Kerio do i need these

Discussion in 'other firewalls' started by AAP, Aug 20, 2003.

Thread Status:
Not open for further replies.
  1. AAP

    AAP Registered Member

    Joined:
    Jul 30, 2003
    Posts:
    117
    Hello,To all

    Could someone tell me if i need these running or
    can i disable them in Kerio on Win2000Pro

    here they are

    Local Security Authority System service [LDAP] App =
    C:\Winnt\system32\lsass.exe UDP [Both] anyport,anyadress
    Remote port = [389]

    & Under the same name is this

    TCP [OUT] anyport, anyadress, anyport

    & this here

    Services & Controller App UDP/TCP [OUT] anyport, anyadress,anyport
    in C:\Winnt\System32\Services.exe

    & the last one is this

    Reply from DHCP
    UDP [In] Local [68] anyadress [67]

    Well if anyone can tell me if i need these or can i
    just disable them all or is this a bad idea

    Thanks all :)
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi AAP

    The LSASS rules you should be fine disabling or delete.

    The others (Services & Controller App and the DHCP rules) may or may not be required depending on the system rules you already have in place for things like DNS and DHCP (bootp/bootps). If you disable them, any prompts from the firewall should indicate more clearly what your rule set may require.

    Regards,

    CrazyM
     
  3. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Hello, take my answers with caution, I'm not a expert.


    "The LSA is the system component responsible for authenticating users to the [NT] system, and deciding what access and privilege the users are entitled to"

    This definitely does not need to connect outside your computer on a standalone and is unlikely to be used even in a normal home LAN network that uses ICS to share internet conection. You *might* need it if you are allowing remote MS networking logins, but that's rare for a homeuser.



    http://www.derkeiler.com/Mailing-Lists/securityfocus/security-basics/2002-02/0553.html

    Difficult to say depending on your setup, Kerio's FAQ says

    "DHCP is only required if you are connected directly to a modem from your NIC. If you have a router or a proxy server that you connect through, you will only need DHCP if you use it to assign a local IP address to your machine on your LAN.

    If your router, for example, is a DHCP server for your network, you need to first have your router's LAN IP address handy. Since most routers are installed with the default of 192.168.1.1, we'll use that address for this example. If you have a direct connection, you will substitute your ISP's DHCP server IP address for "192.168.1.1" in your own rules. The rules will be the same for a directly connected user; the IP address in the first rule will be the only variation. "

    To translate ,the answer is most probably yes (unless you are on a LAN in which case the answer is also yes in some cases) . You can tighten the rule up by allowing connecting only to your ISP's DHCP ip address

    http://www.broadbandreports.com/faq/security/all#2525
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    The default rules are loose, and very open so it wouldn't prevent some communications you might have needed. However you must get rid of them, and start from scratch.

    Here's a start for information.
    http://www.broadbandreports.com/faq/security/all#2720

    So basically all you should have from the start:
    DHCP
    DNS
    ICMP
    Loopback
    Windows Services Block
    -no application rules you didn't make yourself-

    Windows Services Block
    Protocol: TCP/UDP
    Direction: Inbound
    Local Port: List of ports 135, 137, 138, 139, 445, 500
    App: Any
    Remote: Any
    Deny
    Enable logging, but no alerting.

    So all of these rules go before your application rules. Those application rules you had when you first installed it, you can delete them all, and make blocking rules for them if you have to depending on the communication. As an example, svchost.exe(Generic Process Host for Win32) does time sync, but you need to make sure you keep the rule tight so it only uses port 123 on local and remote, while being assigned to the correct ip address. You will also have to edit the rule bi-directional after you make the rule from the prompt.

    Now if you use a software proxy, you make two loopback rules, if your proxy is on 8080, then the first rule has the remote port range of 1-8079, and the second rule has the port range of 8081-65535. Then you assign programs permission to access your localhost on 8080 so they can't just slip out.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.