Which services or ports need to be opened to allow NT authentication

Posted on 2004-11-12
Last Modified: 2010-04-09
I'm setting up a CheckPoint firewall (NG version) and have created a rule to allow incoming traffic to a SQL Server.
I've created and authorized a User Defined Service to match the SQL Server used query port.
The connection to the SQL Server works fine but I'd like to allow trusted connections (accepted by my SQL Server).
I'm wondering what are the ports or inbound CheckPoint services to authorize so that trusted connections work.
I've successfully tested trusted connections (authorized ANY to test).
The server that will trust the connection is NT4 not W2K and should not use Kerberos auth (as far as I know).
Question by:fho
    LVL 3

    Accepted Solution

    If it's not AD related then you should be able to do this with 139 but I've read some stuff around 137 and 138 too. I suggest that you open these all up on TCP and UDP and monitor the traffic you get when you get a trusted connection. Then shut down the others.


    Opening up 139 on an NT/2000 box (without configuring it specially) will enable anonymous (unauthenticated) clients to scan your machine for shares and user/group names etc. It really should be avoided if at all possible. Even if you turn off anonymous access with the group policy (or straight registry changes) then they'll still be able to attempt to brute force access to the c$ share. If you really must do this then rename all the built-in accounts (Administrator etc) so that brute forcing requires guessing the username as well as the password.
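
The test described in the accepted solution (open 137, 138 and 139 on TCP and UDP, watch what a trusted connection actually uses, then close the rest) can be scripted against an exported firewall log. This is an added example, not part of the original thread; the CSV layout, IP addresses and function name are constructed for illustration and are not Check Point's log format.

```python
import csv
import io
from collections import Counter

# Candidate ports from the answer, opened on both TCP and UDP for the test.
CANDIDATES = {(proto, port) for proto in ("tcp", "udp") for port in (137, 138, 139)}

# Constructed sample log in a hypothetical CSV layout (not a real export format).
# Columns: time, action, proto, src, dst, dst_port
SAMPLE_LOG = """\
10:01:02,accept,tcp,192.0.2.10,10.0.0.5,1433
10:01:02,accept,udp,192.0.2.10,10.0.0.5,137
10:01:03,accept,tcp,192.0.2.10,10.0.0.5,139
10:01:03,accept,tcp,192.0.2.10,10.0.0.5,139
10:01:09,accept,tcp,198.51.100.7,10.0.0.5,139
10:01:11,drop,tcp,192.0.2.10,10.0.0.5,445
10:01:12,accept,udp,192.0.2.10,10.0.0.9,138
garbage line
"""

def review_test_window(log_text, server, client):
    """Return (used, unused, other_sources) for the candidate ports on `server`."""
    used = Counter()          # (proto, port) -> accepted hits from the test client
    other_sources = set()     # anyone else who reached a candidate port meanwhile
    for row in csv.reader(io.StringIO(log_text)):
        row = [field.strip() for field in row]
        if len(row) != 6 or not row[5].isdigit():
            continue          # skip malformed lines
        _, action, proto, src, dst, port = row
        key = (proto.lower(), int(port))
        if action != "accept" or dst != server or key not in CANDIDATES:
            continue
        if src == client:
            used[key] += 1
        else:
            other_sources.add(src)
    # Candidates the trusted connection never touched are the ones to close again.
    return used, sorted(CANDIDATES - set(used)), sorted(other_sources)

if __name__ == "__main__":
    used, unused, others = review_test_window(SAMPLE_LOG, "10.0.0.5", "192.0.2.10")
    for (proto, port), hits in sorted(used.items()):
        print(f"keep  {proto}/{port}  ({hits} accepted)")
    for proto, port in unused:
        print(f"close {proto}/{port}  (no traffic from test client)")
    for src in others:
        print(f"check {src}  (reached a NetBIOS port during the test window)")
```

Restricting the final rule to the known client addresses, rather than ANY, keeps the scanning exposure described above limited to hosts that need the trusted connection.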

    LVL 1

    Author Comment

    Thanks, I'll do a test.
    I was wondering if there wasn't a kind of CheckPoint built-in service that would be more secure, but it seems that it only exists for W2K (i.e. Kerberos).
