Computer Security - All Ports open on IIS Server?
#1

I was involved in a security audit recently in which I scanned the Web Server from outside the organization. It reported no ports responded (even port 80)! This was grc.com saying that everything was in "stealth" mode. The web page immediately comes up as an HTTPS page so it obviously responds to port 80 and then goes into a secure page mode, but even this isn't the oddest thing I found. On the inside of the firewall, the server reported to NMAP that 100's of ports were open. It is running Microsoft IIS webserver. In all my teachings the idea of a layered defense seems to go against the grain of this. Obviously, the firewall is effective in blocking outside entry on these ports, but inside is wide open! Additionally, I don't understand how all these ports could be opened without the appropriate "services" that should be running on this host to use the ports. What am I missing?

- Sqezins
#2

Sqezins wrote:

> I was involved in a security audit recently in which I scanned from outside
> the organization the Web Server. It reported no ports responded (even port
> 80)! This was grc.com saying that everything was in "stealth" mode.
>
> The web page immediately comes up as an HTTPS page so it obviously
> responds to port 80 and then goes into a secure page mode but even this
> isn't the oddest thing I found.
>
> On the inside of the firewall, the server reported to NMAP that 100's of
> ports were open. It is running Microsoft IIS webserver.
>
> In all my teachings the idea of a layered defense seems to go against the
> grain of this. Obviously, the firewall is effective in blocking outside
> entry on these ports but inside is wide open!
>
> Additionally, I don't understand how all these ports could be opened
> without the appropriate "services" that should be running on this host to
> use the ports?
>
> What am I missing?

If the services aren't set to manual or to disabled (e.g. the Server service) they will listen on those ports. So if you say that there are ports listening, you should check the server itself for active services. Remember that a standard Windows server installation has a lot of services enabled by default (it's a little better with Windows 2003).

Wimbo
#3

In article <Xns957C83A16833Dggregorcsicom@204.127.199.17>, says...

> I was involved in a security audit recently in which I scanned from outside
> the organization the Web Server. It reported no ports responded (even port
> 80)! This was grc.com saying that everything was in "stealth" mode.

GRC will only scan the IP you are sitting at, not some other IP.

> The web page immediately comes up as an HTTPS page so it obviously
> responds to port 80 and then goes into a secure page mode but even this
> isn't the oddest thing I found.

HTTPS is not using port 80, HTTPS uses port 443.

> On the inside of the firewall, the server reported to NMAP that 100's of
> ports were open. It is running Microsoft IIS webserver.

The server is going to have many ports open, that's why it's behind a firewall. If you want to lock the server down inside your protected network, you are going to need more than a firewall.

> In all my teachings the idea of a layered defense seems to go against the
> grain of this. Obviously, the firewall is effective in blocking outside
> entry on these ports but inside is wide open!

You didn't tell us what type of firewall - if it's an appliance then you have nothing blocking the server on the LAN, so why would you expect there to be any security INSIDE the LAN? If you installed a personal firewall application on the server, many of those allow full access by anything in the same subnet - that's why you don't use personal firewall applications to protect servers.

> Additionally, I don't understand how all these ports could be opened
> without the appropriate "services" that should be running on this host to
> use the ports?

If a port is open and listening, it's got something in the OS (or application) running to allow it to be open/listening - it could not respond if there wasn't something down.

As for internal/external - it's not really bad to have your server open inside your private network, as long as you follow proper security measures to restrict access from the server to your network systems.

--
Leythos (Remove 999 to reply to me)
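The point made in #2 and #3, that a port can only be listening because some process or service on the box owns the socket, is easier to settle on the host than from a scan. The script below is an added example, not code from this thread: it joins the output of `netstat -ano` with `tasklist /svc` (both present on Windows XP/2003 and later) so every listening socket is shown with its PID, image name and the Windows services registered in that process. The two text samples embedded in it are constructed to look like that output; the PIDs, images and services in them are assumptions. On a real server, run the two commands back to back and feed their output in instead.

```python
"""Added example (not from this thread): attribute each listening socket
reported by `netstat -ano` to its owning process and Windows services from
`tasklist /svc`. Both commands exist on Windows XP/2003 and later.

The two samples below are CONSTRUCTED to look like that output; the PIDs,
images and services are assumptions. Replace them with the real output.
"""
import re
from collections import namedtuple

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1588
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1076
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:445           10.0.0.23:1043         ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# PID 1588 is deliberately missing here: the process exited between the two
# commands, which is a real-world reason for a listener with no owner.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    812 RpcSs
svchost.exe                   1076 TermService
inetinfo.exe                  1440 IISADMIN, W3SVC
"""

Listener = namedtuple("Listener", "proto addr port pid")


def parse_netstat(text):
    """Return the listening sockets: TCP rows in LISTENING state and all UDP rows."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # blank lines and column headers
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        if proto == "TCP" and parts[3] != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT etc. are not listeners
        addr, port = local.rsplit(":", 1)  # rsplit also copes with [::]:80
        listeners.append(Listener(proto, addr, int(port), pid))
    return listeners


def parse_tasklist(text):
    """Return {pid: (image name, [service names])} from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*?)\s*$", line)
        if not m:
            continue  # the header and the ===== separator have no PID column
        image, pid, services = m.group(1), int(m.group(2)), m.group(3)
        names = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        procs[pid] = (image, names)
    return procs


def attribute_listeners(netstat_text, tasklist_text):
    """Join the two listings: one row per listening socket with its owner."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for l in parse_netstat(netstat_text):
        image, services = procs.get(l.pid, ("<no such pid>", []))
        rows.append({"proto": l.proto, "port": l.port, "addr": l.addr,
                     "pid": l.pid, "image": image, "services": services})
    return sorted(rows, key=lambda r: (r["proto"], r["port"]))


def needs_a_closer_look(rows):
    """Listeners no user-mode service claims. PID 4 (System) is expected to own
    kernel-mode listeners (http.sys on IIS 6, SMB), so it is left alone; a
    user-mode PID with no registered service, or a PID tasklist never saw,
    is what to chase down."""
    return [r for r in rows if r["pid"] != 4 and not r["services"]]


if __name__ == "__main__":
    for r in attribute_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        svc = ", ".join(r["services"]) or "-"
        print(f"{r['proto']:<4} {r['addr']}:{r['port']:<6} pid={r['pid']:<5} {r['image']:<20} {svc}")
```

On IIS 6 the HTTP listener is http.sys in kernel mode, so 80 and 443 show up under PID 4 (System) rather than under an IIS executable; on IIS 4/5 they belong to inetinfo.exe. A listener whose PID is not in the tasklist output usually just means the process died between the two commands, so rerun both before treating it as suspicious.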
#4

Leythos wrote in news:

> GRC will only scan the IP you are sitting at, not some other IP.

Yep, and the webserver was where I was sitting when I asked for the scan to happen. The IP that they (grc) ID'd me at though isn't the same one that I find when I'm in the outside world and say "ping clientdomain.com". The DNS servers hit 3 of the 4 octets right and the fourth is off by 4. Close, but no cigar.

> HTTPS is not using port 80, HTTPS uses port 443.

Agreed, but when you hit the website for the first time at clientdomain.com, aren't you defaulting to port 80 and then redirected to an https page using 443?

> You didn't tell us what type of firewall -

Sorry, it's an appliance firewall. Watchguard Firebox.

> If a port is open and listening, it's got something in the OS (or
> application) running to allow it to be open/listening - it could not
> respond if there wasn't something down.

That was my conclusion too. It seems odd to me that the "web server" should be reporting that ports 1-1024 are all open when some of the ports are still considered "unknown". Nmap didn't declare this as the case on another server within the trusted network.

> As for internal/external - it's not really bad to have your server
> open inside your private network,

Well, it doesn't allow regular log-ins or anything like that (except admin) and it isn't in the same subnet as the rest of the machines. I just scratch my head about how all those ports are being described as "open".

Greg Smith
#5

In article <Xns957CC4F5E5172ggregorcsicom@204.127.204.17>, says...

> > GRC will only scan the IP you are sitting at, not some other IP.
>
> Yep, and the webserver was where I was sitting when I asked for the
> scan to happen. The IP that they (grc) ID'd me at though isn't the same
> one that I find when I'm in the outside world and say "ping
> clientdomain.com". The DNS servers hit 3 of the 4 octets right and the
> fourth is off by 4. Close, but no cigar.

Then you have an HTTP proxy configured and your web server is actually going outbound on the firewall's IP when you browse the web from the web server. You won't get a good GRC scan this way.

> > HTTPS is not using port 80, HTTPS uses port 443.
>
> Agreed, but when you hit the website for the first time at
> clientdomain.com, aren't you defaulting to port 80 and then redirected
> to an https page using 443?

If you type HTTP://WWW.MYSITE.COM the connection is via 80. If you type HTTPS://WWW.MYSITE.COM the connection is via 443.

> > You didn't tell us what type of firewall -
>
> Sorry, it's an appliance firewall. Watchguard Firebox.

If you have a Firebox, and I have many of them, and your rules are set up properly, the only exposure you have is 80/443 inbound on an HTTP Proxy rule mapping public IP to local IP via NAT. Having something exposed on the LAN does not mean it's exposed through the firewall - you have to open holes in the firewall to expose it.

--
Leythos (Remove 999 to reply to me)
#6

On Fri, 08 Oct 2004 20:27:03 GMT, Leythos wrote:

> You didn't tell us what type of firewall -

##################
He also didn't tell us what version of IIS. IIRC it wasn't until version 6 that security was worth anything.

donnie
#7

> He also didn't tell us what version of IIS. IIRC it wasn't until
> version 6 that security was worth anything.

In my experience, security is fine in earlier versions if you set it up properly.

--
Dave "Crash" Dummy - A weapon of mass destruction
http://lists.gpick.com
#8

In article <>, says...

> On Fri, 08 Oct 2004 20:27:03 GMT, Leythos wrote:
>
> > You didn't tell us what type of firewall -
> ##################
> He also didn't tell us what version of IIS. IIRC it wasn't until
> version 6 that security was worth anything.

Donnie, you must not have any experience with IIS 4 or 5. We've had hundreds of public IIS servers running without a single compromise or problem that was security related.

You can easily secure IIS 4 and IIS 5, and IIS 6.

--
Leythos (Remove 999 to reply to me)
#9

On Sat, 09 Oct 2004 14:23:24 GMT, Leythos wrote:

> Donnie, you must not have any experience with IIS 4 or 5. We've had
> hundreds of public IIS servers running without a single compromise or
> problem that was security related.
>
> You can easily secure IIS 4 and IIS 5, and IIS 6.

#####################
That's correct, I haven't used IIS. It was something that I read, and I understand that many vulnerabilities are due to misconfiguration.

donnie
#10

Are you sure that nmap reported that the ports were open, and not "filtered" or "closed"? Show us a copy of the scan, if you can.

-ds
David Shaw
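David Shaw's question is the right one to settle first. For a TCP SYN scan nmap reports a port as `open` when it receives a SYN/ACK, `closed` when it receives a RST, and `filtered` when nothing (or an ICMP unreachable) comes back; a firewall in the path turns most of a range into `filtered`, not `open`. A host where every port in 1-1024 is `open`, as Greg describes, usually means something answered every SYN (a proxying or intercepting device, or a scan artifact) rather than that hundreds of services are listening, and the result should be checked against the host's own socket table. The script below is an added example, not from the thread: it parses nmap's grepable output (`-oG`) into per-host open/closed/filtered counts and flags the all-open case. The two host lines embedded in it are constructed samples in the `-oG` line format, not real scan results, and the addresses are assumptions.

```python
"""Added example (not from this thread): read nmap grepable output (-oG),
count open/closed/filtered ports per host, and flag a host where every
scanned port came back 'open'.

The two host lines below are CONSTRUCTED samples in the -oG format; the
addresses and states are assumptions, not a real scan.
"""
import re
from collections import Counter

REALISTIC_HOST = (
    "Host: 10.0.0.5 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 443/open/tcp//https///, "
    "445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-term-serv///"
    "\tIgnored State: closed (1018)"
)
# What Greg described: ports 1-1024 all reported open. nmap prints no
# "Ignored State" field when no ports were collapsed.
ALL_OPEN_HOST = "Host: 10.0.0.6 ()\tPorts: " + ", ".join(
    f"{p}/open/tcp//unknown///" for p in range(1, 1025))
SAMPLE = ("# Nmap scan (constructed sample, not real output)\n"
          + REALISTIC_HOST + "\n" + ALL_OPEN_HOST + "\n")

PORT_FIELD = re.compile(r"Ports: (.*?)(?:\t|$)")
IGNORED_FIELD = re.compile(r"Ignored State: (\w+) \((\d+)\)")


def parse_grepable(text):
    """Return {ip: {"ports": {(proto, port): state}, "states": Counter}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and hosts with no port results
        ip = line.split()[1]
        ports, states = {}, Counter()
        for entry in PORT_FIELD.search(line).group(1).split(","):
            # each entry looks like 80/open/tcp//http///
            port, state, proto = entry.strip().split("/")[:3]
            ports[(proto, int(port))] = state
            states[state] += 1
        ignored = IGNORED_FIELD.search(line)
        if ignored:  # ports nmap collapsed because they all shared one state
            states[ignored.group(1)] += int(ignored.group(2))
        hosts[ip] = {"ports": ports, "states": states}
    return hosts


def assess(host):
    """Summarise one host and say how believable the scan result is."""
    s = host["states"]
    scanned = sum(s.values())
    if scanned and s["open"] == scanned:
        # every SYN got a SYN/ACK: compare with netstat on the host itself
        verdict = "all_open"
    elif scanned and s["filtered"] > s["open"] + s["closed"]:
        # a firewall or ACL between scanner and target dropped most probes
        verdict = "mostly_filtered"
    else:
        verdict = "plausible"
    return {"scanned": scanned, "open": s["open"], "closed": s["closed"],
            "filtered": s["filtered"], "verdict": verdict}


def open_ports(host):
    """Sorted list of port numbers reported open for the host."""
    return sorted(port for (_, port), state in host["ports"].items()
                  if state == "open")


if __name__ == "__main__":
    for ip, host in parse_grepable(SAMPLE).items():
        print(ip, assess(host), open_ports(host)[:10])
```

Run the real scan with `nmap -sS -p 1-1024 -oG scan.gnmap <host>` from the inside and from the outside and feed both files through `parse_grepable`: the inside result should be a short list of open ports with the rest closed, and the outside result mostly filtered with only 80/443 open. An all-open verdict from the inside is a reason to look at the server's own listening sockets, not a list of services to go hunting for.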