Hardening Win 2K Pro

Duane Arnold

Bob said:
That's the only way anyone can figure out what you are trying to say.

That's because you couldn't figure it out if it hit you upside your wooden
head.

Duane :)
 
Duane Arnold

Duane said:
Look, Egan and I have been at it for quite a while and I really don't care
what you think about it.

And let me be blunt about it, take the router and stick up ass. ;-)

That's your ass.

It didn't want to confuse you as to where it belongs. ;-)

Duane :)
 
James Egan

It's claimed that with the router firewall disabled, the router's
configuration is accessible.

I would guess that would go straight to the top of their "to do" list
and get fixed soon after discovery. Fundamental though, isn't it? How
these things get beyond initial testing is beyond me.

Having said that, your beloved win9x system left the netbios session
service port in a listening state (if the client for ms networks was
still bound) even if file and printer sharing was unbound from tcp/ip.
Although it was listening no-one could connect to the shares so it
wasn't a big deal apart from grc.com making the usual mountain out of
a molehill.

The point being that there's a big difference between a port being
open and someone being able to access your system. Best leave your
firewall on all the same, though. Unless you want to prove you were
right by getting your router hacked :)


Jim.
 
null

> I would guess that would go straight to the top of their "to do" list
> and get fixed soon after discovery.

Apparently, you didn't read what Rateliff had to say about that. It
seems it took forever. Assuming it's actually fixed, that is.

> Fundamental though, isn't it? How
> these things get beyond initial testing is beyond me.

Buyer beware.

> Having said that, your beloved win9x system left the netbios session
> service port in a listening state (if the client for ms networks was
> still bound) even if file and printer sharing was unbound from tcp/ip.
> Although it was listening no-one could connect to the shares so it
> wasn't a big deal apart from grc.com making the usual mountain out of
> a molehill.

I dunno how you managed to get off on that line of bull. I always
bound adapters to TCP/IP only when I was using 9X/ME. All 64K
ports were closed. Period. Netstat -an result was zilch. Period.

> The point being that there's a big difference between a port being
> open and someone being able to access your system. Best leave your
> firewall on all the same, though. Unless you want to prove you were
> right by getting your router hacked :)

That's definitely not how I would propose to do the testing :)

Art

http://home.epix.net/~artnpeg
 
Duane Arnold

Bob said:
Not unless you poke a hole. I have no holes.

The point wasn't aimed at you and your set-up in the first place.
You will have to look that up for yourself because you will not accept
anything I tell you. Check out the router forums.

like only the HTTP

Yeah, I don't have to go to a forum on that one.
How do you know that Kerio has not done that? When Windows comes up it
is the first item before any of the installed services. If the tray
networking icon is any indication of when TCP/IP is started, it is a
while *after* Kerio has been started.

Yeah OK. If Kerio like the rest of them somehow did that the *cow* jumped
over the Moon and you're right.
Then why does the Kerio splash screen show up well before the
networking tray icon.
Yeah OK you're right about that too.

Hey, I can cooperate with you and you're right. ;-)

Duane :)
 
null

There was a period back several years ago when the Linksys BEFSR41 was
trying to get SPI working that they introduced some vulnerabilities
into the firmware. It took a long while to get it all sorted out. I
know because I was an official Linksys beta tester and I corresponded
with the development engineers at the time.

The last firmware revision I installed is an old one that we were told
was stable. It is 1.42.6. I have had no reason to change. I believe
you still have to disable SPI if you want to forward any ports.

FYI, I just installed rev 3.37.6 and the behaviour is quite different
indeed. With the firewall disabled, all ports, including 80 and 443
test as Blocked or Stealthed at the port scanning sites.

Art

http://home.epix.net/~artnpeg
 
Bob

> FYI, I just installed rev 3.37.6 and the behaviour is quite different
> indeed. With the firewall disabled, all ports, including 80 and 443
> test as Blocked or Stealthed at the port scanning sites.

I recommend you pay close attention to the method used to test for
blocked ports. I have read that not all methods are reliable.

The one I use which I know is 100% accurate is TZO's Port Detective.
The reason I know is I discussed the matter with Eric McIntyre at TZO
who developed PD. You have an agent on your machine that phones home
to the TZO server and watches for traffic at the port being inspected.

If you use WallWatcher you can see if the packet even makes it thru
your ISP. That's how I originally discovered that Road Runner was
blocking port 80, among others. Then later I confirmed it with RR.

www.portdetective.com

It's a free service.


--

Map of the Vast Right Wing Conspiracy
http://home.houston.rr.com/rkba/vrwc.html

"Nothing in the world can take the place of perseverance. Talent
will not; nothing is more common than unsuccessful men with talent.
Genius will not; unrewarded genius is almost a proverb. Education
will not; the world is full of educated derelicts. Persistence and
determination alone are omnipotent."
--Calvin Coolidge
 
null

> I recommend you pay close attention to the method used to test for
> blocked ports. I have read that not all methods are reliable.

Don't believe everything you read.

> The one I use which I know is 100% accurate is TZO's Port Detective.
> The reason I know is I discussed the matter with Eric McIntyre at TZO
> who developed PD.

I'd look for objective opinions by experts who didn't design the thing
myself.

> You have an agent on your machine that phones home
> to the TZO server and watches for traffic at the port being inspected.
>
> If you use WallWatcher you can see if the packet even makes it thru
> your ISP. That's how I originally discovered that Road Runner was
> blocking port 80, among others. Then later I confirmed it with RR.
>
> www.portdetective.com
>
> It's a free service.

Looks like a nice app. I just ran it and got the same results as the
usual port scanning sites on the internet.

Art

http://home.epix.net/~artnpeg
 
James Egan

> I dunno how you managed to get off on that line of bull. I always
> bound adapters to TCP/IP only when I was using 9X/ME. All 64K
> ports were closed. Period. Netstat -an result was zilch. Period.

Doh! I'm not talking about bindings to adaptors. It occurs with a
binding to the Client for MS Networks even if File and Printer sharing
is unbound.

Standalones like yours without a network client or service are
obviously not going to have open netbios ports but, believe it or not,
some people want to share files as well as Internet connections.


Jim.
 
kurt wismer

Bob said:
I have a problem with tinkering with Windows - there are apps which
use certain ports and if you block them the apps won't work. I prefer
to create an alert in Kerio and discover first hand who's using what
port.

somewhere there's been a communication or logic breakdown...

what closing ports means in OS hardening parlance is actually a process
of stopping programs and/or services from listening on those ports... if
you have a specific program that listens on a particular port and you
want/need it to do so then you leave that specific program alone...
closing ports shouldn't prevent you from letting approved applications
listen on whatever ports they want to...
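
As an added illustration of the distinction drawn in this thread (not code from any poster): a Python sketch that reads `netstat -an` output and lists the sockets that are actually listening, so each one can be traced to the program or service to stop or keep. The sample output, the address values and the function names are constructed for this example.

```python
import re

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    0.0.0.0:500            *:*
"""

WINDOWS_NETWORKING = {137: "NetBIOS name service", 138: "NetBIOS datagram service",
                      139: "NetBIOS session service", 445: "SMB over TCP"}

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def listeners(netstat_text):
    """Sockets that accept traffic: TCP rows in LISTENING state and every bound UDP row."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto == "TCP" and state != "LISTENING":
            continue  # an established outbound connection is not an open port
        scope = "loopback" if addr.startswith("127.") else "network"
        found.append({"proto": proto, "addr": addr, "port": port,
                      "scope": scope, "service": WINDOWS_NETWORKING.get(port)})
    return found

def review_list(netstat_text):
    """Network-reachable listeners, Windows networking ports first, then by port number."""
    exposed = [s for s in listeners(netstat_text) if s["scope"] == "network"]
    return sorted(exposed, key=lambda s: (s["service"] is None, s["port"]))

if __name__ == "__main__":
    for s in review_list(SAMPLE_NETSTAT):
        label = s["service"] or "identify the owning service"
        print(f'{s["proto"]} {s["addr"]}:{s["port"]}  {label}')
```

A listener bound only to 127.0.0.1 is left off the review list because nothing outside the machine can reach it.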
 
kurt wismer

Bob said:
Bob wrote:
[snip]
The number one defense is NAT. There is no reason to turn it off.

apparently someone doesn't understand the words coming out of my mouth
(errr keyboard, whatever)...

when you're debugging a connectivity problem there *IS* a reason to turn
it off - it might be the cause of the connectivity problem...


Oh, cut it out. I obviously meant there is no reason to turn it off
under normal operating conditions. Most people do not know how to
"debug a connectivity problem".

that doesn't mean they won't be instructed to perform the operation by
their isp's tech support... they don't need to know how to do it
themselves so long as a guy being paid minimum wage to read instructions
from a script is there to tell them what to do...
 
Bob

> Don't believe everything you read.

Does that include your post?

Thanks for the warning.


 
Bob

> that doesn't mean they won't be instructed to perform the operation by
> their isp's tech support... they don't need to know how to do it
> themselves so long as a guy being paid minimum wage to read instructions
> from a script is there to tell them what to do...

LOL

 
