Re: Interpreting the results of an NMAP scan




I wanted to thank all the people who took the time to reply to my question. I am not a system admin by trade, and I do not have plans to become one in the near future :-). This server was set up by an IT professional services company which I suspect might not have taken the time to cross all the t's and dot all the i's ...

I am trying to help my friend understand what potential issues might exist with his current setup, help fix anything that is an emergency, and then help him select a new IT services provider.

I would like to recap what I understand from the various answers I got, and ask a few follow-up questions. I apologize for the length of this post ...

1 - Ports 80 and 443 are open because Outlook Web Access is enabled. The thing is, none of the employees of the business use OWA. People do need to have email access remotely, but they do so using the regular Outlook client over VPN, as well as through iPhones and BlackBerries. I think I will recommend that these 2 ports be closed to the outside world since I can't see a real need for them to be open. The firm doesn't use SharePoint or remote workplace or any of the other MS stuff that's bundled w/ Windows SBS 2003.

The server also has a Dell application called Open Manage Server Administrator. I can't recall what port this is available on, probably the default one (1311). From what I gathered this app has its own web server (i.e. it's not served by IIS). Can anybody confirm that?

2 - There is an Exchange server running on the server to accept incoming email and send outgoing email. I'm confused about the nmap scan reporting port 25 as 'filtered'. If I understand what the nmap doc says, this means that nothing can connect to that port from the outside world. I tried to telnet on port 25 and indeed got a 'connection failed' message. But if that is the case, how can external mail servers connect to the Exchange server to relay incoming emails?

Also, I don't know how the Outlook clients are configured to access the Exchange server: they probably don't use SMTP either, more likely MAPI or IMAP.

4 - I believe the rationale for the VPN setup (and therefore the 1723 port for PPTP) is that users need to access data located on shares on the server when working from home or from a hotel room. Since VPN is required, I'm not sure why ports 143 and 993 should be visible from the outside world either: these ports should be accessible for users on the company LAN only, shouldn't they? Or maybe the intent was to provide a means to access emails remotely without having to establish a VPN connection first if the user did not need to access data on the drive shares.

The only reason for leaving IMAP ports visible from the internet might be for the iPhone and BlackBerry clients. If that is the case, I would imagine we would want to expose only 993 to force IMAP over SSL?

5 - For the Linksys router, the admin password has been changed. I'm not sure what the role of that piece of hardware is exactly. I don't think it should be visible from the outside world and some of you agreed.

I do not know if ISA is being used either like some of the responders suggested. There are also a few Trend Micro products installed:

* Trend Micro Client/Server/Messaging Security for SMB Version 7.6
* Trend Micro End User Quarantine Version 1.2
* Trend Micro ScanMail for Exchange Version 7.5

Between Trend, ISA and the Linksys router I'm not sure what is used for which security needs. And there is also a Netgear wireless router on the network to provide wireless access. And zero documentation provided by the guys who installed all that stuff ...

Again, a big thank you for your patience and feedback!
Dan.

---- Scan results from my original post for reference

Not shown: 990 closed ports
PORT     STATE    SERVICE      VERSION
25/tcp   filtered smtp
80/tcp   open     http         Microsoft IIS
|_ html-title: The page cannot be displayed
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap         Microsoft Exchange Server 2003 imapd 6.5.7638.1
443/tcp  open     ssl/https?
|_ sslv2: server still supports SSLv2
| html-title: Microsoft Outlook Web Access
|_ Requested resource was https://<...snipped...>
445/tcp  filtered microsoft-ds
993/tcp  open     ssl/imap     Microsoft Exchange Server 2003 imapd 6.5.7638.1
|_ sslv2: server still supports SSLv2
1723/tcp open     pptp         Microsoft (Firmware: 3790)
8081/tcp open     http         Linksys router http config (device model BEFSR41/BEFSR11/BEFSRU31)
| http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = Linksys BEFSR41/BEFSR11/BEFSRU31
|_ html-title: 401 Authorization Required
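
Added example (not part of Dan's post or of any reply): a short Python script that parses the port table above and lists each externally open port that falls outside an allow-list or carries a script warning. The allow-list (993 for IMAP over SSL, 1723 for PPTP) is an assumption drawn from the remote-access needs the post describes, and the names parse, review and NEEDED are made up for this example.

```python
import re

# Port table from the post above (wrapped lines rejoined), used as sample input.
SCAN = """\
25/tcp filtered smtp
80/tcp open http Microsoft IIS
|_ html-title: The page cannot be displayed
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap Microsoft Exchange Server 2003 imapd 6.5.7638.1
443/tcp open ssl/https?
|_ sslv2: server still supports SSLv2
| html-title: Microsoft Outlook Web Access
445/tcp filtered microsoft-ds
993/tcp open ssl/imap Microsoft Exchange Server 2003 imapd 6.5.7638.1
|_ sslv2: server still supports SSLv2
1723/tcp open pptp Microsoft (Firmware: 3790)
8081/tcp open http Linksys router http config (device model BEFSR41/BEFSR11/BEFSRU31)
| http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = Linksys BEFSR41/BEFSR11/BEFSRU31
"""

# Assumed policy, not stated as final in the post: only IMAP over SSL and the VPN
# need to be reachable from the Internet.
NEEDED = {993, 1723}
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse(text):
    # Each "N/tcp STATE SERVICE" line starts a port; "|" lines are script output for it.
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m[1]), "state": m[3], "service": m[4], "scripts": []}
            ports.append(current)
        elif line.startswith("|") and current:
            current["scripts"].append(line.lstrip("|_ ").strip())
    return ports

def review(ports, needed=NEEDED):
    # Only "open" ports answered the scan; "filtered" means a packet filter kept
    # Nmap from determining whether anything is listening.
    findings = []
    for p in (p for p in ports if p["state"] == "open"):
        if p["port"] not in needed:
            findings.append((p["port"], "open but not on the allow-list"))
        if any(s.startswith("sslv2") for s in p["scripts"]):
            findings.append((p["port"], "SSLv2 still enabled"))
        if any(s.startswith("http-auth") for s in p["scripts"]):
            findings.append((p["port"], "admin login reachable from outside"))
    return findings
```

Calling review(parse(SCAN)) returns (port, reason) pairs; rerunning it on a fresh scan after the firewall changes shows whether the exposed set shrank to the allow-list.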




