Hi Simon, The internal interface is not exposed to firewall policy. If packet filtering was enabled, then that's how they got whacked. If they haven't enable packet filtering, then they have more than this exploit on their box :-) I'd check the FTP directory hierachy on that SBS box, you might be able to pick up some good movies. HTH, Tom Thomas W Shinder www.isaserver.org/shinder <http://www.isaserver.org/shinder> ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp <http://tinyurl.com/1llp> -----Original Message----- From: Simon Weaver [mailto:Simon.Weaver@xxxxxxxx] Sent: Tuesday, August 19, 2003 3:48 PM To: [ISAserver.org Discussion List] Subject: [isalist] Is TCP 135 clamped down? http://www.ISAserver.org Guys Just a very quick question! I met a new client that was infected by teh 2 latest worms going around the streets! They are running SBS2k with ISA setup, however the worm still got into the System. Is there a way to prove TCP135 was being protected? I have now patched the Server, and ALL workstations, as they were all infected! Finally, if the client PC's have the ISA Firewall Client turned OFF, are they still able to access teh Internet, WITHOUT Firewall Protection? Thanks for your help Simon Weaver Technical Consultant MCSE+Internet / MCSE Windows 2000 Integrated Solutions Corp. Ltd http://www.iscl.net <http://www.iscl.net/> ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')