shared folder on dmz

Discussion in 'Computer Support' started by Todd, Apr 24, 2007.

  1. Todd

    Todd Guest

    I have a Windows PC plugged into my DMZ. I have shared a folder on it.
    I have a Windows domained network. Does anyone know what ports I need
    opened on my firewall to be able to access the shared folder's UNC from
    inside of my network?
     
    Todd, Apr 24, 2007
    #1

  2. Todd

    Mr. Arnold Guest

    "Todd" <> wrote in message
    news:f0jicg$alb$...
    >I have a Windows PC plugged into my DMZ. I have shared a folder on it. I
    >have a Windows domained network. Does anyone know what ports I need opened
    >on my firewall to be able to access the shared folder's UNC from inside of
    >my network?


    http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm

    Open ports 137-139 UDP and 445 TCP (NT-based O/S) on the FW to the LAN
    IP(s) of the machines you want to share resources with. But as for having a
    machine in the DMZ doing file sharing, with machines in the protected zone
    accessing the machine in the DMZ, that is questionable to say the least.

    Maybe you should look into an FTP site, only exposing ports 20 and 21
    TCP to the Internet to share files on the FTP site, routing/port forwarding
    traffic on ports 20 and 21 to the LAN IP/machine that has the FTP site
    running, instead of sticking/exposing the entire machine in the DMZ to be
    attacked.

    If using an FTP site, the O/S must be secured to face the Internet. That
    would also hold true for a machine being exposed to the Internet in the DMZ
    doing some kind of file sharing, which is a no-no in the first place.

    In either case, the machine is just hack bait that can be used to attack
    other machines on the Internet or a company private network if the O/S is
    not hardened to attack, such as the registry, user accounts, file system,
    the FTP site using a Web server, and the Web server itself being hardened
    to attack.
     
    Mr. Arnold, Apr 24, 2007
    #2

  3. Todd

    Todd Guest

    Mr. Arnold wrote:
    >
    > "Todd" <> wrote in message
    > news:f0jicg$alb$...
    >> I have a Windows PC plugged into my DMZ. I have shared a folder on
    >> it. I have a Windows domained network. Does anyone know what ports I
    >> need opened on my firewall to be able to access the shared folder's
    >> UNC from inside of my network?

    >
    > http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm
    >
    > Open ports 137-139 UDP and 445 TCP (NT-based O/S) on the FW to the LAN
    > IP(s) of the machines you want to share resources with. But as for having
    > a machine in the DMZ doing file sharing, with machines in the protected
    > zone accessing the machine in the DMZ, that is questionable to say the
    > least.
    >
    > Maybe you should look into an FTP site, only exposing ports 20 and
    > 21 TCP to the Internet to share files on the FTP site, routing/port
    > forwarding traffic on ports 20 and 21 to the LAN IP/machine that has the
    > FTP site running, instead of sticking/exposing the entire machine in
    > the DMZ to be attacked.
    >
    > If using an FTP site, the O/S must be secured to face the Internet. That
    > would also hold true for a machine being exposed to the Internet in the
    > DMZ doing some kind of file sharing, which is a no-no in the first place.
    >
    > In either case, the machine is just hack bait that can be used to attack
    > other machines on the Internet or a company private network if the O/S
    > is not hardened to attack, such as the registry, user accounts, file
    > system, the FTP site using a Web server, and the Web server itself being
    > hardened to attack.
    >
    >


    The machine in the DMZ has an FTP server running on it that only has 1
    account that can only write to 1 folder on the machine. The idea for me
    is to use Windows file sharing to write a script to immediately
    copy/delete any files on that PC and move them into my network. Are you
    telling me that even though ports 21/20 are the only ones available that
    this is hack bait?
     
    Todd, Apr 24, 2007
    #3
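The transfer Todd describes above, a script that moves whatever lands in the DMZ host's FTP folder into the internal network, written out as an added example; it is not Todd's script and not from the thread. It assumes the copy is initiated from the LAN side over the SMB share (a pull, so the DMZ machine holds no credentials for the LAN and opens no connections into it), represents the share as a local directory so it runs offline (in production `DROP` would be the UNC path of the share), and treats every file name the FTP account left behind as untrusted: names are allow-listed, symlinks and oversized files are left for an operator, the copy is hashed and verified before the source is deleted, and everything lands in a quarantine folder rather than a working share. The size limit and name pattern are assumed policy choices.

```python
"""Pull files from a DMZ drop folder into a LAN quarantine folder.

Added example, not Todd's script. Assumed (not from the thread):
- the LAN side initiates the transfer (pull) over the SMB share, so the DMZ
  host needs no credentials for, and no open ports into, the internal network;
- the share is represented by a local directory so the example runs offline;
- the per-file size limit and the allowed-name pattern are policy choices.
"""
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path

# File names were chosen by whoever used the FTP account, so they are
# attacker-controlled: conservative character set, no leading dot, no separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")
MAX_BYTES = 50 * 1024 * 1024  # assumed per-file limit


def is_safe_name(name: str) -> bool:
    """True if the basename matches the allow-list pattern."""
    return SAFE_NAME.fullmatch(name) is not None


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256; used to verify the copy before deleting."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def pull_drop_folder(drop: Path, quarantine: Path) -> dict:
    """Move every acceptable regular file from `drop` into `quarantine`.

    Returns {"moved": [(name, sha256)], "skipped": [(name, reason)]}.
    Files that fail a check stay in the drop folder for an operator to look at;
    nothing from the DMZ is opened or executed, only copied and hashed.
    """
    report = {"moved": [], "skipped": []}
    quarantine.mkdir(parents=True, exist_ok=True)
    entries = list(os.scandir(drop))  # snapshot before deleting anything
    for entry in entries:
        name = entry.name
        if entry.is_symlink() or not entry.is_file(follow_symlinks=False):
            report["skipped"].append((name, "not a regular file"))
            continue
        if not is_safe_name(name):
            report["skipped"].append((name, "unsafe name"))
            continue
        if entry.stat(follow_symlinks=False).st_size > MAX_BYTES:
            report["skipped"].append((name, "too large"))
            continue
        src = Path(entry.path)
        digest = sha256_of(src)
        # Prefix with the content hash so two uploads with the same name
        # cannot overwrite each other in quarantine.
        dst = quarantine / f"{digest[:16]}_{name}"
        shutil.copyfile(src, dst)
        if sha256_of(dst) != digest:
            dst.unlink()
            report["skipped"].append((name, "copy verification failed"))
            continue
        src.unlink()  # delete at source only after the copy is verified
        report["moved"].append((name, digest))
    return report


def demo(base=None) -> dict:
    """Build a constructed drop folder and run one pull over it."""
    base = Path(base) if base else Path(tempfile.mkdtemp(prefix="dmz-pull-"))
    drop = base / "drop"
    drop.mkdir(parents=True, exist_ok=True)
    (drop / "invoice-2007-04.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    (drop / ".hidden.txt").write_bytes(b"x")        # leading dot: rejected
    (drop / "report;calc.exe").write_bytes(b"MZ")   # ';' not allowed: rejected
    try:
        os.symlink(drop / "invoice-2007-04.pdf", drop / "link.pdf")
    except OSError:
        pass  # symlink creation may need privileges on Windows; skip if so
    return pull_drop_folder(drop, base / "quarantine")


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

Run on a schedule from a LAN host with a read/write account that exists only on the DMZ machine; the DMZ side never needs to know the LAN host's name or credentials, which is the point of pulling rather than pushing.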
  4. Todd

    Todd Guest

    >
    > The machine in the DMZ has an FTP server running on it that only has 1
    > account that can only write to 1 folder on the machine. The idea for me
    > is to use Windows file sharing to write a script to immediately
    > copy/delete any files on that PC and move them into my network. Are you
    > telling me that even though ports 21/20 are the only ones available that
    > this is hack bait?


    I also forgot to mention I am only allowing certain IPs to even see the
    FTP server...
     
    Todd, Apr 24, 2007
    #4
  5. Todd

    Mr. Arnold Guest

    "Todd" <> wrote in message
    news:f0jmd3$ifk$...
    > Mr. Arnold wrote:
    >>
    >> "Todd" <> wrote in message
    >> news:f0jicg$alb$...
    >>> I have a Windows PC plugged into my DMZ. I have shared a folder on it.
    >>> I have a Windows domained network. Does anyone know what ports I need
    >>> opened on my firewall to be able to access the shared folder's UNC from
    >>> inside of my network?

    >>
    >> http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm
    >>
    >> Open ports 137-139 UDP and 445 TCP (NT-based O/S) on the FW to the LAN
    >> IP(s) of the machines you want to share resources with. But as for having
    >> a machine in the DMZ doing file sharing, with machines in the protected
    >> zone accessing the machine in the DMZ, that is questionable to say the
    >> least.
    >>
    >> Maybe you should look into an FTP site, only exposing ports 20 and
    >> 21 TCP to the Internet to share files on the FTP site, routing/port
    >> forwarding traffic on ports 20 and 21 to the LAN IP/machine that has the
    >> FTP site running, instead of sticking/exposing the entire machine in the
    >> DMZ to be attacked.
    >>
    >> If using an FTP site, the O/S must be secured to face the Internet. That
    >> would also hold true for a machine being exposed to the Internet in the
    >> DMZ doing some kind of file sharing, which is a no-no in the first place.
    >>
    >> In either case, the machine is just hack bait that can be used to attack
    >> other machines on the Internet or a company private network if the O/S
    >> is not hardened to attack, such as the registry, user accounts, file
    >> system, the FTP site using a Web server, and the Web server itself being
    >> hardened to attack.
    >>
    >>

    >
    > The machine in the DMZ has an FTP server running on it that only has 1
    > account that can only write to 1 folder on the machine. The idea for me
    > is to use Windows file sharing to write a script to immediately
    > copy/delete any files on that PC and move them into my network. Are you
    > telling me that even though ports 21/20 are the only ones available that
    > this is hack bait?


    Yes, I am telling you that machine is hack bait and possibly a jumping-off
    point to compromise other machines on the Internet and private networks,
    because it takes a lot more to secure an NT-based O/S in that situation;
    there are entire books on how to secure the NT-based O/S to face the
    Internet.

    What about the other accounts on the O/S, such as the Admin account, Everyone
    and others, that can be used to attack the machine once it has been
    compromised? What about services and O/S programs you have running on the
    machine that must be disabled or shut down, closing the attack vector on the
    O/S, for an NT-based O/S that's being exposed to the Internet like you are
    doing?

    Here is an example of what should be done just to secure an NT-based O/S such
    as XP or Win 2k for everyday usage by the Joe Blow home user, let alone
    having a machine and O/S that's exposed to the Internet as you are
    doing.

    http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm

    Nothing against you personally, but that's the problem with the Joe Blow home
    user who wants to do what you are doing, exposing the NT-based O/S to the
    Internet. They don't know to do the homework, configure and secure the O/S
    properly, and in general don't have a clue about it or the risk, and in
    general don't even know that the machine has been compromised.
     
    Mr. Arnold, Apr 24, 2007
    #5
  6. Todd

    Mr. Arnold Guest

    "Todd" <> wrote in message
    news:f0jmnd$j7m$...
    >>
    >> The machine in the DMZ has an FTP server running on it that only has 1
    >> account that can only write to 1 folder on the machine. The idea for me
    >> is to use Windows file sharing to write a script to immediately
    >> copy/delete any files on that PC and move them into my network. Are you
    >> telling me that even though ports 21/20 are the only ones available that
    >> this is hack bait?

    >
    > I also forgot to mention I am only allowing certain IPs to even see the FTP
    > server...


    And in the meantime, you have the entire machine and the O/S sitting in the
    DMZ exposed. Security experts put machines with secured and hardened-to-attack
    O/S(s) into the DMZ for a reason, which is not to be doing some kind of file
    sharing. You should look up and understand what the DMZ is about and why a
    machine would be sitting in the DMZ; the DMZ on a typical NAT router
    for home usage is NOT even a DMZ.
     
    Mr. Arnold, Apr 24, 2007
    #6
  7. Todd

    Todd Guest

    Mr. Arnold wrote:
    >
    > "Todd" <> wrote in message
    > news:f0jmnd$j7m$...
    >>>
    >>> The machine in the DMZ has an FTP server running on it that only has
    >>> 1 account that can only write to 1 folder on the machine. The idea
    >>> for me is to use Windows file sharing to write a script to
    >>> immediately copy/delete any files on that PC and move them into my
    >>> network. Are you telling me that even though ports 21/20 are the only
    >>> ones available that this is hack bait?

    >>
    >> I also forgot to mention I am only allowing certain IPs to even see the
    >> FTP server...

    >
    > And in the meantime, you have the entire machine and the O/S sitting in
    > the DMZ exposed. Security experts put machines with secured and
    > hardened-to-attack O/S(s) into the DMZ for a reason, which is not to be
    > doing some kind of file sharing. You should look up and understand what
    > the DMZ is about and why a machine would be sitting in the DMZ; the
    > DMZ on a typical NAT router for home usage is NOT even a DMZ.


    Would this setup be secure given a strong business-class firewall and
    not your typical NAT router?
     
    Todd, Apr 24, 2007
    #7
  8. Todd

    Mr. Arnold Guest

    "Todd" <> wrote in message
    news:f0jsev$s3d$...
    > Mr. Arnold wrote:
    >>
    >> "Todd" <> wrote in message
    >> news:f0jmnd$j7m$...
    >>>>
    >>>> The machine in the DMZ has an FTP server running on it that only has 1
    >>>> account that can only write to 1 folder on the machine. The idea for
    >>>> me is to use Windows file sharing to write a script to immediately
    >>>> copy/delete any files on that PC and move them into my network. Are
    >>>> you telling me that even though ports 21/20 are the only ones available
    >>>> that this is hack bait?
    >>>
    >>> I also forgot to mention I am only allowing certain IPs to even see the
    >>> FTP server...

    >>
    >> And in the meantime, you have the entire machine and the O/S sitting in
    >> the DMZ exposed. Security experts put machines with secured and
    >> hardened-to-attack O/S(s) into the DMZ for a reason, which is not to be
    >> doing some kind of file sharing. You should look up and understand what
    >> the DMZ is about and why a machine would be sitting in the DMZ; the DMZ
    >> on a typical NAT router for home usage is NOT even a DMZ.

    >
    > Would this setup be secure given a strong business-class firewall and not
    > your typical NAT router?


    If you want to do this and protect the O/S, its services, file system,
    registry, user accounts, etc., and the machine as much as possible, then
    take the machine out of the DMZ, period, and harden the NT-based O/S (Win 2K,
    XP or Vista) that will face the Internet under your conditions as much as
    possible. There are articles out on Google and books for an NT-class
    machine that's exposing an FTP or Web site to the Internet.

    The NAT router is fine as long as you keep the machine out of the DMZ of the
    router, because that machine is using a LAN IP on the router and it can
    easily access other LAN IP(s) on the LAN.

    The router protects O/S services and those Windows Networking ports by
    default. If you want to network machines using the Windows O/S, you do it in
    a LAN situation. You do not want to do file sharing with any machine on the
    WAN/Internet, period.

    You use FTP on the machine using the router's port forwarding feature to
    port forward or open the FTP ports 20 and 21 TCP to the Internet, forwarding
    the traffic on those ports to the LAN IP/machine that has FTP running on it.
    This way the entire machine is not exposed to the Internet, reducing the
    attack vector to the machine.

    If you want to use a host-based FW/packet filter on the machine to limit the
    WAN IP(s) that can access the open ports on the router and access the FTP
    site on the machine, then implement that if you want.

    What you should do is get a high-end FW router or low-end FW appliance that
    blocks by WAN or LAN IP(s), inbound or outbound.

    *What is a firewall?* *What does a firewall do?* It's explained in the
    links. That would be a software host-based or hardware-based solution that's
    a network FW solution, not a personal FW.

    http://www.vicomsoft.com/knowledge/reference/firewalls1.html
    http://www.more.net/technical/netserv/tcpip/firewalls/
     
    Mr. Arnold, Apr 24, 2007
    #8
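The segmentation Mr. Arnold argues for across posts #2 and #8, combined with the source-address restriction Todd mentions in #4, written out as a small policy checker: SMB (TCP 445, plus NetBIOS on UDP 137-139) reachable only from the LAN and only on the one DMZ host, FTP control on TCP 21 reachable only from the allow-listed client addresses, the FTP data channel as the one outbound connection the host needs, and nothing at all initiated from the DMZ toward the LAN, with everything unmatched denied. This is an added example, not code from the thread or from any firewall product; the zone subnets, the DMZ host address, the allow-listed clients and the passive-mode port range are constructed, and the rule set is one reading of the advice rather than a vendor configuration.

```python
"""Zone-based policy checker for a LAN / DMZ / Internet split.

Added example, not from the thread. All addresses and ranges are constructed.
Each rule states who may initiate, to whom, on which ports; anything not
matched is denied, which is the property a DMZ design depends on.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {                                   # constructed subnets
    "lan": ip_network("192.168.10.0/24"),
    "dmz": ip_network("192.168.20.0/24"),
}
DMZ_FTP_HOST = ip_address("192.168.20.5")   # the one host that shares files
FTP_ALLOWED_CLIENTS = [                     # Todd's "certain IPs", constructed
    ip_network("203.0.113.10/32"),
    ip_network("198.51.100.0/29"),
]
FTP_PASSIVE_PORTS = range(50000, 50100)     # assumed passive-mode data range

SMB_TCP = {445}
NETBIOS_UDP = {137, 138, 139}


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a stateful firewall sees it (initiator side)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    sport: int = 0


def zone_of(addr: str) -> str:
    """Map an address to "lan", "dmz" or "internet"."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


def is_allowed(flow: Flow) -> tuple:
    """Return (allowed, rule) for a flow; unmatched flows hit the default deny."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    s_zone, d_zone = zone_of(flow.src), zone_of(flow.dst)

    # 1. LAN -> DMZ file host: SMB only, so the LAN side can pull from the share.
    if s_zone == "lan" and dst == DMZ_FTP_HOST:
        if flow.proto == "tcp" and flow.dport in SMB_TCP:
            return True, "lan->dmz smb"
        if flow.proto == "udp" and flow.dport in NETBIOS_UDP:
            return True, "lan->dmz netbios"

    # 2. Internet -> DMZ FTP host: control port plus the passive data range,
    #    and only from the allow-listed client addresses.
    if s_zone == "internet" and dst == DMZ_FTP_HOST and flow.proto == "tcp":
        if any(src in net for net in FTP_ALLOWED_CLIENTS):
            if flow.dport == 21 or flow.dport in FTP_PASSIVE_PORTS:
                return True, "internet->dmz ftp"

    # 3. DMZ host -> Internet from source port 20: the active-mode data channel
    #    back to an allow-listed client, the only outbound the host needs.
    if src == DMZ_FTP_HOST and d_zone == "internet" and flow.proto == "tcp":
        if flow.sport == 20 and any(dst in net for net in FTP_ALLOWED_CLIENTS):
            return True, "dmz->internet ftp-data"

    # 4. Nothing else: in particular the DMZ never initiates toward the LAN,
    #    and SMB is never reachable from the Internet.
    return False, "default deny"


def audit(flows) -> list:
    """Evaluate a batch of flows and return [(flow, allowed, rule), ...]."""
    return [(f,) + is_allowed(f) for f in flows]


if __name__ == "__main__":
    sample = [  # constructed connection attempts
        Flow("192.168.10.7", "192.168.20.5", "tcp", 445),
        Flow("192.168.20.5", "192.168.10.7", "tcp", 445),   # DMZ -> LAN: denied
        Flow("203.0.113.10", "192.168.20.5", "tcp", 21),
        Flow("198.51.100.9", "192.168.20.5", "tcp", 21),    # not allow-listed
        Flow("203.0.113.10", "192.168.20.5", "tcp", 445),   # SMB from Internet
    ]
    for f, ok, rule in audit(sample):
        print("ALLOW" if ok else "DENY ", f.src, "->", f.dst, f.proto, f.dport, rule)
```

The denied cases are the ones worth keeping in a test: a compromised DMZ host trying port 445 on a LAN address, and SMB arriving from the Internet. A real firewall expresses the same four rules in its own syntax, but the checker is a convenient way to state the intended policy before writing them and to compare a rule dump against it afterwards.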
