If I shut down almost everything else is NT 4.0 (fully patched) secure
enough to run FTP and www on one box that has no other job function.
I have it in a DMZ with firewall on each side.  I can access it from inside
net via FTP if that is necessary to maintain security
I thought about blocking all but:
80 udp
80 tcp
21 tcp
21 udp
on the adapter advanced properties.
On adapter advanced propertis there is a udp ports tcp ports and protocols
list with allow/deny for each, and protocols expects an interger between 0-9
I think it was.

Q:  What values in protocols should be allowed or blocked.  Default on NT4.0
is of course allow all.

Q:  Should I leave more ports open for FTP passive mode?

Q:  If so what ports?

Q:  What ports need to be open if I wanted to use explorer from another
machine to access the server from inside the DMZ to post files to be
downloaded, if that isn't too risky.

TIA

Sam

[ Post a follow-up to this message ]

These are the ports required in relate to IIS, if the service is installed,
you can skip it.
INFO: Inetinfo Services Use Additional Ports Beyond Well-Known Ports
http://support.microsoft.com/?id=327859

You need tcp for http and ftp.
As for your question.

1) refer the above kb
2) the range is between 1024 - 5000. read
Information About the IIS File Transmission Protocol (FTP) Service
http://support.microsoft.com/?id=283679
but it can go higher if client uses higher ephemeral port
3) refer 2)
4) Bad idea, as this required netbios session and rpc is needed.

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/



"Yosemite Sam" <Yosemite.Sam@gsaa.com> wrote in message
news:eiVAokqpEHA.3980@TK2MSFTNGP12.phx.gbl...
> If I shut down almost everything else is NT 4.0 (fully patched) secure
> enough to run FTP and www on one box that has no other job function.
> I have it in a DMZ with firewall on each side.  I can access it from
inside
> net via FTP if that is necessary to maintain security
> I thought about blocking all but:
> 80 udp
> 80 tcp
> 21 tcp
> 21 udp
> on the adapter advanced properties.
> On adapter advanced propertis there is a udp ports tcp ports and protocols
> list with allow/deny for each, and protocols expects an interger between
0-9
> I think it was.
>
> Q:  What values in protocols should be allowed or blocked.  Default on
NT4.0
> is of course allow all.
>
> Q:  Should I leave more ports open for FTP passive mode?
>
> Q:  If so what ports?
>
> Q:  What ports need to be open if I wanted to use explorer from another
> machine to access the server from inside the DMZ to post files to be
> downloaded, if that isn't too risky.
>
> TIA
>
> Sam
>
>

[ Post a follow-up to this message ]

On Thu, 30 Sep 2004 00:51:30 -0400, "Yosemite Sam"
<Yosemite.Sam@gsaa.com> wrote:

>If I shut down almost everything else is NT 4.0 (fully patched) secure
>enough to run FTP and www on one box that has no other job function.
>I have it in a DMZ with firewall on each side.  I can access it from inside
>net via FTP if that is necessary to maintain security
>I thought about blocking all but:
>80 udp
>80 tcp
>21 tcp
>21 udp
>on the adapter advanced properties.
>On adapter advanced propertis there is a udp ports tcp ports and protocols
>list with allow/deny for each, and protocols expects an interger between 0-
9
>I think it was.
>
>Q:  What values in protocols should be allowed or blocked.  Default on NT4.
0
>is of course allow all.
>
>Q:  Should I leave more ports open for FTP passive mode?
>
>Q:  If so what ports?
>
>Q:  What ports need to be open if I wanted to use explorer from another
>machine to access the server from inside the DMZ to post files to be
>downloaded, if that isn't too risky.

Why don't you handle this in your firewall rules?

Jeff

[ Post a follow-up to this message ]