yes 135-139 is open for local outlook traffic for customers (not my recommendation but the company won't change that)
Not everyone gets to play in a whitepaper sandbox. IPSec is a very good tool when you have to be creative. Would I have rather used a different solution? Absolutely! But, it worked.
Quote:
Originally posted here by zENGER
IPSec is a VPN standard, not really a firewall standard or a way to block ports.
It sounds like you have some serious openings that shouldn't be open. Do you have 137-139 open to the internet?
;)
What IPSec will do for you is, while you don't necessarily close the port 135-139, you limit the connections in and out of the box to specific IP ranges on those ports. Outside attacks can no longer exploit that particular AD vulnerability.
anyone know of a way using windows 2003 to deny this guy from trying again.
If you have 135-139 open to the internet, then you're going to have some major issues.
What I would suggest is to use a VPN solution for your remote customers instead of allowing that traffic straight into the network.
If you have your Win2k3 AD up, then use your Group Policy tool to set up an IPSec policy. First, the default should be deny all. Then open only those ports you need to specific IP ranges. Make sure you have a list of the apps (AV, SMTP and such) on your network that need ports open for specific traffic. You can tailor the IPSec policy to special case OUs for those situations where you have exceptions to the general rules.
Quote:
Originally posted here by jbclarkman
anyone know of a way using windows 2003 to deny this guy from trying again.
This won't be quick, and will require some planning and testing.
Hope that helps. ;)
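As an added example (not posted by anyone in this thread), this is the per-host netsh equivalent on Windows Server 2003 of the IPSec policy described above: block 135-139 from any source, then permit them only from an approved range. Windows IPsec applies the most specific matching filter, so the subnet-scoped permit overrides the any-address block. The partner range 192.0.2.0/24, the mask and the rule names are placeholders chosen for the example; the same rules can be built in the Group Policy IPsec snap-in to push domain-wide.

```batch
@echo off
REM Added example, not from the thread. Local IPsec policy for a Windows 2003 host that
REM blocks RPC/NetBIOS ports 135-139 except from an approved customer range.
REM 192.0.2.0/24 is a PLACEHOLDER: substitute the real range. Add your own AD/DC subnets
REM to the permit list as well, or this host's domain traffic on these ports will break.
set POLICY=Restrict-NetBIOS
set PARTNER_NET=192.0.2.0
set PARTNER_MASK=255.255.255.0

REM Policy container, two actions (block/permit) and two filter lists
netsh ipsec static add policy name="%POLICY%" description="Limit 135-139 to approved sources" assign=no
netsh ipsec static add filteraction name="NB-Block" action=block
netsh ipsec static add filteraction name="NB-Permit" action=permit
netsh ipsec static add filterlist name="NB-From-Any"
netsh ipsec static add filterlist name="NB-From-Partners"

REM One filter per protocol/port pair, destined to this host ("me"). Filters are mirrored
REM by default, so the same list also governs the reverse direction.
for %%T in (TCP UDP) do for %%P in (135 137 138 139) do (
  netsh ipsec static add filter filterlist="NB-From-Any" srcaddr=any dstaddr=me protocol=%%T srcport=0 dstport=%%P
  netsh ipsec static add filter filterlist="NB-From-Partners" srcaddr=%PARTNER_NET% srcmask=%PARTNER_MASK% dstaddr=me protocol=%%T srcport=0 dstport=%%P
)

REM Generic block rule plus a more specific permit rule; the specific one wins on a match
netsh ipsec static add rule name="Block-NB" policy="%POLICY%" filterlist="NB-From-Any" filteraction="NB-Block"
netsh ipsec static add rule name="Permit-NB-Partners" policy="%POLICY%" filterlist="NB-From-Partners" filteraction="NB-Permit"

REM Review the result, then assign. Only one IPsec policy can be assigned on a machine.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y
```

Test from a host outside the permitted range (the connection to 139 should fail) and from one inside it before rolling the policy out through Group Policy.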
wait until the hacker connects again and is inside the machine - then pull its net connection trapping him inside!!!
Thanks bash...../coat
Sorry for wagging my finger, and I'm not even sure what your job is at the company, but maybe you should explain to "the company" why having ports 135-139 open on the network is probably a bad idea. Even if you have to have them open, couldn't you at least filter traffic by IP ranges?
Quote:
Originally posted here by jbclarkman
yes 135-139 is open for local outlook traffic for customers (not my recommendation but the company won't change that)
@valhallen - LMFAO! "Quick! Catch him with the ether-net!"
@ miracle - If he is an AD/Microsoft shop (which he has basically said), then dropping traffic on those ports inside the network is pretty much a deal breaker for most of the "usability". Not gonna happen.
jbclarkman, I won't lecture, and as said we don't know your role/position at the company in question, but it's basically professional suicide to allow ANYTHING inside your network in the fashion you've described. You really need to utilize some sort of VPN or Web application service or solution to give your business partners the access they require, without opening yourself to the world.
You *DO* have some solutions at your disposal, if you are a Microsoft shop. Hell, my understanding is the VPN services built into XP/2003 are pretty decent for small scale office use. Don't quote me, but it's cheaper than dropping $12,000 on a Nokia w/ Check Point FW-1 device, or a NetScreen, or something similar. Probably not the best solution, but better than what you've described so far.
To Zencoder:
I suppose I should have clarified that ports 135-139 should not be wide open to being accessed by the OUTSIDE network. Clearly, in a MS/AD network, those ports are necessary internally.
The above quote is from the OP. I still don't understand what "customer connection purposes" means, but several others have already suggested tunneling the traffic, which I would also suggest. If that isn't an option, you could still set up IP ranges that are allowed to connect.
Quote:
just this one box on the inside has an external ip for customer connection purposes.
To jbclarkman:
Clearly you are in over your head on this one. Find someone that can help you clean up the mess before it gets any uglier.