Re: Internet Services Manager

From: Derek (derekm@rogers.com)
Date: 04/09/02


From: "Derek" <derekm@rogers.com>
To: <focus-ms@securityfocus.com>
Date: Tue, 9 Apr 2002 07:37:27 -0400

However, beware of Microsoft implementations of PPTP to secure
your MMC sessions.

To quote:
http://www.counterpane.com/pptp-faq.html

1. What did Bruce Schneier and Mudge actually do?
They found security flaws in Microsoft PPTP that allow attacks to
sniff passwords across the network, break the encryption scheme
and read confidential data, and mount denial of service attacks
against PPTP servers. They did not find flaws in PPTP, only in
Microsoft's implementation of it.

Derek

----- Original Message -----
From: "Free, Bob" <RWF4@pge.com>
To: "'Jason Yates'" <jyates@dataservice.org>; <focus-ms@securityfocus.com>
Sent: Thursday, April 04, 2002 7:35 PM
Subject: RE: Internet Services Manager

> See ISM/MMC Does Not Work Through a Firewall [Q218471]
>
> CAUSE
> =====
>
> This is by design. If the MMC ISM was configured to operate through a
> firewall using TCP port-based security alone, particularly by opening
> additional TCP ports, it could potentially expose sensitive configuration
> information to the Internet.
>
> The HTMLA uses TCP port 80, which is open on most firewalls for Web traffic
> and sites.
>
> HTTP and FTP are well defined by firewalls, which make these protocols more
> secure.
>
> RESOLUTION
> ==========
>
> To resolve this issue, do one of the following:
>
> Use HTMLA over SSL
> ------------------
>
> Use the HTML version of the Internet Service Manager (also known as the HTML
> Administration or HTMLA) over SSL. This uses HTTP-based security, which will
> require additional configurations mentioned in the online documentation for
> the Windows NT Option Pack.
>
> -OR-
>
> Use the ISM MMC over PPTP
> -------------------------
>
> Use Point-to-Point Tunneling Protocol (PPTP) to tunnel through the firewall.
> The ISM MMC can be used on the secure PPTP connection. This will also require
> additional configurations.
>
>
> -----Original Message-----
> From: Jason Yates [mailto:jyates@dataservice.org]
> Sent: Thursday, April 04, 2002 1:57 PM
> To: 'focus-ms@securityfocus.com'
> Subject: Internet Services Manager
>
>
> I'm trying to use Internet Services Manager snap-in on a web server
> located in our internal network. The web server is running Win2k and
> IIS 5.0. At first, I was connecting fine. I've added TCP/IP filtering
> to the remote machine, and now I can't connect. What ports does ISM use
> anyway?
>
> I'm allowing UDP and TCP connection to port 137-139 and just TCP to port
> 80. All other filtering is taken care of in the outside firewall.
>
> -Jason
>
>


