apply to new machines connected to the policy. Of course, I know it is applying because other functions, like the content rating system that I accidentally left on, have caused some problems in the past. 
  We will be upgrading these machines to newer optiplex models and installing Windows 8, so if there is a more effective solution that only works in windows 8, I am willing to try it. 
  Thanks in advance for the help, you guys are always awesome! 

  Hi,
  >>Currently, it looks like IEAK is the only way to correctly manipulate these settings in internet explorer 10+, unless I'm getting that wrong.
  In addition to IEAK 10, to configure proxy for IE 10 on Windows 7, if our most up-to-date domain controller is Windows Server 2012 or R2, we can use Group Policy Preferences
  Internet Settings extension to configure the proxy setting. Besides, we can also choose to install Remote Server Administrative Tools on a Windows 8 or 8.1 client and manage group policy settings from this client.
  Moreover, another way is that we can try using Group Policy Preferences Registry extension to configure the proxy settings for IE10 on Windows 7.
  Regarding this point, the following thread can be referred to as reference.
  Proxy settings not applying to IE above 8
  http://social.technet.microsoft.com/Forums/en-US/3b0f54d7-7293-49dc-9e3f-e8799c20265b/proxy-settings-not-applying-to-ie-above-8?forum=winserverGP
  Best regards,
  Frank Shen

• Wireless Controller locking down User per SSID

  I am using Wireless Controller 4112. We use WPA enterprise mode for authentication and encryption via Microsoft IAS server and MS AD domain.
  My question is how to lock down a user to a specific SSID? I would guess that this is via some vendor specific radius attributes, am I right? And if so, what would be the name (and ID) for the attributes?
  Thanks in advance.

  Making progress in setting up the wireless controller with multiple VLAN and WLAN/SSID. I create a virtaul interface at the controller and assign a VLAN number to it. The controller mgmt port is also set to a trunk port. Create a new SSID WLAN and have it mapped to the new virtual interface. Things work good.
  The new problem I am trying to solve is how to prevent wired users to access the controller admin web interface via the virtual interface IP. I try create ACL and map it to the virtual interface. It doesn't seem working.

• Server firewall can't close AFP port 548

  Running 10.4.9 (not Intel) my external IP address I have shut down everything in the firewall except pop3 and http toward this server (call it x.x.10.200) and yet when I do a port scan - AFP and Ping still show up as vunerable. I am running stealth on TCP and UDP and have all ICMP boxes unchecked.
  anyone with some experience with this would be appreciated.
  Also my bad: the somehow hitting a control return key combination while in Advanced Settings clears and kills all those settings. could I get a screen print or list of what was in there?
  btw; I have put port 548 in the deny alway in under the advanced settings also and it still shows open to a port scan.
  Thanks
  PeteSanDiego
  Multiple   Mac OS X (10.4.9)   Server Security Networking

  I figured out that I had the outside ip address in the wrong side of the advanced settings, so I was able to close AFP. However, try as I can, I cannot stop the response to icmp ping. any help would be appreciated.
  Multiple   Mac OS X (10.4.9)  

• Application.cfc & locking down media files

  Hi,
  I've used a login framework for the Application.cfc (from
  Forta's CF8 book chapter 23). It successfully locks down .cfm
  files, but media/image files such as .jpg are still unsecure.
  What am I missing to make sure that even no matter what's in
  the folder, whether it be .jpg, .gif, .mov, .swf, etc... will only
  be accessible if the site visitor has the proper login credentials?
  I could probably "lock" the media files away in a database
  structure, but that's not very efficient. I'm sure CF8 has an easy
  way to handle this that I just don't know about.
  Thank you for your help!

  Azadi wrote:
  > the only secure way to not allow access to a web content
  is to not put
  > it on the web. cf never processes those 'media' files
  you mention - it
  > is your web server that handles requests for them.
  >
  > so either:
  > a) move those files into non-web-accessible part of your
  server and
  > serve them with cf via file system interaction
  tags/functions and
  > cfcontent/cfherader combinations
  > b) configure cf to process those files instead of your
  web server
  >
  > mind you, both options above may add significant
  processing overhead to
  > your application, so balance the need to secure access
  to those files
  > and your app performance wisely...
  >
  As well as these CF solutions mentioned by Azadi, you can
  look into the
  security options of your web server and try to apply them.
  These work
  differently then the ColdFusion based solution, but they get
  to the same
  end.

• Locked down Administrator profiles

  Hi,
  we're having a strange issue on our terminal servers.
  We have some GPOs to lock down normal user profiles which only apply to our TS users and not to administrators.
  When we create a new user profile for an Administrator he gets a locked down profile e.g. no right click in start menu, no icons in control panel...
  Existing administrator profiles work fine.
  When I check the registry under "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" there are many settings set to 1 (like NoChangeStartMenu, NoManageMyComputerVerb). If I change them to 0 everything is working fine.
  We have already disabled all GPOs and also removed the server from the Domain. It also happens when we create a new local user.
  We have tried to copy the default user profile from another server but we still get a locked down profile.
  Has anyone had the same issue?
  Regards

  Ok there are some files in %windir%\system32\grouppolicy:
  %windir%\system32\grouppolicy\machine\Citrix\GroupPolicy\Policies.gpf
  %windir%\system32\grouppolicy\user\Citrix\GroupPolicy\Policies.gpf
  %windir%\system32\grouppolicy\gpt.ini
  If I delete these files I can successfully create a new Admin profile!
  Is it safe to delete all those files?