Re: Protocol rules access

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 8 Mar 2006 14:19:07 -0600

Yep. We call that least privilege 'round these parts.

Sent via ISA firewall protected Exchange 2003 Windows Mobile


-----Original Message-----
From: "Jim Harrison"<Jim@xxxxxxxxxxxx>
Sent: 3/8/06 1:57:12 PM
To: "[ISAserver.org Discussion List]"<isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Protocol rules access

http://www.ISAserver.org

That would be the smart thing.
Even smarter (much easier to manage) would be to allow nothing except what they 
want to. 


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Wednesday, March 08, 2006 09:28
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Protocol rules access

Hm, time for him to restrict the allowed destinations if his concern is that 
anyone can access http://host.domain.tld:weirdport
 
Right?

 
Tiago de Aviz
SoftSell - Curitiba
(41) 3340-2363
www.softsell.com.br 
 
This message, including its attachments, is confidential and its content 
is restricted to the recipient of the message. If you have received this 
message in error, please return it to the recipient and delete it 
from your files. Any unauthorized use, replication or dissemination 
of this message or any part of it is expressly prohibited. SoftSell is not 
responsible for the content or the veracity of this information.


>>> Jim@xxxxxxxxxxxx 8/3/2006 14:30 >>>

Not necessarily - see my other post. 


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Wednesday, March 08, 2006 09:10
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Protocol rules access

Hah! My bad. Got so used to this kind of question that I didn't read it right.

Then, he will need to create a protocol definition allowing traffic for port 
9080. Then add it onto your Protocol rule.



Tiago de Aviz
SoftSell - Curitiba
(41) 3340-2363
www.softsell.com.br 


>>> Jim@xxxxxxxxxxxx 8/3/2006 14:07 >>>

Sorry - that's a different question.
What he's talking about is someone having the ability to hit 
http://host.domain.tld:port
The script you describe helps alleviate the pain of finding 
https://host.domain.tld:port blocked.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Wednesday, March 08, 2006 08:48
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Protocol rules access

Negative; Need that special tool from Jim to allow SSL tunnels against weird 
ports.

It is available at www.isatools.org



Tiago de Aviz
SoftSell - Curitiba
(41) 3340-2363
www.softsell.com.br 


>>> rrocha@xxxxxxxxxxxxxxx 8/3/2006 12:14 >>>

I've a protocol rule access that permits only port 80 and 443; but users can 
access internet socket applications and sites like www.xxx.com:9080, for example. 
Is there a bug in ISA Server 2000?

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
tiago@xxxxxxxxxxxxxxx To unsubscribe visit 
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
