Which publicly pointed services can go?

Posted on 2004-10-29
Last Modified: 2010-04-11
We are a Windows Server 2003 Standard Edition, Exchange 2003 Enterprise Edition w/ OWA & OMA, SQL 2000, Citrix Metaframe XP FR3 SP3 farm network currently being audited, as all publicly traded companies are, under the Sarbanes-Oxley Act. We have a corporate office and approximately 12-14 national field offices using NetVPN to communicate with the network. We are planning to deploy a front-end Exchange server (in DMZ)/back-end Exchange server topology. I need to know which publicly pointing services (like HTTPS) can be disabled without screwing everything up?
Question by:mattny

    Accepted Solution

    Exchange and Outlook like to use MAPI, which is a NETBios API that uses port 135. This is a good port to keep closed because there is just too much chicanery that can happen there. You will be better off using POP3 or IMAP, which are both supported by Exchange 2003 and Outlook. For POP3 you need to keep tcp port 110 open; for IMAP, you need to keep tcp port 143. If your users are going to be connecting this way, they will also need to specify their SMTP server for outgoing mail, so you will also need tcp port 25. If you're also going to use OWA, you'll need http tcp port 80 or, better yet, https tcp port 443. These ports should take care of you for incoming. You should be able to disable tcp and udp 1023 and below except for those. If you want to open your production network, you will need to change it as well of course, and if you decide you want outside access to the Citrix for instance, it will have to be opened through both filters.

    I have not accounted for your VPN because I'm not sure how it is connected and whether you allow those connections to come through to your production network. I believe that VPN is provided by Bellsouth and ends at the modem or csu/dsu, right? If so, I'm thinking that traffic will look like all other traffic when it comes out of the pipe, so it will be difficult to give it privileged access. (I don't have any exposure to it though, so I may be way out in right field.)

    Finally, it isn't unusual to leave outgoing (egress) ports 1023 and below open and incoming (ingress) ports over 1023 open. That way your users can get to where they want to go but nobody can get in. It is a good idea, though, to take the time to identify the ports that you actually need open and close the rest. If you only use http, https, ftp, smtp, ntp, etc., only open those ports and close everything else. If somebody hollers and says their application is broken, just apologize and fix it. It's not a real big deal.

    I'm not an auditor, but I've taken several IT auditing courses, talked to several auditors, and assisted in auditing and writing audit reports. I have learned one very important thing that I can pass on to you. Almost without exception, especially in the IT field, auditors really, really appreciate your help. They do not want an adversarial relationship. Most of these auditors are not network people and are just going down a checklist. If something doesn't make sense, explain it to them. They will probably be receptive. It may still show up on the audit report, but maybe not, and they are certainly not going to be as harsh. For instance, if the regulation says that user ids will be locked out after three failed logon attempts and not unlocked until the SA has cleared it, you may instead have it set to unlock after 15 minutes to avoid a denial of service attack by somebody who enumerates the user names and then just goes and guesses passwords until all of the users are locked out. The 15 minutes prevented a brute force password attack, but it also didn't take you a long time to get the users unlocked again. If you explain this to the auditor, they can write this into the report and make it understood that you are thinking and not that you are slack. Makes a big difference. You can have a positive audit result with some failed checks on a list as long as you are doing your job with due diligence.

    Good luck and have fun!


    And remember to compliment the auditor on the bow-tie.
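As an added example (not part of the original answer), a small audit script that reads Windows `netstat -an` output from the DMZ front end and checks the bound ports against the inbound allow list the answer gives (TCP 25, 80, 110, 143, 443), flagging anything else at 1023 and below for closure. The netstat sample and its addresses are constructed.

```python
import re

# Inbound (ingress) TCP ports the accepted solution says the DMZ front end must
# keep open: SMTP, HTTP, POP3, IMAP and HTTPS.
INGRESS_ALLOW_TCP = {25, 80, 110, 143, 443}

# Constructed sample of Windows `netstat -an` output (addresses are made up).
# TCP 135 (RPC endpoint mapper, which MAPI relies on) and UDP 161 are included
# so the audit has something to flag.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:443         198.51.100.7:51234     ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# proto, local addr, local port, foreign addr, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listening_ports(netstat_text):
    """Return the set of (proto, port) pairs the host is bound on."""
    bound = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait sockets are not exposed services
        bound.add((proto, int(port)))
    return bound

def audit_front_end(netstat_text):
    """Bucket bound ports: allowed by the answer, privileged (<= 1023) ports
    to close at the firewall, and high ports that still deserve a review."""
    result = {"allowed": [], "close": [], "review": []}
    for proto, port in sorted(listening_ports(netstat_text)):
        if proto == "TCP" and port in INGRESS_ALLOW_TCP:
            result["allowed"].append((proto, port))
        elif port <= 1023:
            result["close"].append((proto, port))
        else:
            result["review"].append((proto, port))
    return result
```

Run `audit_front_end(SAMPLE_NETSTAT)` to get the three buckets; on real output, feed it the text captured from `netstat -an` on the front-end server.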

