[isalist] Re: 0x800733f5 error & order of polices issue

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 16 May 2007 07:33:11 -0700

Actually, custom application developers use non-standard ports for any given 
protocol all the time.  In many cases, it has nothing whatsoever to do with 
"security by obscurity" or any other security mechanism, but rather, because 
they want to ensure that their listener doesn't conflict with another service 
that may be on the machine.  This is particularly true for smaller development 
houses who can't afford the IT staff required to help their customers figure 
out how to share services on a single system where there may be contention.  
Putting HTTPS on 57017 is just fine - after all, it's just a port - and doing so 
can easily obviate connectivity issues, particularly when using such a common 
service as HTTPS. 

t
  ----- Original Message ----- 
  From: Jim Harrison 
  To: isalist@xxxxxxxxxxxxx 
  Sent: Wednesday, May 16, 2007 6:14 AM
  Subject: [isalist] Re: 0x800733f5 error & order of polices issue


  Granted, it's a thin layer at best, but the statistics (you _do_ review 
your ISA logs on occasion, don't you? :-p) clearly show that the script 
kiddies (and old viruses still on the Internet) are scanning the common ports 
like 21, 25, 80, 135, 443, 445, 3389, ...you get the idea.

  Moving your services to a high port offers little more benefit than using a 
+1 port (i.e., RWW @ TCP:444) other than making them take more time to locate 
your listener.  Since a good scanner can sweep the entire 65K port range in 
only seconds, and feed the results to another app that performs the deeper 
analysis on the responding listener, using a high port is really no better than 
using a +1 port.



  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
  Sent: Wednesday, May 16, 2007 6:01 AM
  To: isalist@xxxxxxxxxxxxx
  Subject: [isalist] Re: 0x800733f5 error & order of polices issue



  Security by obscurity.  Developers pick these ports based on their birthdate, 
house number, dart board. It's going to haunt us big time in the coming NAP era.



  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steve Moffat
  Sent: Wednesday, May 16, 2007 8:47 AM
  To: ISA Mailing List
  Subject: [isalist] Re: 0x800733f5 error & order of polices issue



  And why would you say that??? A port is a port is a port...



  I look after many applications for clients that use strange ports.



  S



  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
  Sent: Wednesday, May 16, 2007 9:47 AM
  To: ISA Mailing List
  Subject: [isalist] Re: 0x800733f5 error & order of polices issue



  https 57017? Are you serious? If so, that developer should be fired.



  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steve Moffat
  Sent: Tuesday, May 15, 2007 5:29 PM
  To: ISA Mailing List
  Subject: [isalist] Re: 0x800733f5 error & order of polices issue



  Add an https tunnel for that port and try it...



  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Danny
  Sent: Tuesday, May 15, 2007 5:42 PM
  To: ISA Mailing List
  Subject: [isalist] Re: 0x800733f5 error & order of polices issue



  Thanks, Amy. I have created an all outbound rule to the destination IP 
address and only see the connections to TCP 57017 denied by the last rule (SBS 
Internet Access). Unfortunately I am being challenged by:

  * The software developer insists the software must run on the server; which 
happens to be SBS 2003 Prem. 
  * The software developer (at this point) will not go beyond stating that TCP 
57017 is the only necessary network traffic to be permitted
  * The software is key to this business and there really aren't many alternatives 
  * The software runs on the SBS server which is also the ISA server (which 
should still be possible to figure out)
  * ISA monitoring is not providing me any more detail other than the denied TCP 
57017 connection; although I will run another test 
  * The software does not have any network settings or pseudo / non-compatible 
CERN Web proxy settings
  * The all Outbound rule you suggested did not work; although I will run 
another test
  * The software worked before the ISA firewall was installed because they 
simply had a NAT router without true firewall functionality 

  Cheers,

  ...D

  On 5/15/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote: 

  Danny,



  The order of your policies is not being ignored. ISA will read them top down. 
Since you're hitting the SBS Internet Access rule, this means that the traffic 
does not apply to the rule that you have created. When that's the case, ISA 
moves on down and checks the next rule. Finally it reaches the SBS Internet Access 
Rule and since there's no authentication it is denied. 



  So, as I said before, the rule isn't configured correctly. You need to find 
out what that app wants and then configure your rule accordingly, or take my 
suggestion and set up a rule allowing all outbound to that specific IP address.



  Amy



  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Danny
  Sent: Tuesday, May 15, 2007 1:07 PM


  To: isalist@xxxxxxxxxxxxx
  Subject: [isalist] Re: 0x800733f5 error & order of polices issue



  Jim, 

  I appreciate your educational tidbits, but when you are dealing with humans 
and software sometimes assumptions are inevitable. In fact, it is clear that 
you are not immune to making assumptions.

  1) By stating the obvious that "Assumptions get you nowhere", you assume that 
assuming is my favorite activity and always gets me positive results 
  2) By providing a WSUS and AU 101, you assume that I did not understand the 
difference between a WSUS client and an Internet-based Automatic Update client, 
did not read the KBs, was not the one who installed WSUS, and have no clue 
  3) By challenging my knowledge of who Amy is, you assume that I had no idea 
who Amy is and didn't care. First of all, where did I not show respect to Amy? 
Secondly, do you want all ISA list posts to begin with "Yes, I know who Amy is, 
so um don't ask me"? 

  Anyway, yes, I did bring up some Microsoft pain points and I will respond to 
any further responses offline. As you know this list has been very flexible 
with OT posts, so my addition is nothing to call home about. 

  Re: cutting off the thread, I would say 70% of the reply content is redundant 
and has no value in the conversation. The archives should be stored by threaded 
conversation, but I will respond in the format you request. 

  I will analyze the ISAINFO output, but for future reference, can you please 
direct me to documentation that will explain why the order of policies is being 
ignored OR why I would not see all denied traffic in the ISA 2004 SP2 
monitoring default state (Log record type = Firewall or Web Proxy & Log time = 
LiveConnection Status = live)? 

  Thanks,

  ...D


  On 5/15/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

    http://www.ISAserver.org
    -------------------------------------------------------

    Assumptions get you nowhere.
    You brought up the plethora of pain-points - expect someone to answer 
    them.
    WSUS and the Internet-based updates process works very differently,
    because the WSUS server determines for the client what is required and
    what is not.  Amy has a clue (several, actually); this is a rare 
    commodity in the SBS community and you should feel free to take
    advantage of it when it appears.

    Also, please stop cutting off the thread.  It makes archive searches
    very nearly meaningless.

    Regarding the "custom app", the log snips you provide clearly indicate 
    that your rule is not being applied, since the denying rule is quoted as
    "SBS Internet Access Rule".
    The best way to express your ISA policies is to use ISAInfo.
    You can respond offline if you like. 

    Jim

    -----Original Message-----
    From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] 
    On Behalf Of Danny
    Sent: Tuesday, May 15, 2007 7:53 AM
    To: isalist@xxxxxxxxxxxxx
    Subject: [isalist] Re: 0x800733f5 error & order of polices issue


    On 5/15/07, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

    Your rule must not be configured correctly. What does your
    custom rule look like? The only reason that the SBS Internet Access Rule 
    would deny anything outbound is if the app isn't authenticating. It's
    not uncommon. My bet is that the app doesn't only require that specific
    TCP high port but a range of them. I'd base the rule on the IP address 
    it's trying to reach instead.


    The policy is: Custom Protocol TCP 57017 Outbound, from Local Host, to
    External, All Users.


    Warning the following section is OT:


    Yes, the SVCHOST issue is a nuisance. The screeching is loud on 
    the mailing lists. It took me a while to figure out what everyone was
    complaining about then I realized that I use WSUS everywhere.  Implement
    WSUS you'll be much happier.

    You imply that WSUS clients are immune to this? Most of our affected 
    systems are part of WSUS installs. My understanding is the Automatic
    Update service (aka part of svchost.exe) scans the same way a non-WSUS
    client does, therefore they are both affected.


    Sorry for bringing this OT item into the conversation, but the last two 
    months in particular have been difficult to support Microsoft
    environments when dealing with DNS RPC mgmt vulnerability, ISA 2004 SP3
    install woes, a publicly unavailable (two hours MS PSS phone call) KB
    for restoring the ability to publish Outlook forms to the Organizational 
    Forms Library in Exchange, and this AU/svchost issue - but looks like
    there is a follow-up:
    http://blogs.technet.com/wsus/archive/2007/05/15/srvhost-msi-issue-follow-up.aspx

    Anyway, can we focus on what I am doing wrong with this ISA issue? That
    would be much appreciated.


    ...D


    All mail to and from this domain is GFI-scanned.

    ------------------------------------------------------ 
    List Archives: //www.freelists.org/archives/isalist/
    ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
    ISA Server Articles and Tutorials: 
http://www.isaserver.org/articles_tutorials/
    ISA Server Blogs: http://blogs.isaserver.org/ 
    ------------------------------------------------------
    Visit TechGenix.com for more information about our other sites:
    http://www.techgenix.com
    ------------------------------------------------------ 
    To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
    Report abuse to listadmin@xxxxxxxxxxxxx




  -- 
  CPDE - Certified Petroleum Distribution Engineer
  CCBC - Certified Canadian Beer Consumer 


  ExchangeDefender Message Security: Check Authenticity 










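An added example (not code from ISA or from anyone on the list) that models the top-down, first-match evaluation Amy describes, using the rules named in the thread: the custom TCP 57017 rule, the SBS Internet Access Rule (authenticated users only) and her suggested all-outbound-to-one-host alternative. The rule fields, the networks each rule covers and the "app-host" label are assumptions; the point is that when the log names the SBS rule as the denying rule, the earlier custom rule did not match the connection at all.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    proto: str           # "tcp" or "udp"
    port: int            # destination port
    src: str             # source network, e.g. "localhost" or "internal"
    dst: str             # destination network or host label
    authenticated: bool  # did the client present credentials to ISA?

@dataclass
class Rule:
    name: str
    protocols: set       # e.g. {("tcp", 57017)}; empty set = all protocols
    sources: set
    destinations: set
    users: str           # "all" or "authenticated"

    def decide(self, c):
        """None if the rule does not apply, else this rule's verdict."""
        if self.protocols and (c.proto, c.port) not in self.protocols:
            return None
        if c.src not in self.sources or c.dst not in self.destinations:
            return None
        # The rule applies. An allow rule limited to authenticated users
        # denies a client that cannot authenticate, and the log names it.
        if self.users == "authenticated" and not c.authenticated:
            return "deny"
        return "allow"

def evaluate(policy, conn):
    """Top-down: the first applicable rule decides; otherwise default deny."""
    for rule in policy:
        verdict = rule.decide(conn)
        if verdict is not None:
            return verdict, rule.name
    return "deny", "Default rule"

# Policy as the thread describes it (rule contents are assumptions).
CUSTOM = Rule("Custom TCP 57017 Outbound", {("tcp", 57017)},
              {"localhost"}, {"external"}, "all")
SBS = Rule("SBS Internet Access Rule", set(),
           {"localhost", "internal"}, {"external"}, "authenticated")
# Amy's alternative: all outbound to the app's host, any user.
# "app-host" is a constructed label standing in for that specific IP.
APP_HOST = Rule("Allow outbound to app host", set(),
                {"localhost", "internal"}, {"app-host"}, "all")
```

Run `evaluate([CUSTOM, SBS], conn)` for a service connection that cannot authenticate: TCP 57017 from Local Host is allowed by the custom rule, but a neighbouring port (Amy's "range of them" guess) or the same rules in the opposite order end up denied by the SBS rule, which is what the denial log line shows.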