Securing a Win box

I'm being forced to promote a development server to an test+evaluation server, which means moving it out of an isolated LAN onto the internet.

Running Win2K server, PHP 4.3X and MSSQL now, and I need to look into firewalls and anti-virus. Unfortunately, contract and purchasing requirements won't let me tie into the Norton licence that already exists, so I'm going solo.

1- As I understand it, NAV and McAfee just don't sell single server, no client licenses. Is this universal? I can't get any details from F-Prot or Sophos or the like for a single license for a server.

2- Need a few recommended firewall programs to look into. There's already a physical firewall, some debate as to whether the box will be behind it or not.

3- Don't tell me to go Linux, my LAMP boxes are already giving me dirty looks on this one ;). The customer says MS, I buy MS.

Well, no doubt about it, that server needs to be isolated from the lan, but should be behind the outer bastion of a firewall, at least, in the DMZ somewhere.....push that issue. As far as firewall software, I have had great luck with black ice, and also Checkpoint.

if you want a hardware router that will do packet filtering for not a lot of money, find an old PC, and look into using the Linux Router Project. It will run off of a single floppy disk as its OS.

Ok, if the LAN guy is worth his weight in salt, he should know that the server can be set up behind the firewall and access granted to specific ports 80,443 etc. No cost involved!!! (I know, I have done it...) as far as antivirus goes, look into Trend Micro, (www.trend.com) they have some server anti-virus suites that are excellent (I know, I use them...) You need to explain to the client that security is of the utmost importance and lowballing when it comes to security will only result in disaster....just my two cents!!

I agree blindeddie, but there are still some LAN guys out there who will fight it tooth and nail. They just dont like putting anything behind the firewall on the trusted network, even if it is given limited permissions.

Ask if you can add a port to the firewall. Not sure what your dealing with, but with cisco FW for instance, you could add another card (low cost) and isolate it from any other sub-net and have you own sub-net to host the new web box.