2K Adv Server, Firewalling Messenger service on external NIC

Posted on 2003-03-10
Last Modified: 2013-12-04


I am receiving messenger spam on my 2K Adv Server which is used as a multi-homed router.
I can't believe people will exploit stupid stuff like that to advertise a product that no one will buy. As if this method of advertising will result in more sales than commercial advertising.

Anyways, I now need to set up a firewall on the external NIC only to block the messenger service...
I do use the messenger service for error reporting so I do not want to disable the service.
This router has lots of traffic running through all kinds of ports that shift numbers all the time, so I have to be careful to only disable ports specifically related to messenger. For now I'm going to follow the following excerpt I found:

Blocking Network Access to the Messenger Service
Blocking access to the service is complicated because it can communicate over multiple protocols, and it shares a port mapper with other applications. Blocking all the possible ports will disable the ability of other computers to send you messages, but it will also disable other services. The most common service that may be affected is Windows file sharing. If you want to share a folder on your computer to the network, this ability may be affected. If you don't want to share a folder across your network, blocking these ports is suggested as a way to improve overall security:

Block access to ports 135, 137-139, and 445. The default configuration of the Internet Connection Firewall shipped with Windows XP will block these ports. Windows NT, 2000, and XP TCP/IP security and filtering options in the network control panel can also be used to block ports. If you have a personal firewall (like BlackICE or ZoneAlarm) you can configure it to block inbound traffic on those ports.

Possible issues with blocking Messenger ports:
- Microsoft Outlook clients can talk to Microsoft Exchange servers on TCP 135
- Windows file sharing requires TCP 139 or 445 depending upon OS
- Server operators, managed networks, and people with custom applications should take great care with blocking ports. Domains and trusts require several of these ports for authentication and other things.
- Some third party applications, particularly management oriented ones may require TCP 135
- Windows Media Technology (also known as NetShow) uses TCP 135 for the Windows Media Administrator and Windows Media Encoder
- According to Microsoft, "Microsoft Office suite and other applications are DCOM aware. You may disable functionality that is in use by blocking ports."
- UDP 137 is needed for netbios name resolution. It and port 138 may be needed for access to netbios resources on the network.
- Some RPC based services exist on high ports (those greater than 1024). It may be possible that those services can be accessed and exploited directly bypassing the mapper on 135.
---------------------------------------------------------------------------------------------------

So it looks like ports 135, 137, 138, 139 and 445 are the ones I need to disable, unless someone knows more.
I need help with firewalling inbound connections on the external NIC only.
I do not want to install any third party firewall software unless absolutely necessary, and I would like some step by step help.

Server details:
- 2K Server on a 400 MHz AMD PC with 64 MB RAM - Woohoo! smokin' machine!
- 10 Mbps external NIC - 100 Mbps internal NIC
- using Routing and Remote Access, no filtering set up at all
- only protocol bound to external NIC = TCP/IP
- internal NIC has bound = TCP/IP & IPX/SPX
- internal clients configured by DHCP

Question by:ViRoy
9 Comments
 
LVL 4

Expert Comment

by:Ghost_Hacker
ID: 8108765
To provide some "native" firewalling in Windows 2000 you need to use IPsec filtering. This link will get you on your way.


http://obsimref.com/en/papers/ipfilter2k/

0
 
LVL 3

Expert Comment

by:Flash828
ID: 8109618
Can't you use TCP/IP filtering to filter out the ports used by Messenger? These are ports 135, 137, 138, 139. These ports should not be open to the open internet anyway, as they pose a security risk unless they are absolutely necessary for your environment.
0
 
LVL 4

Accepted Solution

by:
Ghost_Hacker earned 500 total points
ID: 8111130
Native firewalling in Windows is not as robust as, say, using ISA or some other "real" firewall (it's really best used as just another layer of protection behind a true firewall). I prefer using IPsec as it is a better solution than the old TCP/IP filtering or the built-in firewall the newer versions of Windows use.


But, yes, you're right, you could just use TCP/IP filtering if you wish, or unbind "Windows networking" from the external interface. (I would recommend that last option as another layer of protection no matter what type of filtering you decide to use.)
0
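An added check, not from the thread or any poster, for verifying the result after either filtering or unbinding Windows networking from the external interface: it parses Windows `netstat -an` output and reports which of the ports named in this question are still bound on the external address. The netstat sample and the addresses 10.0.0.1 (external NIC) and 192.168.0.1 (internal NIC) are constructed for illustration.

```python
import re

# Ports the thread identifies for the external NIC: RPC endpoint mapper (135),
# NetBIOS name/datagram/session (137-139) and SMB (445), per protocol.
MESSENGER_PORTS = {
    "TCP": {135, 139, 445},
    "UDP": {135, 137, 138, 445},
}

# Constructed sample of Windows `netstat -an` output (not captured from the
# poster's server). 10.0.0.1 stands in for the external NIC, 192.168.0.1 for
# the internal one; 0.0.0.0 means the socket is bound on every interface.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    10.0.0.1:3389          0.0.0.0:0              LISTENING
  UDP    10.0.0.1:137           *:*
  UDP    192.168.0.1:137        *:*
  UDP    192.168.0.1:138        *:*
  UDP    0.0.0.0:445            *:*
"""

# proto, local ip, local port, foreign address, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, local_ip, local_port) for listening TCP and bound UDP sockets."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and anything that is not a socket row
        proto, ip, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait rows are not exposure
        yield proto, ip, int(port)


def exposed_messenger_ports(netstat_text, external_ip):
    """Return sorted (proto, port) pairs still reachable on the external address."""
    exposed = set()
    for proto, ip, port in parse_netstat(netstat_text):
        if ip in (external_ip, "0.0.0.0") and port in MESSENGER_PORTS[proto]:
            exposed.add((proto, port))
    return sorted(exposed)


if __name__ == "__main__":
    for proto, port in exposed_messenger_ports(SAMPLE_NETSTAT, "10.0.0.1"):
        print(f"still bound on external NIC: {proto} {port}")
```

On the real server, pipe the output of `netstat -an` into the parser after applying the IPsec or TCP/IP filter and after unbinding; ports bound to 0.0.0.0 remain on the external NIC until a filter blocks them.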
 
LVL 3

Expert Comment

by:Flash828
ID: 8115381
Oh, and I don't think you need to block port 445...
0
 
LVL 4

Expert Comment

by:Ghost_Hacker
ID: 8115995
In Windows 2000 you should block 445 and the more traditional "netbios" ports of 135-139.


More info here:

http://ntsecurity.nu/papers/port445/
0
 
LVL 8

Author Comment

by:ViRoy
ID: 8123185
ghost: thank you much - I can only get into the building with the router on weekends. I will get back to you asap.
0
 

Expert Comment

by:CleanupPing
ID: 9070753
ViRoy:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 8

Author Comment

by:ViRoy
ID: 9109814
Will do.
I was out of state for a few months, sorry.
0