FTP and www on NT 4.0
Yosemite Sam 2004-09-30, 10:45 am
If I shut down almost everything else, is NT 4.0 (fully patched) secure
enough to run FTP and www on one box that has no other job function?
I have it in a DMZ with firewall on each side. I can access it from inside
net via FTP if that is necessary to maintain security.
I thought about blocking all but:
80 udp
80 tcp
21 tcp
21 udp
on the adapter advanced properties.
On adapter advanced properties there is a udp ports, tcp ports and protocols
list with allow/deny for each, and protocols expects an integer between 0-9
I think it was.
Q: What values in protocols should be allowed or blocked. Default on NT4.0
is of course allow all.
Q: Should I leave more ports open for FTP passive mode?
Q: If so what ports?
Q: What ports need to be open if I wanted to use explorer from another
machine to access the server from inside the DMZ to post files to be
downloaded, if that isn't too risky.
TIA
Sam

Bernard 2004-09-30, 10:45 am
These are the ports required in relation to IIS; if the service is installed,
you can skip it.
INFO: Inetinfo Services Use Additional Ports Beyond Well-Known Ports
http://support.microsoft.com/?id=327859
You need tcp for http and ftp.
As for your question.
1) Refer to the above KB.
2) The range is between 1024 - 5000. Read
Information About the IIS File Transmission Protocol (FTP) Service
http://support.microsoft.com/?id=283679
but it can go higher if the client uses a higher ephemeral port.
3) Refer to 2).
4) Bad idea, as this requires a NetBIOS session and RPC is needed.
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"Yosemite Sam" <Yosemite.Sam@gsaa.com> wrote in message
news:eiVAokqpEHA.3980@TK2MSFTNGP12.phx.gbl...
> If I shut down almost everything else is NT 4.0 (fully patched) secure
> enough to run FTP and www on one box that has no other job function.
> I have it in a DMZ with firewall on each side. I can access it from inside
> net via FTP if that is necessary to maintain security
> I thought about blocking all but:
> 80 udp
> 80 tcp
> 21 tcp
> 21 udp
> on the adapter advanced properties.
> On adapter advanced properties there is a udp ports tcp ports and protocols
> list with allow/deny for each, and protocols expects an integer between 0-9
> I think it was.
>
> Q: What values in protocols should be allowed or blocked. Default on NT4.0
> is of course allow all.
>
> Q: Should I leave more ports open for FTP passive mode?
>
> Q: If so what ports?
>
> Q: What ports need to be open if I wanted to use explorer from another
> machine to access the server from inside the DMZ to post files to be
> downloaded, if that isn't too risky.
>
> TIA
>
> Sam
>
>

Jeff Cochran 2004-09-30, 10:45 am
On Thu, 30 Sep 2004 00:51:30 -0400, "Yosemite Sam"
<Yosemite.Sam@gsaa.com> wrote:
>If I shut down almost everything else is NT 4.0 (fully patched) secure
>enough to run FTP and www on one box that has no other job function.
>I have it in a DMZ with firewall on each side. I can access it from inside
>net via FTP if that is necessary to maintain security
>I thought about blocking all but:
>80 udp
>80 tcp
>21 tcp
>21 udp
>on the adapter advanced properties.
>On adapter advanced properties there is a udp ports tcp ports and protocols
>list with allow/deny for each, and protocols expects an integer between 0-9
>I think it was.
>
>Q: What values in protocols should be allowed or blocked. Default on NT4.0
>is of course allow all.
>
>Q: Should I leave more ports open for FTP passive mode?
>
>Q: If so what ports?
>
>Q: What ports need to be open if I wanted to use explorer from another
>machine to access the server from inside the DMZ to post files to be
>downloaded, if that isn't too risky.

Why don't you handle this in your firewall rules?
Jeff
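
Added example, not part of the thread: a Python check that parses FTP passive-mode (227) replies and tests the advertised data port against the 1024 - 5000 range Bernard cites, which is the range a firewall rule of the kind Jeff suggests would have to allow. The function names, the sample replies and the address 192.0.2.10 are constructed for illustration.

```python
import re

# Passive data-port range quoted in Bernard's reply (1024 - 5000).
PASV_RANGE = (1024, 5000)

# RFC 959 reply format: 227 <text> (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(r"^227\s.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is not a valid one."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    # The data port is encoded as two bytes: p1 * 256 + p2.
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def audit(replies, connected_ip, allowed=PASV_RANGE):
    """Label each control-channel line against the firewall's data-port rule."""
    results = []
    for line in replies:
        parsed = parse_pasv(line)
        if parsed is None:
            results.append((line, "not-pasv"))
            continue
        ip, port = parsed
        if ip != connected_ip:
            verdict = "address-mismatch"  # server advertises an address the client did not dial
        elif allowed[0] <= port <= allowed[1]:
            verdict = "allowed"
        else:
            verdict = "blocked"  # data connection would fall outside the allowed range
        results.append((line, verdict))
    return results


# Constructed sample replies (192.0.2.10 is a documentation address).
SAMPLE = [
    "227 Entering Passive Mode (192,0,2,10,4,1)",     # 4*256+1 = 1025
    "227 Entering Passive Mode (192,0,2,10,19,136)",  # 19*256+136 = 5000
    "227 Entering Passive Mode (192,0,2,10,195,80)",  # 195*256+80 = 50000
    "227 Entering Passive Mode (10,0,0,5,4,1)",
    "230 User logged in.",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE, "192.0.2.10"):
        print(f"{verdict:17} {line}")
```

A "blocked" verdict means the control connection on port 21 succeeds but the passive data transfer stalls, which is the usual symptom of filtering down to ports 21 and 80 only.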