ZAP and inetinfo.exe

sims

Distinguished
Apr 20, 2004
19
0
18,510
Archived from groups: comp.security.firewalls,microsoft.public.inetserver.iis (More info?)

Hi,

Over the last few days I have been beefing up my security and I have learned
how to close my ports properly.
I have also upgraded to Zone Alarm Pro (well, I am still using the
evaluation period).

So now according to www.grc.com, (thanks Paul Lynch), all my ports are
closed and it appears that everything is ok.
My local internet project is also running fine, (inetinfo.exe has ZA access
to the internet), so it all seems like my little website/PC is closed to the
outside world.

But then while using phpMyAdmin, (a MySQL db administration tool written in
php), I got a crash in inetinfo.exe.
Cleverly enough inetinfo.exe restarted itself right away and all seemed ok.

But to my horror Zone Alarm was now allowing connections to all the ports
used by IIS.
Somehow inetinfo.exe had changed something that now allows access to the
ports, (80, 135 etc...)... I made no change to ZA.

I can reproduce the problem quite easily so I know it is inetinfo.exe.

Does anybody know what the problem might be? And how it can be resolved?
Should I set ZA to block outside access to inetinfo.exe (my current
setting)?

Sims
 
Guest

"Sims" <siminfrance@hotmail.com> wrote in
news:c686gg$8t34r$1@ID-162430.news.uni-berlin.de:

> Hi,
>
> Over the last few days I have been beefing up my security and I have
> learned how to close my ports properly.
> I have also upgraded to Zone Alarm Pro (well, I am still using the
> evaluation period).
>
> So now according to www.grc.com, (thanks Paul Lynch), all my ports
> are closed and it appears that everything is ok.
> My local internet project is also running fine, (inetinfo.exe has ZA
> access to the internet), so it all seems like my little website/PC is
> closed to the outside world.
>
> But then while using phpMyAdmin, (a MySQL db administration tool
> written in php), I got a crash in inetinfo.exe.
> Cleverly enough inetinfo.exe restarted itself right away and all
> seemed ok.
>
> But to my horror Zone alarm was now allowing connections to all the
> ports used by IIS.
> Somehow inetinfo.exe had changed something that now allows access to
> the ports, (80, 135 etc...)... I made no change to ZA.
>
> I can reproduce the problem quite easily so I know it is inetinfo.exe.
>
> Does anybody know what the problem might be? And how it can be
> resolved? Should I set ZA to block outside access to inetinfo.exe, (my
> current setting).
>
> Sims
>
>

Whatever the *Hell* Gibson is talking about, you need to dump it.

I suggest you get yourself a NAT router and put it in front of the machine
to protect IIS and SQL Server and whatever else you have running on that
machine along that nature.

You should learn how to secure those services and the NT based O/S as well.
If they are not secure, then whatever you're trying to do here is moot.

There is tons of information out on Google and the MS Knowledge Base on how
to secure things.

http://www.homenethelp.com/web/explain/about-NAT.asp

A NAT router costs as much as paying for ZA. I am not saying not to use ZA
behind the router.

http://www.uksecurityonline.com/index5.php

You should go to the NT based O/S and secure the O/S and the services such
as IIS.

Duane :)
 

sims

Hi,

> Whatever the *Hell* Gibson is talking about, you need to dump it.

Ok so who do I believe now?
If his site tries to access my machine and cannot then surely it is good
enough.

>
> I suggest you get yourself a NAT router an put it in front of the machine
> to protect IIS and SQL Server and whatever else you have running on that
> machine along that nature.

Yes, I am going to get a NAT router. But until then I want to have some
protection.
A good firewall should be good enough for a few days/weeks.

> You should learn how to secure those services and the NT based O/S as well.
> If they are not secure, then whatever you're trying to do here is moot.
>
> There is tons of information out on Google and the MS Knowledge Base on how
> to secure things.
>
> http://www.homenethelp.com/web/explain/about-NAT.asp
>
> A NAT router cost as much as paying for ZA. I am not say to not use ZA
> behind the router.
>
> http://www.uksecurityonline.com/index5.php
>
> You should go to the NT based O/S and secure the O/S and the services such
> as IIS.
>
> Duane :)

Thanks for the links, I will look at them ASAP.

Sims
 

sims

>> Somehow inetinfo.exe had changed something that now allows access
>> to the
>> ports, (80, 135 etc...)... I made no change to ZA.

> inetinfo runs on port 80

> John Cesta

Well, just that. Using www.grc.com I can test that _all_ my common ports are
'stealth', (in fact according to the test all my ports are 'stealth').
And then as soon as I allow access to innet.exe, (after a crash not at
normal startup of innet.exe), then the ports that are shown as open are
21, 25, 80, (sorry it was not 135 as I said above).

Sims
 
Guest

> normal startup of innet.exe), then the ports that are shown as open
> are
> 21, 25, 80,

Here's what it looks like to me.

When inetinfo starts up it may be starting web (80), ftp (21) and
mail (25).

When those ports are open, grc.com sees them, as it should. If you don't want
those ports open, shut down the ftp and mail server in IIS.

As to why they didn't show up before, I couldn't tell you; I am not on
site and controlling the testing. But, I would reboot. Run grc.com,
see what ports are open, close some or open some depending on what
services you need.

Check out as well a program called gsnetscan; it will scan your ports,
trojans and services. Nice. But, grc.com is the most convenient way to
test your server.

John Cesta

---------------------------------
The CPU Checker - Maximize Server Uptime
LogFileManager - The only IIS Logfile Management Tool
DomainReportIt PRO - Helps Convert IIS Installs
http://www.serverautomationtools.com


On Thu, 22 Apr 2004 09:11:44 -0400, Sims wrote:
>>> Somehow inetinfo.exe had changed something that now allows
>>> access
>>> to the
>>> ports, (80, 135 etc...)... I made no change to ZA.
>
>> inetinfo runs on port 80
>
>> John Cesta
>
> Well, just that. using www.grc.com i can test that _all_ my common
> ports are
> 'stealth', (in fact according to the test all my ports are
> 'stealth').
> And then as soon as i allow access to innet.exe, (after a crash not
> at
> normal startup of innet.exe), then the ports that are shown as open
> are
> 21, 25, 80, (sorry it was not 135 as i said above).
>
> Sims
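John's advice is to check which services are actually listening rather than trust what the host firewall shows. The script below is an added example, not code from the thread or from any of the tools named in it: it parses the output format of Windows `netstat -ano` (the sample lines and the PID-to-image map are constructed to match the situation in the thread, with inetinfo.exe owning 21, 25 and 80) and reports which listeners are bound to all interfaces, which is what an outside scanner such as grc.com would see once the firewall lets the process through.

```python
"""Audit which TCP/UDP listeners on a Windows host are reachable from the network.

Added example, not from the thread. Parses `netstat -ano` style output and a
PID -> image-name map of the kind `tasklist` prints, then reports listeners
bound to all interfaces (0.0.0.0) rather than to loopback only.
"""
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output for a host like the one in the thread
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       2200
  TCP    192.168.1.10:1043      64.13.12.5:80          ESTABLISHED     1500
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image name map (what `tasklist` would show on that host)
PID_MAP = {1234: "inetinfo.exe", 900: "svchost.exe", 2200: "mysqld.exe",
           1500: "iexplore.exe", 4: "System"}

# Service names for the ports discussed in the thread
PORT_NAMES = {21: "FTP", 25: "SMTP", 80: "HTTP",
              135: "RPC endpoint mapper", 445: "SMB"}

# proto, local addr:port, foreign, optional state (UDP has none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int
    image: str
    service: str
    exposed: bool  # True when bound to all interfaces rather than loopback


def parse_netstat(text, pid_map):
    """Return the listening sockets found in netstat text, annotated with owner and exposure."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything not a socket row
        proto, addr, port, _foreign, state, pid = m.groups()
        # TCP rows carry a state; only LISTENING sockets accept new connections
        if proto == "TCP" and state != "LISTENING":
            continue
        port, pid = int(port), int(pid)
        listeners.append(Listener(proto, addr, port, pid,
                                  pid_map.get(pid, "unknown"),
                                  PORT_NAMES.get(port, "other"),
                                  exposed=addr not in ("127.0.0.1", "::1")))
    return listeners


def exposed_by_image(listeners, image):
    """Sorted ports the named process exposes on non-loopback addresses."""
    return sorted(l.port for l in listeners if l.exposed and l.image == image)


if __name__ == "__main__":
    found = parse_netstat(NETSTAT_SAMPLE, PID_MAP)
    for l in found:
        where = "EXPOSED" if l.exposed else "local-only"
        print(f"{l.proto:3} {l.port:5} {l.service:20} {l.image:14} {where}")
    print("inetinfo.exe exposes:", exposed_by_image(found, "inetinfo.exe"))
```

On the sample data inetinfo.exe comes out as exposing 21, 25 and 80, which is exactly the set grc.com reported once ZoneAlarm let the process through; the MySQL listener on 3306 is bound to 127.0.0.1 and so never shows up from outside. Running the real `netstat -ano` and `tasklist` on the host and feeding their output to the same functions gives the local ground truth that the remote scan is only inferring.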
 
Guest

"Sims" <siminfrance@hotmail.com> wrote in
news:c68fon$95mbi$1@ID-162430.news.uni-berlin.de:

> Hi,
>
>> Whatever the *Hell* Gibson is talking about, you need to dump it.
>
> Ok so who do I believe now?
> If his site tries to access my machine and cannot then surely it is
> good enough.

Not on a machine that has IIS and SQL Server sitting there. ZA is not
integrated into the O/S. So, there is always that lag with a third party
host based FW solution to get to the TCP/IP first and it can be beaten at
system boot.

The host based FW can be taken down by malware or can be easily
circumvented by it.

As opposed to a NAT router that is a standalone device that sits in front
of the machine.

>
> Yes, I am going to get a NAT router. But until then I want to have
> some protection.
> A good firewall should be good enough for a few days/weeks.
>

Well, until such time you purchase a NAT router, you can use IPsec to
supplement ZA on the machine. IPsec will get to the TCP/IP connection first
during the boot. And IPsec is hard to take down.

You should consider your machine to be in the DMZ, until you get the
router. Use Google and search on *network DMZ* for what it means.

http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
http://www.analogx.com/contents/articles/ipsec.htm

Gibson is for the average home user that doesn't have high risk services
running on the machine. And you don't seem to be that, not with all that
you have running on the machine.

If you're doing some Web programming using IIS, then don't use the IIS
Lockdown tool as it will make things very difficult for you to run even
using the localhost.

You can use the tools in the link to look around from time to time.

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

It starts with the O/S and everything else is secondary to it.

Duane :)
 
Guest

Hello,

ZoneAlarm has some "user friendly" behavior, and I think that this was not
so user friendly in your case. It sounds like ZA thinks it is okay to open
all ports used by IIS (in your case, you have FTP, SMTP and HTTP installed).

You need to reconfigure your firewall to not open these ports. Also, if you
are not using FTP or SMTP, uninstall it. That is the safest thing to do.

--
Regards,
Kristofer Gafvert - IIS MVP
Reply to newsgroup only. Remove NEWS if you must reply by email, but please
do not.
http://www.ilopia.com/


"Sims" <siminfrance@hotmail.com> wrote in message
news:c68gaq$8sehj$1@ID-162430.news.uni-berlin.de...
> >> Somehow inetinfo.exe had changed something that now allows access
> >> to the
> >> ports, (80, 135 etc...)... I made no change to ZA.
>
> > inetinfo runs on port 80
>
> > John Cesta
>
> Well, just that. using www.grc.com i can test that _all_ my common ports
are
> 'stealth', (in fact according to the test all my ports are 'stealth').
> And then as soon as i allow access to innet.exe, (after a crash not at
> normal startup of innet.exe), then the ports that are shown as open are
> 21, 25, 80, (sorry it was not 135 as i said above).
>
> Sims
>
>
>
 

sims

> during the boot. And IPsec is hard to take down.
>
> You should consider your machine to be in the DMZ, until you get the
> router. Use Google and search on *network DMZ* for what it means.
>
> http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
> http://www.analogx.com/contents/articles/ipsec.htm
>
> Gibson is for the average home user that doesn't have high risk services
> running on the machine. And you don't seem to be that, not with all that
> you have running on the machine.
>
> If you're doing some Web programming using IIS, then don't use the IIS
> Lockdown tool as it will make things very difficult for you to run even
> using the localhost.
>
> You can use the tools in the link to look around from time to time.
>
> http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
>
> It starts with the O/S and everything else is secondary to it.
>
> Duane :)
>

Hi,

Thanks for all the useful information, I do have a bit to look at now.

One more question, looking at
http://www.dabs.com/uk/search.htm?searchPhrase=NAT+router, what router would
you get?
(I am just worried that I might get something fairly useless).
My budget is fairly flexible, I just don't want to get something that is not
so good just to save a few quid.

Considering that my main machine is a WinXP and my second network machine is
Win98?

Many thanks again.

Sims
 
Guest

"Sims" <siminfrance@hotmail.com> wrote in
news:c6bi5a$9ugva$1@ID-162430.news.uni-berlin.de:

>> during the boot. And IPsec is hard to take down.
>>
>> You should consider your machine to be in the DMZ, until you get the
>> router. Use Google and search on *network DMZ* for what it means.
>>
>> http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
>> http://www.analogx.com/contents/articles/ipsec.htm
>>
>> Gibson is for the average home user that doesn't have high risk
>> services running on the machine. And you don't seem to be that, not
>> with all that you have running on the machine.
>>
>> If you're doing some Web programming using IIS, then don't use the
>> IIS Lockdown tool as it will make things very difficult for you to
>> run even using the localhost.
>>
>> You can use the tools in the link to look around from time to time.
>>
>> http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
>>
>> It starts with the O/S and everything else is secondary to it.
>>
>> Duane :)
>>
>
> Hi,
>
> Thanks for all the useful information, I do have a bit to look at now.
>
> One more question, looking at
> http://www.dabs.com/uk/search.htm?searchPhrase=NAT+router, what router
> would you get?
> (I am just worried that I might get something fairly useless).
> My budget is fairly flexible, I just don't want to get something that
> is not so good just to save a few quids.
>
> Considering that my main machine is a WinXp and my second network
> machine is Win98?
>
> Many thanks again.
>
> Sims
>
>
>

It all depends on what you're looking for in a NAT router; some have more
features than others. One thing you may want to look at is a router that
has Stateful Packet Inspection (SPI) in the firmware.

You may also want to look at routers that can block inbound IP(s), in
case you open port 80 on the router (*port forwarding* a port to a machine
that needs the port on the router open to the public Internet). You may
need to use the router to block an IP that may be doing a DoS attack
on the Website on port 80, as an example.

But if you're just looking to use the router for basic protection of the
LAN, then a simple NAT router will do supplemented by something like IPsec
or a host based FW on the machines to stop inbound or outbound if needed.

You may want to look at the Linksys BEF model routers www.linksys.com. I
say that because I use a BEF model router currently with (free) Wallwatcher
to review what traffic is coming to and leaving the LAN on a routine basis.

http://computertips.toups.info/WWService/WWService.html

The cheap NAT routers do not have FW(s) and don't meet the specs in the
link.

http://www.firewall-software.com/firewall_faqs/what_does_firewall_do.html

What meets the specs is a FW appliance such as a low-end WatchGuard Firebox
III as an example. It's around $350 at www.cdw.com. That will be my next
move on my quest for knowledge. :)

But in your case, you should go with the NAT router as a starter.

Also, you may want to look into using the HOSTS file, which is about any
application/program running on the machine, such as spyware's ability to use a
hard coded URL in code to access a site. If the HOSTS file is active on the
O/S, then it will use the IP for the Website based on the IP found for the
site in the HOSTS file; otherwise it will go to the ISP's Domain Name Server
to resolve the URL to an IP.

If the IP for the site is 127.0.0.1, then access to the site will be
blocked. The loopback IP is also used by an application such as IE to keep
itself ready. You can watch this happen by using Active Ports (free) and
starting IE and let it sit for awhile. You'll see IE switch to the loopback
IP keeping itself ready.

http://compnetworking.about.com/library/weekly/aa042400c.htm
http://www.mvps.org/winhelp2002/hosts.htm
http://www.snapfiles.com/get/hoststoggle.html

You may want to put a short-cut for Active Ports in the Start folder as it
will give a clear picture of what is making connections at system boot.

HTH

Duane :)
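The HOSTS-before-DNS lookup order Duane describes, and the 127.0.0.1 blocking trick, as an added example that is not part of the thread or of any of the linked tools. The hosts-file text and the DNS table are constructed stand-ins (the real file on Windows is %SystemRoot%\System32\drivers\etc\hosts); the `audit` function goes a little beyond the post by also flagging entries that send a name somewhere other than loopback, since the same file that blocks a site can just as easily redirect one.

```python
"""Resolve names the way the post describes: HOSTS file first, DNS second.

Added example, not from the thread. HOSTS_SAMPLE and FAKE_DNS are constructed;
on Windows the real file is %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import ipaddress

# Constructed sample hosts file (same syntax as the Windows/Unix file)
HOSTS_SAMPLE = """\
# Constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.test     # sinkholed ad host
127.0.0.1       spyware-update.example.test  # blocked as the post suggests
10.0.0.5        intranet.example.test        # legitimate internal override
this is not a valid line
"""

# Constructed stand-in for the ISP's DNS server
FAKE_DNS = {
    "ads.example-tracker.test": "203.0.113.10",
    "spyware-update.example.test": "203.0.113.20",
    "www.example.test": "203.0.113.30",
}

# Addresses that make a hosts entry a "block" rather than a redirect
SINKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments and bad lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address: skip the line
        for name in parts[1:]:
            table.setdefault(name.lower(), ip)  # keep the first entry seen for a name
    return table


def resolve(name, hosts, dns):
    """HOSTS entry wins; otherwise fall back to DNS. Returns (ip, source)."""
    name = name.lower()
    if name in hosts:
        return str(hosts[name]), "hosts"
    if name in dns:
        return dns[name], "dns"
    return None, "unresolved"


def is_blocked(name, hosts):
    """True when the hosts file pins the name to loopback or the unspecified address."""
    ip = hosts.get(name.lower())
    return ip is not None and ip in SINKHOLE


def audit(hosts):
    """Classify each entry (localhost excepted) as 'blocked' or 'override'."""
    report = {}
    for name, ip in hosts.items():
        if name == "localhost":
            continue  # the one loopback entry every hosts file is expected to have
        report[name] = "blocked" if ip in SINKHOLE else "override"
    return report


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_SAMPLE)
    for n in ("spyware-update.example.test", "www.example.test", "intranet.example.test"):
        print(n, "->", resolve(n, hosts, FAKE_DNS))
    for n, verdict in audit(hosts).items():
        print(f"{verdict:9} {n} -> {hosts[n]}")
```

Entries classed as `blocked` are the deliberate sinkholes the mvps.org list is built from; anything reported as `override` deserves a look, because a name being quietly sent to an unexpected address is the other thing the file is used for.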