Which publicly pointed services can go?

We are a Windows Server 2003 Standard Edition, Exchange 2003 Enterprise Edition w/ OWA & OMA, SQL 2000, Citrix Metaframe XP FR3 SP3 farm network currently being audited as all publicly traded companies are, under the Sarbanes-Oxley Act.  We have a corporate office and approximately 12-14 national field offices using NetVPN to communicate with the network.  We are planning to deploy a front end server Exchange(in DMZ)/back end server Exchange Server topology.  I need to know which publicly pointing services (like HTTPs) can be disabled without screwing everything up?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Exchange and Outlook like to use MAPI which is a NETBios API that uses port 135. This is a good port to keep closed because there is just too much chicanary that can happen there.  You will be better off using POP3 or IMAP which are both supported by Exchange 2003 and Outlook. For POP3 you need to keep tcp port 110 open, for IMAP, you need to keep tcp port 143.  If your user are going to be connecting this way, they will also need to specify their SMTP server for outgoing mail so you will also need tcp port 25.  If you're also going to use OWA, you'll need http tcp port 80 or better yet https: tcp port 443. These ports should take care of you for incoming.  You should be able to disable tcp and udp 1023 and below except for those. If you want to open your production network, you will need to change it as well of course and if  you decide you want outside access to the citrix for instance, it will have to be opened through both filters.

I have not accounted for you VPN because I'm not sure how it is connected and whether you allow those connections to come through to your production network. I believe that VPN is provided by Bellsouth and ends at the modem or csu/dsu right? if so... I'm thinking that traffic will look like all other traffic when it comes out of the pipe so it will be difficult to give it privileged access. (I don't have any exposure to it though so I may be way out in right field)

Finally, it isn't unusual to leave outgoing (egress) ports 1023 and below open and incoming (ingress) ports over 1023 open. That way your users can get to where they want to go but nobody can get in. It is a good idea though to take the time to identify the ports that you actually need open and close the rest. If you only use http, https, ftp, smtp, ntp, etc... only open those ports, close everything else. If somebody hollers and says their application is broke, just apologize and fix it. It's not a real big deal.

I'm not an auditor, but I've taken several IT auditing courses, talked to several auditors, and assisted in auditing and writing audit reports. I have learned one very important thing that I can pass on to you. Almost without exception, especially in the IT field, auditors really, really appreciate your help. They do not want an adverserial relationship. Most of these auditors are not network people and are just going down a checklist. If something doesn't make sense, explain it to them. They will probably be receptive. It may still show up on the audit report but maybe not and they are certainly not going to be as harsh. For instance, if the regulation says that user ids will be locked out after three failed log on attempts and not unlocked until the SA has cleared it. You may instead have it set to unlock after 15 minutes to avoid a denial of service attack by somebody who enumerates the user names and then just goes and guesses passwords until all of the users are locked out. The 15 minutes prevented a brut force password attack but it also didn't take you a long time to get the users unlocked again. If you explain this to the auditor, they can write this into the report and make it understood that you are thinking and not that you are slack. Makes a big difference. You can have a positive audit result with some failed checks on a list as long as you are doing your job with due diligence.

Good luck and have fun!


And remember to compliment the auditor on the bow-tie.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.