iphonogasm Posted June 6, 2012

Hi, my first question. I have a DMZ to a server running 2008 Enterprise. When I add an exception in Windows Firewall for the Public profile (I also add it to all profiles), the port doesn't open when doing a port scan externally. Secondly... any idea if there is/what is the Group Policy to disable saving ALL passwords (VPN, network drives, RDP etc.)? Thanks!!
ICTCity Posted June 8, 2012

Mhhh, but do you have at least the entry in your firewall? I mean, when you click apply, is the rule registered? Are you sure you don't have another firewall? Which port are you trying to open? Which port is already opened? There's only one policy which doesn't permit (the user) to save the password for a .NET Passport account. This means you can still save VPN passwords and so on if they're not Windows things.

--------------------------------------------------------
You can also write in French. You can also write in German. You can also write in Italian.
--------------------------------------------------------
iphonogasm Posted June 9, 2012 (Author)

Yes, the rule created was named "Test" and opened TCP port 1000. The rule is then shown as "Active" and is a Public rule. I have no other firewall running. I have a NAT at the router, however this does not apply now that I am using a DMZ. I have 80, 1723, 25, 110, 143, 21, 3389 and a few others which are open in the firewall. I'm just not able to get 1000 open, maybe I need to go higher like 4000? Thanks for the policy reply, that doesn't really matter! One more thing, how can I block port scanning requests? Do I need to block by IP range, and is this possible in Windows Firewall? Thanks!
ICTCity Posted June 9, 2012

Well, the first 1024 ports are WELL-KNOWN, then there are the REGISTERED ports (until 49151), so you should use a port in this range: 49152-65535. Blocking port scanning is not possible; by default the port is blocked, but you are still able to scan it...
iphonogasm Posted June 9, 2012 (Author)

OK yes, but I should still be able to open these ports, right? I will try 50000 now.... The reason I ask about blocking port scans is, I just tried a scan on a local hosting company domain and it timed out... whereas I can scan my domain... Thanks again! UPDATE: 50000 still won't open. Restarted and all??
ICTCity Posted June 9, 2012

Are you sure it's not opened? I mean... there's no reason for Win FW to not open a port :) maybe the executable of the program is blocked... can you provide more details about what you are opening? Well, many FWs have this possibility, you can "block" a scan from outside; it's like a traceroute, there are firewalls that block packets and stop. The same thing happens on port scanning. When you are trying to find an open port (because you're an attacker or you're testing your OWN security) you can use many programs that also have settings to wait for the next probe. In other words, if your firewall sees that the IP 8.8.8.8 is checking (connection try) on port 443 it can't (it couldn't) block this IP, but if this client in 1-2 seconds tries the same thing on a different port... well, this is a scan :) There are other ways to scan (only with SYN, complete ACK, Christmas Tree, ...) and all of these techniques are different and more or less complex. The built-in FW in Windows doesn't have so many settings to block a specific IP on port scan. You should check other products (most of them are appliances...) but trust me, you don't really need this. Where I work right now, sometimes I must go to clients to check network and security. Almost everyone receives a port scan but this is "normal"; I mean, you must check if you are under attack, but a port scan could be only a bot which is trying to infect your PC via an open port...
iphonogasm Posted June 10, 2012 (Author)

I'm positive it's not opening.. I have just opened PORT 50000, public, domain and private. I check it here: ping.eu - port checker, megahosting.co.nz port 50000. Thanks man!
ICTCity Posted June 10, 2012

And which program should work on that port? Would you be able to reach it in this way: http://megahosting.co.nz:50000/ ?
iphonogasm Posted June 13, 2012 (Author)

No program as such, I'm just trying to OPEN the port. Does it require something to be listening on that port before it will open?? I have simply created an entry in Windows Firewall for inbound rules, public, private and domain profile, and chosen the option "Port", entered the port and chosen the protocol TCP. Then I check to see if the port is open.... Thanks
ICTCity Posted June 13, 2012

Well no... but how can you check if the port is opened if there's nothing behind it? I can disable the firewall in my network, but if I don't have any WEBSERVER (example) and I write http://myhostname.whatever in my browser, I simply have nothing! The port is opened but there's no service running behind it...
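A small diagnostic for the point made in this reply, added here as an example and not part of the thread: a firewall rule only permits traffic, so with nothing listening the host answers a probe with a TCP reset and the port tests as "closed", while a probe that is dropped (firewall, or a router DMZ/NAT rule that is not forwarding) times out and tests as "filtered". It runs offline against a throwaway listener on 127.0.0.1; the host, port and timeout values are constructed for the demo.

```python
"""Classify why a TCP port does or does not appear open (added example)."""
import errno
import socket


def check_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'filtered' for host:port.

    open     - handshake completed: a firewall allows it AND a service listens
    closed   - RST received: traffic reaches the host, but nothing is listening
    filtered - no answer at all: the probe was dropped somewhere on the path
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        # Unreachable network/host also means the probe never got an answer.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def start_listener(host: str = "127.0.0.1", port: int = 0):
    """Bind a bare listening socket on an ephemeral port; return (socket, port).

    No accept() loop is needed: the kernel completes handshakes into the
    backlog, which is enough for an external port check to report 'open'.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo():
    """Same port, same (absent) firewall: only the listener changes the result."""
    srv, port = start_listener()          # constructed local 'service'
    with_service = check_port("127.0.0.1", port)
    srv.close()                           # stop the service, keep the port number
    without_service = check_port("127.0.0.1", port)
    return with_service, without_service  # ('open', 'closed')


if __name__ == "__main__":
    print(demo())
```

Run the same `check_port` from outside against the DMZ host: "closed" means the rule and routing are fine and the service is simply not listening; "filtered" means the packets never reach the Windows host, which points at the router rather than Windows Firewall.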
iphonogasm Posted June 20, 2012 (Author)

Again I'm stuck with this problem of the ports not opening. I disabled the firewall on my DMZ to see if that works again. I'm trying to open 995, 585 and 485 which have services listening. Again the ports don't open??? Any other ideas? Am I correct in saying Windows Firewall controls which ports are open/closed in a Server 2008 DMZ?? Thanks
ICTCity Posted June 20, 2012

Quoting iphonogasm: "Any other ideas? Am I correct in saying Windows Firewall controls which ports are open/closed in a Server 2008 DMZ??"

I don't know... it depends on WHICH level you create your DMZ at. Most routers have the DMZ functionality, so Windows doesn't know anything about the DMZ. At this point I think the problem is with routing and redirection on your router, because if you disable the firewall in your DMZ (assassin!) and nothing works... the problem is not your firewall.
iphonogasm Posted June 20, 2012 (Author)

Yeah, that's what I thought, I was looking at an issue with the router. I'm having issues with NAT on this router anyway, hence the reason I'm using DMZ.. Thanks!
ICTCity Posted June 20, 2012

The problem with that router... it doesn't provide a serious debug / log like many "home" routers :/
iphonogasm Posted June 20, 2012 (Author)

Yeah, I've just restored to default settings, and no luck, so I updated the firmware and I am again able to add a forward in NAT.... HOWEVER, I cannot add the forward for port 21 FTP; no matter what I name it, I get the error "Add virtual server named FTP failed. Check for duplicate virtual server rules." WEIRD!!!
ICTCity Posted June 20, 2012

Stupid router... contact the assistance... I have no idea.