Re: Internet Services Manager

From: Derek (derekm@rogers.com)
Date: 04/09/02


From: "Derek" <derekm@rogers.com>
To: <focus-ms@securityfocus.com>
Date: Tue, 9 Apr 2002 07:37:27 -0400

However, beware of Microsoft implementations of PPTP to secure
your MMC sessions.

To quote:
http://www.counterpane.com/pptp-faq.html

1. What did Bruce Schneier and Mudge actually do?
They found security flaws in Microsoft PPTP that allow attacks to
sniff passwords across the network, break the encryption scheme
and read confidential data, and mount denial of service attacks
against PPTP servers. They did not find flaws in PPTP, only in
Microsoft's implementation of it.

Derek

----- Original Message -----
From: "Free, Bob" <RWF4@pge.com>
To: "'Jason Yates'" <jyates@dataservice.org>;
<focus-ms@securityfocus.com>
Sent: Thursday, April 04, 2002 7:35 PM
Subject: RE: Internet Services Manager

> See ISM/MMC Does Not Work Through a Firewall [Q218471]
>
> CAUSE
> =====
>
> This is by design. If the MMC ISM was configured to operate through a firewall
> using TCP port-based security alone, particularly by opening additional TCP
> ports, it could potentially expose sensitive configuration information to the
> Internet.
>
> The HTMLA uses TCP port 80, which is open on most firewalls for Web traffic and
> sites.
>
> HTTP and FTP are well defined by firewalls, which make these protocols more
> secure.
>
> RESOLUTION
> ==========
>
> To resolve this issue, do one of the following:
>
> Use HTMLA over SSL
> ------------------
>
> Use the HTML version of the Internet Service Manager (also known as the HTML
> Administration or HTMLA) over SSL. This uses HTTP-based security, which will
> require additional configurations mentioned in the online documentation for the
> Windows NT Option Pack.
>
> -OR-
>
> Use the ISM MMC over PPTP
> -------------------------
>
> Use Point-to-Point Tunneling Protocol (PPTP) to tunnel through the firewall. The
> ISM MMC can be used on the secure PPTP connection. This will also require
> additional configurations.
>
>
> -----Original Message-----
> From: Jason Yates [mailto:jyates@dataservice.org]
> Sent: Thursday, April 04, 2002 1:57 PM
> To: 'focus-ms@securityfocus.com'
> Subject: Internet Services Manager
>
>
> I'm trying to use Internet Services Manager snap-in on a web server
> located in our internal network. The web server is running Win2k and
> IIS 5.0. At first, I was connecting fine. I've added TCP/IP filtering
> to the remote machine, and now I can't connect. What ports does ISM use
> anyway?
>
> I'm allowing UDP and TCP connection to port 137-139 and just TCP to port
> 80. All other filtering is taken care of in the outside firewall.
>
> -Jason
>
>