RE: Access to well-known ports on Win2K

From: Roberta Bragg (freouwebbe@msn.com)
Date: 11/02/02


From: "Roberta Bragg" <freouwebbe@msn.com>
To: "'Scott Mulcahy'" <scottcm@usa.net>, <focus-ms@securityfocus.com>
Date: Fri, 1 Nov 2002 17:06:36 -0600

Additional Information:

TCP/IP filtering allows you to 'only' allow certain ports - that's blocking
access, and that's what was asked about.

IPSec does not provide security at the user level; it's a machine-level
policy - it works for all users of the machine, and can allow or block access
according to the IP address of the accessing machine (to be a user-level
policy, it would have to be configurable for a specific user account, and it
cannot be).

You do not need to create 1024 filters; you create one which 'blocks all',
then create one for each one you wish to allow.

Again: the policy is based on the machine, so it would not matter whether the
user logged on to the domain.

Many routes for deployment, as you mention: Group Policy; Local Security
Policy; property pages of the network connection; script or batch file.

All security is only good if it's applied, as you say.

Solaris or W2K, if a user can change the security policy then it's not going
to be an effective security policy.

> -----Original Message-----
> From: Scott Mulcahy [mailto:scottcm@usa.net]
> Sent: Friday, November 01, 2002 12:53 PM
> To: focus-ms@securityfocus.com
> Subject: RE: Access to well-known ports on Win2K
>
>
> TCP/IP Filtering does not provide port level security at the user level. You
> could use an IPSec policy and deploy it to all users to block source ports
> below 1024. Then have a subset of those users in a different OU and assign
> that OU a policy that permits all ports.
>
> There are a couple of potential problems, though. 1) You need to create 1024
> selectors for TCP (or, as MS calls them, filters): 1 for each port. The good
> news is you'd only have to do this once. 2) If the user is able to stop the
> IPSec Policy Agent service then the IPSec policy is no longer active.
>
> This approach has the same limitation as applying any security using GPOs:
> problems can occur and a GPO may not get applied, if a user doesn't log in
> using AD credentials they won't get the GPO, etc. Alternatively, you could
> apply IPSec as a local security policy, but management of the policy just
> got much more difficult. You would also need to make sure that the user
> doesn't have the ability to modify the IPSec policy in this case.
>
> Quite simply, W2K, XP and .NET have the ability to do what you ask, but it's
> not as simple as Solaris. On the positive side, if you go with a GPO then
> deployment is fairly simple.
>
> Good luck,
> Scott
>
> -----Original Message-----
> From: Roberta Bragg [mailto:freouwebbe@msn.com]
> Sent: Thursday, October 31, 2002 4:17 PM
> To: 'Rangan, Govindaraj'; focus-ms@securityfocus.com
> Subject: RE: Access to well-known ports on Win2K
>
>
> Several well-known methods for restricting port access exist in Windows 2000,
> XP and .NET.
>
> Take a look at TCP/IP filtering and IPSec policies (IPSec policies can be
> written to filter port access, as well as to encrypt data in flight).
>
> The Remote Access service can also be configured to provide this type of
> access control.
>
> None of these services require extra purchases, downloads or other activity;
> they are built into the operating system and just require configuration, as
> does Solaris.
>
> > -----Original Message-----
> > From: Rangan, Govindaraj [mailto:govindr@ti.com]
> > Sent: Wednesday, October 30, 2002 10:59 PM
> > To: 'focus-ms@securityfocus.com'
> > Subject: RE: Access to well-known ports on Win2K
> >
> >
> > Hi All,
> > Greetings.
> > Do all users on Win2K have access to the well-known ports? This question
> > arose when I was doing some security tests in a heterogeneous environment
> > with Windows and Solaris boxes. Solaris RSHD's only security is that before
> > allowing access, it checks the source host and source tcp port. The host
> > should be in hosts.equiv or .rhosts and the source tcp port should be one
> > of the well-known ports (0-1023). The rsh client is a setuid script and
> > starts as root. However, on Windows 2000 it is possible for any user (not
> > necessarily an admin user) to open a "well-known port" to connect to any
> > rshd.
> > Can we restrict access to well-known ports to a certain user or group? If
> > not, the secure way is that Solaris hosts shouldn't trust Windows hosts.
> > Your help in resolving this is highly appreciated.
> >
> > Regards,
> > Govind
> >
>
>
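The thread above talks about an IPSec policy that blocks outbound TCP connections whose source port is below 1024, and notes that Windows IPSec filters take one port per filter, that the policy is machine-wide rather than per-user, and that nothing is enforced if the IPsec Policy Agent is stopped. The script below is an added example and is not code from anyone in the thread. It assumes the "netsh ipsec static" context, which exists on Windows XP SP2 and Windows Server 2003 and later (Windows 2000 itself only had ipsecpol.exe from the Resource Kit, with different syntax); the policy, filter-list, filter-action and rule names, and the list of source ports left open, are made up for the example.

```powershell
# Added example, not from the thread. Builds a machine-wide IPsec policy that
# blocks outbound TCP connections from source ports 0-1023, one filter per
# port, using "netsh ipsec static" (XP SP2 / Server 2003 or later; Windows
# 2000 needed ipsecpol.exe instead). Run from an elevated prompt.
# The policy applies to every user of the machine; IPsec cannot be scoped to
# a user account.

$Policy     = 'Block-Low-Source-Ports'       # assumed names, for this example
$FilterList = 'TCP-src-0-1023'
$Action     = 'Block-Low-Source-Ports-Action'
$Rule       = 'Block low source ports'

# Source ports that must stay usable (constructed for the example). Empty
# means every port in 0-1023 is blocked. Allowed ports are simply left out of
# the block list, so no permit filter of equal specificity has to compete
# with a block filter for the same port.
$AllowedSourcePorts = @(1022, 1023)

# Without the IPsec Policy Agent (service name "PolicyAgent") no IPsec policy
# is enforced, assigned or not, so refuse to continue if it is not running.
$agent = Get-Service -Name PolicyAgent -ErrorAction Stop
if ($agent.Status -ne 'Running') {
    throw "PolicyAgent is $($agent.Status); IPsec policies will not be enforced."
}

# Wrapper that fails loudly: netsh returns a non-zero exit code on bad input.
function Invoke-IpsecStatic([string[]]$NetshArgs) {
    & netsh.exe ipsec static @NetshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh ipsec static $($NetshArgs -join ' ') failed ($LASTEXITCODE)"
    }
}

Invoke-IpsecStatic @('add', 'filteraction', "name=$Action", 'action=block')
Invoke-IpsecStatic @('add', 'filterlist', "name=$FilterList")

# Filters take a single port (0 = any), so a range is one filter per port.
# srcaddr=me / dstaddr=any with mirrored=no matches only traffic this host
# originates from that source port.
foreach ($port in 0..1023) {
    if ($AllowedSourcePorts -contains $port) { continue }
    Invoke-IpsecStatic @('add', 'filter', "filterlist=$FilterList",
                         'srcaddr=me', 'dstaddr=any', 'protocol=TCP',
                         "srcport=$port", 'dstport=0', 'mirrored=no',
                         "description=TCP source port $port")
}

# Create the policy unassigned, attach the rule, then assign it so the
# Policy Agent picks it up.
Invoke-IpsecStatic @('add', 'policy', "name=$Policy", 'assign=no')
Invoke-IpsecStatic @('add', 'rule', "name=$Rule", "policy=$Policy",
                     "filterlist=$FilterList", "filteraction=$Action")
Invoke-IpsecStatic @('set', 'policy', "name=$Policy", 'assign=yes')

# Show what was built; the policy must report as assigned to be live.
netsh ipsec static show policy name="$Policy"
```

To push the same policy to many machines rather than running this locally, export it with "netsh ipsec static exportpolicy" and import it into a GPO under Computer Configuration, Windows Settings, Security Settings, IP Security Policies; since it is a computer policy, which user logs on makes no difference, which is the per-user limitation both replies describe. Whoever can stop PolicyAgent or edit the local policy can switch it off, so pair it with restricted local administrator membership.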