Yep. We call that least privilege 'round these parts.

Sent via ISA firewall protected Exchange 2003 Windows Mobile

-----Original Message-----
From: "Jim Harrison"<Jim@xxxxxxxxxxxx>
Sent: 3/8/06 1:57:12 PM
To: "[ISAserver.org Discussion List]"<isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Protocol rules access

http://www.ISAserver.org

That would be the smart thing.
Even smarter (much easier to manage) would be to allow nothing except what they want to.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Wednesday, March 08, 2006 09:28
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Protocol rules access

Hm, time for him to restrict the allowed destinations if his concern is that anyone can access http://host.domain.tld:weirdport

Right?

Tiago de Aviz
SoftSell - Curitiba
(41) 3340-2363
www.softsell.com.br

This message, including its attachments, is confidential and its content is restricted to the recipient of the message. If you have received this message in error, please return it to the recipient and delete it from your files. Any unauthorized use, replication or dissemination of this message or part of it is expressly prohibited. SoftSell is not responsible for the content or the veracity of this information.

>>> Jim@xxxxxxxxxxxx 8/3/2006 14:30 >>>

Not necessarily - see my other post.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Wednesday, March 08, 2006 09:10
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Protocol rules access

Hah! My bad. Got so used to this kind of question that I didn't read it right.

Then, he will need to create a protocol definition allowing traffic for port 9080. Then add it onto your Protocol rule.

Tiago de Aviz
SoftSell - Curitiba
(41) 3340-2363
www.softsell.com.br

>>> Jim@xxxxxxxxxxxx 8/3/2006 14:07 >>>

Sorry - that's a different question.
What he's talking about is someone having the ability to hit http://host.domain.tld:port
The script you describe helps alleviate the pain of finding https://host.domain.tld:port blocked.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Wednesday, March 08, 2006 08:48
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Protocol rules access

Negative; Need that special tool from Jim to allow SSL tunnels against weird ports.
It is available at www.isatools.org

Tiago de Aviz
SoftSell - Curitiba
(41) 3340-2363
www.softsell.com.br

>>> rrocha@xxxxxxxxxxxxxxx 8/3/2006 12:14 >>>

I've a protocol rule access that permits only port 80 and 443; but users can access internet socket applications and sites like www.xxx.com:9080 for example. Is there a bug in ISA Server 2000?

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tiago@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx