NT Gatekeeper: Disabling IP Routing on Web Servers

This registry-key edit will disable IP routing on your Web servers.

Jan De Clercq

August 4, 2002


My company's Windows NT Web servers are physically hosted in a demilitarized zone (DMZ). To manage the servers, we use a separate administration network, and each server has two NICs—one connects to the DMZ network subnet, and another links to our administration network subnet. We can configure an NT server with multiple NICs to route IP traffic between the subnets, but for obvious security reasons, we don't want IP routing enabled on our Web servers. Is IP routing enabled by default? How can we ensure that our Web servers aren't enabled for IP routing between the DMZ subnet and the administration subnet?

On NT systems, IP routing is disabled by default. To enable IP routing in NT, go to Network Settings, TCP/IP Properties. On the Routing tab, select the Enable IP Forwarding check box. You can also enable the feature from the registry. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters registry subkey, and set the EnableIPRouter value (of type REG_DWORD) to 1. Reboot the system to effect the change.

To guarantee that no one enables your Web servers for IP routing without your knowledge, make sure that you configure the appropriate NT access-control and auditing options on the registry subkey that holds the EnableIPRouter value and that only authorized users have access to your Web servers. You might also invest in an integrity-checking tool that alerts you when your systems' configuration changes. For an overview of NT system integrity-checking tools, see "Learning About NT Integrity-Checking Tools," February 2002, InstantDoc ID 23461.
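The checks described above (routing value, write access to the subkey, auditing on the subkey) can be scripted. The following is an added example, not code from the article: it assumes a Windows version that ships PowerShell (NT 4.0 predates it) and an elevated session, and the list of trusted accounts is an assumption to adjust for your site.

```powershell
# Added example. Run elevated: reading the SACL needs the
# "Manage auditing and security log" right.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# The article prints the value name as EnableIPRouter; Microsoft's TCP/IP
# registry documentation calls it IPEnableRouter. Check both spellings.
$valueNames = 'EnableIPRouter', 'IPEnableRouter'

# Assumption: only these accounts should be able to change the key.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

# Rights that let an account change the value or the key's protection.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# 1. Is forwarding switched on in the configuration?
$props = Get-ItemProperty -Path $key
foreach ($name in $valueNames) {
    $p = $props.PSObject.Properties[$name]
    if ($null -eq $p)       { "{0}: not present (routing off by default)" -f $name }
    elseif ($p.Value -eq 0) { "{0} = 0 (routing off)" -f $name }
    else                    { "FINDING: {0} = {1} (routing on)" -f $name, $p.Value }
}

# 2. Who besides the trusted accounts is allowed to write to the key?
$acl = Get-Acl -Path $key -Audit
foreach ($ace in $acl.Access) {
    $canWrite = ($ace.RegistryRights -band $writeRights) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
        $trusted -notcontains $ace.IdentityReference.Value) {
        "REVIEW: {0} can modify the key ({1})" -f $ace.IdentityReference.Value, $ace.RegistryRights
    }
}

# 3. Does any audit entry log successful writes to the key?
$success = [System.Security.AccessControl.AuditFlags]::Success
$audited = @($acl.Audit | Where-Object {
    (($_.RegistryRights -band $writeRights) -ne 0) -and
    (($_.AuditFlags -band $success) -ne 0)
})
if ($audited.Count -eq 0) {
    "FINDING: no audit entry logs successful writes to $key"
}
```

An audit entry on the key produces Security log events only when object-access auditing is also enabled in the system's audit policy.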
