zacron (The nutter; Premium) join:2008-11-26 York, ON | reply to R0CKY
Re: Argg.... UCEPROTECT... very frustrating!
said by BonkersInc:
While you're at it, can you consider blocking 135 139 and 445? They really have no business being on the public internet

These ports don't happen to be used with Active Directory and such a thing... If so I would be another one who would pack as I have a couple of people who have been added to my domain over the internet. Not using a VPN, which was my goal.
Cheers,
Zacron |
|
135 and 445 are used by AD. Not sure about 139.
I would imagine they could add exceptions the same way as for smtp.
Network Ports Used by Key Microsoft Server Products: »www.microsoft.com/smallbusiness/···rod.mspx |
|
fcisler (Premium) join:2004-06-14 Riverhead, NY | reply to zacron
These ports (135, 139, 445) should NEVER be routed out of a LAN. It's absolutely one of the worst ideas. Security-wise, you have opened yourself up to a HUGE hole. I would seriously be surprised if your machines aren't infected. You really do need a VPN... your domain controller should never be published directly to the internet.
|
NeTwOrKDawg (Networking is a lifestyle) join:2005-04-25 Brantford, ON | reply to zacron
said by zacron:
said by BonkersInc:
While you're at it, can you consider blocking 135 139 and 445? They really have no business being on the public internet
These ports don't happen to be used with Active Directory and such a thing... If so I would be another one who would pack as I have a couple of people who have been added to my domain over the internet. Not using a VPN, which was my goal. Cheers, Zacron

Not to be too blunt, but, ARE YOU ON CRACK? Those ports should NEVER be accessible over the internet.
|
|
|
zacron (The nutter; Premium) join:2008-11-26 York, ON | reply to fcisler
No, the domain controller itself is not on the internet, just the one port, which I cannot remember is open to allow me to query the AD using LDAP from a remote location... It is fully protected and firewalled, and the exception is only made for the one remote IP address. (Thank god for Linux).
Cheers,
Zacron |
|
R0CKY (TSI Rocky; Premium,VIP) join:2005-05-19 Chatham, ON | reply to NeTwOrKDawg
Alright boys.... Let's keep this constructive please. We're trying to figure the best scenario to not get listed against rogue/aggressive filters.
|
Brano (I hate Vogons; Premium,MVM) join:2002-06-25 Burlington, ON kudos:3
said by R0CKY:
Alright boys.... Let's keep this constructive please. We're trying to figure the best scenario to not get listed against rogue/aggressive filters.

Blocking 25 for all dynamic and leaving static open as first step is my suggestion.
Next (if needed) block 25 for static with opt-out option. |
|
R0CKY (TSI Rocky; Premium,VIP) join:2005-05-19 Chatham, ON
said by Brano:
said by R0CKY:
Alright boys.... Let's keep this constructive please. We're trying to figure the best scenario to not get listed against rogue/aggressive filters.
Blocking 25 for all dynamic and leaving static open as first step is my suggestion. Next (if needed) block 25 for static with opt-out option.

So far discussions are going to be as follows:
Dynamic IPs
- Block port 25 - Opt-out allowed
Static IPs
- Unblocked/open
We'll then sit back and have a look at where this brings us and should we need to change things around, we will.
Rocky -- TSI Rocky - TekSavvy Solutions Inc.
Authorized TSI employee ( »TekSavvy FAQ »Official support in the forum )
|
|
milnoc join:2001-03-05 H3B kudos:1
said by R0CKY:
So far discussions are going to be as follows:
Dynamic IPs
- Block port 25 - Opt-out allowed
Static IPs
- Unblocked/open
We'll then sit back and have a look at where this brings us and should we need to change things around, we will. Rocky

Much better than most ISPs who perform network modifications without even bothering to warn their customers about the upcoming changes.
|
| reply to R0CKY
said by R0CKY:
So far discussions are going to be as follows:
Dynamic IPs
- Block port 25 - Opt-out allowed
Static IPs
- Unblocked/open
We'll then sit back and have a look at where this brings us and should we need to change things around, we will. Rocky

Sounds good to me. -- Cheers!
|
TSI Marc (Premium,VIP) join:2006-06-23 Chatham, ON kudos:3
For clarity; one thing to note here is that blocking port 25 does not mean that we will block our own mail servers... it means that we will block port 25 to "other" mail servers that are not ours. -- TSI Marc - TekSavvy Solutions Inc.
|
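The port 25 policy described in the posts above (dynamic IPs blocked with opt-out, static IPs left open, the ISP's own mail servers always reachable), sketched as an nftables ruleset. This is an added example, not TekSavvy's configuration; the table, chain and set names and all addresses (RFC 5737 documentation ranges) are placeholders.

```nftables
# Added illustration: egress filtering of SMTP (tcp/25) on a router that
# forwards customer traffic. All names and addresses are placeholders.
table inet smtp_egress {
    # Dynamic customer pool (placeholder range)
    set dynamic_pool {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }
    }

    # Dynamic-IP customers who asked to opt out of the block (placeholder)
    set optout {
        type ipv4_addr
        elements = { 198.51.100.42 }
    }

    # The ISP's own mail servers, never blocked (placeholder)
    set isp_mail {
        type ipv4_addr
        elements = { 192.0.2.25 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # 1. Port 25 to the ISP's own mail servers stays open for everyone.
        tcp dport 25 ip daddr @isp_mail accept

        # 2. Opted-out customers keep direct port 25 access.
        tcp dport 25 ip saddr @optout accept

        # 3. Everyone else in the dynamic pool is blocked on port 25;
        #    count and log hits so infected hosts can be followed up.
        tcp dport 25 ip saddr @dynamic_pool counter log prefix "smtp25-block " reject with tcp reset

        # 4. Static IPs are in no set above, so they fall through to
        #    the chain's accept policy (unblocked/open).
    }
}
```

Rule order matters: the two accept rules must precede the reject, otherwise opted-out customers and traffic to the ISP's own servers would be caught by the dynamic-pool block.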
| reply to fcisler
said by fcisler:
These ports (135, 139, 445) should NEVER be routed out of a LAN. It's absolutely one of the worst ideas. Security wise, you have opened yourself up to a HUGE hole. I would seriously be surprised if your machines aren't infected. You really do need a VPN....your domain controller should never be published directly to the internet.

I can remember when you could map network drives from microsoft.com... great for Windows software.
I can remember when I could add printers of random people and print off silly messages ... great for fun.
 |
|