However, for ISP's that use MS DNS servers and do remote management
from the inside - their customers could potentially exploit them.
I have worked with folks who run services other than mail on their DNS
servers. One example is FTP. With passive ftp high ports 1024+ need
to be open both ways. So if they are using standard ACL's and not a
firewall this could lead to some trouble as well.
Stateful firewalls don't need to open these ports for passive FTP. The
FTP connection is established on the standard port after which the
passive port is shared with the client and the firewall tracks this and
allows the connection.
As a rule of thumb, RPC should never be exposed to untrusted IP space.
It is also odd and possibly grossly incompetent of Microsoft to choose
to use ports 1024+ for such purposes, but I'm thinking that they have
some weakly justifiable reason to do this as a "feature".
Matt
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
