From the mailbag comes today a question about ports open and what not:


Joe had a peer to peer network before and on the Grc.com web site was fully ‘stealth’.  Now that he has a network he is listing ports 80 and 25 open.  Closed is port 21.  He was used to having everything “stealth” before and now it’s slighly freaking him out that ports are open.  He’s concerned about being an open relay and all that.


First off Joe, a couple of things.  “Stealth“ is a GRC.com terminology and it doesn’t mean that you weren’t out there on the internet not able to be nailed before and now you have a server sitting out there on the Internet with a bulls eye.  Like anything in life there’s a bit of things that you have to do in order to ‘do business’.  If you want mail coming in via SMTP with gives you the ability to be the most flexible in spam filtering with IMF and what not, port 25 must be open.  If you are using POP, while you then don’t need either port 25 or port 110 open, know that with the SBS 2003 pop connector it CANNOT go less than a every 15 minute pull. [And please, please, please, please… make sure you patch your server!!]


We normally say just to be a smidge more paranoid that you can easily close up port 80 and then just train your employees to type in https://yourdomainname.com/remote and get to the Remote Web Workplace.  While in SBS 2000 we were [heck I was] quite the nervous Nellie around IIS 5, IIS6 has been extremely solid.  While they are already working on IIS7,  I’ve personally been very very pleased with IIS6 and the fact that while I’ve been putting down my Mountain Dew and dashing off to the Shavlik to patch Internet Explorer these days, I’ve been quite pleased with IIS 6’s track record.


Joe was also concerned about being a mail relayer and remember that OUT OF THE BOX SBS 2003 is not a mail relayer when you use SMTP  [unfortunately I cannot say the same for SBS 2003 when using an unpatched POP connector setup….for POP see the comment and link about how we indeed are a mail relayer when using POP and cc’ing a large email]


There are some things you ‘can’ do to tighten yourself up a bit especially when you are using full SMTP mail…



Mark O’Shea had a couple of articles on security in SBS 2003 and I had a prior post about the ports needed for SBS.


Remember to only open up those minimal ports you need for ‘doing’ business.  If you are using POP and you want external remote access you can get away with merely ports 443 and 4125 open through your router/firewall.  443 is the port you need for secure web access to the Remote Web workplace web site, 4125 is the ‘control’ port.  Remember that port 4125, while needing to be ‘poked’ through your firewall, is a dynamic port that ‘only’ opens up after you authenticate on your system.


And I hate to sound like a broken record here but PASSWORDs, I cannot stress how important that password are in any firm.  Chose them wisely, and make the Administrator account passwords a ‘passphrase’.


Oh and one last thing….that Pop connector patch?  It ISN’T on Windows update because unfortunately SBS is a bit of an oddball.  We’re not just the Server OS ,we’re just about the entire product line of Microsoft on one box and at the present time, patches that don’t have to do with the base operating system won’t come down on Windows Update. 


Now personally, I don’t quite understand out Sharepoint patches are on Windows update, but our pop patch is not, nor do I understand how our SBS 2003 QFE that enabled the controlling of the firewall is on Windows update and not our pop patch, but at the present time, that’s unfortunately the way the WU….WU’s. 


I cannot stress enough to all those consultants out in SBSland …if all you use to update your system is Windows Update, you still have an unpatched box.  In the near future SBS 2003 will be getting SP1 which will include all these fixes, but in the time being, click on www.microsoft.com/sbs and then click on downloads.


And Joe?  I hope I see you in the Communities of SBS!  Welcome to SBSland!

 

Comments are closed.