Hello to all,

Could someone tell me if I need these running, or can I disable them in Kerio on Win2000 Pro? Here they are:

Local Security Authority System service [LDAP]
App = C:\Winnt\system32\lsass.exe
UDP [Both] any port, any address, Remote port = [389]

Under the same name is this:
TCP [OUT] any port, any address, any port

Services & Controller App
UDP/TCP [OUT] any port, any address, any port
App = C:\Winnt\System32\Services.exe

And the last one is this:
Reply from DHCP
UDP [In] Local [68], any address, [67]

Well, if anyone can tell me if I need these, or can I just disable them all, or is this a bad idea?

Thanks all
Hi AAP,

The LSASS rules you should be fine disabling or deleting. The others (Services & Controller App and the DHCP rules) may or may not be required, depending on the system rules you already have in place for things like DNS and DHCP (bootp/bootps). If you disable them, any prompts from the firewall should indicate more clearly what your rule set may require.

Regards,
CrazyM
Hello, take my answers with caution, I'm not an expert.

"The LSA is the system component responsible for authenticating users to the [NT] system, and deciding what access and privilege the users are entitled to."

This definitely does not need to connect outside your computer on a standalone machine and is unlikely to be used even in a normal home LAN network that uses ICS to share the internet connection. You *might* need it if you are allowing remote MS networking logins, but that's rare for a home user.
http://www.derkeiler.com/Mailing-Lists/securityfocus/security-basics/2002-02/0553.html

Difficult to say, depending on your setup. Kerio's FAQ says:

"DHCP is only required if you are connected directly to a modem from your NIC. If you have a router or a proxy server that you connect through, you will only need DHCP if you use it to assign a local IP address to your machine on your LAN. If your router, for example, is a DHCP server for your network, you need to first have your router's LAN IP address handy. Since most routers are installed with the default of 192.168.1.1, we'll use that address for this example. If you have a direct connection, you will substitute your ISP's DHCP server IP address for "192.168.1.1" in your own rules. The rules will be the same for a directly connected user; the IP address in the first rule will be the only variation."

To translate, the answer is most probably yes (unless you are on a LAN, in which case the answer is also yes in some cases). You can tighten the rule up by allowing connecting only to your ISP's DHCP IP address.
http://www.broadbandreports.com/faq/security/all#2525
The default rules are loose and very open, so they wouldn't prevent some communications you might have needed. However, you must get rid of them and start from scratch. Here's a start for information:
http://www.broadbandreports.com/faq/security/all#2720

So basically all you should have from the start:
DHCP
DNS
ICMP
Loopback
Windows Services Block
- no application rules you didn't make yourself -

Windows Services Block
Protocol: TCP/UDP
Direction: Inbound
Local Port: list of ports 135, 137, 138, 139, 445, 500
App: Any
Remote: Any
Deny
Enable logging, but no alerting.

All of these rules go before your application rules. Those application rules you had when you first installed it, you can delete them all and make blocking rules for them if you have to, depending on the communication.

As an example, svchost.exe (Generic Process Host for Win32) does time sync, but you need to make sure you keep the rule tight so it only uses port 123 on local and remote, while being assigned to the correct IP address. You will also have to edit the rule to be bi-directional after you make the rule from the prompt.

Now if you use a software proxy, you make two loopback rules: if your proxy is on 8080, then the first rule has the remote port range of 1-8079, and the second rule has the port range of 8081-65535. Then you assign programs permission to access your localhost on 8080 so they can't just slip out.
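Added example, not code from this thread or from Kerio: a small Python model of first-match rule evaluation, built from the rules the last two posts describe (the DHCP reply rule on UDP 68/67, the Windows Services Block on 135/137/138/139/445/500, the tight svchost time-sync rule on port 123, and the two loopback deny rules bracketing a proxy on 8080). It lets you check on paper what a given rule order actually permits before trusting it, and it shows why the block rules have to sit above the application rules. The rule semantics are a simplification of Kerio's (ICMP is not modelled), and the application name browser.exe, the NTP server address 192.0.2.10 and the remote addresses in the sample packets are constructed placeholders.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ANY = None  # a field left at ANY matches everything, like "Any" in the Kerio rule editor


@dataclass
class Rule:
    name: str
    protocols: Tuple[str, ...]              # ("tcp",), ("udp",) or ("tcp", "udp")
    direction: str                          # "in", "out" or "both"
    action: str                             # "allow" or "deny"
    app: Optional[str] = ANY                # executable name, or ANY
    local_ports: Optional[FrozenSet[int]] = ANY
    remote_ports: Optional[FrozenSet[int]] = ANY
    remote_addr: Optional[str] = ANY
    log: bool = False


@dataclass
class Packet:
    proto: str
    direction: str
    app: str
    local_port: int
    remote_port: int
    remote_addr: str


def ports(*specs):
    """Build a port set from single ints and (lo, hi) inclusive ranges."""
    out = set()
    for spec in specs:
        if isinstance(spec, tuple):
            lo, hi = spec
            out.update(range(lo, hi + 1))
        else:
            out.add(spec)
    return frozenset(out)


def matches(rule, pkt):
    """True when every non-ANY field of the rule matches the packet."""
    if pkt.proto not in rule.protocols:
        return False
    if rule.direction != "both" and rule.direction != pkt.direction:
        return False
    if rule.app is not ANY and rule.app.lower() != pkt.app.lower():
        return False
    if rule.local_ports is not ANY and pkt.local_port not in rule.local_ports:
        return False
    if rule.remote_ports is not ANY and pkt.remote_port not in rule.remote_ports:
        return False
    if rule.remote_addr is not ANY and rule.remote_addr != pkt.remote_addr:
        return False
    return True


def evaluate(rules, pkt):
    """First matching rule wins; with no match the firewall would prompt ("ask")."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "ask", None


def loopback_block_rules(proxy_port):
    """The two loopback deny rules from the post, leaving only proxy_port reachable."""
    return [
        Rule("Loopback block (below proxy)", ("tcp", "udp"), "out", "deny",
             remote_addr="127.0.0.1", remote_ports=ports((1, proxy_port - 1))),
        Rule("Loopback block (above proxy)", ("tcp", "udp"), "out", "deny",
             remote_addr="127.0.0.1", remote_ports=ports((proxy_port + 1, 65535))),
    ]


def build_ruleset(dhcp_server="192.168.1.1", ntp_server="192.0.2.10", proxy_port=8080):
    """System rules first, application rules last, in the order the post recommends.
    ntp_server is a constructed placeholder address."""
    return [
        Rule("DHCP reply", ("udp",), "in", "allow", local_ports=ports(68),
             remote_ports=ports(67), remote_addr=dhcp_server),
        Rule("DNS", ("udp",), "both", "allow", remote_ports=ports(53), remote_addr=dhcp_server),
        Rule("Windows Services Block", ("tcp", "udp"), "in", "deny",
             local_ports=ports(135, 137, 138, 139, 445, 500), log=True),
        *loopback_block_rules(proxy_port),
        # application rules: tight on app, both ports and the peer address
        Rule("svchost time sync", ("udp",), "both", "allow", app="svchost.exe",
             local_ports=ports(123), remote_ports=ports(123), remote_addr=ntp_server),
        Rule("Browser via proxy", ("tcp",), "out", "allow", app="browser.exe",
             remote_addr="127.0.0.1", remote_ports=ports(proxy_port)),
    ]


if __name__ == "__main__":
    rules = build_ruleset()
    samples = [  # constructed traffic, not captured from any system
        Packet("udp", "in", "services.exe", 68, 67, "192.168.1.1"),
        Packet("tcp", "in", "system", 445, 1234, "203.0.113.5"),
        Packet("udp", "out", "svchost.exe", 123, 123, "192.0.2.10"),
        Packet("udp", "out", "svchost.exe", 1025, 123, "192.0.2.10"),
        Packet("tcp", "out", "browser.exe", 3000, 8080, "127.0.0.1"),
        Packet("tcp", "out", "browser.exe", 3001, 80, "127.0.0.1"),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(rules, pkt))
```

Putting a loose application rule (say, "services.exe, any direction, allow") above the Windows Services Block makes the inbound 445 packet match it first, which is the ordering mistake the post warns about; the model makes that visible without touching a live firewall.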