Greetings!
Warren van Eyssen schrieb:
> Can anybody tell me if their is any danger with the following log entry on a
> firewall-1 server?
>
> Action Port Source Destination Proto.
> > accept 135 c7-ndf-77.dail-up.net mail server tcp
First a general answer: firewall rules MUST be documented. Non-documented rules
should be disabled immediately.
The reason behind this rule is that each rule punches a hole through the FW -
and this risk has to be shouldered by
some manager (it's HIS head that should roll in case of problems - not the
administrator's). Short: no access until there is a business need AND some
manager signing responsible for use and misuse of that specific protocol. And
before opening a protocol there should be a risk assessment so the manager can
weigh risk and achievement.
Specifically: your MS-Exchange server is WIDE open to that dial-up number -
maybe even to all internet addresses. It seems you allow MS-RPC thus full access
(network-layerish) to server remote control and MS Exchange. If you can not
verify 280% that this was one of your administrators, chances are good that your
system already has been compromized. Check your MS-Exchange server thoroughly
(file through every directory and the registry - manually!) - and at the
slightest sign of intrusion or compromize back up the data and re-install your
system from scratch. If so, check your NT domain controllers which have trust
relationship to the Exchange system (and vice-versa). If there are signs, back
up the data and re-install from scratch. As it is quite possible that user
accounts were compromized even if you do not find indicators for a full
break-in, verify each and every user account on the local server(s) and for the
NT-Domain to belong to an employee and force a password change.
Do NOT put the MS-Exchange server back to internet without verifying that the
network access to that system is limited to the ports you have (signed!)
management clearance for. Make sure your system has all current SPs and hotfixes
installed - and keep it current.
Sorry
Volker
--
Volker Tanger <[EMAIL PROTECTED]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
