To minimize the number of unsolicited inbound connections that enter your network, follow these common-sense suggestions when you implement your network security solution. First, consider physical isolation. If you can, separate your most frequently accessed services from your production network. For example, if you run a Web server onsite, place the server on a different network segment from the segment your production systems reside on. Or, have your Internet Service Provider (ISP) host or co-locate your Web site. Either of these methods reduces the amount of external traffic that enters your internal network.
Second, consider protocol isolation. Do any servers on your network contain particularly critical or sensitive data? If so, consider isolating those servers from the Internet by removing TCP/IP from them. As long as your internal workstations can access the servers via IPX or NetBEUI, your users won't lose functionality, but you'll remove some of the risk of connecting your network to the Internet.
Third, live by the maxim "If you don't need it, don't run it." Every few weeks, Internet users report a new security bug in a commonly used application. In addition, some software packages' default configurations leave them vulnerable to exploitation. Recent exploits have compromised the WinGate proxy server and Microsoft FrontPage. Don't run an application on your network unless your users need it. You never know what bugs hackers might find and exploit in that application.
Fourth, if you have only one server and you use that server as your Internet router, unbind the Server service from the NIC that connects to the Internet. Select Control Panel, Network, and choose the Bindings tab. Expand the Server service, then expand the service's TCP/IP connection. You will see your two network adapters. Select the adapter that connects to the Internet and click Disable. These steps prevent external users from attempting to log on to your server across the Internet.