RE: TCP/IP Filtering problem on W2KAS

From: Skinner, Kit (KSkinner@sandstream.com)
Date: 02/04/02


From: "Skinner, Kit" <KSkinner@sandstream.com>
To: "'Turner, Keith'" <TurnerL@tea-emh1.army.mil>, focus-ms@securityfocus.com
Date: Mon, 4 Feb 2002 17:00:45 -0000 

The problem is that if you are listing ports that are 'allowed' and you
don't list every dynamic port used by a client (1024+) to access the DNS
server (53), then you are in effect filtering out the return inbound
response to your outbound request.

You might want to look at the very useful article by Steve Riley titled
"Using IPSec to Lock Down a Server":
http://www.microsoft.com/TechNet/itsolutions/network/maintain/security/ipsecld.asp

I find using the IPSec filters MUCH more useful than the TCP/IP Filtering.
Some of the benefits:
        * it can filter both inbound AND outbound traffic
        * it can filter by protocol, port, and/or IP address/range
        * it does NOT require a reboot to make changes
        * there's a command-line tool in the resource kit for automating
        * you can apply the filters via Global Policies.

I'd check it out and see if it fits your needs better.

-K

-----Original Message-----
From: Turner, Keith [mailto:TurnerL@tea-emh1.army.mil]
Sent: Monday, February 04, 2002 7:15 AM
To: focus-ms@securityfocus.com
Subject: TCP/IP Filtering problem on W2KAS

  I've enabled TCP/IP filtering on a W2KAS IIS server. As a result, the
server can no longer use DNS (as a client). According to MSKB Q309798,
"TCP/IP Filtering can filter only inbound traffic. This feature does not
affect outbound traffic or response ports that are created to accept
responses from outbound requests." So, in theory, I should not have to add
*any* ports to the "allowed" list for the IIS server to be able to start a
conversation with a dns server and receive an answer. I started a capture
with network monitor, opened nslookup and fired off a few dns queries. The
query is making it to the dns server, which is responding with an answer.
Network Monitor sees this answer, but nslookup never gets it.
 Does anyone have any suggestions on how to get dns queries working with
TCP/IP filtering? If I remember correctly, this worked fine in NT4.

Thanks,
Keith
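The behaviour the two messages above describe, modelled as a small simulation (an added example; it is not code from either poster or from the Microsoft article, and the filter semantics are simplified). The addresses, ephemeral port and packets are constructed. The first model is an inbound-only port allow-list with no memory of the outbound request, which is what drops the DNS reply Network Monitor saw; the second is a per-host rule list with a "mirrored" option that also permits the reply leg of a permitted outbound flow, which is the property the IPSec approach relies on. "Permit All" for UDP is included to show why it is not a good fix: it lets the reply through by letting everything through.

```python
"""Why an inbound-only port allow-list breaks DNS lookups, versus mirrored
per-host rules.  All hosts, ports and packets below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the filtered server
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


SERVER = "10.0.0.5"       # assumed address of the filtered IIS host
DNS_SERVER = "10.0.0.53"  # assumed address of the DNS server it queries
EPHEMERAL = 1040          # client-side port chosen for the query (1024+)

# Constructed traffic: the query/reply pair from the original post, a stray
# datagram that merely spoofs the DNS port, and an ordinary web request.
QUERY = Packet("out", "udp", SERVER, EPHEMERAL, DNS_SERVER, 53)
REPLY = Packet("in", "udp", DNS_SERVER, 53, SERVER, EPHEMERAL)
STRAY = Packet("in", "udp", "192.0.2.9", 53, SERVER, EPHEMERAL)
WEB = Packet("in", "tcp", "192.0.2.9", 40000, SERVER, 80)
TRAFFIC = [QUERY, REPLY, STRAY, WEB]


def tcpip_filtering(pkt: Packet, permit: Dict[str, Optional[Set[int]]]) -> bool:
    """Model of TCP/IP Filtering: inbound only, keyed on the local destination
    port.  A value of None is 'Permit All' for that protocol; a set is 'Permit
    Only' those ports.  Nothing about the outbound request is remembered."""
    if pkt.direction == "out":
        return True
    allowed = permit.get(pkt.proto)
    return allowed is None or pkt.dst_port in allowed


@dataclass(frozen=True)
class Rule:
    proto: str                  # "udp", "tcp" or "any"
    remote_ip: str              # a specific address or "*" for any
    local_port: Optional[int]   # None = any port
    remote_port: Optional[int]  # None = any port
    permit: bool
    mirrored: bool = True       # also match the same flow in the other direction


def _matches(rule: Rule, pkt: Packet) -> bool:
    """Rules are written from the server's outbound point of view; a mirrored
    rule also matches the corresponding inbound packet."""
    if rule.proto not in ("any", pkt.proto):
        return False
    if pkt.direction == "out":
        local_port, remote_ip, remote_port = pkt.src_port, pkt.dst_ip, pkt.dst_port
    elif rule.mirrored:
        local_port, remote_ip, remote_port = pkt.dst_port, pkt.src_ip, pkt.src_port
    else:
        return False
    return (rule.remote_ip in ("*", remote_ip)
            and rule.local_port in (None, local_port)
            and rule.remote_port in (None, remote_port))


def ipsec_style_filter(pkt: Packet, rules: List[Rule]) -> bool:
    """Simplified model of a host filter list.  Rules are given most specific
    first and the first match decides, standing in for most-specific-match
    selection; an unmatched packet is blocked, as a lock-down list ending in a
    block-all rule would do."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.permit
    return False


def verdicts(filter_fn: Callable[[Packet], bool]) -> List[bool]:
    return [filter_fn(p) for p in TRAFFIC]


def tcpip_permit_only_web() -> List[bool]:
    """Only TCP/80 listed, no UDP ports: the reply to our own query is dropped."""
    return verdicts(lambda p: tcpip_filtering(p, {"tcp": {80}, "udp": set()}))


def tcpip_permit_all_udp() -> List[bool]:
    """'Permit All' for UDP restores DNS but admits the stray datagram too."""
    return verdicts(lambda p: tcpip_filtering(p, {"tcp": {80}, "udp": None}))


def ipsec_lockdown(mirrored: bool = True) -> List[bool]:
    """Permit DNS to one server and inbound web; block everything else.  With
    mirrored=False the DNS rule covers the query but not its reply."""
    rules = [
        Rule("udp", DNS_SERVER, None, 53, permit=True, mirrored=mirrored),
        Rule("tcp", "*", 80, None, permit=True),
        Rule("any", "*", None, None, permit=False),
    ]
    return verdicts(lambda p: ipsec_style_filter(p, rules))


if __name__ == "__main__":
    for name, result in [("permit only TCP/80", tcpip_permit_only_web()),
                         ("permit all UDP", tcpip_permit_all_udp()),
                         ("mirrored rules", ipsec_lockdown()),
                         ("unmirrored rules", ipsec_lockdown(mirrored=False))]:
        print(f"{name:20} query/reply/stray/web -> {result}")
```

Each list reads query, reply, stray, web. The allow-list drops the reply while passing the query, exactly the symptom in the capture; the mirrored rule set passes both legs of the DNS exchange while still rejecting the datagram that only imitates the DNS port, and removing the mirror flag reproduces the original failure.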
