From: Erik Birkholz (erik.birkholz FOUNDSTONE.COM)
Date: Fri Apr 06 2001 - 13:32:31 CDT
One note about Tiny Software Winroute. I love the product, just be sure to
turn off the remote administration ASAP!
The NAT, Mail, DNS, and DHCP should be turned off if not used also. Be sure
to set a password too.
* Erik Pace Birkholz, CISSP, MCSE
* Principal Consultant
* erik.birkholz foundstone.com
* Foundstone - "Securing the World"
* Terminal Server: The Day of Reckoning
* http://www.foundstone.com/cgi-bin/display.cgi?Content_ID=198
-----Original Message-----
From: James Carter [mailto:jcarter GENUITY.NET]
Sent: Thursday, April 05, 2001 11:33 AM
To: FOCUS-MS SECURITYFOCUS.COM
Subject: Re: Windows 2000 Server Questions
Raphael,
Yes, I apologize I forgot to say '#' or comment out the particular
ports and services. As a rule I generally disable ALL services that I
have no intent on using then any other ports/services that I see open
(ie....that open behind the scenes) I will comment out '#'.
Well the popular way to do this sort of thing in the win32
world......hmmmmmmm
http://www.symantec.com/product/home-is.html
http://www.pgp.com/products/dtop-security/default.asp
http://www.tinysoftware.com/pwall.php
www.mcafee.com (doesn't seem to want to pull up right now)
My personal favorite is PGP, because of the functionality of the
entire suite. I also like TinySoftware's firewall. These are easier
for users to set-up and configure and some work quite well. Plus they
are a bit more forgiving to the novice user as well.
Give it a shot, play with it.......lock down more than you need (on a
test box) see things fail......open up what is 'necessary'.
Cheers.
- -----Original Message-----
From: Focus on Microsoft Mailing List
[mailto:FOCUS-MS SECURITYFOCUS.COM]On Behalf Of Raphael PAILLARD
Sent: Wednesday, April 04, 2001 9:41 AM
To: FOCUS-MS SECURITYFOCUS.COM
Subject: Re: Windows 2000 Server Questions
Hi,
When you say edit "C:\WINNT\system32\drivers\etc\-anyfiles", for
example "services", does it mean that it is possible to lock down a
port with a simple "#" at the start of the line?
If it's true, it's a very good way to secure an NT box! It's also a
non-popular way in NT's world.
Regards,
Raphaël
- ----- Original Message -----
From: "James Carter" <jcarter GENUITY.NET>
To: <FOCUS-MS SECURITYFOCUS.COM>
Sent: Wednesday, April 04, 2001 1:53 AM
Subject: Re: Windows 2000 Server Questions
> This is a bit of help.
>
> http://windowsupdate.microsoft.com/?IE
>
> This site will give you most of the updates you need and keep the
> reboots to a minimum. However the security patches are another
> story. Microsoft is a little slow on applying them to the
> windowsupdate site.
>
> IE 5.5 Sp1 is recommended, and go to this site for regularly
> updated patches as well as info.
>
> http://www.microsoft.com/technet/security/default.asp
>
> Particular note on the MIME vulnerability, and the necessity of
> having the right version of IE installed. When you download the
> patch it has 2 IE versions that you can select from IE 5.01 sp1 and
> IE 5.5 sp 1 the latter of the 2 I recommend. It should be painfully
> obvious that this means these are the versions you should be
> running but since I have seen countless e-mails and bulletins
> flaming Microsoft for their patch not working, I thought it best to
> bring it up.
>
> Also.....to manually lock down ports on the box please do this:
>
> Double Click 'My Computer' click 'Tools' Click 'Folder Options'
> click the 'View' tab, enable display compressed files and folders
> with alternate colors, display full path in address bar, display
> full path in title bar, enable show hidden files and folders,
> disable hide file extensions for known file types, disable hide
> protected operating system files (you're gonna need this and can
> disable when finished and is recommended especially if you will
> have others messing with stuff). Leave everything else like it is
> and click 'APPLY' then click 'LIKE CURRENT FOLDER'. This will then
> propagate the same view to any location you open up via a double
> click on my computer and browsing down the file tree.
>
>
> Now, for the meat of it. Browse down the file tree to:
> C:\WINNT\system32\drivers\etc (this was copied and pasted because
> of the ease of use brought upon by enabling some of the
> aforementioned features).
> Here you will see files you will want to modify to lock down the
> server at the port level.
> Most specifically, 'protocol' and 'networks', these will open up
> simply enough with 'notepad.exe'.
>
> This should help somewhat, good luck.
>
> - -----Original Message-----
> From: Focus on Microsoft Mailing List
> [mailto:FOCUS-MS SECURITYFOCUS.COM]On Behalf Of Kyle Buehler
> Sent: Monday, April 02, 2001 11:09 AM
> To: FOCUS-MS SECURITYFOCUS.COM
> Subject: Windows 2000 Server Questions
>
>
> So here's the situation. I'm the "New IT Guys". There have been 3
> before me, and I'm working on a Windows 2000 Server that has been
> setup via a tagteam of consultants. I'm not a Microsoftie by
> nature, but I deal with it here and there and in Advanced Windows
> 2000 at school. *joke* None the less, I'm getting into it. Anyway,
> here's some problems that are confusing me at the current moment ...
>
> 1. I did a security audit against the server using Nessus and it
> came back with ports 34555/udp, 27444/udp, 18753/udp, and 10498/tcp
> possibly running Trin00, Trin00, Shaft, and mstream respectively. I
> ran a few nmap scans against it and did not find the port open.
> netstat -an didn't yield any info either. I thought at first it was
> just catching normal traffic, but multiple scans have come out the
> same. Any idea what this could be? McAfee is up to date and running
> full scans once a night, and research shows that it should catch
> all the possible trojans.
>
> 2. Ports 6666 and 6667 are open also, but yield no warnings from
> Nessus. I know we are not running an irc server, so is there any 2k
> service that claims those ports? Again, netstat didn't show anything
> useful.
>
> In my scan I found that only SP1 had been applied and the server
> was in desperate need of netbios-ssn hotfixes since I'm not quite
> sure whether I have a cracker on my tail or not. I downloaded the
> required patches and applied them individually.
>
> 3. Is there a way to apply the patches without having to reboot
> every time? This is a server that takes 5-10 minutes for a full
> cycle. Once I applied the patches I ran my scans again and the
> "problem" hadn't been fixed. Am I doing something wrong just
> running them?
>
> 4. Nessus found /_vti_bin/_vti_aut/dvwssr.dll ... I read up on
> this, except I can't find it in the directory shown, and that file
> doesn't come up by name in a find. Does it have another alias or
> counterpart?
>
> 5. The server is running Exchange, and it allows open relaying
> which I am kind of concerned about. Currently the consultant is the
> one working the Exchange Setup (I plan to remedy that eventually),
> but where can I get some info on configuring something like that?
> Just looking at the Server Manager really looks like he got it
> working, and didn't go any farther than that.
>
> Any help would be appreciated.
>
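Added example, not part of the original thread or any poster's code: a cross-check of the ports Nessus reported in the first message against local `netstat -an` output, counting only listening TCP and bound UDP sockets so that a remote port number on an established connection is not mistaken for a local listener. The sample output is constructed, and treating 6666 and 6667 as TCP is an assumption, since the post gives no protocol for them.

```python
import re

# Ports and suspected tools exactly as listed in the first message.
# Assumption: 6666/6667 are TCP; the post gives no protocol for them.
SUSPECT = {
    ("udp", 34555): "Trin00",
    ("udp", 27444): "Trin00",
    ("udp", 18753): "Shaft",
    ("tcp", 10498): "mstream",
    ("tcp", 6666): "unexplained (IRC range)",
    ("tcp", 6667): "unexplained (IRC range)",
}

# Constructed sample of Windows `netstat -an` output (not from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        192.0.2.77:6666        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.0.2.10:27444       *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def bound_sockets(netstat_text):
    """Return {(proto, port): [local addresses]} for listening TCP and bound UDP."""
    found = {}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        # TCP counts only in LISTENING state; UDP rows have no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.setdefault((proto.lower(), int(port)), []).append(addr)
    return found

def cross_check(netstat_text, suspects=SUSPECT):
    """Split scanner-reported ports into locally confirmed and unconfirmed."""
    bound = bound_sockets(netstat_text)
    confirmed = {k: bound[k] for k in suspects if k in bound}
    unconfirmed = sorted(k for k in suspects if k not in bound)
    return confirmed, unconfirmed

if __name__ == "__main__":
    print(cross_check(SAMPLE))
```

A port that comes back unconfirmed is not disproved: `netstat` run on a host that may already be compromised can be made to hide sockets, so compare against a scan from another machine as well.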