8th July 2006, 12:30 PM #1
Server firewalls inside the perimeter
In another thread, RoyG suggested that it would be OK to give students admin rights so long as server security was up to par. Best practice normally calls for up-to-date patching and disabling unused services.
I was just wondering if, added to the above, people here also have a firewall inside the LAN between their servers and client PCs.
11th July 2006, 11:20 PM #2
Re: Server firewalls inside the perimeter
-
-
12th July 2006, 04:08 AM #3 Re: Server firewalls inside the perimeter

Originally Posted by ITWombat:
"In another thread, RoyG suggested that it would be OK to give students admin rights so long as server security was up to par. Best practice normally calls for up-to-date patching and disabling unused services.
I was just wondering if, added to the above, people here also have a firewall inside the LAN between their servers and client PCs."
No no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no. It's just plain bad.
-
-
12th July 2006, 07:43 AM #4 Re: Server firewalls inside the perimeter
We don't have it here, but it was common practice in a couple of places I contracted in. Development servers were firewalled off from the rest of the LAN, so was the finance server.
If it's _well_ documented and done for sensible reasons, it can work. Problems arise when changes aren't documented. If you're doing it because a server isn't patched / secure you still have issues, but certain patches break certain expensive systems (I'm looking at you, Oracle) so firewalling is sometimes the only option.
IIRC (few years ago), employees at Sophos (that have been there long enough to be considered sensible) have two computers on their desk, one for the Internet and one for the internal LAN. They fire people who attempt to move files from one to another.
-
-
12th July 2006, 09:23 AM #5 Re: Server firewalls inside the perimeter
"in another thread, RoyG suggested that it would be OK to give students admin rights so long as server security was up to par"
I didn't get the impression he was talking about production machines - any computer can be a server if it serves something and I don't see any problem giving kids admin on 'servers' so they can learn it. Some schools let kids bring in their own laptops, some schools even buy laptops for kids - there is no difference. I can't prevent a student bringing in an AD DC on his/her laptop and probably it should be encouraged.
It's definitely not a good idea to give anyone admin rights to production servers except admins.
-
-
12th July 2006, 09:33 AM #6
Re: Server firewalls inside the perimeter

Originally Posted by
Dos_Box No no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no no. It's just plain bad.
ROFL
Actually, I saw that thread too. I think the admin rights were for PCs not servers (now that would be scary). Roy also used hardware disk reset as an additional measure against phishing and persistent badness.
The question really is whether there would be much gained. A lot of malware uses common ports for SMB, SSL, SMTP etc (remember Blaster).