Discussion
Just been playing with my mail server and I need to understand the security issues.
The Server is a Win 2000 server running IIS.
The mail server has port 25 open to the web for mail...risk I believe is very low.
However to use the webmail functionality I need to open port 80 or whatever and allow access to what is essentially a web page. I've looked at putting authorisations on it through IIS but this only highlights all the inbuilt functionality which needs to be controlled.
Any thoughts how I make it secure.
For better security, use a hardware firewall, NAT the server, then move the Webmail program to a different port...
ie port 8910
then, when you need to access your webmail from the road simply use the following.
http://fish.com:8910/webmail
This will reduce the vulnerability to kiddie scripts which are set to scan on generic ports for generic weaknesses.
The best bet would be to firewall block the port on top, to only approved ranges (ie if you know you will only access BT Openworld and Vodafone GPRS, only allow these ranges and block the rest...)
GL
That is sort of the lines I was thinking of. Is port 25 relatively okay then? It is just port 80 which is dodgy. If I restrict the IPs that can log in, is it the originating IP or the ISP's IP, if you see what I mean. And yes I have two hardware firewalls both running NAT etc. So it can get complicated
All good advice above, you may also want to have a look at the Microsoft web site to make sure you have protected/correctly configured your web and e-mail servers on whichever ports they end up on. I'd suggest you have a look at:-
Check Windows Update and the Microsoft IIS web pages; there are security patches out for IIS on Win2K.
IIS Lockdown Wizard/ Tool - www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp
IIS Security advice - www.microsoft.com/technet/security/prodtech/iis/default.mspx
Exchange Security best practice - www.microsoft.com/exchange/techinfo/security/ExSecurityBP.asp
Good Luck
fish said:
That is sort of the lines I was thinking of. Is port 25 relatively okay then? It is just port 80 which is dodgy. If I restrict the IPs that can log in, is it the originating IP or the ISP's IP, if you see what I mean. And yes I have two hardware firewalls both running NAT etc. So it can get complicated
Alas you will need to leave the SMTP server on port 25; if you don't it won't receive any incoming mail, as the Rest of World will try to deliver to 25.
You could stick the SMTP server behind the Firewall, and PostFix it.
Something like a Cisco PIX has the ability to 'hide' the mail server's versions / banners, making a version dependent hack that much harder.
The IPs that login will typically be the IP of the person's PC that is connecting (tho in some cases transparent proxying may well cause it to appear to be NTL Cache for example) tho this is where moving the port is good.
You should be aware tho, that by moving the port, some people on restricted connections may not be allowed to access the 'unusual port'
It all depends if the Webmail is just for you, or for lots of others.
If just you, then firewall it to death

The webmail is just for the Chairman so he can get his mail from his laptop in the Med. I'm going to set up VPN for myself so I can get in from home; this will also have VNC on it. With the VPN I can block all other IP addresses other than home so that should be fine. There's no problem in changing the port for webmail as well.
The complicated bit will be teaching him how to use IMAP instead of POP3....

If you leave port 25 open without blocking mail relay, you'll find yourself shut down within a week
The moment you open port 25 up, every port scanner and his dog will be all over you. Port 25 is the root of all evil and spam!
All you wanted to know should be here
http://support.microsoft.com/default.aspx?scid=kb;EN-US;304897
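The "block mail relay" rule from the post above, written out as a small policy decision for RCPT TO. This is an added example, not code from the thread or from any Microsoft product: a server relays off-site only for authenticated users or clients on the trusted LAN, and accepts inbound mail for its own domain from anyone. The domain fish.com is taken from the thread; the LAN range and client addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed policy for a single-domain mail server behind a NAT firewall.
LOCAL_DOMAINS = {"fish.com"}                                 # domains we accept mail FOR
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]      # LAN behind the firewall (assumption)


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False   # SMTP AUTH succeeded for this connection


def domain_of(addr: str) -> str:
    """Return the lowercase domain part of an address like user@example.com."""
    if "@" not in addr:
        raise ValueError(f"malformed address: {addr!r}")
    return addr.rsplit("@", 1)[1].lower()


def rcpt_decision(session: Session, rcpt: str) -> Tuple[int, str]:
    """Return the SMTP reply (code, text) for RCPT TO under a no-open-relay policy."""
    ip = ipaddress.ip_address(session.client_ip)
    if domain_of(rcpt) in LOCAL_DOMAINS:
        return 250, "OK"   # inbound mail for us: must be accepted from anyone on port 25
    if session.authenticated or any(ip in net for net in TRUSTED_NETS):
        return 250, "OK"   # outbound relay, but only for our own users
    return 554, "Relay access denied"   # a stranger asking us to deliver elsewhere


def is_open_relay(decide=rcpt_decision) -> bool:
    """Self-check: does the policy let an untrusted, unauthenticated client relay off-site?"""
    stranger = Session(client_ip="203.0.113.9")   # RFC 5737 documentation address, constructed
    code, _ = decide(stranger, "someone@example.net")
    return code == 250
```

`is_open_relay` accepts an alternative decision function so the same check can be pointed at a different policy; it returns True for any policy that grants the stranger a 250.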
fish said:
Just been playing with my mail server and I need to understand the security issues.
The Server is a Win 2000 server running IIS.
The mail server has port 25 open to the web for mail...risk I beleive is very low.
However to use the webmail functionality I need to open port 80 or whatever and allow access to what is essentially a web page. I've looked at putting authorisations on it through IIS but this only highlights all the inbuilt functionality which needs to be controlled.
Any thoughts how I make it secure.
All good advice, though instead of moving the web service to a random port I'd be tempted to install a certificate on the server, enable SSL and allow access to port 443 through the firewall. No one ever tries to hack HTTPS because it's too much effort for the script kiddies.... 443 is open for just about all internet connections too...