Solved

Closing ports & performance

Posted on 2004-04-21
Last Modified: 2013-11-16
I just did a port test on grc.com. Discovered that I had many, many ports opened.
However, I am not sure how to close the ports... I am running SBS2003. Also, I do not know whether I will be needing the services.
I intend to install ZoneAlarm, but will it block incoming connections? (am a small-scale web server)
So can someone help:
1) tell me how to close the ports
2) tell me which ports are needed for services relevant to me
3) suggest ways to fortify my security features?
0
Question by:QLJ
13 Comments
 
LVL 2

Expert Comment

by:beaker67
ID: 10885514
Generally, running ZoneAlarm or any firewall, you can just tell it to close everything - even then, it should always allow you to receive information that you have specifically requested - for example, you will still get a web page if you click on a link. On the other hand, if you wanted to run a web server and closed the ports needed for that, then nobody would be able to get to it, but that only affects information that *you* have not specifically requested. Various ports and services usually only matter if you are running some kind of server - if not, just disable them all.
0
 
LVL 1

Author Comment

by:QLJ
ID: 10886061
hmm... so to get the facts right:
you are saying that I should close the ports using ZoneAlarm? Does the free version provide such a service? I thought it only includes intrusion detection.
how about the fortification part? :)
0
 
LVL 2

Expert Comment

by:beaker67
ID: 10886417
Oops, never mind - it seems that ZoneAlarm (the free version anyway) doesn't let you do this, at least it doesn't let you specify. It does have some options for setting levels of security, and it will block incoming connections, but it won't let you customize it. ZoneAlarm mainly works by allowing or disabling access on a program-by-program basis.
0
 
LVL 1

Author Comment

by:QLJ
ID: 10886455
so what's next on the list of to-dos?
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 120 total points
ID: 10888112
Do NOT install ZoneAlarm on a server! It's designed as a personal firewall. Besides, it probably won't install on a server anyway.
I recommend in the first instance you go into TCP/IP advanced settings and turn off all ports to the outside world bar port 80, and ensure that you're 100% up to date with the latest patches, and subscribe to Windows SUS to ensure that you know when latest patches are available.
If you want to increase this level of protection, you could try publishing your web site with ISA server (isn't it included in SBS 2003??).
Next step is to look at your Internet router, and apply access-lists to ensure that the outside can only see your web server on port 80.
If you do not have your own Internet router, then look at buying a cheap firewall/router/DSL router device, or whatever slots in. This will keep all the rubbish out at the perimeter.
If you want to go further, look at BlackICE or Cisco CSA or some form of HOST-based IDS / IPS for your server, to ensure you're not being attacked.
These are really the basics. More glamorous security solutions are of course available, but at cost.
0
 
LVL 2

Expert Comment

by:benjamin
ID: 10893193
Hi

I administered a SBS for some time and agree totally with Tim; however, I would say that running port 80 web services is not the best idea on SBS, as all your eggs are in one basket (I have learnt this the hard way). A cheap machine published in a DMZ of ISA would be a lot better and allow you to tie down the access to a bare minimum on the SBS itself. If you are not happy/confident with firewalls then you should consider a 3rd party box, for example Watchguard or similar, as ISA is only as good as the admin who set it up. I found that ISA is easy to get working but a lot harder to tie it down effectively.

Ben
0
 
LVL 1

Author Comment

by:QLJ
ID: 10895697
nope... ISA comes with SBS2003 premium.. mine is standard. :)
0
 

Expert Comment

by:SUKHOI_Flanker
ID: 10900739
Which services do you want to be seen from the external network?
0
 
LVL 1

Author Comment

by:QLJ
ID: 10914647
running http, and intending to run either ftps/https and vpn
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10916707
A small firewall appliance would help you out - eg Netgear, Linksys, Netscreen-5, PIX 501, as long as large throughput will not be required.
Perimeter firewalls have the benefit of shielding your internal servers from all the rubbish out on the Internet, and also ensuring that only relevant ports are open to the outside world.
A router will also accomplish this - most have access-lists / packet filters built in these days.
0
 

Assisted Solution

by:SUKHOI_Flanker
SUKHOI_Flanker earned 40 total points
ID: 10916733
There are 2 ways of closing ports.
You can download a program that shows the open ports on your machine and their processes, so if you want to close a port, close its process... search for tcpview at www.sysinternals.com

The second way is to filter the ports on a router/firewall. You can follow the policy "no traffic allowed" and then add your special ports, e.g. 80 for http, 443 for https... You can do that by installing a software firewall or a physical one; you know, it depends on your architecture, your needs and your money ;)
0
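Added example (not part of the original thread): the two approaches in the answer above combined, listing listening ports with their owning process ID and checking them against a "no traffic allowed" allowlist. The `netstat -ano` sample output is constructed, and the allowlist of TCP 80 and 443 is an assumption based on the services named in the thread.

```python
# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1420
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1420
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2012
  TCP    192.168.0.10:3389      0.0.0.0:0              LISTENING       996
  TCP    192.168.0.10:80        203.0.113.7:51012      ESTABLISHED     1420
  UDP    0.0.0.0:1434           *:*                                    2012
"""

# Assumption: only HTTP and HTTPS should be reachable; extend for a VPN etc.
ALLOWED = {("TCP", 80), ("TCP", 443)}
LOOPBACK = ("127.", "[::1]")  # listeners bound here are not reachable remotely

def parse_listeners(text):
    """Return (proto, address, port, pid) for TCP LISTENING and bound UDP sockets."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local, pid = f[0], f[1], f[-1]
        if proto == "TCP" and f[3] != "LISTENING":
            continue  # established or closing connections are not open ports
        addr, _, port = local.rpartition(":")  # also handles "[::]:80"
        if port.isdigit() and pid.isdigit():
            rows.append((proto, addr, int(port), int(pid)))
    return rows

def audit(text, allowed=ALLOWED):
    """Default deny: report every network-reachable listener not in the allowlist."""
    findings = set()
    for proto, addr, port, pid in parse_listeners(text):
        if not addr.startswith(LOOPBACK) and (proto, port) not in allowed:
            findings.add((proto, port, pid))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, pid in audit(SAMPLE_NETSTAT):
        print(f"{proto}/{port} is listening (PID {pid}) but is not allowlisted")
```

On a live server, pass the function the text of `netstat -ano` and look up each reported PID in Task Manager or TCPView before deciding whether to stop the service or filter the port at the router.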
 
LVL 1

Author Comment

by:QLJ
ID: 10916761
ok then, you are saying it is safe to do without any fortification. I already have Netgear DF824M router.
But what is defined by a large throughput?
0
 
LVL 2

Assisted Solution

by:benjamin
benjamin earned 40 total points
ID: 10921810
By throughput we are saying the amount of traffic/data that would pass your firewall. If your web site has just a few hits then a few meg through is fine; if, however, you are hosting a site that has hundreds of hits per hour etc., then a basic router with 8 meg through it will become a bottleneck.

If you can raise the budget, a dedicated firewall will perform well and you will more than likely get VPN access through it. If not, stick with your Netgear, as they normally support VPN passthrough, and use the RRAS on SBS to allow a PPTP VPN. L2TP carries a high overhead, but again it depends how many users you are supporting and what your security requirements are.

Ben
0
