Penetration Testing mailing list archives
Re: publications concerning port forwarding
From: vtlists () wyae de
Date: Fri, 13 Apr 2007 11:58:34 +0200
Thomas W Shinder writes:
> This is WRONG. If you have a true application layer inspection firewall like the ISA firewall, a single "port" is required.
Leaving lots of trollbait aside: Port-filtering SMTP, POP3, IMAP, HTTP, HTTPS is a no-brainer. Thus we'll leave that as a home exercise for the student. ;-)

The tricky part of port-filtering MSX is to allow the MS-RPC port (tcp/135) and the corresponding "high ports". This can be done

1.) by using a firewall that has a state engine for MS-RPC. This applies to the newer MS-ISAs, CheckPoint and experimental Linux netfilter extensions. Please add if you know more.

2.) by allowing tcp/1024-65535 in both directions. This is not really recommended as that "hole" is a quite big

3.) by allowing a few selected high ports. MSX can be limited to which port range to use. That requires a few registry settings:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
  Name: TCP/IP port        Value: REG_DWORD (the port number > 1023)
  Name: TCP/IP NSPI port   Value: REG_DWORD (the port number > 1023)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
  Name: TCP/IP port        Value: REG_DWORD (the port number > 1023)

You may also need to add

* UDP/TCP 53 (DNS)
* UDP/TCP 88 (Kerberos authentication)
* UDP/TCP 389 (LDAP Access)
* TCP 445 (Microsoft Directory Service)
* TCP 3268 (LDAP to global catalog servers)

This is for generic access. For newer MSX installations you can try to use Microsoft's RPC-over-HTTP proxy instead - which obviously needs HTTP(S), i.e. tcp/80 (443).
Bye Volker
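Option 3.) above, worked through as an added PowerShell example (not code from the original post or from the list): it writes the three REG_DWORD values under the two registry keys named in the post, checks that the chosen ports are above 1023 and distinct, and prints the resulting firewall allow-list (tcp/135 plus the pinned ports plus the AD/DNS ports listed above). The port numbers are constructed placeholders; the registry paths and value names are the ones from the post. It assumes an elevated prompt on the Exchange server and that the Exchange services are restarted afterwards for the new values to be picked up.

```powershell
# Added example (not from the original post): pin the Exchange RPC endpoints
# to fixed high ports so the firewall can allow only those instead of
# tcp/1024-65535. Port numbers below are constructed placeholders; pick your own.
# Assumes an elevated prompt on the Exchange server and a service restart afterwards.

param(
    [int]$SaPort   = 55001,   # MSExchangeSA "TCP/IP port"      (constructed)
    [int]$NspiPort = 55002,   # MSExchangeSA "TCP/IP NSPI port" (constructed)
    [int]$IsPort   = 55003,   # MSExchangeIS "TCP/IP port"      (constructed)
    [switch]$WhatIf
)

# Static port settings from the post: registry key, value name, port.
$settings = @(
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\MSExchangeSA\Parameters';       Name = 'TCP/IP port';      Port = $SaPort   },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\MSExchangeSA\Parameters';       Name = 'TCP/IP NSPI port'; Port = $NspiPort },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'; Name = 'TCP/IP port';      Port = $IsPort   }
)

# Sanity checks: each port must be > 1023 (the post's requirement) and within
# the valid range, must not be the endpoint mapper itself, and the three must differ.
$ports = @($settings | ForEach-Object { $_.Port })
foreach ($p in $ports) {
    if ($p -le 1023 -or $p -gt 65535) { throw "Port $p is outside 1024-65535" }
    if ($p -eq 135) { throw "Port 135 is the MS-RPC endpoint mapper, not a usable high port" }
}
if (@($ports | Sort-Object -Unique).Count -ne $ports.Count) {
    throw "The static ports must be distinct"
}

foreach ($s in $settings) {
    if (-not (Test-Path $s.Key)) {
        # A missing key usually means this Exchange service is not installed here.
        Write-Warning "Registry key not found: $($s.Key)"
        continue
    }
    if ($WhatIf) {
        Write-Host "Would set $($s.Key) [$($s.Name)] = $($s.Port) (REG_DWORD)"
    } else {
        # -Force creates the value or overwrites an existing one as REG_DWORD.
        New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord -Value $s.Port -Force | Out-Null
        $current = (Get-ItemProperty -Path $s.Key -Name $s.Name).($s.Name)
        Write-Host "$($s.Name) in $($s.Key) is now $current"
    }
}

# Hand the firewall admin the allow-list this buys: endpoint mapper, the three
# pinned ports, and the AD/DNS ports from the post instead of tcp/1024-65535.
$allow = @('tcp/135 (MS-RPC endpoint mapper)') +
         @($ports | ForEach-Object { "tcp/$_ (pinned Exchange RPC endpoint)" }) +
         @('udp+tcp/53 (DNS)', 'udp+tcp/88 (Kerberos)', 'udp+tcp/389 (LDAP)',
           'tcp/445 (Microsoft Directory Service)', 'tcp/3268 (LDAP to global catalog)')
Write-Host "`nFirewall allow-list (client -> Exchange server):"
$allow | ForEach-Object { Write-Host "  $_" }
```

Run it first with -WhatIf to see which keys exist and what would be written; the printed allow-list is what replaces the 1024-65535 range in the firewall rule set once the services have been restarted with the pinned ports.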