 
From: James Carter (jcarterGENUITY.NET)
Date: Thu Apr 05 2001 - 13:32:31 CDT


    -----BEGIN PGP SIGNED MESSAGE-----

    Raphael,

            Yes, I apologize I forgot to say '#' or comment out the particular
    ports and services. As a rule I generally disable ALL services that I
    have no intent on using, then any other ports/services that I see open
    (i.e., that open behind the scenes) I will comment out with '#'.

    Well the popular way to do this sort of thing in the win32
    world......hmmmmmmm

    http://www.symantec.com/product/home-is.html

    http://www.pgp.com/products/dtop-security/default.asp

    http://www.zonelabs.com/

    http://www.tinysoftware.com/pwall.php

    http://www.pandasoftware.com

    www.mcafee.com (doesn't seem to want to pull up right now)

    My personal favorite is PGP, because of the functionality of the
    entire suite. I also like TinySoftware's firewall. These are easier
    for users to set up and configure and some work quite well. Plus they
    are a bit more forgiving to the novice user as well.

    Give it a shot, play with it.......lock down more than you need (on a
    test box) see things fail......open up what is 'necessary'.

    Cheers.

    - -----Original Message-----
    From: Focus on Microsoft Mailing List
    [mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of Raphael PAILLARD
    Sent: Wednesday, April 04, 2001 9:41 AM
    To: FOCUS-MSSECURITYFOCUS.COM
    Subject: Re: Windows 2000 Server Questions

    Hi,

    When you say edit "C:\WINNT\system32\drivers\etc\-anyfiles", for
    example "services", does it mean that it is possible to lock down a
    port with a simple "#" at the start of the line?

    If it's true, it's a very good way to secure an NT box! It's also not
    a popular way in NT's world.

    Regards,

    Raphaël
    - ----- Original Message -----
    From: "James Carter" <jcarterGENUITY.NET>
    To: <FOCUS-MSSECURITYFOCUS.COM>
    Sent: Wednesday, April 04, 2001 1:53 AM
    Subject: Re: Windows 2000 Server Questions

    > -----BEGIN PGP SIGNED MESSAGE-----
    >
    > This is a bit of help.
    >
    > http://windowsupdate.microsoft.com/?IE
    >
    > This site will give you most of the updates you need and keep the
    > reboots to a minimum. However the security patches are another
    > story. Microsoft is a little slow on applying them to the
    > windowsupdate site.
    >
    > IE 5.5 Sp1 is recommended, and go to this site for regularly
    > updated patches as well as info.
    >
    > http://www.microsoft.com/technet/security/default.asp
    >
    > Particular note on the MIME vulnerability, and the necessity of
    > having the right version of IE installed. When you download the
    > patch it has 2 IE versions that you can select from, IE 5.01 SP1 and
    > IE 5.5 SP1; the latter of the 2 I recommend. It should be painfully
    > obvious that this means these are the versions you should be
    > running, but since I have seen countless e-mails and bulletins
    > flaming Microsoft for their patch not working, I thought it best to
    > bring it up.
    >
    > Also.....to manually lock down ports on the box please do this:
    >
    > Double click 'My Computer', click 'Tools', click 'Folder Options',
    > click the 'View' tab, enable display compressed files and folders
    > with alternate colors, display full path in address bar, display
    > full path in title bar, enable show hidden files and folders,
    > disable hide file extensions for known file types, disable hide
    > protected operating system files (you're gonna need this and can
    > disable it when finished, which is recommended especially if you
    > will have others messing with stuff). Leave everything else like it
    > is and click 'APPLY' then click 'LIKE CURRENT FOLDER'. This will
    > then propagate the same view to any location you open up via a
    > double click on My Computer and browsing down the file tree.
    >
    >
    > Now, for the meat of it. Browse down the file tree to:
    > C:\WINNT\system32\drivers\etc (this was copied and pasted because
    > of the ease of use brought upon by enabling some of the
    > aforementioned features). Here you will see files you will want to
    > modify to lock down the server at the port level. Most
    > specifically, 'protocol' and 'networks'; these will open up simply
    > enough with 'notepad.exe'.
    >
    > This should help somewhat, good luck.
    >
    > - -----Original Message-----
    > From: Focus on Microsoft Mailing List
    > [mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of Kyle Buehler
    > Sent: Monday, April 02, 2001 11:09 AM
    > To: FOCUS-MSSECURITYFOCUS.COM
    > Subject: Windows 2000 Server Questions
    >
    >
    > So here's the situation. I'm the "New IT Guy". There have been 3
    > before me, and I'm working on a Windows 2000 Server that has been
    > set up via a tag team of consultants. I'm not a Microsoftie by
    > nature, but I deal with it here and there and in Advanced Windows
    > 2000 at school. *joke* Nonetheless, I'm getting into it. Anyway,
    > here are some problems that are confusing me at the current moment ...
    >
    > 1. I did a security audit against the server using Nessus and it
    > came back with ports 34555/udp, 27444/udp, 18753/udp, and 10498/tcp
    > possibly running Trin00, Trin00, Shaft, and mstream respectively. I
    > ran a few nmap scans against it and did not find the ports open.
    > netstat -an didn't yield any info either. I thought at first it was
    > just catching normal traffic, but multiple scans have come out the
    > same. Any idea what this could be? McAfee is up to date and running
    > full scans once a night, and research shows that it should catch
    > all the possible trojans.
    >
    > 2. Ports 6666 and 6667 are open also, but yield no warnings from
    > Nessus. I know we are not running an IRC server, so is there any 2k
    > service that claims those ports? Again, netstat didn't show anything
    > useful.
    >
    > In my scan I found that only SP1 had been applied and the server
    > was in desperate need of netbios-ssn hotfixes, since I'm not quite
    > sure whether I have a cracker on my tail or not. I downloaded the
    > required patches and applied them individually.
    >
    > 3. Is there a way to apply the patches without having to reboot
    > every time? This is a server that takes 5-10 minutes for a full
    > cycle. Once I applied the patches I ran my scans again and the
    > "problem" hadn't been fixed. Am I doing something wrong just
    > running them?
    >
    > 4. Nessus found /_vti_bin/_vti_aut/dvwssr.dll ... I read up on
    > this, except I can't find it in the directory shown, and that file
    > doesn't come up by name in a find. Does it have another alias or
    > counterpart?
    >
    > 5. The server is running Exchange, and it allows open relaying
    > which I am kind of concerned about. Currently the consultant is the
    > one working the Exchange Setup (I plan to remedy that eventually),
    > but where can I get some info on configuring something like that?
    > Just looking at the Server Manager really looks like he got it
    > working, and didn't go any farther than that.
    >
    > Any help would be appreciated.
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGPfreeware 7.0.3 for non-commercial use
    > <http://www.pgp.com>
    >
    > iQEVAwUBOspie1Dumg0FbJxvAQFOAAf+NGGHaNM1EtOBitIYTCjQxwZP1Y2a6ZKC
    > 6OafAvyR+EG+Uk+45eHgsBM5RCfmFfwLUDOy/jFTKPO1Tuqfh467RuLOilzB9SRe
    > sVaf5TL3JRRjsZIGX/Tws0Cc1/RVE9gIZt1aEwN/thXSfbt89fZgVX4cHHeHIKT4
    > gMBf5O45YSW0Ms5u1LloImIhLcyhGq5ejNi+u1z7XmGdnXuNvK1dy11qoRhoAQE1
    > g0dAwMId5deNXjZlvgGypEQs8NN9u/4yhNdZwTXRtUkOK16ye652P5QGihwbXvVL
    > cRZhPboXSdIkhFnYo6OqMYG+RcAuPuSOnFGTYauDolByqefEgSsLkA==
    > =ib31
    > -----END PGP SIGNATURE-----

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

    iQEVAwUBOsy6P1Dumg0FbJxvAQHVHwf/SUe2pgz97jTqgBxlvcYmt1zSo5DimNF6
    fmBP+Ake3u8KJ3fFXUJT5rfrqtZKgnRPrN0wBlzSr0NAnB4s60Zt+k3Yyinpp6Sf
    EaizbTpb4sBo80qYXMDGGwKpQuaEunV/o1VDXG0fxz5T3vqZRjCO4cmmieqScfts
    Z5MKpwkfbodOqoxBpMUzvMLt+u5B/smAKWnYCO7vjV0oX0Mr5cjs1L+FHCi5xE3R
    4ZhQFPZjNd9dFl7GyGSVYcZdntM6g2xp5UFRaq/FbV+GkJKISRhwflvX60F7HP6E
    B+NKjr0nUnD0oFYFCCiTL/Wq7iTJlnQNDtBxUbkCbc88mLbYlIzrNw==
    =e9C3
    -----END PGP SIGNATURE-----
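Added example, not code from anyone in this thread: a small Python script that parses the `services` file format discussed above (`name  port/proto  [aliases] [# comment]`, with a leading `#` marking a commented-out line) and correlates it with `netstat -an` output, so an administrator reviewing a box can see which listening sockets have a named entry, which have only a commented-out entry, and which have no entry at all. The services excerpt and the netstat lines are constructed sample data, not output from the server in the thread. Note the caveat the report makes visible: the services file is a name-to-number lookup table, so a commented-out entry only removes the name; the listener itself still comes from netstat, which is why a socket can be reported as `commented` rather than closed.

```python
"""Parse a Windows-style services file and correlate it with netstat -an.

Added example; all input below is constructed sample data.
"""
import re

# Constructed excerpt in the format of C:\WINNT\system32\drivers\etc\services.
SERVICES_TEXT = """\
# Copyright (c) constructed sample
#
echo                7/tcp
echo                7/udp
ftp                21/tcp
telnet             23/tcp
smtp               25/tcp    mail
#tftp              69/udp                 # commented out on this box
http               80/tcp    www www-http
netbios-ssn       139/tcp    nbsession
ircu             6667/tcp                 # constructed entry
"""

# Constructed excerpt of `netstat -an` output (Windows 2000 layout).
NETSTAT_TEXT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1045          ESTABLISHED
  UDP    0.0.0.0:69             *:*
"""

# One services-file row: name, port/proto, then optional aliases and comment.
_SERVICE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)\b(?P<rest>.*)$"
)


def parse_services(text):
    """Return (active, commented): dicts keyed by (port, proto) -> service name.

    A line whose first non-blank character is '#' is treated as commented
    out; the '#' is stripped and, if a table row remains, it is recorded
    in `commented`. Header comments and unparseable lines are ignored.
    """
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line.startswith("#")
        if is_comment:
            line = line.lstrip("#").strip()
        m = _SERVICE_RE.match(line)
        if not m:
            continue
        key = (int(m.group("port")), m.group("proto"))
        (commented if is_comment else active)[key] = m.group("name")
    return active, commented


def parse_listeners(text):
    """Return the set of (port, proto) sockets that are listening.

    Windows netstat prints no state column for UDP, so every UDP row
    counts as a listener; TCP rows count only when the state is LISTENING.
    """
    listeners = set()
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0].lower()
        port = int(parts[1].rsplit(":", 1)[1])
        if proto == "udp" or (len(parts) >= 4 and parts[3] == "LISTENING"):
            listeners.add((port, proto))
    return listeners


def correlate(services_text, netstat_text):
    """Label each listener 'named', 'commented' or 'unknown' (sorted by port)."""
    active, commented = parse_services(services_text)
    report = {}
    for key in sorted(parse_listeners(netstat_text)):
        if key in active:
            report[key] = ("named", active[key])
        elif key in commented:
            report[key] = ("commented", commented[key])
        else:
            report[key] = ("unknown", None)
    return report


if __name__ == "__main__":
    for (port, proto), (status, name) in correlate(SERVICES_TEXT, NETSTAT_TEXT).items():
        print(f"{port:>5}/{proto}  {status:<9} {name or '-'}")
```

On the sample data the report flags 6666/tcp as `unknown` (no services entry at all) and 69/udp as `commented` (the tftp line is commented out but the socket is still listening); the remaining TCP listeners resolve to their service names. Swapping the two constants for the real file and real `netstat -an` output gives the same report for a live box.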