Re: Audited an ISA 2000 - part I

From: Jack Peacock (peacock_at_simconv.com)
Date: 11/05/04


Date: Thu, 4 Nov 2004 16:24:42 -0800


"Doug Fox" <dfox168@hotmail.com> wrote in message
news:ek9wTFswEHA.3416@TK2MSFTNGP09.phx.gbl...
> Did an internal and an external port scan on a production ISA 2000 server
> and found the following ports open, but this seems quite unusual. Any
> comments/suggestions are appreciated.
>
> The external scan, i.e., scanning the server from the internet,
> reported the following ports are open:
>
> TCP Ports
> 110 (POP3)
> 135 (DCE endpoint resolution)
> 139 (NETBIOS Session Service)
> 515 (Spooler)
> 1027 (unknown or ICQ?)
> 3372 (Microsoft Distributed Transaction Coordinator (MSDTC) / TIP 2)
> 10000 Webmin / Network Data Management Protocol
>
> UDP Port:
> 137 (NETBIOS Name Service)
>
Make sure that NetBIOS, MS Client, and MS File/Print sharing are removed on
the external NIC. Do you have a print spooler installed on the ISA server?
What applications do you have installed on ISA?

> The internal scan, i.e., scanning the server's internal interface, the
> result is:
>
> TCP Ports
> 135 (DCE endpoint resolution) (also appears on the external interface.)
> 139 (NETBIOS Session Service) (also appears on the external interface.)
> 445 (Microsoft-DS)
> 515 (Spooler) (also appears on the external interface.)
> 1027 (unknown) (also appears on the external interface.)
> 1080 (socks)
> 1745 (ISA Server proxy autoconfig / remote winsock)
> 3372 (Microsoft Distributed Transaction Coordinator (MSDTC) / TIP 2) (also
> appears on the external interface.)
> 8080 (HTTP/HTTP Proxy)
> 10000 Webmin / Network Data Management Protocol (also appears on the
> external interface.)
>
> UDP Ports
> 137 (NETBIOS Name Service)(also appears on the external interface.)
> 2967 (SSC-AGENT / Norton Anti-virus)
>
Why is Norton AV installed on the firewall? Are you using the ISA server as
a workstation? Take a long look at the installed programs in Control Panel
and start removing the junk.
  Jack Pea***
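
The comparison between the two scans discussed in this thread, as an added example that is not part of the original posts: it parses port listings in the format quoted above and reports which listeners answer on both interfaces, on only one, and which external ones are NetBIOS. The function names and the condensed listings are constructed for this example.

```python
import re
# Port listings condensed from the quoted scan results above (descriptions trimmed).
EXTERNAL = """> TCP Ports
> 110 (POP3)
> 135 (DCE endpoint resolution)
> 139 (NETBIOS Session Service)
> 515 (Spooler)
> 1027 (unknown or ICQ?)
> 3372 (MSDTC / TIP 2)
> 10000 Webmin / Network Data Management Protocol
> UDP Port:
> 137 (NETBIOS Name Service)"""
INTERNAL = """> TCP Ports
> 135
> 139
> 445 (Microsoft-DS)
> 515
> 1027
> 1080 (socks)
> 1745
> 3372
> 8080 (HTTP/HTTP Proxy)
> 10000
> UDP Ports
> 137
> 2967 (SSC-AGENT / Norton Anti-virus)"""
# NetBIOS over TCP/IP ports, the binding the reply says to remove from the external NIC.
NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139)}

def parse_listing(text):
    """Return {(proto, port)} from a 'TCP Ports' / 'UDP Ports' listing, quoted or not."""
    proto, found = None, set()
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        head = re.match(r"(TCP|UDP) Ports?:?$", line, re.I)
        port = re.match(r"(\d{1,5})\b", line)
        if head:
            proto = head.group(1).lower()
        elif port and proto and 0 < int(port.group(1)) < 65536:
            found.add((proto, int(port.group(1))))
    return found

def compare(external, internal):
    ext, inn = parse_listing(external), parse_listing(internal)
    return {"both": sorted(ext & inn), "external_only": sorted(ext - inn),
            "internal_only": sorted(inn - ext), "netbios_external": sorted(ext & NETBIOS)}

if __name__ == "__main__":
    for name, ports in compare(EXTERNAL, INTERNAL).items():
        print(f"{name:17}", ", ".join(f"{proto}/{num}" for proto, num in ports))
```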

