Solved

Closing ports & performance

Posted on 2004-04-21
Last Modified: 2013-11-16
I just did a port test on grc.com and discovered that I had many, many ports open.
However, I am not sure how to close the ports... I am running SBS2003. Also, I do not know whether I will be needing the services.
I intend to install ZoneAlarm, but will it block incoming connections? (I am running a small-scale web server)
So can someone help:
1) tell me how to close the ports
2) tell me which ports are needed for the services relevant to me
3) suggest ways to fortify my security features?
Question by:QLJ
13 Comments
 
LVL 2

Expert Comment

by:beaker67
ID: 10885514
Generally, running ZoneAlarm or any firewall, you can just tell it to close everything - even then, it should always allow you to receive information that you have specifically requested - for example, you will still get a web page if you click on a link. On the other hand, if you wanted to run a web server and closed the ports needed for that, then nobody would be able to get to it, but that only affects information that *you* have not specifically requested. Various ports and services usually only matter if you are running some kind of server - if not, just disable them all.
 
LVL 1

Author Comment

by:QLJ
ID: 10886061
Hmm... so to get the facts right:
You are saying that I should close the ports using ZoneAlarm? Does the free version provide such a service? I thought it only included intrusion detection.
How about the fortification part? :)
 
LVL 2

Expert Comment

by:beaker67
ID: 10886417
Oops, never mind - it seems that ZoneAlarm (the free version anyway) doesn't let you do this, at least it doesn't let you specify. It does have some options for setting levels of security, and it will block incoming connections, but it won't let you customize it. ZoneAlarm mainly works by allowing or disabling access on a program-by-program basis.
 
LVL 1

Author Comment

by:QLJ
ID: 10886455
So what's next on the list of to-dos?
 
LVL 23

Accepted Solution

by:
Tim Holman earned 120 total points
ID: 10888112
Do NOT install ZoneAlarm on a server !  It's designed as a personal firewall.  Besides, it probably won't install on a server anyway.
I recommend in the first instance you go into TCP/IP advanced settings and turn off all ports to the outside world bar port 80, and ensure that you're 100% up to date with the latest patches, and subscribe to Windows SUS to ensure that you know when latest patches are available.
If you want to increase this level of protection, you could try publishing your web site with ISA server (isn't it included in SBS 2003??).
Next step is to look at your Internet router, and apply access-lists to ensure that the outside can only see your web server on port 80.
If you do not have your own Internet router, then look at buying a cheap firewall/router/ DSL router device, or whatever slots in.  This will keep all the rubbish out at the perimeter.
If you want to go further, look at BlackICE or Cisco CSA or some form of HOST-based IDS / IPS for your server, to ensure you're not being attacked.
These are really the basics.  More glamorous security solutions are of course available, but at cost.
 
LVL 2

Expert Comment

by:benjamin
ID: 10893193
Hi

I administered an SBS for some time and agree totally with Tim, however I would say that running port 80 web services is not the best idea on SBS, as all your eggs are in one basket (I have learnt this the hard way). A cheap machine published in a DMZ of ISA would be a lot better and would allow you to tie down the access to a bare minimum on the SBS itself. If you are not happy/confident with firewalls then you should consider a 3rd-party box, for example Watchguard or similar, as ISA is only as good as the admin who set it up. I found that ISA is easy to get working but a lot harder to tie down effectively.

Ben
 
LVL 1

Author Comment

by:QLJ
ID: 10895697
nope... ISA comes with SBS2003 premium.. mine is standard. :)
 

Expert Comment

by:SUKHOI_Flanker
ID: 10900739
Which services do you want to be visible from the external network?
 
LVL 1

Author Comment

by:QLJ
ID: 10914647
Running HTTP, and intending to run either FTPS or HTTPS, and VPN.
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10916707
A small firewall appliance would help you out - e.g. Netgear, Linksys, Netscreen-5, PIX 501, as long as large throughput will not be required.
Perimeter firewalls have the benefit of shielding your internal servers from all the rubbish out on the Internet, and also ensuring that only relevant ports are open to the outside world.
A router will also accomplish this - most have access-lists / packet filters built in these days.
 

Assisted Solution

by:SUKHOI_Flanker
SUKHOI_Flanker earned 40 total points
ID: 10916733
There are two ways of closing ports.
You can download a program that shows the open ports on your machine and their processes, so if you want to close a port, close its process... search for TcpView at www.sysinternals.com

The second way is to filter the ports on a router/firewall. You can follow the policy "no traffic allowed" and then add your special ports, e.g. 80 for HTTP, 443 for HTTPS... You can do that by installing a software firewall or a physical one; it depends on your architecture, your needs and your money ;)
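The two approaches above (map each listening port to its process, as TcpView does, then apply a "nothing allowed except what you need" policy at the host or perimeter, as Tim's comments also recommend) can be checked with a small audit script. This is an added example, not code from the thread or from Sysinternals: it parses the output of `netstat -ano` on a Windows host, looks each PID up in a `tasklist`-style mapping, and reports every non-loopback listener that is not on an allow-list. The allow-list (TCP 80, 443, 990 for implicit FTPS, 1723 for PPTP) is an assumption based on what the poster said they intend to run; the `netstat` and `tasklist` samples are constructed; the generated `netsh firewall` commands assume Windows Firewall, which only exists on Server 2003 SP1 or later, and should be checked against `netsh firewall add portopening /?` before use.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of `netstat -ano` output (not captured from the poster's server).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1884
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       732
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING       1448
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1052
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       552
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:80        203.0.113.7:51234      ESTABLISHED     1884
  UDP    0.0.0.0:500            *:*                                    616
"""

# Constructed PID -> image name mapping, as `tasklist` or TcpView would show it.
SAMPLE_TASKLIST: Dict[int, str] = {
    4: "System", 552: "lsass.exe", 616: "lsass.exe", 732: "svchost.exe",
    1052: "svchost.exe", 1448: "svchost.exe", 1884: "inetinfo.exe",
}

# Assumed allow-list: HTTP, HTTPS, implicit FTPS and PPTP (PPTP also needs GRE, protocol 47,
# which is not a port and must be permitted separately on the router).
INTERNET_ALLOW: Set[Tuple[str, int]] = {("TCP", 80), ("TCP", 443), ("TCP", 990), ("TCP", 1723)}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    pid: int
    image: str


# proto, local address, foreign address, optional state (UDP rows have none), PID
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Return sockets that accept inbound traffic: TCP rows in LISTENING state and every bound UDP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue  # header, blank line or something we do not understand
        proto, local, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not exposure
        host, _, port = local.rpartition(":")  # rpartition copes with [::]:80 as well as 0.0.0.0:80
        listeners.append(Listener(proto, host.strip("[]"), int(port), int(pid)))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def audit(listeners: Iterable[Listener], allow: Set[Tuple[str, int]],
          tasklist: Dict[int, str]) -> List[Finding]:
    """Every non-loopback listener that is not on the allow-list, with the owning image name."""
    findings = [
        Finding(l.proto, l.port, l.pid, tasklist.get(l.pid, "<unknown>"))
        for l in listeners
        if not is_loopback(l.addr) and (l.proto, l.port) not in allow
    ]
    return sorted(findings, key=lambda f: (f.proto, f.port))


def netsh_commands(allow: Set[Tuple[str, int]]) -> List[str]:
    """Default-deny host firewall with only the allow-list opened (assumed Server 2003 SP1 syntax)."""
    cmds = ["netsh firewall set opmode mode=ENABLE exceptions=ENABLE"]
    for proto, port in sorted(allow):
        cmds.append(f"netsh firewall add portopening protocol={proto} port={port} "
                    f"name={proto}_{port} mode=ENABLE scope=ALL")
    return cmds


if __name__ == "__main__":
    for f in audit(parse_listeners(SAMPLE_NETSTAT), INTERNET_ALLOW, SAMPLE_TASKLIST):
        print(f"EXPOSED {f.proto}/{f.port:<5} pid={f.pid:<5} {f.image}")
    print("\n".join(netsh_commands(INTERNET_ALLOW)))
```

Running it on the sample flags TCP 135, 139, 445 and 3389 plus UDP 500, while the loopback-only port 1025 is ignored. Note the caveat for "close its process": on SBS most of those listeners belong to `System` or `svchost.exe` (RPC, SMB, Terminal Services), which the domain needs on the LAN and which you cannot simply kill, so the practical fix is the second approach: block them at the router or host firewall and expose only the allow-list to the Internet.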
 
LVL 1

Author Comment

by:QLJ
ID: 10916761
OK then, you are saying it is safe to do without any fortification. I already have a Netgear DF824M router.
But what is defined as a large throughput?
 
LVL 2

Assisted Solution

by:benjamin
benjamin earned 40 total points
ID: 10921810
By throughput we mean the amount of traffic/data that would pass through your firewall. If your web site has just a few hits then a few meg through is fine; if however you are hosting a site that has hundreds of hits per hour etc., then a basic router with 8 meg through it will become a bottleneck.

If you can raise the budget, a dedicated firewall will perform well and you will more than likely get VPN access through it. If not, stick with your Netgear, as they normally support VPN passthrough, and use RRAS on SBS to allow a PPTP VPN. L2TP carries a higher overhead, but again it depends on how many users you are supporting and what your security requirements are.

Ben