Re: Security Policy, IP filtering

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: Mon, 2 Dec 2002 17:08:44 -0500


AFAIK, hisecweb.inf does not include port filtering, though it does do other
things to secure your computer. I would probably not enable hisecweb.inf on
a production server without having a backup or knowledge of the current
settings and knowing how to undo the settings.

I would probably recommend an external firewall device. There are free
Linux firewalls that run entirely from a boot CD on an old 486 computer or
that supposedly have an easy-to-use GUI. Windows 2000 does come with the
ability to use IPsec filtering, but there's no logging or alerting, which
can make troubleshooting and intrusion detection difficult.

Definitely I would consider blocking all ports to and from your servers
except for required ports, such as TCP 80 for web browsing, TCP 1433 to
permitted developer IP addresses for SQL development, etc. The firewall
logs will show you which ports are being used; also running Vision from
www.foundstone.com/knowledge could be informative here as well.

Also, you can manually secure your servers using the instructions here:

http://securityadmin.info/faq.htm#harden and
http://securityadmin.info [especially the sections on IIS, SQL security and
vulnerability assessments]
also: www.sqlsecurity.com

Lastly, you should consider installing the free URLScan, which comes with
IISLockdown; it is pretty useful for improving IIS security.

"Erik" <Erik@nospam.com> wrote in message
news:020401c29a43$e84caa60$d3f82ecf@TK2MSFTNGXA10...
> All,
>
> I recently had a SQL Server attack on my IIS Server, in which
> someone was trying to crack a password.
>
> I would like to add a security policy that would allow me
> to filter ports and such. Is there a template out there
> that people use to do this? The problem is, the
> developers use software like Macromedia to connect to the
> server, and it opens several ports, and I am not sure
> which ones they are.
>
> I did take a look at the HiSecWeb file, but I am not sure
> if I should install this because of the risks associated.
>
> Thanks for the help,
>
> Erik
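Added example, not part of Karl's reply or anything Erik posted: the port policy Karl describes (allow TCP 80 from anywhere, TCP 1433 only from named developer addresses, drop everything else inbound, and log the drops so the "which ports are the developers actually using" question can be answered from the log). Windows 2000 IPsec filters have no PowerShell interface, so this is written for the built-in Windows Firewall NetSecurity module on Windows Server 2012 or later; the filtering tool is swapped in, the policy is the same one the thread discusses. The developer addresses, the rule names and the sample log path are placeholders I chose, and the script must be run from an elevated prompt.

```powershell
# Added example (not from the thread): Windows Firewall equivalent of the
# "block everything except required ports" policy Karl recommends.
# Requires the NetSecurity module (Windows Server 2012+ / PowerShell 3+),
# run as Administrator. Windows 2000 IPsec filtering cannot be driven this way.

# ASSUMPTION: placeholder developer hosts (TEST-NET-1 range); replace with real IPs.
$DeveloperHosts = @('192.0.2.10', '192.0.2.11')
# Default Windows Firewall log location; the directory must be writable by the service.
$LogPath = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

function Set-WebServerInboundPolicy {
    # 1. Deny all inbound traffic that matches no allow rule, and log both
    #    blocked and allowed packets. Logging is exactly what Karl notes
    #    Windows 2000 IPsec filtering lacks.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogAllowed True `
        -LogFileName $LogPath -LogMaxSizeKilobytes 32767

    # 2. HTTP from anywhere.
    New-NetFirewallRule -DisplayName 'Allow HTTP inbound' -Direction Inbound `
        -Protocol TCP -LocalPort 80 -Action Allow -Profile Any

    # 3. SQL Server only from the permitted developer addresses.
    New-NetFirewallRule -DisplayName 'Allow SQL 1433 from developers' -Direction Inbound `
        -Protocol TCP -LocalPort 1433 -RemoteAddress $DeveloperHosts `
        -Action Allow -Profile Any

    # 4. Caveat: a Block default only covers traffic no rule matches. Windows
    #    ships many enabled inbound allow rules (file sharing, etc.), so disable
    #    the rest. If you manage the box over RDP, add an explicit rule for
    #    TCP 3389 from your admin address BEFORE running this, or you lock yourself out.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -notin 'Allow HTTP inbound', 'Allow SQL 1433 from developers' } |
        Disable-NetFirewallRule
}

function Get-FirewallLogSummary {
    # Summarise the log by action, protocol and destination port for inbound
    # packets. Blocked entries on unexpected ports show what the developers'
    # tools are trying to use; blocked entries on 1433 from one source show
    # the kind of password-guessing Erik saw.
    param([string]$Path = [Environment]::ExpandEnvironmentVariables($LogPath))

    # pfirewall.log is W3C style; the #Fields header is:
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags
    # tcpsyn tcpack tcpwin icmptype icmpcode info path
    Get-Content -Path $Path |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -ge 17 -and $f[16] -eq 'RECEIVE') {
                [pscustomobject]@{
                    Action  = $f[2]
                    Proto   = $f[3]
                    Source  = $f[4]
                    DstPort = [int]$f[7]
                }
            }
        } |
        Group-Object Action, Proto, DstPort |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage:
#   Set-WebServerInboundPolicy
#   Get-FirewallLogSummary | Format-Table -AutoSize
#   Get-FirewallLogSummary | Where-Object Name -like 'DROP, TCP, 1433*'
```

Run the policy function once, let the developers work for a day, then read the summary: every DROP line on a port you did not allow is a candidate for a narrowly scoped rule (specific port, specific source addresses), which is how to find the ports the Macromedia tooling opens without guessing. Check the log file is actually being written before relying on it; the firewall service needs write access to the directory.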