Easy way to block specific ports Windows 2000 Server

[Zoom]

Hi,

We recently had our Windows 2000 Server hacked via VNC. I was wondering if
any experts could provide advise on the following. Forgive my naive
understanding of this process.

(1) How does one get access via VNC? Does one need to have a VNC Server on
the server end or does Windows 2000 have an inherent VNC built in?

(2) We were thinking of blocking all ports except 80,8080,443, 3389 (for
remote desktop), 5631 (For PcAnywhere), 21 and 25. Is this a reasonable
approach? I saw a few articles on using IPsec to do this but I can't find
any straightforward instructions how to block specific ports. Can anyone
provide any instructions / links to articles that show how to do this?

Thanks for any help anyone can provide,

Zoom

 

[Steven L Umbach]

No Windows 2000 does not have VNC built in. It was somehow installed on your
server. Checking the time that the folder was created and the owner of that
folder may give you a clue as to what happened and I would seriously
consider rebuilding the server operating system if there is no good
explanation as who knows what else is installed on the server copying
keystrokes, etc.. A perimeter firewall is your best first line of defense
particularly one that has a default block all rule for inbound and outbound
and you define the authorized exceptions. Yes an ipsec filtering policy can
be used to manage port access as an additional layer of defense but it was
not really meant to replace a real firewall and lacks any meaningful logging
particularity in Windows 2000. For Windows 2000 be sure to also run the
IISLockdown/URLscan tool from Microsoft on your server since you have not
done so since it as a web server assuming you are describing inbound ports
you want to manage in your list. Running the MBSA tool would also be a great
idea to check for basic server security configuration and be sure to
regularly check your security log via Event Viewer for any suspicious
activity. The links below may help. --- Steve

http://www.securityfocus.com/infocus/1559 --- example of ipsec filter
policy. Be sure to get the source and destinations right.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
http://www.microsoft.com/technet/security/tools/locktool.mspx --- IIS
Lockdown tool
http://www.microsoft.com/technet/security/topics/serversecurity/avdind_4.mspx
--- this chapter can help show you how to check for and track down
malicious activity.

 

[Roger Abell [MVP]]

Hi,

We recently had our Windows 2000 Server hacked via VNC. I was wondering
if
any experts could provide advise on the following. Forgive my naive
understanding of this process.

(1) How does one get access via VNC? Does one need to have a VNC Server
on
the server end or does Windows 2000 have an inherent VNC built in?

Access must first be obtained sufficient to allow install of the software
that will listen for connections

(2) We were thinking of blocking all ports except 80,8080,443, 3389 (for
remote desktop), 5631 (For PcAnywhere), 21 and 25. Is this a reasonable
approach?

It is reasonable to limit a machine's exposure to the network, so that
only what is a defined need is allowed. For example, tcp 3389 for only
a specific set of IPs, etc.. Personally I do not see a need for PcAnywhere,
and believe that running either telenet or ftp in the forms supplied with
Windows server (outside of an encrypted IPsec connection) is one way
to ask for trouble.

I saw a few articles on using IPsec to do this but I can't find
any straightforward instructions how to block specific ports. Can anyone
provide any instructions / links to articles that show how to do this?

As you are one W2k you should be aware of the predefined exceptions
in the W2k IPsec filtering that exist in order to allow initial Kerberos IKE
negotiation and the ways to tighten in this regard.
http://support.microsoft.com/kb/811832/en-us

As you have not indicated the nature of the needed connections, whether
with known machines, etc. all in domain or not, etc. there are many unknowns
that would impact the types of use you could make of IPsec.
http://support.microsoft.com/kb/313190/en-us
http://support.microsoft.com/kb/813878/en-us
might be a starting point for you
http://www.microsoft.com/technet/itsolutions/network/ipsec/default.mspx
keys you into some of the MS public doc on use of IPsec

 

[rndinit9]

