Open source software security

NT Port Filtering

Basic firewalling of an NT server is as easy as defining the set of ports you wish to allow remote access to. Several ports are open on an NT server by default that don't need to be, especially on a stand-alone server. Ports like the ms-sql service (port 1433) aren't necessary if the machine is a stand-alone server. If the SQL server is part of a domain and is accessed remotely using Query Analyzer or by other web servers, then this port is necessary, but often this is not the case. Many services (like SMTP and FTP) can be turned off by selecting the service under the Control Panel and changing its start-up type to 'Manual', but often a service will still need to be accessed locally. If this is the case, there is no reason for the server to also offer the service on a port for remote access: the internal processes that use, say, SQL Server don't need port access to get to the databases. In this case, and in many others, you will find it necessary to close down ports on your machine.

Microsoft allows port filtering for TCP, UDP and all IP traffic. The process is one in which an administrator selects the acceptable ports, leaving only those services available which s/he chooses. This is much simpler than specifying every port that an administrator doesn't want. Most servers won't need to allow traffic on any port other than the most common ones: 21 for FTP, 80 for HTTP and 443 for SSL. Keep in mind that these filters only apply to incoming requests. This allows all listening ports to be closed while local-to-remote FTP sessions and POP will still function.
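Before enabling 'Permit Only', it pays to know what is actually listening and which of those services the filter will cut off. The following script is an added example and not code from the original article: it parses the text that `netstat -an` prints on NT/2000 and compares the listening TCP and UDP ports against the allow lists you intend to enter. The netstat sample is constructed for this example, and the filter model (an inbound request is accepted only when its destination port is in the allow list for that protocol, established local-to-remote sessions are untouched) follows the behaviour the paragraph above describes rather than any vendor documentation.

```python
"""Pre-check for a 'Permit Only' TCP/IP filter on an NT/2000 server.

Added example, not code from the original article. It parses `netstat -an`
text and reports which listening services stay remotely reachable, which are
cut off, and which allow-list entries have nothing listening behind them.
"""
import re

# Constructed sample of `netstat -an` output from a stand-alone web/SQL box.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      10.0.0.5:110           ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:1434           *:*
"""

# Well-known names for readable reports (IANA assignments).
SERVICE_NAMES = {
    21: "ftp", 80: "http", 135: "epmap", 137: "netbios-ns", 139: "netbios-ssn",
    443: "https", 1433: "ms-sql-s", 1434: "ms-sql-m",
}

# Proto, local addr:port, foreign addr[:port], optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return (tcp_ports, udp_ports) that accept inbound traffic.

    Only TCP sockets in LISTENING state count; an ESTABLISHED entry such as
    the POP session above is a local-to-remote connection that an
    inbound-only filter does not touch. Every bound UDP socket counts,
    since UDP has no listen state."""
    tcp, udp = set(), set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state == "LISTENING":
            tcp.add(int(port))
        elif proto == "UDP":
            udp.add(int(port))
    return tcp, udp


def _classify(listening, allow):
    """Model 'Permit Only': an inbound request is accepted only if its
    destination port is in the allow list for that protocol (assumption
    drawn from the article's description, not from vendor documentation)."""
    return {
        "reachable": sorted(listening & allow),
        "cut_off": sorted(listening - allow),
        "unused_allow": sorted(allow - listening),  # open in the filter, nobody listening
    }


def audit(netstat_text, tcp_allow, udp_allow):
    """Compare what is listening against the intended allow lists."""
    tcp, udp = parse_listeners(netstat_text)
    return {"tcp": _classify(tcp, set(tcp_allow)), "udp": _classify(udp, set(udp_allow))}


def describe(report):
    """Render the audit as one line per port, for a change ticket or console."""
    lines = []
    for proto in ("tcp", "udp"):
        for port in report[proto]["reachable"]:
            lines.append(f"{proto.upper()} {port} ({SERVICE_NAMES.get(port, '?')}): still reachable remotely")
        for port in report[proto]["cut_off"]:
            lines.append(f"{proto.upper()} {port} ({SERVICE_NAMES.get(port, '?')}): cut off by filter")
        for port in report[proto]["unused_allow"]:
            lines.append(f"{proto.upper()} {port} ({SERVICE_NAMES.get(port, '?')}): allowed but nothing listening")
    return lines


if __name__ == "__main__":
    # The allow list the article recommends for a typical web server: FTP, HTTP, SSL.
    for line in describe(audit(SAMPLE_NETSTAT, {21, 80, 443}, set())):
        print(line)
```

Run against the sample with the article's allow list of 21, 80 and 443, the report shows the MS SQL listener on 1433 and the NetBIOS/RPC ports being cut off, which is the intended outcome for a stand-alone server; the point of the 'unused_allow' entries is to catch allow-list ports that were typed in out of habit and open a hole nothing is using.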

To secure NT 3.5 & 4.0 machines so that they only accept requests to specified ports:

Right click 'Network Neighborhood' -> select 'Properties'
Select the 'Protocols' tab -> select 'TCP/IP' -> click 'Properties'
Under the 'IP Address' tab -> click the 'Advanced' button
Check the 'Enable Security' checkbox -> click the 'Configure' button
Select the 'Permit Only' radio button -> add the acceptable ports

To secure Windows 2000 machines:

Right click 'My Network Places' -> select 'Properties'
Right click 'Local Area Connection' -> select 'Properties'
Select 'Internet Protocol (TCP/IP)' -> click the 'Properties' button
Click the 'Advanced' button at the bottom
Select the 'Options' tab
Select 'TCP/IP Filtering' -> click 'Properties'
Check the 'Enable TCP/IP Filtering (All adapters)' checkbox
Select the 'Permit Only' radio button -> add the acceptable ports

-----------------------------------------------------------------
MACHINES WILL BE REQUIRED TO REBOOT IN ORDER FOR CHANGES TO OCCUR
-----------------------------------------------------------------