Re: Opening port 80&443 not only opens OWA but also Companyweb access?




What's amazing to me is that the statement "Can we simply agree that
that is your opinion and therefore should not be stated as fact?" seems
to be so difficult for some of you.

Do you really believe that you've somehow cornered the market on the
multitude of usages of SBS that you can factually make statements on
this issue with the words 'never', etc.? I thought I made it clear I
had no desire for a debate? I also think it's pretty clear that if the
manufacturer of the product that you service decides that if you want to
use port 80 that it's ok with them, but you disagree, that it must be a
matter of opinion....(otherwise no disagreement right?).

You seem to believe that *I* think it's a good practice to leave open
80 if you don't need it. I don't.

That doesn't change the fact that it's our *opinion*. The reason *we*
as a community (as far as I know) don't think it's a good idea is the
simple fact that it's easier to attract attention with port 80 open.
Although, I guess someone could argue that since many port scans these
days *start* on 443 to try and find commerce sites, that that point is
debatable. That said, I also don't believe that there is anything
inherently insecure about leaving the default SBS config on port 80,
nor do I believe that putting a redirect on an ISP site helps one bit
(it still attracts the same attention, and any scan utilizing DNS
records will simply follow the ports to the IP they reside at. Not
sure what it gains you in the long run).

Now perhaps you guys are more arrogant than I am in regards to your
opinions, but unless you're prepared to say that IIS is simply insecure
in its own right, and therefore RWW, and anything else you choose to run
through it should be shut down, I can't truthfully tell a client anything
other than "*I believe* it could attract unnecessary attention to your
box, and therefore increase your likelihood of attacks". I can't say
that it increases the hacker's likelihood of *success*, nor can I say
that if they are willing to still do so after being advised that they
are idiots. If they're informed, I'll happily open it up.

If you can show me however where the SBS config for redirect on port 80
can be more easily hacked into than 443 then by all means do so and I'll
advise my clients (and Microsoft, since it's in all their documentation)
to that effect. Until then, yes, I say it is our OPINION and should not
be stated as some sort of fact nor should we treat others who choose to do
so as somehow unintelligent about the so-called 'facts' unless you're
willing to back that up. In the end, ports are ports. I don't like 80
simply because it's so common; that has nothing to do with making it
insecure, however. I'd just prefer not to announce my presence so loudly
that others might take notice. It's *after* they take notice that you
have to worry about ports...and 80 typically isn't the one to worry
about. I'd start with POP, IMAP, etc. personally but you do what you
want.

If you want to advise others here about the potential risks of doing so
on the other hand, awesome, that's a welcome service to all. Why it is
that it appears to offend some of you that someone might not agree with
your opinion is beyond me.

P.S. - It appears no matter how hard I tried to avoid a debate here,
it's impossible amongst us geeks. Think about what I asked in my post,
and then look at the responses. And here I thought 'proportional
response' was something only discussed in the circles of warfare.


--
admin

Matt Ridings - MSR Consulting
------------------------------------------------------------------------
admin's Profile: http://forums.msrportal.com/member.php?userid=1
View this thread: http://forums.msrportal.com/showthread.php?t=14484
