
I need to lock down my Windows Server. Is Forefront 2010 ideal for my circumstances? These are:

- I am the single user of my server
- I RDP from other machines (e.g. the laptop).
- I currently have no solution/using Windows Firewall (how good is this?).

Thanks

GurdeepS
  • I suppose one question might be why do you think/suspect that Windows firewall is inadequate? Going from that to something like ForeFront TMG is like trading in a pushbike for a jet fighter. Now there's nothing wrong with that if you need a jet fighter but... – Rob Moir Jun 03 '10 at 20:03

2 Answers


Did you mean Forefront Threat Management Gateway 2010? Forefront is an identifier for a whole range of security products, including two firewall/proxy products (TMG and another one, forgot name), so a clear statement as to what product you meant would be helpful :)

Pharao2k

Nicolas Mehlei

Microsoft has a whole range of security products under the brand "ForeFront"; the only one of them which has firewall capabilities is ForeFront Threat Management Gateway 2010, though, so I'll assume this is what you're talking about.

ForeFront TMG 2010 is the successor to ISA Server 2006, and as such is a full-featured firewall and web proxy product. It is indeed a very powerful product, but it's a network firewall, not a host one; it would be quite overkill to install it on a single server in order to lock it down.

If you only need to protect that server, the built-in Windows Firewall is definitely enough.

Massimo
  • Agreed... It would be more than "overkill", it would be a raving pain in the hoop. Forefront/ISA server tends to assume it owns the box it's installed on and really doesn't make it simple to do otherwise. – Rob Moir Jun 03 '10 at 18:24
  • I actually hate so much the way ISA locks down everything, I took the habit of defining two access rules on any newly-installed ISA box where there's no explicit need to do otherwise: "allow everything from local host to anywhere" and "allow everything from the internal network to local host". My life has been *so* much simpler since that... – Massimo Jun 03 '10 at 18:38
  • I hear you. I think ISA is a pretty damn good product - I like it as the "internal" firewall on a back-to-back firewall arrangement. But it doesn't always make itself easy to work with. In a way that's a good thing, you don't want people who aren't sure what they're doing stripping away all their protection with 3 clicks of the 'next' button on some dumb wizard... but still! – Rob Moir Jun 03 '10 at 18:55
  • I find it just idiotic having it lock down communications *from* the firewall itself to everywhere. I can of course understand the logic behind this ("lock everything by default"), but having to fine-grainly allow it to be a domain member is just *so* painful that allowing it to freely talk to anything it wants to talk to is just *better*. – Massimo Jun 03 '10 at 19:06
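
An added illustration of the built-in Windows Firewall approach recommended in the answer above, for the asker's case of one administrator reaching the server over RDP. It is not part of any post on this page. Assumptions: the two source addresses are documentation-range placeholders, the rule name is hypothetical, RDP listens on its default TCP port 3389, and the built-in rule group carries its English name "Remote Desktop".

```bat
@echo off
rem Added example: host-firewall lockdown for a single-admin server reached over RDP.
rem Run from an elevated command prompt, preferably at the console rather than
rem inside the RDP session whose access is being restricted.
setlocal

rem ASSUMPTION: placeholder addresses from the RFC 5737 documentation range.
rem Replace them with the machines you actually RDP from.
set ADMIN_HOSTS=192.0.2.10,192.0.2.11
rem ASSUMPTION: hypothetical rule name.
set RULE_NAME=RDP-from-admin-hosts

rem 1. Add the scoped allow rule first, so a permitted path to RDP exists
rem    before anything broader is switched off.
netsh advfirewall firewall add rule name="%RULE_NAME%" dir=in action=allow protocol=TCP localport=3389 remoteip=%ADMIN_HOSTS% profile=any
if errorlevel 1 goto :fail

rem 2. Disable the built-in rules that accept RDP from any source address.
rem    ASSUMPTION: English group name; it differs on localized installs.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

rem 3. Firewall on in every profile; inbound traffic is dropped unless a rule
rem    allows it, outbound stays allowed.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem 4. Print the resulting rule and profile settings for review.
netsh advfirewall firewall show rule name="%RULE_NAME%"
netsh advfirewall show allprofiles
goto :eof

:fail
echo Could not add the scoped RDP rule; no other setting was changed.
exit /b 1
```

Any other inbound allow rules already enabled on the server stay in effect, so review the full inbound rule list after running it.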