First off some info about VNC:

http://en.wikipedia.org/wiki/VNC <-- Read this first

www.realvnc.com/
www.tightvnc.com/
ultravnc.sourceforge.net/

From what I understand you want to run the following services:

ftp
RDP (3389)
web (80, 8080, 443)
PC Anywhere (5631)

I would recommend the following firewalls:

http://www.agnitum.com/products/outpost/
http://www.tinysoftware.com/home/tiny2?s=2583689172949401699A0&&pg=content05&an=tf6_home
www.looknstop.com/

Some notes:

I think you could use win2k firewall to block all ports except the ones
that you want open, I think this largely depends on wether or not you
have the latest SP installed. (Im by far no MS expert)

Otherwise you have the option of using software firewalls (listed
above). They are all easy to configure and are well documented.
Ofcourse you can also use hardware/applience firewalls.

One thing I have noticed though:

Why are you using remote desktop & Pc Anywhere? Just choose one
solution and use it.
Using both is surely not wise, form a security point of view. (As they
both accomplish the same task)

Hope this sheds some light on your situation.

 

[rndinit9]

I forgot to add, you might want to look into replacing your FTP server
with Secure FTP.
More info can be found at http://vandyke.com

http://vandyke.com/products/vshell/index.html

 

[Guest]

Hi,

We recently had our Windows 2000 Server hacked via VNC.

If you didn't install VNC, then it was hacked via another method. Most
hacking methods are because of not installing Microsoft patches fast enough,
and sometimes due to misconfiguration of security settings or architecture.
Lack of good firewall rules definitely does not help matters.

(2) We were thinking of blocking all ports except 80,8080,443, 3389 (for
remote desktop), 5631 (For PcAnywhere), 21 and 25. Is this a reasonable
approach?

Depends. First, keep in mind that there are outbound ports and inbound
ports, and we can't really comment on the security of this without more
information about this. You do not need to open TCP 80, 21 and 25 inbound to
your server, unless it is acting as a Web, FTP and Internet email server that
is servicing clients from the Internet. It is not ideal security to be
running all those different services all on one server... it is more secure
to install those on separate servers, if you have the money. If your server
is not running those services, then you only need to open those ports
outbound.

As you may know, a TCP session has two ports, one on both sides of the
connection, like so:

[TCP Request] client: source port 5678 --> server: destination port 80
[TCP Reply] server: source port 80 --> client: destination port 5678

Opening TCP port 21 may not be enough to get your FTP working, because there
is a second port used by FTP for transferring data. TCP 21 is just the
control session used to transfer commands. The port used for the data
session varies depending on whether Active or Passive FTP is configured and
negotiated. You also need UDP 53 and TCP 53 open for DNS requests to the
Internet. Remote Desktop and PC Anywhere are not things you generally want
to allow from the Internet, it is better to use a firewall that has VPN
functionality, like www.netscreen.com, or use your Windows server as a VPN
endpoint, just be sure to configure it securely.

I really think you are asking for trouble if you try to configure your own
firewall without having a good understanding of how these various protocols
work and in what direction the firewall rules need to be written. I
recommend hiring some consulting help for the initial setup. It will pay for
itself if it keeps you from being hacked again.

I saw a few articles on using IPsec to do this but I can't find
any straightforward instructions how to block specific ports. Can anyone
provide any instructions / links to articles that show how to do this?

IPSec is not a firewall, especially not on Windows 2000. It has very
inadequate logging, which is a problem when troubleshooting things not
working because you didn't open up a necessary port, and also when trying to
determine if someone has hacked you. And in Windows 2000, you have to enable
a setting to make it secure [or at least you did, prior to Windows 2000
Service Pack 4]. If you still want to pursue this, see here:

http://www.securityadmin.info/faq.asp?ipsec

There are inexpensive firewalls, such as www.netscreen.com, starting around
$600 US.

kind regards,
Karl Levinson, CISSP, CCSA, MCSE, MS MVP