About Ports

Aneesh

CLOSING PORTS FOR SECURITY

QUERY:

Please we need information on all the ports that we need
to give permission to enable a normal functioning of our
site.

Following Are the Configuration we use.


OUR PLATFORM:
MS WINDOWS 2000 - Advanced Server using IIS 2000 (5.0) and
SQL 2000, we use Java, and our pages are asp dynamically
generated, we also use some applets.

SECURITY ISSUE:
For Security reasons we want to close all Ports except
those which are needed for the proper functioning of our
programs and connectivity to the Internet.

CURRENT SAFETY FACILITIES:
Symantec, Norton antivirus, Firewall, Patches and updates
from MS and Tools from Symantec

REASONS:
Even with all the security tools and patches we are still
affected by viruses, worms, ghost messages etc etc.

WORK DONE:
We have accessed several pages on Ports on the net and
reviewed the full list of IANA (the Port Controlling
Authority).
Based on this information we used the MS limited Port
filtering Facility found in:
Connections > Properties > TCP/IP > Properties > Advanced
Options > TCP/IP Filtering > Properties,
where we enabled TCP/IP Filtering following instructions
from MS http://support.microsoft.com/?id=309798 and gave
permission to Ports which we believed to be of use namely:

ftp 21/tcp File Transfer [Control]
ftp 21/udp File Transfer [Control]

ssh 22/tcp SSH Remote Login Protocol
ssh 22/udp SSH Remote Login Protocol

http 80/tcp World Wide Web HTTP
http 80/udp World Wide Web HTTP
www 80/tcp World Wide Web HTTP
www 80/udp World Wide Web HTTP
www-http 80/tcp World Wide Web HTTP
www-http 80/udp World Wide Web HTTP

auth 113/tcp Authentication Service - used for Firewall
auth 113/udp Authentication Service - used for Firewall

https 443/tcp http protocol over TLS/SSL
https 443/udp http protocol over TLS/SSL

password-chg 586/tcp Password Change
password-chg 586/udp Password Change

msexch-routing 691/tcp MS Exchange Routing
msexch-routing 691/udp MS Exchange Routing

msnp 1863/tcp MSNP
msnp 1863/udp MSNP

messageservice 2311/tcp Message Service
messageservice 2311/udp Message Service

Client Server 3389/TCP for Terminal Server client default connection

msfw-control 3847/tcp MS Firewall Control
msfw-control 3847/udp MS Firewall Control

commplex-main 5000/tcp Yahoo Messenger - Voice Chat
commplex-main 5000/udp Yahoo Messenger - Voice Chat
commplex-link 5001/tcp Yahoo Messenger - Voice Chat
commplex-link 5001/udp Yahoo Messenger - Voice Chat

Yahoo Messenger - Messages
mmcc 5050/tcp multimedia conference control tool
mmcc 5050/udp multimedia conference control tool

http-alt 8008/tcp HTTP Alternate
http-alt 8008/udp HTTP Alternate

http-alt 8080/tcp HTTP Alternate (see port 80)
http-alt 8080/udp HTTP Alternate (see port 80)


RESULT:
The site or the browser would not come up, we could not
connect with msn or yahoo (needed for communication whilst
doing work).
These returned as soon as we allowed all ports to be open.
This tells us that we do not know all the Ports that need
permission.



MISCELLANEOUS:
We also need the ports to allow Hotmail and Yahoo chat
Messenger.

Thanking you in advance

Aneesh
 
Lanwench [MVP - Exchange]

Some other questions come to mind - what kind of firewall are you using? Got
centralized AV on all workstations (Norton CE or something like it)?
Exchange-aware AV? Updating all regularly, running scheduled full scans?
