Port forwarding & security

  • Question

    Hi All,

    I found the following (for remotely accessing my WHS): "set port forwarding on your router for port 80 / 443 and 4125."

    The problem however is the following: I have a "combined" router/firewall (aXsguard) at home to connect (via VPN) to our company network. Our admins refuse to allow the port forward on port 80 (and the other ports) "because any hacker on the internet sniffs that port and via your WHS they get through the VPN and on to our network".

    So I have 2 questions:

    1° Can I change the ports (let's say 443 to 2347)? (I know I then have to use https://myhomeserver.homeserver.com:2347), but will this work? And how can I do this on the WHS?

    2° What about security? I know that most (home) people don't use VPNs (or maybe they will, since most early WHS adopters will probably be ICT'ers)...but even in a 'common' scenario (a WHS connected to the internet via a firewall/router and to the LAN (with some client computers) via a hub/switch), the question remains how safe is this??? Any ideas??

    greetz

    Geert

    Wednesday, November 21, 2007 11:29 AM

Answers

  • While you can change the ports, it may interfere with the installation of the client software on additional PCs in your home. The security risk to your corporate network is low, however, as long as you allow WHS to patch itself automatically and don't use it as a desktop machine. As for the security risk in general, once again you should allow WHS to patch itself as required and don't use it as a desktop machine. Then your vulnerability is mostly to so-called "zero day" exploits against IIS.

    I will confess that I'm a little surprised at the home/office network configuration you have; in general I wouldn't expect a corporate IT department to be willing to establish a permanent link from your home network to your corporate network. That gives all your networked home devices access to the corporate network, which is a much larger security risk, IMO. And I note that your IT group is aware of this risk. A much better solution is a corporate VPN server to which you connect with an SSL or client software based VPN. That would allow you to put only one machine on the Corporate VPN.
    Wednesday, November 21, 2007 5:56 PM
    Moderator
  • Is the VPN tunnel to your work up 24/7? If so there may be no way around this issue. Most corporate, and many personal VPN servers including my own when I ran OpenVPN, VPN tunnels are configured to disable split tunneling as a security precaution. If the VPN is disconnected you should be able to access your home WHS from a remote location via the required ports.

    Of course many residential ISP accounts, including mine, do not permit web servers (i.e. TCP Port 80) to be run on those types of accounts anyway and block that port. You still might be able to access your home WHS via TCP Port 443 and have TCP Port 4125 open for Remote Desktop access. I know I can.

    Anytime you open a port on your firewall/router it's a potential security risk. With that said, even if I could use TCP Port 80 I would only allow access to my WHS via TCP Port 443 and TCP Port 4125. Only create remote access accounts and passwords (strong of course) for trusted individuals.

    Wednesday, November 21, 2007 5:22 PM

All replies

  • Both thanks for the answer.

    To Ken: I understand your surprise....and the best has yet to come: in fact most of our developers (about 10), technicians (3) and staff (5) have such a permanent VPN tunnel and most of them use it in conjunction with a wireless access point WITHOUT any security (not WEP, not WPA) set up.....

    greetz

    Geert

    Wednesday, November 21, 2007 7:07 PM
  • In general, I would characterize that as a disaster waiting for a time to happen. I mean, the entire world potentially has access to your corporate network...

    In any case, I agree with Al that you may just not be able to get it to work with the VPN up. How about when you take the VPN down? Do you have the ability to open up port 80 then? Does your employer pay for your broadband connection? If not, I would ask for a traditional VPN connection using a software or SSL client. (I might do that anyway...)
    Wednesday, November 21, 2007 9:24 PM
    Moderator
  • Hi Ken,

    I know what you mean....we are lucky we are a small company in a small country, where hackers don't lurk around every corner (I hope ;-)). Personally, I don't use wireless because of this, and I'm now configuring a second firewall (smoothwall on an old PC), to put behind my "company sponsored" firewall (the company pays about half of my internet fee) to keep my colleagues out of my home network, or maybe next to my "company sponsored" firewall (which will also solve the port problem).

    If I've read Al's post correctly, I don't need port 80 if I don't want to use the WHS website (or I access it via https: on port 443). What I do want to do is remotely access it, and then I only need 4125...is this correct??

    greetz

    Geert

    Wednesday, November 21, 2007 9:40 PM
  • Gedisoft wrote:
    Hi Ken,

    I know what you mean....we are lucky we are a small company in a small country, where hackers don't lurk around every corner (I hope ;-)). Personally, I don't use wireless because of this, and I'm now configuring a second firewall (smoothwall on an old PC), to put behind my "company sponsored" firewall (the company pays about half of my internet fee) to keep my colleagues out of my home network, or maybe next to my "company sponsored" firewall (which will also solve the port problem).

    If I've read Al's post correctly, I don't need port 80 if I don't want to use the WHS website (or I access it via https: on port 443). What I do want to do is remotely access it, and then I only need 4125...is this correct??

    greetz

    Geert

    The first thing I would do if I were you in that situation is completely disable all VPN connections to your corporate network. If their understanding of security is as porous as you make it sound, they couldn't pay me enough to connect my computers to their network. But I digress...

    The minimum ports needed to access WHS are 443 and 4125 (80 is not necessary if you type https://........... in the address bar).

    Wednesday, November 21, 2007 10:59 PM
    Moderator
  • Gedisoft wrote:

    I know what you mean....we are lucky we are a small company in a small country, where hackers don't lurk around every corner (I hope ;-)).

    The problem with the Internet is that they do not have to lurk around the corner - anyone can go anywhere.

    Even if you change the ports, a good sniffer can test them and find out what you have open and then work from there. Have a look at GRC.COM and the ShieldsUP! test to see how good the firewall is.

    You still need an https port open to give you the sign-on screen - from what I can tell the http port just serves local pages and links to the sign-on.

    Andrew

    Thursday, November 22, 2007 1:49 AM
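The two practical conclusions of the thread are that only 443 and 4125 need to be forwarded, and that moving a service to a non-standard port does not hide it, because a connect probe (the ShieldsUP! idea) finds whatever is listening. The script below is an added example, not code from the thread or from Windows Home Server: it probes a host for a list of TCP ports and compares what is actually open against the minimal required set. The host name, the `REQUIRED_PORTS` set, and the local listener it starts for a self-contained run are assumptions of this example; to check your own exposure you would run `probe_ports` against your public address from outside your LAN.

```python
"""Self-check of a home server's exposed TCP ports (added example).

Probes a host for the ports you intend to forward plus a few you do not,
then reports required ports that are closed and any extra open ports.
REQUIRED_PORTS reflects the minimal set from the thread (443 for the HTTPS
sign-on page, 4125 for Remote Desktop); the local listener in demo() is a
constructed fixture so the example runs offline.
"""
import socket
import threading

# Minimal exposed set from the thread: HTTPS plus the WHS remote-desktop port.
REQUIRED_PORTS = {443, 4125}


def probe_port(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host, ports, timeout=1.0):
    """Map each port to whether it accepted a connection."""
    return {port: probe_port(host, port, timeout) for port in ports}


def audit(open_ports, required=REQUIRED_PORTS):
    """Classify probe results against the required set.

    A service moved to a non-standard port (443 -> 2347, say) still shows up
    under 'unexpected_open': the probe sees whatever listens, which is why
    changing ports is not a security measure on its own.
    """
    open_set = {p for p, is_open in open_ports.items() if is_open}
    return {
        "missing_required": sorted(required - open_set),
        "unexpected_open": sorted(open_set - required),
    }


def _start_local_listener():
    """Start a throwaway TCP listener on 127.0.0.1 (constructed fixture)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed by demo()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def _free_port():
    """Return a port number nothing is currently listening on (bind, then release)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe one listening and one closed local port; return (probe result, audit)."""
    srv, listening = _start_local_listener()
    closed = _free_port()
    try:
        result = probe_ports("127.0.0.1", [listening, closed], timeout=0.5)
        # Stand-ins for 443 and 4125: the listener plays the open HTTPS port,
        # the free port plays a required port that was never forwarded.
        findings = audit(result, required={listening, closed})
        return result, findings
    finally:
        srv.close()


if __name__ == "__main__":
    res, findings = demo()
    print(res)
    print(findings)
```

Run against a real address, `audit(probe_ports(host, [80, 443, 2347, 3389, 4125]))` tells you both whether the sign-on page is reachable and whether anything beyond the two required ports is exposed; port 80 showing up as open is the case the replies say you can do without.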