Networking Forums

TCP/IP filtering, can't get DNS resolution

 
 
Rikard Ståhl
06-02-2004, 11:44 AM
Dear Sir,
we have a Windows 2003 Web Server directly connected to
the Internet without any firewall/proxy in between. To
decrease the risk of getting it hacked we have applied
TCP/IP filtering. Obviously a little too good, as we can't
browse the Internet due to lack of DNS resolution.

This means that we, at the moment, are not able to update
the server as it can't find the Windows Update service,
which, I'd say, qualifies as a problem. ;-)

Ports open on the server are as follows.
TCP: 20, 21, 53, 80, 3389
UDP: 53, 123
IP: 8

Any help would be appreciated.

best regards


Rikard
 
Rikard
06-02-2004, 12:50 PM
I figured it out myself. Port filtering only applies to
incoming traffic. DNS uses a free port above 1023 for
resolution issues. Therefore, to be able to resolve web
addresses UDP has to be opened up.
In our solution this means far beyond acceptable limits.
We will manually download WU-updates and apply them.
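Added example, not from the thread or from Microsoft: a small Python model of the two filter styles Rikard's post contrasts. It shows why a stateless, inbound-only port list (the Windows 2003 TCP/IP filtering behaviour described above) drops the DNS reply that comes back to the resolver's ephemeral port, while a connection-tracking firewall admits the same reply because it remembers the outbound query. Addresses, ports and the packet type are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool    # True if the datagram is arriving at the server

# The port list Rikard posted. Outbound traffic is never filtered.
ALLOWED = {"tcp": {20, 21, 53, 80, 3389}, "udp": {53, 123}}

def stateless_inbound_filter(pkt, allowed=ALLOWED):
    """Windows 2003 TCP/IP filtering: each inbound datagram is judged by its
    destination port alone; there is no memory of earlier packets."""
    if not pkt.inbound:
        return True
    return pkt.dst_port in allowed.get(pkt.proto, set())

class StatefulFirewall:
    """Connection-tracking alternative: same inbound list, plus any inbound
    datagram that is the mirror image of an outbound flow already seen."""
    def __init__(self, allowed=ALLOWED):
        self.allowed = allowed
        self.flows = set()   # (proto, local_ip, local_port, remote_ip, remote_port)

    def permit(self, pkt):
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if pkt.dst_port in self.allowed.get(pkt.proto, set()):
            return True
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows

# Constructed exchange (documentation addresses): the resolver picks ephemeral
# source port 1054, so the reply comes back to 1054, not to 53.
SERVER, RESOLVER = "192.0.2.10", "198.51.100.53"
QUERY = Packet("udp", SERVER, 1054, RESOLVER, 53, inbound=False)
REPLY = Packet("udp", RESOLVER, 53, SERVER, 1054, inbound=True)

def dns_reply_admitted(stateful):
    """True if the DNS reply gets through under the chosen filter type."""
    if stateful:
        fw = StatefulFirewall()
        fw.permit(QUERY)
        return fw.permit(REPLY)
    return stateless_inbound_filter(QUERY) and stateless_inbound_filter(REPLY)
```

Calling `dns_reply_admitted(False)` gives False and `dns_reply_admitted(True)` gives True; widening the stateless list to the whole ephemeral range would also admit the reply, but then any unsolicited datagram to those ports gets in too, which is the trade-off Rikard calls unacceptable.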
 
Phillip Windell
06-02-2004, 09:22 PM
Why don't you just harden the server using the proper practices instead of
depending on "ports" (and the blocking of them) for security? There's more
to life than Layer 4.

Microsoft Security Guidance Center: Security Checklists Index
http://www.microsoft.com/security/gu...s/default.mspx

Securing a Windows 2003 Server
[Baseline]
http://www.microsoft.com/technet/sec...secmod119.mspx
http://www.microsoft.com/technet/sec...secmod211.mspx

Microsoft Security Guidance Center: Windows Server 2003 Index
http://www.microsoft.com/security/gu...erver2003.mspx


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
Michael Kleef [MSFT]
07-26-2004, 04:10 AM
Agreeing with Phillip and adding some more comments...

1. You have 20 & 21 open which are FTP ports...are they needed? Are you
running a DNS box on this server? Does it need to be there? Do you need
terminal services to manage this box? Disable the services you're not using,
including any NetBIOS stuff, Computer Browser etc. Ensure that processes on
IIS 6.0 run under the least privilege required also.

2. Windows Server 2003 SP1 when it ships will have the same style of
firewall that Windows XP SP2 has which will give you a lot more granularity
and control over port blocking.

3. As an interim measure, have you thought of using a third-party firewall
product? Automating Windows Update should be a goal here and not compromised
by our lack of firewall capability in the base product unless you have
really great processes to ensure patch management is done in a methodical
manner.

Kind Regards


Michael Kleef
Microsoft

