RE: Win2K TCP/IP filtering and security
From: Skinner, Kit (KSkinner@sandstream.com)Date: 08/23/01
Message-ID: <E748F5C5A5A8D411B14100508BDCB15C75FF36@mail.mis.sandstream.com>
From: "Skinner, Kit" <KSkinner@sandstream.com>
To: "'Laura A. Robinson'" <larobins@bellatlantic.net>, 'James Renfrew' <General@JamesRenfrew.COM>, focus-ms@securityfocus.com
Subject: RE: Win2K TCP/IP filtering and security
Date: Thu, 23 Aug 2001 14:05:17 -0500
Thanks for the detail, Laura.
RRAS can be useful, but I found it cumbersome when I'm just using a single
server. While it's a good point that IPSec requires a good deal of planning
if you plan on using encryption or authentication, if you use it as a simple
Permit/Block setup, it's really rather simple. For instance, set up a policy
that includes a rule that blocks all traffic, then create an additional rule
for each port inbound to the server (allow the mirror traffic) and you're
done.
In any event, check them both out and see which works better for your
situation.
-K
-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: Thursday, August 23, 2001 12:20 PM
To: Skinner, Kit; 'James Renfrew'; focus-ms@securityfocus.com
Subject: Re: Win2K TCP/IP filtering and security
The reason that services are failing is twofold:
First, there aren't enough ports opened. For example, WINS listens on
NetBIOS port 137. Active Directory replication requires different ports
depending on what it's doing. It will need DNS (53), as well as the AD ports
(445, 389, 88, 123, 135, 3268 for a GC, and 1025 or 1026 [typically; used
for AD replication and logon]).
Second, by filtering on the interface instead of using RRAS, you do not have
the option to specify whether you want the filters to affect incoming
traffic, outgoing traffic, or both. If you do want to enable port filtering,
rather than doing it at the interface level, you may want to take a look at
using the filtering provided by RRAS. Its chief limitation is that it
doesn't allow you to open or close *ranges* of ports, but in your situation,
this probably wouldn't be an issue. It does, however, allow you to specify
at a significantly more granular level what types of port filtering you'd
like to use.
Last, IPSec may also be an option, as Kit mentions, but you will need to
plan its implementation rather carefully before rolling it out.
Hope this helps,
Laura
P.S. A link that may prove useful:
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_zqyu.asp
----- Original Message -----
From: "Skinner, Kit" <KSkinner@sandstream.com>
To: "'James Renfrew'" <General@JamesRenfrew.COM>;
<focus-ms@securityfocus.com>
Sent: Thursday, August 23, 2001 12:22 PM
Subject: RE: Win2K TCP/IP filtering and security
> Well, I have to admit I haven't noticed this before and it's a new one for me,
> so unfortunately I can't give you much help there.
>
> However, you may want to look at using IPSec filters instead. One nice
> thing about them, is that you can change them on-the-fly without having to
> reboot. There's an article on Microsoft about it:
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/network/maintain/security/ipsecld.asp
> (link wrapped for 'readability')
>
> This will also allow all processes to start and map to their ports, but the
> filters will prevent any traffic received by the interface from going to the
> application/service.
>
> I know this isn't an answer to your specific problem, but it is a solution
> to your ultimate need.
>
> I hope this helps,
> -K
>
>
> -----Original Message-----
> From: James Renfrew [mailto:General@JamesRenfrew.COM]
> Sent: Wednesday, August 22, 2001 9:01 PM
> To: focus-ms@securityfocus.com
> Subject: Win2K TCP/IP filtering and security
>
>
> I have just rolled out my Win2K server, with a setup that was based off my
> NT4 server. Everything went pretty well the same except for the network
> properties for my server's interfaces.
>
> I had port filtering enabled on my NT4 system and I see the Windows 2K
> server has the same window. However, I have found that after enabling port
> filtering and setting it to deny all except for the ones I know I want
> (20 / 21 / 25 / 80 / 110), a bunch of the services started crapping out on
> me and/or started generating tons of errors.
>
> Can anyone who is also using port filtering tell me what settings they have
> used?
>
> As near as I can tell the NT4 system gets by it by just looping back
> requests internally on the server, whereas the 2K system actually sends
> the request right to the level of the interface and then it is looped back as
> long as the port is available.
>
> One last thing too...
> I want to run NetBEUI on my LAN but NOT on the WAN interfaces. I see I can
> disable it by clearing the check mark on the interface services and protocol
> list. But I can not find a way to remove it totally without removing it
> from all of the interfaces on my server.
>
>
> By the way.. services I am running on this server include....
>
> WWW
> FTP
> SMTP -exch 5.5
> POP -exch 5.5
> NNTP -exch 5.5
> Netmeeting RDS
> Active Directory
> WINS
>
> Oh and yes a Half Life server too, but don't worry about that :)
>
> Thanking you in advance for your feed back.
>
> Regards
> James Renfrew
> www.jamesrenfrew.com
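The permit/block IPSec policy Kit describes above (one rule that blocks everything, then a permit rule per inbound server port with mirrored filters), populated with the ports James and Laura list in this thread, as an added example that is not part of the original messages. It uses the "netsh ipsec static" context of Windows Server 2003 and later, which Windows 2000 did not have (there the Resource Kit's ipsecpol.exe did the same job with different switches); the policy, filter list and rule names are my own choices. The port list is exactly the one the thread names: James's 20/21/25/80/110 plus Laura's DNS, Kerberos, NTP, RPC endpoint mapper, LDAP, SMB, GC and WINS ports, split into TCP and UDP where the protocol is fixed.

```batch
@echo off
rem Added example, not code from the thread: "block all, then permit listed ports"
rem as an IPSec filter policy. Needs Windows Server 2003+ (netsh ipsec static)
rem and an administrative cmd prompt. All names below are arbitrary (assumed).

set POLICY=Server Lockdown

rem 1. Policy container. Nothing is enforced until it is assigned (step 5).
netsh ipsec static add policy name="%POLICY%" description="Block all inbound, permit listed ports"

rem 2. Catch-all filter: any source, this host, any protocol.
rem    mirrored=yes makes the filter also match the reverse direction,
rem    which is the "allow the mirror traffic" Kit refers to.
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes

rem 3. One filter per permitted port. IPSec applies the most specific matching
rem    filter, so a port-specific permit beats the any/any block above.
netsh ipsec static add filterlist name="Permitted Ports"
for %%P in (20 21 25 53 80 88 110 135 389 445 3268) do (
    netsh ipsec static add filter filterlist="Permitted Ports" srcaddr=any dstaddr=me protocol=TCP dstport=%%P mirrored=yes
)
for %%P in (53 88 123 137) do (
    netsh ipsec static add filter filterlist="Permitted Ports" srcaddr=any dstaddr=me protocol=UDP dstport=%%P mirrored=yes
)

rem 4. Filter actions and the two rules that tie lists to actions.
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add rule name="Block Everything" policy="%POLICY%" filterlist="All Traffic" filteraction="Block"
netsh ipsec static add rule name="Permit Listed Ports" policy="%POLICY%" filterlist="Permitted Ports" filteraction="Permit"

rem 5. Assign the policy. It takes effect immediately, no reboot, as Kit says.
rem    Run this from the console: a port missing from step 3 will cut off a
rem    remote session the moment the policy is assigned.
netsh ipsec static set policy name="%POLICY%" assign=y

rem Review what is now in force.
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Two caveats a practitioner should keep in mind with this approach. First, the dynamic RPC ports Laura mentions for AD replication and logon ("1025 or 1026, typically") are deliberately left out: they are assigned at service start and guessing them is fragile, so either pin them in the registry per Microsoft's documentation or determine them on the host before adding permits. Second, on Windows 2000 and XP the IPSec driver exempts IKE (UDP 500), Kerberos, RSVP, broadcast and multicast traffic from filtering by default (the NoDefaultExempt value under the IPSEC service key controls this), so a "block everything" rule is less complete than it looks until that exemption is turned off.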