Which publicly pointed services can go?

Posted on 2004-10-29
Medium Priority
Last Modified: 2010-04-11
We are a Windows Server 2003 Standard Edition, Exchange 2003 Enterprise Edition w/ OWA & OMA, SQL 2000, Citrix Metaframe XP FR3 SP3 farm network currently being audited, as all publicly traded companies are, under the Sarbanes-Oxley Act. We have a corporate office and approximately 12-14 national field offices using NetVPN to communicate with the network. We are planning to deploy a front-end Exchange server (in the DMZ) / back-end Exchange server topology. I need to know which publicly pointing services (like HTTPS) can be disabled without screwing everything up?
Question by:mattny
Accepted Solution

tmcguiness earned 2000 total points
ID: 12462072
Exchange and Outlook like to use MAPI, which is a NetBIOS API that uses port 135. This is a good port to keep closed because there is just too much chicanery that can happen there. You will be better off using POP3 or IMAP, which are both supported by Exchange 2003 and Outlook. For POP3 you need to keep tcp port 110 open; for IMAP, you need to keep tcp port 143. If your users are going to be connecting this way, they will also need to specify their SMTP server for outgoing mail, so you will also need tcp port 25. If you're also going to use OWA, you'll need http tcp port 80 or, better yet, https tcp port 443. These ports should take care of you for incoming. You should be able to disable tcp and udp 1023 and below except for those. If you want to open your production network, you will need to change it as well of course, and if you decide you want outside access to the Citrix for instance, it will have to be opened through both filters.

I have not accounted for your VPN because I'm not sure how it is connected and whether you allow those connections to come through to your production network. I believe that VPN is provided by BellSouth and ends at the modem or CSU/DSU, right? If so, I'm thinking that traffic will look like all other traffic when it comes out of the pipe, so it will be difficult to give it privileged access. (I don't have any exposure to it though, so I may be way out in right field.)

Finally, it isn't unusual to leave outgoing (egress) ports 1023 and below open and incoming (ingress) ports over 1023 open. That way your users can get to where they want to go but nobody can get in. It is a good idea, though, to take the time to identify the ports that you actually need open and close the rest. If you only use http, https, ftp, smtp, ntp, etc., only open those ports and close everything else. If somebody hollers and says their application is broken, just apologize and fix it. It's not a real big deal.

I'm not an auditor, but I've taken several IT auditing courses, talked to several auditors, and assisted in auditing and writing audit reports. I have learned one very important thing that I can pass on to you. Almost without exception, especially in the IT field, auditors really, really appreciate your help. They do not want an adversarial relationship. Most of these auditors are not network people and are just going down a checklist. If something doesn't make sense, explain it to them. They will probably be receptive. It may still show up on the audit report, but maybe not, and they are certainly not going to be as harsh. For instance, if the regulation says that user IDs will be locked out after three failed logon attempts and not unlocked until the SA has cleared it, you may instead have it set to unlock after 15 minutes to avoid a denial of service attack by somebody who enumerates the user names and then just goes and guesses passwords until all of the users are locked out. The 15 minutes prevented a brute force password attack, but it also didn't take you a long time to get the users unlocked again. If you explain this to the auditor, they can write this into the report and make it understood that you are thinking and not that you are slack. Makes a big difference. You can have a positive audit result with some failed checks on a list as long as you are doing your job with due diligence.

Good luck and have fun!


And remember to compliment the auditor on the bow-tie.
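The ingress/egress scheme described in the accepted answer (allow only the named mail and OWA ports inbound, deny everything else at 1023 and below, keep egress open) can be written down as an ordered ruleset and checked against sample traffic before it goes on the firewall. The following is an added example, not code from the original post or from any firewall product; the rule and packet structures are constructed for illustration and the sample connection attempts are made up.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule model: first match wins, like most packet filters.
@dataclass(frozen=True)
class Rule:
    direction: str          # "in" (ingress) or "out" (egress)
    proto: Optional[str]    # "tcp", "udp", or None for either
    lo: int                 # destination port range, inclusive
    hi: int
    action: str             # "allow" or "deny"
    note: str = ""

# Ruleset transcribed from the answer's recommendation (an assumption, not a
# vendor config): named services in, the rest of the well-known ports closed.
RULES: List[Rule] = [
    Rule("in", "tcp", 25, 25, "allow", "SMTP inbound mail"),
    Rule("in", "tcp", 80, 80, "allow", "OWA over HTTP"),
    Rule("in", "tcp", 443, 443, "allow", "OWA over HTTPS"),
    Rule("in", "tcp", 110, 110, "allow", "POP3"),
    Rule("in", "tcp", 143, 143, "allow", "IMAP"),
    Rule("in", None, 0, 1023, "deny", "all other well-known ports, incl. 135 (MAPI/RPC)"),
    Rule("in", None, 1024, 65535, "allow", "high ports, per the answer's scheme"),
    Rule("out", None, 0, 65535, "allow", "egress left open for users"),
]

def evaluate(rules: List[Rule], direction: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (action, note) of the first matching rule; default deny if none match."""
    for r in rules:
        if r.direction != direction:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.lo <= port <= r.hi:
            return r.action, r.note
    return "deny", "implicit default deny"

def exposed_low_ports(rules: List[Rule]) -> List[Tuple[str, int]]:
    """Audit evidence: every (proto, port) at 1023 or below that ingress traffic can reach."""
    exposed = []
    for proto in ("tcp", "udp"):
        for port in range(0, 1024):
            if evaluate(rules, "in", proto, port)[0] == "allow":
                exposed.append((proto, port))
    return exposed

# Constructed sample of connection attempts: (description, direction, proto, port)
SAMPLE = [
    ("remote user opens OWA over HTTPS", "in", "tcp", 443),
    ("MAPI/RPC endpoint mapper probe", "in", "tcp", 135),
    ("SMB probe", "in", "tcp", 445),
    ("inbound mail from the internet", "in", "tcp", 25),
    ("DNS query from outside", "in", "udp", 53),
    ("internal user browsing out", "out", "tcp", 80),
]

def audit(rules: List[Rule], sample) -> List[Tuple[str, str]]:
    """Run each sample attempt through the ruleset and report the decision."""
    return [(desc, evaluate(rules, d, p, port)[0]) for desc, d, p, port in sample]

if __name__ == "__main__":
    for desc, action in audit(RULES, SAMPLE):
        print(f"{action:5s}  {desc}")
    print("ingress-reachable ports <= 1023:", exposed_low_ports(RULES))
```

Running `exposed_low_ports` against the ruleset gives exactly the five tcp ports the answer names, which is the list an auditor will want to see next to the business reason for each one.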

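The lockout trade-off in the answer (three failed attempts, then either wait for the SA to clear the account or auto-unlock after 15 minutes) is easy to reason about with a small simulation of both policies against the same sequence of events. This is an added example, not code from the original post or from Windows; the policy class and the event timeline are constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

class LockoutPolicy:
    """Constructed model of an account lockout policy.

    threshold: failed attempts before the account locks.
    auto_unlock_after: None means the account stays locked until an admin clears it.
    """
    def __init__(self, threshold: int = 3, auto_unlock_after: Optional[timedelta] = None):
        self.threshold = threshold
        self.auto_unlock_after = auto_unlock_after
        self.failures: Dict[str, int] = {}
        self.locked_at: Dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        since = self.locked_at.get(user)
        if since is None:
            return False
        if self.auto_unlock_after is not None and now - since >= self.auto_unlock_after:
            # Window expired: clear the lock and the failure count.
            del self.locked_at[user]
            self.failures[user] = 0
            return False
        return True

    def admin_unlock(self, user: str) -> None:
        self.locked_at.pop(user, None)
        self.failures[user] = 0

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Return 'locked', 'ok' or 'bad_password' for one logon attempt."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked_at[user] = now
        return "bad_password"

# Constructed timeline: three wrong guesses against a known username, then the
# real user tries to log on one minute later and again sixteen minutes later.
T0 = datetime(2004, 10, 29, 9, 0, 0)
EVENTS: List[Tuple[timedelta, bool]] = [
    (timedelta(seconds=0), False),
    (timedelta(seconds=1), False),
    (timedelta(seconds=2), False),
    (timedelta(minutes=1), True),    # legitimate user, inside the lockout window
    (timedelta(minutes=16), True),   # legitimate user, after 15 minutes
]

def run(policy: LockoutPolicy, user: str = "alice") -> List[str]:
    return [policy.attempt(user, ok, T0 + offset) for offset, ok in EVENTS]

def compare_policies() -> Dict[str, List[str]]:
    """Same events under 'admin must clear' and 'auto-unlock after 15 min'."""
    return {
        "admin_clear": run(LockoutPolicy(threshold=3, auto_unlock_after=None)),
        "auto_15min": run(LockoutPolicy(threshold=3, auto_unlock_after=timedelta(minutes=15))),
    }

if __name__ == "__main__":
    for name, outcomes in compare_policies().items():
        print(f"{name:12s} {outcomes}")
```

Under both policies the guessing stops at the threshold and the legitimate user is refused a minute later; the difference is only the fifth event, where the 15-minute policy lets the real user back in without a help-desk call while the admin-clear policy keeps the account locked indefinitely. That is the availability argument the answer suggests explaining to the auditor.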
