
valter

Everything posted by valter

  1. Hi m8, here is something for the start ...

     1. Get a computer with 3 NICs
     2. Install Windows 2003 Server and updates but NOT SP1 (remember NO SP1)
     3. Make it a member server of your AD

     Now we have to secure ISA server itself. Do the following:

     4. Download this from Microsoft site and extract it somewhere
     5. On the DC make a new OU, call it ISA and place ISA server there.
     6. Apply High Security-Member Server Baseline template to the ISA OU (template is located in the extracted material Windows Server 2003 Security Guide\Tools and Templates\Security Guide\Security Templates). Make sure to set the following services as follows (within GPO for ISA OU):
        a. Remote Access Connection Manager: set startup to Automatic
        b. Routing and Remote Access: set startup to Automatic
        c. Telephony: set startup to Automatic
        Once done, on the ISA box open cmd and type "gpupdate /force", reboot machine when asked.
     7. On the external interface on ISA server do the following:
        a. Clear the check box next to Client for Microsoft Networks
        b. Clear the check box next to File and Printer Sharing for Microsoft Networks
        c. On the DNS tab of the Advanced TCP/IP properties clear the check box next to Register this connection's addresses in DNS
        d. On the WINS tab of the Advanced TCP/IP properties clear the check box next to Enable LMHOSTS lookup and select Disable NetBIOS over TCP/IP

     Now ISA is secured (at least should be). Now you have to make up your mind about the clients: do you want to use SecureNAT, Web Proxy or Firewall clients? Here is the description of the clients:

     Firewall clients are computers on which Firewall Client software has been installed and enabled. When a computer with the Firewall Client software installed requests resources on the Internet, the request is directed to the Firewall service on the ISA Server computer. The Firewall service authenticates and authorizes the user and filters the request based on Firewall rules and application filters or other add-ins. Firewall clients provide the highest level of functionality and security.

     SecureNAT clients do not require any client installation or configuration. SecureNAT clients are configured to route all requests for resources on other networks to the internal Internet Protocol (IP) address of the ISA Server computer. If the network includes only a single segment, the SecureNAT client is configured to use the internal IP address on the computer running ISA Server as the default gateway. SecureNAT clients are easiest to configure because only the default gateway on the client computers must be configured.

     Web Proxy clients are any computers that run Web applications that comply with Hypertext Transfer Protocol (HTTP) 1.1, such as Web browsers. Requests from Web Proxy clients are directed to the Firewall service on the ISA Server computer. Because most client computers already run Web Proxy-compatible applications, Web Proxy clients do not require the installation of special software. However, the Web application must be configured to use the ISA Server computer.

     If you want I can scan you (PDF) my exercises so you can go through. Of course, having a book 70-350 Implementing Microsoft Internet Security and Acceleration Server 2004 is a MUST. If you don't have it, I can "borrow" you a PDF as well
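The checklist in the post above is applied by hand through GPO and the adapter properties dialogs, so drift is easy to miss after the next policy change. The script below is an added example, not code from the post or from Microsoft's security guide: a Windows PowerShell read-only check that reports whether steps 6a-c (service startup types) and 7c-d (DNS registration, LMHOSTS lookup, NetBIOS over TCP/IP on the external NIC) still hold on the local box. It assumes Windows PowerShell is installed on the server, that it runs with administrative rights, and that the external adapter's connection name is passed in (the default "External" is an assumption); steps 7a-b (the Client for Microsoft Networks and File and Printer Sharing bindings) are not checked here.

```powershell
# Added example (not from the original post): verify the ISA member-server
# hardening steps on the local machine. Read-only; it changes nothing.
# Assumptions: runs on the ISA box with admin rights; the outside-facing
# adapter's connection name is given via -ExternalNic (default is assumed).
param(
    [string]$ExternalNic = "External"
)

function Test-IsaHardening {
    param([string]$NicName)

    $findings = @()

    # Step 6a-c: these services must be set to Automatic startup.
    # Service names are the standard Windows short names for each display name.
    $requiredAuto = @{
        "RasMan"       = "Remote Access Connection Manager"
        "RemoteAccess" = "Routing and Remote Access"
        "TapiSrv"      = "Telephony"
    }
    foreach ($name in $requiredAuto.Keys) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            $findings += "MISSING  service $name ($($requiredAuto[$name])) not found"
        } elseif ($svc.StartMode -ne "Auto") {
            $findings += "FAIL     $($requiredAuto[$name]) startup is '$($svc.StartMode)', expected Auto"
        } else {
            $findings += "OK       $($requiredAuto[$name]) startup is Auto"
        }
    }

    # Step 7c-d on the external interface. Win32_NetworkAdapter.Index joins to
    # Win32_NetworkAdapterConfiguration.Index for the same adapter.
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$NicName'"
    if ($null -eq $adapter) {
        $findings += "MISSING  no adapter with connection name '$NicName'"
        return $findings
    }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"

    if ($cfg.FullDNSRegistrationEnabled) {
        $findings += "FAIL     '$NicName' still registers its address in DNS (step 7c)"
    } else {
        $findings += "OK       '$NicName' does not register in DNS"
    }

    if ($cfg.WINSEnableLMHostsLookup) {
        $findings += "FAIL     '$NicName' still has LMHOSTS lookup enabled (step 7d)"
    } else {
        $findings += "OK       '$NicName' LMHOSTS lookup disabled"
    }

    # TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled.
    if ($cfg.TcpipNetbiosOptions -ne 2) {
        $findings += "FAIL     '$NicName' NetBIOS over TCP/IP not disabled (value $($cfg.TcpipNetbiosOptions), step 7d)"
    } else {
        $findings += "OK       '$NicName' NetBIOS over TCP/IP disabled"
    }

    return $findings
}

Test-IsaHardening -NicName $ExternalNic | ForEach-Object { Write-Output $_ }
```

Run it after `gpupdate /force` and the reboot, and again whenever the ISA OU policy is edited; any FAIL line points at the exact step in the checklist to redo.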
  2. Is that w2k3 box the only server in that AD?
  3. Did you try to remove warez p2p program?
  4. Trusts in 2 different AD would allow your user1 from AD1 to authenticate to AD2 and vice versa. The other way would be to migrate users from AD2 to AD1 and then slowly move servers as well ...
  5. you can restrict printing using either user group access or using printing devices (Win2k3) but to display request that will be approved or denied is not possible using built in software ... you would have to look for some third party software that controls printing ...
  6. "Actually my question why do we use option "Local" not "Network", since it is networked-printer? (i.e. I want to know the reason for that)"

     When you install a printer on the server you have to use Local in order to share the printer, since you can't share a "network" printer ... if you run for example HP Network Printer Installation Wizard to install HP network printers on your server, all printers will be installed as local, even though specific ports using IP addresses will be created, and printers will be shared ...
  7. It might be that's downloading huge update, so give it some time
  8. Sure you can, what matter is SID not the computer name, so you can safely remove that machine from DC OU and then join it again under the same name ....
  9. sorry dude, but that's TCP/IP filtering, the same functionality that exists on Win2k3 besides the firewall ... but that's NOT the firewall, never was, nor will be ... as I said, look for the third party firewall
  10. I would promote that Win2k box to a DC (AD) and then use ADMT to migrate to Win2k3 .. your users wouldn't see any difference coz they log on from outside, so that would be the painless thing to do ... however, before you do anything, make sure you test it in the test environment ...
  11. long story short, no there is not, if you don't need SP1, don't install it ... simple as that
  12. Haven't seen a win2k box in a while, but I can't recall that win2k box has a built in firewall ... anyway, even Win2k3 box built in firewall wouldn't do what you're looking for, I would advise you to look for a third party product or ISA2k4
  13. Be very, very careful if you're running AD on your Win2k box ... don't just disable services for nothing, there must be a reason for that ... clear your event log and then restart the server, then check the event log again, and write down all errors (red cross), warnings (yellow exclamation) and info, including event id number, source, and the body of the error ... an excellent resource site for event log is eventid.net ... subscription costs 10 US$/year, **** cheap, and life saving web site ... or just post your errors and warnings here, so we will try to pinpoint the problem(s) ...
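The triage routine in the post above (clear the log, reboot, then write down every error and warning with its event id, source and message) is tedious to do by hand and easy to get wrong when an id is mistyped. The script below is an added example, not code from the post: it pulls the Error and Warning entries written since the last boot from the System and Application logs, groups them by source and event id so the noisiest problem stands out, and exports the full detail to a CSV that can be attached to a forum post or looked up on eventid.net. It assumes Windows PowerShell is available on the box and that the account can read the classic event logs; the output path under `$env:TEMP` is a constructed default.

```powershell
# Added example (not from the original post): collect errors and warnings
# logged since the last reboot, with the fields the post says to record.
# Assumption: Windows PowerShell with the classic Get-EventLog cmdlet and
# read access to the System and Application logs.

function Get-EventsSinceBoot {
    param(
        [string[]]$Logs  = @("System", "Application"),
        # The post also asks for Information entries; add "Information" here if wanted.
        [string[]]$Types = @("Error", "Warning")
    )

    # Boot time from WMI; LastBootUpTime is a DMTF datetime string.
    $os   = Get-WmiObject Win32_OperatingSystem
    $boot = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)

    foreach ($log in $Logs) {
        Get-EventLog -LogName $log -After $boot -EntryType $Types |
            Select-Object @{ n = "Time";    e = { $_.TimeGenerated } },
                          @{ n = "Log";     e = { $log } },
                          EntryType,
                          Source,
                          @{ n = "EventId"; e = { $_.EventID } },
                          @{ n = "Message"; e = { ($_.Message -replace "`r?`n", " ").Trim() } }
    }
}

$entries = Get-EventsSinceBoot

# Summary: the source/id pairs that repeat most are usually the lead.
$entries | Group-Object Source, EventId | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail for posting or for matching against eventid.net.
$csv = Join-Path $env:TEMP "eventlog-triage.csv"   # constructed default path
$entries | Export-Csv -NoTypeInformation -Path $csv
Write-Output "Wrote $($entries.Count) entries to $csv"
```

Clear the logs and reboot before running it, as the post advises, so that only the entries from a clean start are collected; a source/id pair that appears at every boot is the one to look up first.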
  14. Why ISA2k when you can get ISA2k4 ... anyway, while ISA2k was opened from the start, ISA2k4 is sealed down, it doesn't trust no1, not even itself. Installation and configuration is pretty straight forward, you need though to decide client configuration, should it be NAT, firewall or proxy client configuration ... anyway, I'm taking ISA2k4 course right now, and can give you some directions for start if you want ... a good resource would also be www.isaserver.org
  15. But even if they can access it, they can't do anything ... what ever they try to do, they will receive Access denied ...
  16. Well, first you've edited your post later, never mind anyway. This:

     "Now I replaced the OS (not the PC, because I have dual OSs on each PC) for both PCs with WinXP and Win2000 Server, they worked fine, without any problem."

     still doesn't explain what "worked fine" means ... could you ping the routers, could you telnet to the routers ... anyway, there is no reason for not being able to ping anything from the Win2k3 box ... the only node that can drop the ping packet is the one you're trying to ping, in your case the router ... Try installing Win2k3 SP1 and don't forget to apply the latest hotfix for the tcp/ip flaw
  17. Check power properties, right click on the desktop, properties, screen saver, click on power button and then tab advanced, there is a settings what should happen when you press the power button ...
  18. If the user is not administrator he/she can't use computer management anyway ... I don't think what you ask is possible to be done via GPO, but I think you might want to try MS TweakUI
  19. if you can ping your box from the router, but not the router from the box then ICMP has been disabled on the router (security) can you ping LANA from LANB router? ... another thing, you have to enable telnet access on CISCO routers ... I assume you're taking CCNA labs, telnet access should be among chapters in the first semester ...
  20. When you say you've changed the server, do you mean that you have installed a DHCP server on another box and not using the existing database? If so, then the problem is probably in your clients. If you have any external laptops, just plug it in and see what happens ... another thing, are you sure your server has network access, coz it might be this very last tcp/ip flaw

