Solved

Closing ports & performance

Posted on 2004-04-21
Last Modified: 2013-11-16
I just did a port test on grc.com. Discovered that I had many many ports opened.
However, I am not sure how to close the ports... I am running SBS2003. Also, I do not know whether I will be needing the services.
I intend to install ZoneAlarm, but will it block incoming connections? (am a small-scale web server)
so can someone help:
1) tell me how to close the ports
2) tell me which ports are needed for service relevant to me
3) suggest ways to fortify my security features?
Question by:QLJ
13 Comments
 
LVL 2

Expert Comment

by:beaker67
ID: 10885514
Generally, running ZoneAlarm or any firewall, you can just tell it to close everything - even then, it should always allow you to receive information that you have specifically requested - for example, you will still get a web page if you click on a link. On the other hand, if you wanted to run a web server and closed the ports needed for that, then nobody would be able to get to it, but that only affects information that *you* have not specifically requested. Various ports and services usually only matter if you are running some kind of server - if not, just disable them all.
0
 
LVL 1

Author Comment

by:QLJ
ID: 10886061
hmm... so to get the facts right:
you are saying that I should close the ports using ZoneAlarm? Does the free version provide such a service? I thought it only includes intrusion detection.
how about the fortification part? :)
0
 
LVL 2

Expert Comment

by:beaker67
ID: 10886417
Oops, never mind - it seems that ZoneAlarm (the free version anyway) doesn't let you do this, at least it doesn't let you specify. It does have some options for setting levels of security, and it will block incoming connections, but it won't let you customize it. ZoneAlarm mainly works by allowing or disabling access on a program-by-program basis.
0
 
LVL 1

Author Comment

by:QLJ
ID: 10886455
so what's next on the list of to-dos?
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 120 total points
ID: 10888112
Do NOT install ZoneAlarm on a server! It's designed as a personal firewall. Besides, it probably won't install on a server anyway.
I recommend in the first instance you go into TCP/IP advanced settings and turn off all ports to the outside world bar port 80, and ensure that you're 100% up to date with the latest patches, and subscribe to Windows SUS to ensure that you know when latest patches are available.
If you want to increase this level of protection, you could try publishing your web site with ISA server (isn't it included in SBS 2003??).
Next step is to look at your Internet router, and apply access-lists to ensure that the outside can only see your web server on port 80.
If you do not have your own Internet router, then look at buying a cheap firewall/router/DSL router device, or whatever slots in. This will keep all the rubbish out at the perimeter.
If you want to go further, look at BlackICE or Cisco CSA or some form of HOST-based IDS / IPS for your server, to ensure you're not being attacked.
These are really the basics. More glamorous security solutions are of course available, but at cost.
0
 
LVL 2

Expert Comment

by:benjamin
ID: 10893193
Hi

I administered a SBS for some time and agree totally with Tim, however I would say that running port 80 web services is not the best idea on SBS as all your eggs are in one basket (I have learnt this the hard way). A cheap machine published in a DMZ of ISA would be a lot better and allow you to tie down the access to a bare minimum on the SBS itself. If you are not happy/confident with firewalls then you should consider a 3rd party box, for example Watchguard or similar, as ISA is only as good as the admin who set it up. I found that ISA is easy to get working but a lot harder to tie it down effectively.

Ben
0
 
LVL 1

Author Comment

by:QLJ
ID: 10895697
nope... ISA comes with SBS2003 premium.. mine is standard. :)
0
 

Expert Comment

by:SUKHOI_Flanker
ID: 10900739
Which services do you want to be seen from the external network?
0
 
LVL 1

Author Comment

by:QLJ
ID: 10914647
running http, and intending to run either ftps/https and vpn
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10916707
A small firewall appliance would help you out - eg Netgear, Linksys, Netscreen-5, PIX 501, as long as large throughput will not be required.
Perimeter firewalls have the benefit of shielding your internal servers from all the rubbish out on the Internet, and also ensuring that only relevant ports are open to the outside world.
A router will also accomplish this - most have access-lists / packet filters built in these days.
0
 

Assisted Solution

by:SUKHOI_Flanker
SUKHOI_Flanker earned 40 total points
ID: 10916733
There are 2 ways for closing ports.
You can download a program that shows the open ports in your machine and their process, so if you want to close a port, close its process... search for tcpview www.sysinternals.com

The second way is to filter the ports on a router/firewall. You can follow the policy: "no traffic allowed" and then add your special ports, eg: 80 for http, 443 for https ... you can do that by installing a software firewall, or a physical one; you know it depends on your architecture, your needs and your money ;)
0
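The two approaches in the answer above (see which process owns each open port, then allow only the ports you need) combined in one audit script; this is an added example, not part of the original thread. It parses Windows `netstat -ano` output and reports listeners reachable from the network that are not on an allowlist; the sample output, the PIDs and the allowlist of 80 and 443 are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not from the thread).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2000
  TCP    192.168.0.2:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.0.2:80         203.0.113.5:51000      ESTABLISHED     1234
  TCP    [::]:135               [::]:0                 LISTENING       888
  UDP    0.0.0.0:445            *:*                                    4
"""

# Assumption: only the services named in the thread (http, https) are wanted.
ALLOWED_TCP = frozenset({80, 443})
ALLOWED_UDP = frozenset()


def parse_listeners(text):
    """Return (proto, ip, port, pid) for TCP listeners and bound UDP sockets."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # headers and blank lines
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue  # established/closing connections are not open ports
        host, _, port = f[1].rpartition(":")
        # IPv6 addresses appear as [addr] and may carry a %zone suffix
        ip = ipaddress.ip_address(host.strip("[]").split("%")[0])
        rows.append((f[0], ip, int(port), int(f[-1])))
    return rows


def exposed_not_allowed(text, allowed_tcp=ALLOWED_TCP, allowed_udp=ALLOWED_UDP):
    """Listeners bound to a non-loopback address whose port is not allowed."""
    findings = set()
    for proto, ip, port, pid in parse_listeners(text):
        if ip.is_loopback:
            continue  # only reachable from the machine itself
        if port not in (allowed_tcp if proto == "TCP" else allowed_udp):
            findings.add((proto, port, pid))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, pid in exposed_not_allowed(SAMPLE):
        print(f"{proto} port {port} is open but not allowed (owning PID {pid})")
```

Each reported PID can be matched to a process name in Task Manager or tcpview before deciding whether to stop the service or filter the port at the router.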
 
LVL 1

Author Comment

by:QLJ
ID: 10916761
ok then, you are saying it is safe to do without any fortification. I already have Netgear DF824M router.
But what is defined by a large throughput?
0
 
LVL 2

Assisted Solution

by:benjamin
benjamin earned 40 total points
ID: 10921810
By throughput we are saying the amount of traffic/data that would pass your firewall. If your web site has just a few hits then a few meg through is fine; if however you are hosting a site that has hundreds of hits per hour etc then a basic router with 8 meg through it will become a bottleneck.

If you can raise the budget a dedicated firewall will perform well and you will more than likely get VPN access through it. If not, stick with your Netgear as they normally support VPN passthrough and use the RRAS on SBS to allow a PPTP VPN. L2TP carries a high overhead but again depends how many users you are supporting and what your security requirements are.

Ben
0

Question has a verified solution.