March 12th, 2004, 06:49 PM
Lock down ports without firewall?
Is it possible to lock down all non-essential ports on my network PCs without the overhead of firewall software on each? We are protected by a firewall to the real world; however, I would like to maintain an extra level of security within my local subnets. We use a mix of NT Server 4.0 / Workstation 4.0, XP Pro, Win98SE, one Unix server and one OS/2 workstation.
March 12th, 2004, 08:18 PM
Yes, you can do several things:
1) Close off all local ports on each box if you don't need certain services running. Example: your mail server may never need FTP (21), telnet (23), etc...
2) If you do have services running internally on your network, make sure all config files are set up correctly. In my network, my linux server doesn't run telnet, only ssh, and accepts only trusted hosts based on ssh's configuration. VSFTP is the same way.
This allows a more secure environment as you know what's running on your system, it just takes time to figure out what you need and what you can eliminate. Also, it only applies to the unix server since that's where my knowledge lies. XP/NT can have services shut down as well.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
March 12th, 2004, 11:24 PM
Thanks Vorlin, I like your tagline.
Now, how do I lock those ports? Is there a utility available that will lock them down in ranges, or will I have to do it manually (one port at a time) from within the security settings for TCP/IP on the NT machines? The Unix box will be taken care of by our outside partner. I also have one open telnet port on the OS/2 box to close. I was nearly appalled to find Telnet open rather than ssh on the Unix box, considering the business it resides in. I had previously obtained LanGuard and ran it between me posting and your reply. Amazing how many items it found that could use a little spring tune-up.
March 13th, 2004, 02:07 AM
I'm not quite sure if I understand what you're asking for but try these:
For the XP machines: Using IPSec to Lock Down a Server
Browse around here for NT machines: NTSecurity.com
Also, check out Google for the rest and anything else you're looking for.
Hope this will help at least a bit
March 13th, 2004, 03:13 AM
People tend to get hung up on locking down ports; well, these ports are open because of services running. If you shut off the running services, then the ports will be closed. Learn what services you have running and turn them off if you don't need them.
BlackViper is an excellent resource to help lock down windows 2k/xp machines.
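The advice above is to work out which services own which open ports before shutting anything off. The following PowerShell script is an added example (not from this thread or any poster) that does that inventory: it lists every listening TCP port and bound UDP endpoint, maps each to its owning process and any Windows service hosted in that process, and flags ports that are not on an allow-list. The allow-list values are constructed placeholders, and the script assumes a Windows 8 / Server 2012 or later host with the NetTCPIP module; the NT4/XP machines in the thread lack these cmdlets and would have to use "netstat -ano" output instead.

```powershell
# Added example: audit listening ports and map them to processes and services.
# Assumes Get-NetTCPConnection / Get-NetUDPEndpoint (Windows 8 / 2012 and later).
$AllowedTcp = @(135, 139, 445, 3389)   # constructed allow-list: replace with your own policy
$AllowedUdp = @(137, 138)              # constructed allow-list

# Build a PID -> service-name map; one svchost.exe may host several services.
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    if (-not $svcByPid.ContainsKey($_.ProcessId)) { $svcByPid[$_.ProcessId] = @() }
    $svcByPid[$_.ProcessId] += $_.Name
}

function Get-ListenerReport {
    # Listening TCP sockets and bound UDP sockets, normalised to one shape.
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess }
    }

    foreach ($l in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $l.PID -ErrorAction SilentlyContinue
        $services = if ($svcByPid.ContainsKey($l.PID)) { $svcByPid[$l.PID] -join ',' } else { '' }
        $allowed = if ($l.Proto -eq 'TCP') { $AllowedTcp -contains $l.Port } else { $AllowedUdp -contains $l.Port }

        [pscustomobject]@{
            Proto    = $l.Proto
            Address  = $l.Address
            Port     = $l.Port
            PID      = $l.PID
            Process  = if ($proc) { $proc.ProcessName } else { '?' }
            Services = $services
            # Anything not on the allow-list is a candidate for "stop the service".
            Status   = if ($allowed) { 'allowed' } else { 'REVIEW' }
        }
    }
}

Get-ListenerReport | Sort-Object Proto, Port | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that OwningProcess is populated for every socket. Each REVIEW row names the process and, where the process is a service host, the service(s) to examine; disabling the service (rather than filtering the port) is what actually removes the listener, which is the point the post above makes.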
March 13th, 2004, 04:42 AM
Don't dismiss the idea of a local FW just because of a little overhead. I prefer to see any unwanted or dangerous traffic. But if you must... right click on your network connection icon >> Properties >> TCP/IP Properties >> Advanced >> Options >> TCP/IP Filtering and click Properties.
Once you turn this on it ONLY allows what you specify, so if you don't know what you're doing you can find yourself disconnected from the network.
I've seen some WSH scripts that do this automatically, but you'll have to do a search for that. I forgot where.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
March 13th, 2004, 09:54 PM
You can close open ports.
Or filter ports.
With your policy editor.
If you're the admin of the OS you're currently running, you can filter ports.
I did it; on one of my HDDs I filtered ports on a 2k OS.
Policy editor will be located in the Admin Tools section of your Control Panel.
Or it might be in your programs list.
"If knowledge is power, why doesn't everybody read?"
March 13th, 2004, 10:33 PM
If you're really feeling adventuresome, here's a thread with HTRegz showing how to do it with registry tweaking and myself posting a link to a thread that shows how to use a hex-edit procedure. These were primarily for slamming port 135 closed; however, a lot of the info should apply to all ports. It's not for the faint of heart and I would recommend firewalls and shutting services off, thus closing the ports, but what the heck, you might want to try it on a box anyway.
March 14th, 2004, 12:42 AM
Thanks for all the good info.
I understand about services using ports and that shutting down non-essential services closes those ports. We are protected from the world by a hardware FW. My concern is more toward the inevitable attack from within, launched through malicious code from a visited website or email attachment. My organization will not forbid 'surfing' and several users (including top management) routinely check their personal hotmail, yahoo, and other email accounts. Several users have installed MySearchBar and similar utilities. One 'top level' user has left a personal messenger app running on the taskbar when away from their desk. Mine is not an easy job here.
I have been checking several FW tools and am certain they provide the protection we need, but am also sure they would drive my users nuts to the point they would create a rule to allow what I am trying to prevent.
Case in point: I am using my home network to check out the FW products. KERIOS took no less than 7 clicks to access this thread from the link in an Outlook message so I could post this reply. Then the forum would not load. I had to disable FW to get here.
I think a parallel, and precursor course of action will be to educate all my users about the potential for attacks from seemingly innocent sources.
Luckily I did a cut and paste of this post. Having re-enabled the FW while creating the reply, the FW tried to block when I submitted. Had to disable the FW, revisit the forum from the link, reply, paste, etc. ad nauseam. I can see why my users would try to circumvent the FW. The FW is saying access on 2 different UDP ports. Is this because I am using a broadband connection shared through my other XP machine?
Do no harm and love her if she'll let you.