Securing Your WINS Solution


In many WINS implementations, WINS replication occurs across public networks, such as the Internet. Replicating the NetBIOS names and IP addresses of all hosts within the organization over these public networks creates a security risk, which you can mitigate by using VPN tunnels or placing servers within a perimeter network. Figure 4.11 shows where you perform this step in the process of deploying your WINS solution.

Figure 4.11: Securing WINS During the Deployment Process

Securing WINS Traffic with Tunnels

All WINS replication traffic sent over public networks should be encrypted. Encrypt the replication traffic by using Internet Protocol security (IPSec) or VPN tunnels. When choosing to encrypt replication traffic by using IPSec or VPN tunnels, do the following to further increase security:

  • Use the strongest level of encryption.

  • Use the Routing and Remote Access service to provide the IPSec or VPN tunnel.

  • Use Kerberos V5 or other certificate-based authentication for secure communication channels.

For more information about deploying IPSec, see "Deploying IPSec" in this book. For more information about virtual private networks and the Routing and Remote Access service, see "Deploying Dial-Up and VPN Remote Access Servers" in this book. For more information about enabling Kerberos V5 authentication, see "Enabling Kerberos V5 authentication" in Help and Support Center for Windows Server 2003.

Running WINS on a Perimeter Network

When you must send WINS traffic over a public network, place the WINS servers in a perimeter network to avoid exposing intranet NetBIOS names and WINS data. This placement protects corporate resources while providing NetBIOS name resolution to external clients that need access to these resources.

Caution

If you require replication from the WINS server in the perimeter network to a WINS server within the intranet, in the WINS snap-in, select Replicate Only with Partners in the Replication Partners Properties dialog box on both the WINS servers. Also consider using only pull replication from the intranet servers. To maintain security, encrypt all replication traffic across the inner firewall using IPSec or VPN tunnels.
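The following is an added example, not part of the original Deployment Kit text: one way to apply the encryption guidance from "Securing WINS Traffic with Tunnels" and from the Caution above, using the netsh ipsec static context on Windows Server 2003 to require IPSec for replication between two WINS partners. It assumes transport-mode IPSec directly between the servers and TCP port 42 for WINS replication (the port is not stated on this page); the partner address and all policy, filter and rule names are placeholders.

```bat
@echo off
rem Added example: IPSec policy that requires encryption for WINS replication.
rem Run on each replication partner, with PARTNER set to the other server.
rem 192.0.2.10 is a documentation address; all names below are placeholders.
setlocal
set PARTNER=192.0.2.10
set POLICY=WINS Replication IPSec
set FLIST=WINS Replication Traffic
set FACTION=Require ESP 3DES

rem Create the policy unassigned, with 3DES/SHA1 for main mode and the
rem default response rule turned off.
netsh ipsec static add policy name="%POLICY%" description="Encrypt WINS replication" mmsecmethods="3DES-SHA1-2" activatedefaultrule=no assign=no

rem Match replication traffic (TCP 42) in both directions, whichever
rem server opens the connection.
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=Me dstaddr=%PARTNER% protocol=TCP srcport=0 dstport=42 mirrored=yes
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=%PARTNER% dstaddr=Me protocol=TCP srcport=0 dstport=42 mirrored=yes

rem Require ESP with 3DES and SHA1. soft=no and inpass=no stop the servers
rem from falling back to unencrypted replication if negotiation fails.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate qmsecmethods="ESP[3DES,SHA1]" qmpfs=yes inpass=no soft=no

rem Kerberos V5 authentication needs both servers in trusted domains.
rem For a perimeter server outside the domain, use the rootca= parameter
rem (certificate authentication) in place of kerberos=yes.
netsh ipsec static add rule name="Protect WINS Replication" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" kerberos=yes

rem Assign only after the partner has the matching policy; with soft=no,
rem replication stops until both ends can negotiate.
netsh ipsec static set policy name="%POLICY%" assign=yes

rem Review the resulting policy, rules and filters.
netsh ipsec static show policy name="%POLICY%" level=verbose
endlocal
```

After assigning the policy on both servers, trigger replication from the WINS snap-in and confirm that it still succeeds.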




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146
