TCP/IP Filtering does not provide port level security at the user level. You
could use an IPSec policy and deploy to all users to block source ports below
1024. Then have a subset of those users in a different OU and assign that OU
a policy that permits all ports.

There's a couple of potential problems, though. 1) You need to create 1024
selectors for TCP (or as MS calls them filters): 1 for each port. The good
news is you'd only have to do this once. 2) If the user is able to stop the
IPSec Policy Agent service then the IPSec policy is no longer active.

This approach has the same limitation as applying any security using GPO's:
Problems can occur and a GPO may not get applied, if a user doesn't log in
using AD credentials they won't get the GPO, etc. Alternatively, you could
apply IPSec as a local security policy but management of the policy just got
much more difficult. You would also need to make sure that the user doesn't
have the ability to modify the IPSec policy in this case.

Quite simply, W2K, XP, .NET have the ability to do what you ask but it's not
as simple as Solaris. On the positive side, if you go with a GPO then
deployment is fairly simple.

Good luck,
Scott

-----Original Message-----
From: Roberta Bragg [mailto:freouwebbemsn.com]
Sent: Thursday, October 31, 2002 4:17 PM
To: 'Rangan, Govindaraj'; focus-mssecurityfocus.com
Subject: RE: Access to well-known ports on Win2K

Several well know methods for restricting port access exist in WIndows 2000,
XP and .NET.

Take a look at TCP/IP filtering and IPSec policies (IPSec policies can be
written to filter port access, as well as for encrypting data in flight)

The Remote Access service can also be configured to provide this type of
access control -

None of these services require xtra purchases, downloads or other activity -
they are built into the operationg system, just require configuration as
does Solaris --

> -----Original Message-----
> From: Rangan, Govindaraj [mailto:govindrti.com]
> Sent: Wednesday, October 30, 2002 10:59 PM
> To: 'focus-mssecurityfocus.com'
> Subject: RE: Access to well-known ports on Win2K
>
>
> Hi All,
> Greetings.
> Do all users on Win2K have access to the
> well-known ports? This
> question arose when I was doing some security tests in a heterogeneous
> environment with Windows and Solaris boxes. Solaris RSHD's
> only security is
> that before allowing access, it checks the source host and
> source tcp port.
> The host should be in hosts.equiv or .rhosts and the source
> tcp port should
> be one of well known ports (0-1023). The rsh client is a
> setuid script and
> starts as root. However on Windows 2000, it is possible for
> any user (not
> necessarily an admin user) to open a "well known port" to
> connect to any
> rshd.
> Can we restrict access to well known ports to a
> certain user or
> group? If not, the secure way is that Solaris hosts shouldn't
> trust Windows
> hosts. Your help in resolving this is highly appreciated.
>
> Regards,
> Govind
>

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]