Viewing 11 posts - 1 through 11 (of 11 total)
  • IT & Network security types.. any advice?
  • 0303062650
    Free Member

    Hi All,

    We're getting a routine attempt to access one of our servers, it's just an AD server and doesn't really do a lot other than DHCP and AD.. anyway, it appears that some Russian is bored and wants to see what's happening and has lots of login attempts. So, I've blocked the source IP on the firewall and am going to look through the open ports to close down what's open and doesn't need to be.

    I wondered whether there were any free port-scanner tools you'd advise on using? Or is there anything else I need to look at?

    cheers and many thanks in advance,
    jt 😉

    GrahamS
    Full Member

    Try ShieldsUp at GRC.com, they'll port scan you and report back the results.

    scuttler
    Full Member

    It's not really what you're asking but if it 'only' does DHCP and AD (i.e. core functions of your network) then why is it externally facing? What else is on there that needs to be open to all?

    Matt

    samuri
    Free Member

    It's a windows server so it shouldn't even be on the internet. You're just asking for trouble doing that. Shut it down, completely. Unless you have a particularly good reason for wanting it there.

    However, if you want it scanned I'll do it for you.

    If you want to do it yourself then nmap is great but a bit techy, nessus is much better but still uses nmap as its core tool.

    grahamb
    Free Member

    +1 to what samuri said.

    I'd add: it sounds to me like you really need to look at your general firewall policy & not just for this system. You should only be allowing access for externally initiated connections to services that require it. Everything else should be blocked. It doesn't sound like this is the case.

    samuri
    Free Member

    jon, if you want some proper help then I'll give you a bit of advice for free (email below) and then if we think you need some serious security consultancy we can talk about how much that would cost.

    samur2@hotmail.com

    FuzzyWuzzy
    Full Member

    Not sure what point Samuri is making – you certainly shouldn't have an unsecured host on the Internet but there's nothing wrong with a Windows host being there as long as it's secured.

    grahamb
    Free Member

    It's the terms "windows" and "secured" in the same sentence 😉

    samuri
    Free Member

    It's not secured, that's clear from the OP, so it shouldn't be there.

    0303062650
    Free Member

    It needs to be visible because our remote control software works via an http port.

    Thanks for the replies though, appreciated.

    We use netsupport for helpdesk/remote control duties. Out of all the boxes we have online and visible via netsupport, this is the only one we'd had a report on so my intentions were to look over the open ports and see what's what. I'm new to the firm I'm working with so still getting my head around how they have things set up here (6th day in the new job today).

    Samuri, will be in touch thanks.
    jt

    brassneck
    Full Member

    DHCP and AD on an unsecured network = very very bad

    Awful lot of information there, and any escalation of privilege on a DC means your domain is theirs.

    I would pull the plug now, and take samuri up on his offer – you can't just load up nmap and l0pthcrack and think you've nailed everything.

    Windows works just fine in a DMZ as long as secured properly. But I still prefer to use BSD/linux there if there is an option… or an appliance of some sort, which usually are linux anyway underneath.
