Block internet access on server running Windows Server 2003 Standard

[kmm12115]

Hello, I'm new here, so I don't know if I posted this in the wrong category, if so, I appologize.

Is it possible to have my file server only accessable in the LAN. I would like to block all inbound/outbound traffic outside of the LAN. I back up all of my personal files to that server and some contain sensitive information.

I have it connected to my router but it has full access to outside the LAN/Internet.

Can this be done?

 

[chuck441]

Hello everyone,

I am looking to do exactly what kmm12115 asked about, but no one answered. Is this too hard to do? Or too easy, so no one bothered to reply?

I want to keep the Windows Server 2003 completely off the web, while every work station attached to it can go freely online.

The solution we are trying now is to have the server on a stand-alone router which is not connected to the web. There are two network cards in all the work stations, with one card connected to the server's router, and the other connected to the internet access router. But this has introduced a problem: the work stations have ended up with intermittent access to the web. This is happening even though each router does assign a non-conflicting set of IP's (Server router range is from 192.168.2.100 to 192.168.2.125, and the internet router from 192.168.1.100 to 192.168.1.125).

Because this method introduced the problem of intermittent web access, I'm looking for a simpler answer.

Some ideas I've considered include going back to one router, setting a fixed IP for the server, and then blocking web access through the web router. I've also thought about going back to one router and using a firewall program to block all internet traffic on the server.

One other idea I have to fix this would be to downgrade the stand-alone router the server is connected to, installing a stand-alone network switch instead, and assigning each network card attached to it a fixed IP address.

But would doing that perhaps make the server accessible to hacking through a work station? And maybe all of these ideas do that? At least the stand-alone router has a firewall, but having two routers where one does not have internet access is interfering with the web connection somehow. I had expected Windows to be a little smarter about recognizing which LAN card has internet access, and to automatically use that, but no ...

By the way, the work stations all have either Windows XP Home Edition or Vista Home Premium, all up-to-date with the latest Service Packs, etc.

Anyway, help! What is the best way to go?

 

[chuck441]

Does the lack of answers mean that no one knows, or that no one is willing to help? Or should I have started a fresh post? I really need someone with wisdom to help out here ...

 

[riser]

Consider the post is from September of 2011, I think it's dead.

Ideally, from the router you could simply block ports 80 and 443 TCP from the IP address of the server.

 

[chuck441]

Consider the post is from September of 2011, I think it's dead.

Ideally, from the router you could simply block ports 80 and 443 TCP from the IP address of the server.

Riser, Thank you for the idea, but it didn't work. I blocked the ports for the IP addresses (two NICs in the server), and I also blocked the MAC addresses. Of course the internet is solid now, but the server remains on line in spite of putting blocks in. I tried it with both of the wired routers, with the same result. Neither one blocks the internet access to the server, even though the blocks are in place. Do you have any other ideas? What about a firewall?

Thank you again, Chuck

 

[ngrego]

Manually assign an IP address and subnet mask ONLY to the server in question. Without Gateway address and DNS addresses it will not be able to access the internet.
Thats all you need to do!

 

[chuck441]

Manually assign an IP address and subnet mask ONLY to the server in question. Without Gateway address and DNS addresses it will not be able to access the internet.
Thats all you need to do!

Excellent! Thank you, ngrego! I just have one question about this solution: Will the server also be unreachable from the web? Basically, does this also keep hackers out?

Thanks again! Chuck

 

[ngrego]

There will be no DIRECT access to the machine from the web. Although if someone had the hacking knowledge (and a good reason) they could probably access it through your network depending on the security. Absolutely NO network is 100% hacker proof!

 

[chuck441]

There will be no DIRECT access to the machine from the web. Although if someone had the hacking knowledge (and a good reason) they could probably access it through your network depending on the security. Absolutely NO network is 100% hacker proof!

Well, ngrego, you were absolutely correct on getting the server off the web, and still maintaining local network access. It worked perfectly! I appreciate your taking the time to help me with that.

And knowing that there is "no DIRECT access" to the server from the web is what we wanted. We should be reasonably safe now.

God bless! Chuck

 

[sk1939]

Well, ngrego, you were absolutely correct on getting the server off the web, and still maintaining local network access. It worked perfectly! I appreciate your taking the time to help me with that.

And knowing that there is "no DIRECT access" to the server from the web is what we wanted. We should be reasonably safe now.

God bless! Chuck

Not having a default gateway can cause all kinds of network issues if you have network services, and not having a DNS server listed doesn't block web access, it just makes domain names un-resolveable. If you open IE, you can still get to websites if you know the IP address. The only sure way to block internet access is through firewall policy (Advanced Firewall or Windows Firewall), or Group Policy. Alternatively, you could set a firewall policy to deny traffic on the necessary ports to the server.