
Which publicly pointed services can go?

We are a Windows Server 2003 Standard Edition, Exchange 2003 Enterprise Edition w/ OWA & OMA, SQL 2000, Citrix Metaframe XP FR3 SP3 farm network currently being audited, as all publicly traded companies are, under the Sarbanes-Oxley Act.  We have a corporate office and approximately 12-14 national field offices using NetVPN to communicate with the network.  We are planning to deploy a front end Exchange server (in DMZ)/back end Exchange server topology.  I need to know which publicly pointing services (like HTTPS) can be disabled without screwing everything up?
1 Solution
Exchange and Outlook like to use MAPI, which is a NetBIOS API that uses port 135. This is a good port to keep closed because there is just too much chicanery that can happen there.  You will be better off using POP3 or IMAP, which are both supported by Exchange 2003 and Outlook. For POP3 you need to keep tcp port 110 open; for IMAP, you need to keep tcp port 143.  If your users are going to be connecting this way, they will also need to specify their SMTP server for outgoing mail, so you will also need tcp port 25.  If you're also going to use OWA, you'll need http tcp port 80 or, better yet, https tcp port 443. These ports should take care of you for incoming.  You should be able to disable tcp and udp 1023 and below except for those. If you want to open your production network, you will need to change it as well of course, and if you decide you want outside access to the Citrix for instance, it will have to be opened through both filters.

I have not accounted for your VPN because I'm not sure how it is connected and whether you allow those connections to come through to your production network. I believe that VPN is provided by BellSouth and ends at the modem or CSU/DSU, right? If so, I'm thinking that traffic will look like all other traffic when it comes out of the pipe, so it will be difficult to give it privileged access. (I don't have any exposure to it though, so I may be way out in right field.)

Finally, it isn't unusual to leave outgoing (egress) ports 1023 and below open and incoming (ingress) ports over 1023 open. That way your users can get to where they want to go but nobody can get in. It is a good idea, though, to take the time to identify the ports that you actually need open and close the rest. If you only use http, https, ftp, smtp, ntp, etc., only open those ports and close everything else. If somebody hollers and says their application is broken, just apologize and fix it. It's not a real big deal.

I'm not an auditor, but I've taken several IT auditing courses, talked to several auditors, and assisted in auditing and writing audit reports. I have learned one very important thing that I can pass on to you. Almost without exception, especially in the IT field, auditors really, really appreciate your help. They do not want an adversarial relationship. Most of these auditors are not network people and are just going down a checklist. If something doesn't make sense, explain it to them. They will probably be receptive. It may still show up on the audit report, but maybe not, and they are certainly not going to be as harsh. For instance, the regulation may say that user IDs will be locked out after three failed log-on attempts and not unlocked until the SA has cleared it. You may instead have it set to unlock after 15 minutes to avoid a denial of service attack by somebody who enumerates the user names and then just goes and guesses passwords until all of the users are locked out. The 15 minutes prevented a brute force password attack, but it also didn't take you a long time to get the users unlocked again. If you explain this to the auditor, they can write this into the report and make it understood that you are thinking and not that you are slack. Makes a big difference. You can have a positive audit result with some failed checks on a list as long as you are doing your job with due diligence.

Good luck and have fun!


And remember to compliment the auditor on the bow-tie.
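The port policy described in the answer above, written out as a small first-match filter model so it can be checked rather than just read. This is an added example, not code from the original post or from any firewall product; the rule order, the 135 deny, the five inbound service ports and the "1023 and below" / "over 1023" split come from the answer, while the `established` flag is an assumption added here to show how a stateful filter tightens the answer's "incoming ports over 1023 open" rule without breaking return traffic.

```python
"""Toy first-match packet-filter policy modelled on the answer above (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    direction: str      # "in" (from the Internet) or "out" (to the Internet)
    proto: str          # "tcp", "udp" or "any"
    ports: range        # destination ports this rule covers
    action: str         # "allow" or "deny"
    note: str = ""      # why the rule exists, for the audit trail
    stateful: bool = False   # assumed: matches only packets of an already established connection

# Inbound services the answer says must stay reachable from outside.
INBOUND_SERVICES = {25: "smtp", 80: "http (OWA)", 110: "pop3", 143: "imap", 443: "https (OWA)"}

PRIVILEGED = range(0, 1024)      # "1023 and below"
EPHEMERAL = range(1024, 65536)   # "over 1023"

def build_policy() -> List[Rule]:
    """Rules in evaluation order; the first matching rule decides."""
    rules = [Rule("in", "tcp", range(135, 136), "deny", "MAPI / RPC endpoint mapper stays closed")]
    rules += [Rule("in", "tcp", range(p, p + 1), "allow", name) for p, name in INBOUND_SERVICES.items()]
    rules += [
        Rule("in", "any", PRIVILEGED, "deny", "everything else 1023 and below"),
        # The answer leaves ingress over 1023 open so replies to outbound connections get back in.
        # Marking the rule stateful keeps that behaviour for established flows only (assumption).
        Rule("in", "any", EPHEMERAL, "allow", "return traffic for client connections", stateful=True),
        Rule("out", "any", range(0, 65536), "allow", "egress left open, per the answer"),
    ]
    return rules

def evaluate(policy: List[Rule], direction: str, proto: str, port: int,
             established: bool = False) -> Tuple[str, str]:
    """Return (action, note) for one packet; anything unmatched is denied by default."""
    for r in policy:
        if r.direction != direction or r.proto not in ("any", proto) or port not in r.ports:
            continue
        if r.stateful and not established:
            continue
        return r.action, r.note
    return "deny", "implicit default deny"

def open_inbound_privileged(policy: List[Rule]) -> List[int]:
    """Audit helper: which privileged tcp ports still accept new inbound connections."""
    return [p for p in PRIVILEGED if evaluate(policy, "in", "tcp", p)[0] == "allow"]

if __name__ == "__main__":
    policy = build_policy()
    for p in open_inbound_privileged(policy):
        print(f"inbound tcp/{p} open: {evaluate(policy, 'in', 'tcp', p)[1]}")
    print("inbound tcp/135:", evaluate(policy, "in", "tcp", 135))
    print("new inbound tcp/3389:", evaluate(policy, "in", "tcp", 3389))
```

Running the audit helper is the check the answer recommends: it lists exactly the ports you chose to leave open, so anything else that shows up in the list is a rule that needs a reason or needs to go. With the stateful flag a fresh inbound connection to a high port is dropped while a reply to a user's outbound connection still passes, which is the behaviour a modern firewall gives you by default.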
