RE: Access to well-known ports on Win2K

From: Roberta Bragg (freouwebbe@msn.com)
Date: 11/02/02


From: "Roberta Bragg" <freouwebbe@msn.com>
To: "'Scott Mulcahy'" <scottcm@usa.net>, <focus-ms@securityfocus.com>
Date: Fri, 1 Nov 2002 17:06:36 -0600

Additional Information:

TCP/IP filtering allows you to 'only' allow certain ports - that's blocking
access and thats what was asked about.

IPSEc does not provide security at the user level; its a machine level
policy - works for all users of the machine; and can allow or block access
according to IP address of accessing machine (to be user level policy, it
would have to be able to be configured to work for a specific user account,
and it cannot be)

You do not need to create 1024 filters; you creat one which 'blocks all'
then create one for each one you wish to allow.

again: the policy is based on the machine; so would not matter if user
logged onto domain,

many routes for deployment as you mention: Group Policy; Local Security
Policy; property pages of network connection; script or batch file

all security is only good if its applied, as you say.

Solaris or W2K, if a user can change the security policy then its not going
to be an effective security policy.

> -----Original Message-----
> From: Scott Mulcahy [mailto:scottcm@usa.net]
> Sent: Friday, November 01, 2002 12:53 PM
> To: focus-ms@securityfocus.com
> Subject: RE: Access to well-known ports on Win2K
>
>
> TCP/IP Filtering does not provide port level security at the
> user level. You
> could use an IPSec policy and deploy to all users to block
> source ports below
> 1024. Then have a subset of those users in a different OU
> and assign that OU
> a policy that permits all ports.
>
> There's a couple of potential problems, though. 1) You need
> to create 1024
> selectors for TCP (or as MS calls them filters): 1 for each
> port. The good
> news is you'd only have to do this once. 2) If the user is
> able to stop the
> IPSec Policy Agent service then the IPSec policy is no longer active.
>
> This approach has the same limitation as applying any
> security using GPO's:
> Problems can occur and a GPO may not get applied, if a user
> doesn't log in
> using AD credentials they won't get the GPO, etc.
> Alternatively, you could
> apply IPSec as a local security policy but management of the
> policy just got
> much more difficult. You would also need to make sure that
> the user doesn't
> have the ability to modify the IPSec policy in this case.
>
> Quite simply, W2K, XP, .NET have the ability to do what you
> ask but it's not
> as simple as Solaris. On the positive side, if you go with a GPO then
> deployment is fairly simple.
>
> Good luck,
> Scott
>
> -----Original Message-----
> From: Roberta Bragg [mailto:freouwebbe@msn.com]
> Sent: Thursday, October 31, 2002 4:17 PM
> To: 'Rangan, Govindaraj'; focus-ms@securityfocus.com
> Subject: RE: Access to well-known ports on Win2K
>
>
> Several well know methods for restricting port access exist
> in WIndows 2000,
> XP and .NET.
>
> Take a look at TCP/IP filtering and IPSec policies (IPSec
> policies can be
> written to filter port access, as well as for encrypting
> data in flight)
>
> The Remote Access service can also be configured to provide
> this type of
> access control -
>
> None of these services require xtra purchases, downloads or
> other activity -
> they are built into the operationg system, just require
> configuration as
> does Solaris --
>
> > -----Original Message-----
> > From: Rangan, Govindaraj [mailto:govindr@ti.com]
> > Sent: Wednesday, October 30, 2002 10:59 PM
> > To: 'focus-ms@securityfocus.com'
> > Subject: RE: Access to well-known ports on Win2K
> >
> >
> > Hi All,
> > Greetings.
> > Do all users on Win2K have access to the
> > well-known ports? This
> > question arose when I was doing some security tests in a
> heterogeneous
> > environment with Windows and Solaris boxes. Solaris RSHD's
> > only security is
> > that before allowing access, it checks the source host and
> > source tcp port.
> > The host should be in hosts.equiv or .rhosts and the source
> > tcp port should
> > be one of well known ports (0-1023). The rsh client is a
> > setuid script and
> > starts as root. However on Windows 2000, it is possible for
> > any user (not
> > necessarily an admin user) to open a "well known port" to
> > connect to any
> > rshd.
> > Can we restrict access to well known ports to a
> > certain user or
> > group? If not, the secure way is that Solaris hosts shouldn't
> > trust Windows
> > hosts. Your help in resolving this is highly appreciated.
> >
> > Regards,
> > Govind
> >
>
>



Relevant Pages

  • Re: [RE: Access to well-known ports on Win2K]
    ... communication typically uses the ephemeral port range. ... policy - works for all users of the machine; and can allow or block access ... many routes for deployment as you mention: Group Policy; Local Security ... > IPSec Policy Agent service then the IPSec policy is no longer active. ...
    (Focus-Microsoft)
  • Re: To IPSec Packet Filter OR Not To IPSec Packet Filter - that is the question
    ... an IPSec policy that should be sufficiently restrictive for your purposes. ... Client's Source port is ANY ... then how can I create an IPSec filter that blocks all ...
    (microsoft.public.win2000.security)
  • Re: IPSec Policy Doesnt Really Block
    ... basic filters to allow port 80 and port 25 inbound from Any to My IP, ... >I have created ipsec policies that work. ... The I add mirrored permit rules for the exceptions such ... >> Here is a list of IPSECPOL.exe commands I am using to create the policy. ...
    (microsoft.public.win2000.networking)
  • Re: IPSec Policy Doesnt Really Block
    ... basic filters to allow port 80 and port 25 inbound from Any to My IP, ... >I have created ipsec policies that work. ... The I add mirrored permit rules for the exceptions such ... >> Here is a list of IPSECPOL.exe commands I am using to create the policy. ...
    (microsoft.public.win2000.security)
  • Re: IPSEC Failing (Secure Server)
    ... Troubleshooting IPSec ... exchanges by enabling Audit Policy, which causes security events to be ... logged in the security log of the Event Viewer. ... Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on ...
    (microsoft.public.windows.server.networking)