Trong Hieu Lam
IT – Technology 4th Semester
Final Project Report
Supervisor: Michael Brandi Andersen
Deadline: 16/12/2016
Server hardening by activating and configuring local Windows firewalls
Trong Hieu Lam
Supervisor: Michael Brandi Andersen (adnovita IVS)
Trong Hieu Lam
01/11/2016
Table of Contents
Preface (p. 4)
Introduction (p. 5)
Problem formulation and project scope (p. 6)
The Project (p. 8)
  Port and firewall (p. 8)
    Network Port (p. 8)
    Firewall (p. 9)
    Windows Firewall and rule direction (p. 11)
  Implementation methods (p. 12)
    Manually (p. 12)
    Group Policy Object (GPO) (p. 12)
    The 'netsh' command (p. 13)
    PowerShell (p. 14)
  Tools used (p. 15)
    The command prompt (cmd.exe) (p. 15)
    Task Manager (p. 17)
    Resource Monitor (p. 17)
    Process Explorer (p. 17)
    PowerShell ISE (p. 18)
    PortQry (p. 18)
    Other tools (p. 18)
  Port Assessments (p. 19)
    Minimum ports required in Origio domain (p. 19)
    Domain Controller (p. 25)
    Mail Server (p. 29)
    File Server (p. 32)
    Citrix Servers (p. 33)
  Port inventory process (p. 34)
    The Process (p. 35)
    Additional port needed (p. 42)
    Interesting findings (p. 47)
  PowerShell Script creation (p. 50)
    Set up execution permission and WinRM (p. 51)
    Enable or Disable the firewall (p. 52)
    Disable rules (p. 54)
    Adding more rules (p. 55)
    Resetting the Firewall (p. 58)
    Enable ping (ICMP traffic) (p. 59)
    Local machine and remote machines (p. 59)
    Comments (p. 60)
    Putting the commands into one package (p. 60)
    Other aspects: error handling, recovery and automation (p. 61)
  Tests and Test Results (p. 62)
    Testing the PowerShell scripts (p. 62)
    Testing the function of implementing server (p. 65)
Project Conclusion (p. 73)
References (p. 75)
Appendixes (p. 79)
Preface
This project report is submitted as the report for the final exam in IT – Technology, 4th semester. The
project is carried out in collaboration with Origio A/S (www.origio.com). The project is 7 weeks long,
running from 31 October to 16 December.
The main goal of the project is to harden the security of Origio's server infrastructure by enabling the
local firewalls on the running servers. Several security issues and methods will be taken into
consideration. The project is a combination of practice and central applied theory, since it contains
both assessments and considerations and practical suggestions on the implementation technique.
Readers may also encounter technical terms, since the project covers a variety of sub-topics such as
network protocols, network ports, firewalls, Windows technology, Windows PowerShell, network
domains and Active Directory, and so on.
I would also like to thank those who assisted and helped me along the project, as they are also
important contributors to it. One of them is Michael Brandi Andersen, my project supervisor, who
helped me a lot in forming the project ideas and guided me to the end of the project. I would like to
thank all of my teachers at KEA for teaching me valuable knowledge since I started the education.
Last but not least, I would like to thank all of my colleagues at Origio for their care and support for
the project.
Introduction
Network security is nowadays a big concern for businesses and enterprises, whether they are big or
small. We experience security fraud and attacks daily all around the world, such as DDoS, hacking
and penetrating company systems, email phishing, and hundreds more forms of cyber-attack. It
could cost a fortune if we take security for granted. A lot of effort has been made to prevent them,
including equipping the system infrastructure with (hardware) firewalls, Intrusion Prevention and
Intrusion Detection Systems (IPS/IDS), Adaptive Security Appliances (ASA), antivirus and many more
measures. Although a system can never be 100% secure, we can always try our best to reduce the
threats to a minimum level: we can harden it to have better protection.
That is also the essential goal of this project: to harden the security of Origio's server infrastructure
by enabling the local firewalls on the running servers, since Origio is in the position where the
firewalls on more than 60 virtual servers have been disabled. Several assisting tools and methods will
be used in the project. The "netstat" command, for example, is used as one of the assisting tools to
determine the minimum ports needed on a running server, depending on its roles and services.
PowerShell scripts are another example of a tool, used to enable the local firewalls, and could be an
option for future implementation. The result of the project is documentation of the services, software
and open ports on a particular server, the minimum required ports for that server, a suggestion as to
whether the server should open a particular port, and PowerShell scripts as the implementation
method.
The project is a combination of practice and central applied theory. Several parts of the project
discuss, assess and take into consideration various aspects: for example, what basic ports are required
for a machine to function well in a domain, what special protocols are needed on a given server, or
why we use PowerShell as the means for future implementation, and so on. Other parts describe the
practical steps of the exploration process in detail.
Problem formulation and project scope
From Windows XP on, Microsoft has included an integrated firewall in all of its operating systems. The
reason was a series of attacks and exploits that took advantage of the fact that once one computer in
the network had been taken over, it was often easy to attack all the others through open services and
ports with known weaknesses.
The idea is great, but with no central management potential (Group Policy can be used, but there are
a number of challenges when multiple configurations are wanted over a large pool of clients and
servers), the firewalls are often simply disabled in a corporate environment for convenience, and
hence do not provide the extra layer of protection that they were meant to, which is a real shame,
even if Microsoft has significantly improved the security of their unprotected OSs.
Origio, a medical company whose IT headquarters is located in Måløv, Denmark, is in exactly this
position. Although it has its own security systems such as firewalls, IDS and antivirus, it at the same
time has the local firewall disabled on just about all of its 60+ virtual servers.
The essence of the project is to assess and analyze each server at Origio (those with important roles
and currently in high usage), using various tools like netstat, to determine what ports need to be
open on each server, and to create documentation from this work. Once all the servers are
documented, a PowerShell script for configuring and activating the firewall on each server will be
created, and as a proof of concept the script will be executed on several less critical servers. Next, the
implemented servers will be tested for full functionality after the implementation.
Following the completion of the project, the following tasks will be accomplished:
1. Baselines for the minimum ports required for a server to function normally in a domain will be
defined. Depending on the server type, further baselines will also be defined (for a domain
controller, for a file server, for the Exchange server, and so on).
2. An analysis process will be described in detail. The analysis will then be conducted on each of
the mentioned servers to list the running services and listening ports.
3. Additional ports required for a particular server will be defined, based on what has been
discovered.
4. PowerShell scripts for enabling the local firewall with the allowed ports will be created.
5. Testing will be conducted and the scripts implemented on less critical servers.
6. Documentation of the work and the results will be created and submitted to the responsible
person at Origio for further use.
Upon enabling the local firewalls, the implemented servers should be able to function in the domain
the same as before.
One thing to note is that the documentation and scripts will be handed over to the security
responsible, who will be in charge of doing the final installation on the critical servers. Because the
exercise has the potential for operational impact on Origio, it is preferred that the implementation for
critical servers is handled internally at Origio.
The project documentation could afterwards be used for various purposes. We might discover
unwanted software communicating over the network, which will then be red-flagged and analyzed to
determine whether the functionality is intentional and secure, or whether it should be removed.
Origio's system administrators can use the documentation for future reference or for the
development of their Application Control.
The Project
Port and firewall
In this part I will give a brief introduction to network ports and firewalls, since they are the two main
concepts we are working with and they will be used often throughout the report. More protocols and
concepts will be explained later, when we work with them.
Network Port
A network port lives in the application layer of the OSI model. In short, a port acts as a "door" to the
application that a message is sent to.
Network applications constantly contact, or talk with, each other. When a packet is sent to the other
end, it is de-multiplexed up through the layers. When it reaches the transport layer, whether TCP or
UDP is used, the stack needs to know which application the message is meant for. However, there
are many applications and processes running inside a computer. To distinguish them and deliver the
right information to the right application, the port comes into use.
A port is normally a number between 1 and 65535. Depending on their type, ports are used
differently. Well-known ports are used for well-known applications and application protocols and
have been assigned by the Internet Assigned Numbers Authority (IANA); for example, port 80 is used
for HTTP (web servers), port 25 is used for SMTP, ports 20 and 21 are used for FTP, and so on. There
are also ports that are not well known but have been registered for a range of application protocols.
Last but not least, there are dynamic ports that any application can use. The dynamic port range is
49152 to 65535 (from Windows 7 on).
When an application starts and runs, it can open a port and receive and accept messages directed to
that port; that is what we call "listening". Depending on the protocol at the transport layer,
"listening" may or may not be used. For example, TCP is a connection-oriented, reliable protocol, and
applications that use it always need to establish a connection between the two hosts before
exchanging messages. To do that, one end has to send a SYN packet to a particular port on the other
end. That is where "listening" comes into use, because those applications always listen on a port for
the SYN packet that establishes a new connection. On the other hand, UDP is a connectionless,
unreliable transport-layer protocol, so there is no need to listen for a new connection, as segments
can arrive in any order and from any source.
Lacking control over open ports can result in a lot of problems. As mentioned earlier, several exploits
can be conducted using vulnerabilities in a port, or in the application that opens that port. In some
cases a malicious application can open a port and make a connection to an attacker somewhere on
the Internet. The attacker, if successful, can do many things, such as stealing the victim's personal or
other valuable information. If we are not careful enough, it could be a big disaster. That is where the
firewall comes into use.
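The following script is an added example, not code from the report: it turns "netstat -ano" output (the tool the report uses for its port inventory) into a list of listening ports per protocol and process, and flags every port outside a baseline, which is the comparison the report makes between the minimum required ports and what a server actually opens. The netstat lines, the PID-to-process table and the baseline are constructed samples; the function names are my own.

```powershell
# Added example, not code from the report. Parses "netstat -ano" output into
# a listening-port inventory and flags ports outside a baseline. The sample
# netstat lines, PID-to-process table and baseline below are constructed.

function ConvertFrom-NetstatLine {
    # Turns one netstat -ano line into an object, or $null for headers and
    # non-listening entries. TCP lines carry a State column, UDP lines do not,
    # so the PID sits in a different column for each protocol.
    param([string]$Line, [hashtable]$ProcessNames)
    $fields = $Line.Trim() -split '\s+'
    if ($fields[0] -eq 'TCP') {
        if ($fields.Count -lt 5 -or $fields[3] -ne 'LISTENING') { return $null }
        $procId = [int]$fields[4]
    } elseif ($fields[0] -eq 'UDP') {
        if ($fields.Count -lt 4) { return $null }
        $procId = [int]$fields[3]      # any bound UDP socket counts as open
    } else {
        return $null
    }
    # Local address is "ip:port" or "[ipv6]:port"; the port follows the last colon.
    $local = $fields[1]
    $port = [int]$local.Substring($local.LastIndexOf(':') + 1)
    $name = "pid $procId"
    if ($ProcessNames.ContainsKey($procId)) { $name = $ProcessNames[$procId] }
    New-Object PSObject -Property @{
        Protocol  = $fields[0]
        LocalPort = $port
        ProcessId = $procId
        Process   = $name
    }
}

function Get-ListeningPorts {
    # One entry per protocol/port: the IPv4 and IPv6 sockets of the same
    # service (0.0.0.0:135 and [::]:135) collapse into a single line.
    param([string[]]$NetstatOutput, [hashtable]$ProcessNames = @{})
    $seen = @{}
    $inventory = @()
    foreach ($line in $NetstatOutput) {
        $entry = ConvertFrom-NetstatLine -Line $line -ProcessNames $ProcessNames
        if ($entry -eq $null) { continue }
        $key = "$($entry.Protocol)/$($entry.LocalPort)"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        $inventory += $entry
    }
    $inventory | Sort-Object Protocol, LocalPort
}

function Compare-PortBaseline {
    # Returns the listening ports the baseline does not cover; each one needs
    # a decision (document and allow, or investigate and close).
    param($Inventory, [string[]]$Baseline)
    $additional = @()
    foreach ($entry in $Inventory) {
        $key = "$($entry.Protocol)/$($entry.LocalPort)"
        if ($Baseline -notcontains $key) { $additional += $entry }
    }
    $additional
}

# Constructed sample of "netstat -ano" output from a member server.
$sampleNetstat = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708',
    '  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4',
    '  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1208',
    '  TCP    10.0.0.5:3389          10.0.0.77:51234        ESTABLISHED     1208',
    '  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       4410',
    '  TCP    [::]:135               [::]:0                 LISTENING       708',
    '  UDP    0.0.0.0:123            *:*                                    1044',
    '  UDP    0.0.0.0:5355           *:*                                    1100'
)
# Constructed PID-to-process mapping (on a live server: Get-Process,
# Task Manager or Process Explorer).
$sampleProcesses = @{
    4    = 'System'
    708  = 'svchost.exe (RpcSs)'
    1044 = 'svchost.exe (W32Time)'
    1100 = 'svchost.exe (Dnscache)'
    1208 = 'svchost.exe (TermService)'
    4410 = 'vendor-agent.exe'
}
# Constructed baseline in "PROTO/port" form; not the report's own list.
$baseline = @('TCP/135', 'TCP/445', 'TCP/3389', 'UDP/123')

$inventory = Get-ListeningPorts -NetstatOutput $sampleNetstat -ProcessNames $sampleProcesses
$inventory | Format-Table Protocol, LocalPort, ProcessId, Process -AutoSize
Compare-PortBaseline -Inventory $inventory -Baseline $baseline |
    ForEach-Object { Write-Warning "Outside baseline: $($_.Protocol)/$($_.LocalPort) ($($_.Process))" }
```

Against a live server, replace $sampleNetstat with the output of netstat -ano and build the mapping from Get-Process.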
Firewall
A firewall is used as a security measure to protect a machine, or the whole network, from risks coming
from an outside network or the Internet (hackers, viruses, worms, etc.). A firewall controls and
monitors network traffic by predefined security rules. For example, a firewall can be set to allow only
TCP connections to port 80 on a specific IP address in a network, while any packet heading to another
port, or to the same port on another IP address, is dropped.
A network or a machine without a firewall still functions. However, none of the activity and traffic
passing through (in and out of) the network or the machine itself is controlled. The machine cannot
know whether there is malicious communication from itself to another machine, or whether it is
being exploited through its open ports. And if there is no firewall inside a network, an attacker who
gets in can carry out all sorts of exploitation, from port scanning and vulnerability scanning to host
enumeration, without any difficulty. Introducing a firewall is more like putting up a layer between
the machine or the local network and other networks. In some cases, traffic coming in and out will be
examined and monitored by predefined rules. The firewall can then explicitly allow or block the traffic
that matches the rules.
In Computer Networking – A Top-Down Approach by James Kurose, the three main goals of a firewall
are stated as:
- All inbound and outbound traffic should pass through the firewall.
- Only authorized traffic, as defined in the local policy, is allowed to pass.
- The firewall itself is immune to penetration.
Firewalls can be categorized into network firewalls and host-based, or local, firewalls. A network
firewall is often placed at the front of a network to examine and filter traffic between it and another
network. A network firewall can be either hardware or software. A hardware network firewall could
be a computer appliance (nowadays there are a lot of products on the market for both small and big
enterprises), whereas a software network firewall is a piece of software that runs on other hardware.
Firewalls can also be categorized by their functionality; they can be:
- Packet filtering firewall: this type of firewall is very common and is usually seen in a router
  standing at the border of the network (in the form of an Access Control List, ACL). A packet filter
  examines each datagram coming in and out of the network and decides whether the datagram
  can pass through or not, based on the rules predefined by the administrator. The filtering
  decision can be based on:
  - IP source or destination address
  - Protocol type (TCP, UDP, ICMP, ...)
  - Source and destination port
  - And many more options
  An example of a rule could be to drop all packets to any IP address on port 80, or drop all UDP
  packets except DNS traffic, or drop all ICMP ping traffic.
  A big advantage of packet filtering is that it is very common and is found in just about every
  device on the network (routers, switches, access points, ...), so we can quickly implement some
  rules to mitigate an attack, protect against infected devices and so on. However, this traditional
  packet filtering does not examine what is inside the IP payload. If there is something malicious
  inside the payload, we cannot spot it. Another disadvantage of this firewall is that the rules are
  predefined and static. Attackers can easily craft a packet that gets through the firewall.
- Stateful inspection firewall: this type of firewall solves the problem mentioned above by tracking
  all of the ongoing connections and placing them in a table. That is, it maintains the state of all
  connections in the network, making it harder for an attacker to craft a packet and penetrate the
  network. This, however, costs more network performance.
- Application gateway: this type of firewall can be implemented on a server through which
  application data must pass. It filters traffic according to the service it is intended for (by
  examining the destination port), whether HTTP, FTP, email or so on, and looks deeper into the
  payload. One example could be an HTTP gateway sending requests on behalf of the client,
  receiving the web page and sending it back to the client. The other way round could be a Telnet
  gateway accepting requests from clients, authenticating them and
  acting as a proxy between the client and the real Telnet server. This type of application firewall
  can be used as another security layer in front of the real server, reducing the risks from port
  scanning or application attacks. The disadvantages are that the gateway has to have the specific
  application installed in order to handle it, and it is also typically slower than a traditional packet
  filter or stateful firewall.
There are more types of firewall nowadays, operating at all layers of the OSI model. They could be
really advanced, with many more functions besides the basic ones mentioned, or they could be a
really small and simple piece of software.
Windows Firewall and rule direction
In this project we will mainly work with host-based, local firewalls. They are a software layer that can
control and monitor network traffic coming into or going out from that machine. In particular, we
will work with the Windows built-in firewall.
Unlike a perimeter firewall, which is placed at the border of the network, Windows Firewall with
Advanced Security is installed on every computer running a Windows operating system (since
Windows XP). It provides a layer of protection against network attacks besides the perimeter firewall.
Windows Firewall is categorized as a host-based, software, stateful packet filter firewall. To work with
it, simply open Windows Firewall with Advanced Security under System and Security in the Control
Panel. We can define our own rules based on:
- Port number
- Application name
- Service name
- Source and destination IP address
- And other criteria
In this project we will focus on firewall rules that examine the destination port of the traffic (to our
machine), since we want better control over the applications and software running on the servers at
Origio with regard to the ports they open and listen on.
Windows Firewall rules have two directions: inbound and outbound. Inbound rules apply to network
traffic that is coming to our machine. Inbound rules can explicitly block or allow traffic that matches
the criteria. That is what we are aiming at: defining our own inbound rules that open the
minimum ports needed for a particular server. Inbound rules allowing a number of ports will be
defined, and all traffic that does not meet the criteria is blocked.
Outbound rules apply to network traffic that originates from the machine. An outbound rule can, for
example, block traffic to a specific IP address in a network while allowing connections to the other
machines. We will not touch any part of the outbound rules in this project, simply because:
- Our main goal is to prevent traffic connecting to our ports, not the other way round.
- Outbound rules are difficult to define and manage. A connection to the outside network could
  be anything, and trying to define a rule for each type of connection is simply impossible if we
  want to achieve a level of convenience.
Implementation methods
At a specific point in the project, we have to turn on the firewall with rules based on what has been
decided. Because there are many servers at Origio, there should be a way to enable the firewall that
makes the implementation phase a lot easier and faster. In this part, several implementation
techniques will be defined and discussed, and one will be chosen.
Because of the nature of our goal, we demand a method that is simple, fast to implement, automatic,
easy to refer to in the future and easy to roll out over a large pool of servers.
Manually
The first option could be to enable the local firewall manually. We can go into the servers one by one
and enable the firewall by hand in the "Windows Firewall with Advanced Security" snap-in. However,
doing it this way could cost us a lot of time and effort, and we may eventually make mistakes or miss
some important ports.
This method can only be used when there are not so many machines in the network, for example a
home network or a personal computer.
Group Policy Object (GPO)
Group Policy has been a useful feature that allows us to centrally manage configuration in an AD DS
domain. With its components residing in AD, on DCs, and on each Windows server and client, Group
Policy has for a long time saved many administrators from tedious work.
A Group Policy Object is an object that contains one or more policy settings (a Group Policy
component that defines a configuration change to apply) and thereby applies those settings to
computers and
users. There are currently thousands of policy settings available, and depending on the organization's
preferences, they could implement a GPO with settings such as disabling the desktop image, log-off
time, network drive mapping, and so on. Once a GPO is linked to a site or an OU, the users and
computers in that site/OU will receive and apply the policy settings in that GPO.
It is possible to have a GPO with a setting that enables the firewall based on several criteria. The
setting is found under the configuration settings.
This method is good in that it provides a central place for GPO management. Administrators only
have to use their current GPO management console to add or remove the settings for the firewalls.
However, this method will not be chosen for the implementation, especially for enabling the firewall,
for several reasons:
- Because of the diversity of the servers, it can create extra effort for the administrator, and there
  could be problems during the process.
- A GPO can only be linked to a site, a domain or an OU to take effect. Therefore, it could be
  difficult to tailor a GPO and link it to a specific server (a security group can be used, but it
  requires much extra work).
- Re-applying or un-applying a GPO, if we do something wrong, is an extremely tedious task. In
  the first case (re-apply), we have to log off and log in again, or force a GPO update. And if we
  want to un-apply a GPO, we can simply disable it, but the configuration remains unchanged
  until we explicitly apply a default one.
The 'netsh' command
Netsh is a command-line tool that allows us to display or modify the configuration of a computer in
the network (locally or remotely). Netsh also offers scripting features, that is, running a group of
commands against a specific computer.
We can use netsh to work with several things: DHCP, IP, routing, firewalls and more. Every time we
want to work with a specific area, we have to enter a "context", a set or group of commands specific
to a networking component, so that netsh can use the right library. The "advfirewall" context allows
us to work with Windows Firewall with Advanced Security. It helps us with the creation and
administration of Windows Firewall rules, in addition to the console-based management method.
The netsh advfirewall command is a good implementation method, as we can see:
- It provides a full set of tools to add, delete and modify Windows Firewall rules, and can be
  executed in a simple way (just one command line).
- It provides the ability of automation: several commands can be run at once in a batch file,
  reducing the recurring work of the administrator.
- It provides the ability to be executed on a remote computer or a group of remote computers
  (through the PsExec utility from Windows Sysinternals).
With those benefits, netsh is one of our strong candidates. However, I will not choose it as our
implementation method. In its recent operating systems, Windows informs us that some of the netsh
commands will soon be deprecated, will no longer be available and will be removed (the configuration
of TCP/IP). A transition to Windows PowerShell is recommended. The second reason I do not choose
netsh is that PowerShell is a better tool with regard to its flexibility through parameters, which I will
explain in later parts. PowerShell is nowadays widely adopted and has been developed through many
versions (the current newest version is 5.0).
Again, netsh is a good tool, and could possibly be the implementation method for enabling the
firewalls.
PowerShell
PowerShell is a task automation platform from Microsoft for Windows and Windows Server. It consists
of a command-line shell and its associated scripting language, built on top of the .NET Framework.
Therefore, it can provide a variety of objects and a full set of functionality for taking control of the
Windows environment. On 18 August 2016, PowerShell was made open source (available on GitHub)
and cross-platform (available for Linux) [1].
PowerShell commands are called command-lets (cmdlets), which are specialized .NET classes
implementing a specific operation. Through aliases, the cmdlets understand basic commands from
both the Windows command prompt (such as cls, dir, cd, ...) and the Linux terminal (cd, ls, ...). A
group of cmdlets can be combined into PowerShell scripts (.ps1 extension), which can be executed
with parameters.
In this project, PowerShell will be chosen as the implementation method, for these reasons:
- PowerShell is a powerful tool not only for working with the firewall but also for working with
  other Windows components.
1 https://azure.microsoft.com/da-dk/blog/powershell-is-open-sourced-and-is-available-on-linux/
PowerShell cmdlets by nature provide parameters, which give flexibility in building commands. We can later create our own parameters for different purposes.
PowerShell can execute commands on remote machines through WinRM, which reduces the administration effort.
PowerShell includes a scripting language, so scripts can automate repetitive work.
PowerShell includes an Integrated Scripting Environment (ISE), which makes script writing easier.
PowerShell has many more benefits that are not mentioned here. For example, it introduces modules: by importing a module, a set of cmdlets for a particular field becomes available. On Windows 8 and Windows Server 2012 and later, which ship with PowerShell 3.0, the NetSecurity module (New-NetFirewallRule, Set-NetFirewallProfile and related cmdlets) makes it much easier to work with the Windows Firewall. Note that this module comes with the operating system, not with PowerShell itself: installing PowerShell 3.0 on Windows Server 2008 R2 does not add it, and on 2008 R2 PowerShell reaches the firewall through netsh advfirewall or the HNetCfg.FwPolicy2 COM object instead. We will therefore mainly focus on PowerShell 2.0, which ships with Windows Server 2008 R2 as the default PowerShell version.
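As an added example (my own illustration, not code from this report), the following PowerShell 2.0 script puts the points above together: script parameters, remote execution through WinRM and automation of the netsh advfirewall commands with which the Windows Server 2008 R2 firewall can be driven when the NetSecurity module is absent. The function name Set-LocalFirewall, the parameter names, the default log file path and localhost as the default target are my assumptions; the commands only change the firewall when -DryRun is omitted.

```powershell
# Added example, not part of the original report. PowerShell 2.0 compatible.
# Enables the Windows Firewall on all profiles, sets "block inbound / allow outbound",
# turns on logging of dropped packets and runs the same steps on remote hosts via WinRM.
param(
    [string[]]$ComputerName = @('localhost'),     # assumed default: run on this machine
    [string]$LogFile = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log',  # assumed path
    [switch]$DryRun                               # print the netsh commands, do not run them
)

function Set-LocalFirewall {
    param([string]$LogFile, [bool]$DryRun)
    # Each entry is one netsh command, kept as an argument array so that PowerShell
    # passes the tokens to netsh.exe as separate arguments (no re-quoting problems).
    $steps = @(
        @('advfirewall', 'set', 'allprofiles', 'state', 'on'),
        # Inbound blocked unless a rule allows it, outbound allowed: the hardening goal.
        @('advfirewall', 'set', 'allprofiles', 'firewallpolicy', 'blockinbound,allowoutbound'),
        @('advfirewall', 'set', 'allprofiles', 'logging', 'filename', $LogFile),
        @('advfirewall', 'set', 'allprofiles', 'logging', 'droppedconnections', 'enable')
    )
    $results = @()
    foreach ($step in $steps) {
        $cmd = 'netsh ' + ($step -join ' ')
        if ($DryRun) {
            $results += "DryRun: $cmd"
            continue
        }
        $out = & netsh $step 2>&1
        if ($LASTEXITCODE -ne 0) { $results += "FAILED ($LASTEXITCODE): $cmd : $out" }
        else { $results += "OK: $cmd" }
    }
    $results
}

# Local targets need no WinRM; remote targets need a WinRM listener (winrm quickconfig)
# and TCP 5985 reachable, which is why the report keeps that port open.
$local  = @($ComputerName | Where-Object { $_ -eq 'localhost' -or $_ -eq $env:COMPUTERNAME })
$remote = @($ComputerName | Where-Object { $_ -ne 'localhost' -and $_ -ne $env:COMPUTERNAME })

if ($local.Count -gt 0) {
    Set-LocalFirewall -LogFile $LogFile -DryRun ([bool]$DryRun)
}
if ($remote.Count -gt 0) {
    # ${function:Name} hands the function body to Invoke-Command as a script block;
    # the -ArgumentList values map positionally onto its param() block.
    Invoke-Command -ComputerName $remote -ScriptBlock ${function:Set-LocalFirewall} `
        -ArgumentList $LogFile, ([bool]$DryRun)
}
```

Run it first with -DryRun (for example .\Enable-Firewall.ps1 -ComputerName srv01,srv02 -DryRun) to see the exact netsh commands, then without it from an elevated PowerShell; the execution policy may have to be set to RemoteSigned before a .ps1 file runs. The firewall rules that allow the needed inbound ports are a separate step, taken in the port assessment later in this report.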
Tools used
In this part, the tools used in the project are described. Some tools are already packed with the Windows operating system; others are downloaded from the Internet. Most of the tools serve the purpose of port and process exploration.
Notice that I chose the most lightweight tools, which require no installation: I just have to run the tool and work directly from it. This is because I have limited admin access and cannot do installations.
The command prompt (cmd.exe)
The command prompt is a command line interpreter available in most Windows operating systems. It helps us solve a lot of administrative tasks and troubleshoot and resolve other kinds of issues. It can also enable automation through scripts and batch files. The command prompt can be opened by running "cmd.exe".
Several commands are available in the command prompt, but in this project we will focus mainly on the netstat command and the net stop command.
The netstat command displays active TCP connections, the ports on which the computer is listening, IPv4 and IPv6 statistics, the IP routing table, etc. It can be used with or without parameters, which display different results. Those parameters include:
-a: display all active TCP connections as well as the TCP and UDP ports the computer is listening on.
-b: display the executable involved in creating each connection or listening port (requires an elevated command prompt).
-e: display Ethernet statistics (for example the number of bytes and packets sent and received).
-n: do not resolve any names; leave addresses and ports in numerical form.
-o: include the process ID (PID) of each connection.
-p <protocol>: show only connections for the given protocol (tcp, udp, tcpv6, udpv6).
-s: display statistics by protocol.
-r: display the contents of the routing table.
Without any parameter, netstat displays the active TCP connections only.
/?: the set of parameters available in netstat depends on the version of Windows (for example, in Windows 2000 the -b and -o parameters are not available). This parameter prints the list of available parameters for reference.
In this project, we will mainly use the parameters -a, -o, -n and -b, in order to list all TCP connections and TCP/UDP listening ports with the process ID and process name included.
Another useful command to mention is the net stop command, which stops a running service. In this project we will use it on the HTTP service, not to actually stop it: "net stop http" first lists the services that depend on HTTP and asks for confirmation, which we then decline. This reveals which services are using HTTP.
Besides these, I also use other commands for testing purposes, such as ping and nslookup. Ping checks whether a machine is alive on the network and can communicate with another machine; it uses the ICMP protocol, which operates in the network layer of the OSI stack. Nslookup is a tool to diagnose DNS2. I will use these commands in the testing phase of the project.
2 https://technet.microsoft.com/en-us/library/cc725991(v=ws.11).aspx
Task Manager
Since we mostly work with the Windows operating system, this is a really good tool. Task Manager provides a full and detailed view of computer performance, running applications, processes, system services, CPU usage, memory information, network activity and statistics, and logged-in users. Task Manager can be started in several ways; for example, in recent Windows versions we can press Windows key + R and type "taskmgr.exe", or press Ctrl + Alt + Del and click Start Task Manager.
In this project, Task Manager is used to display the services belonging to a process identifier (PID) obtained from the netstat command. One process can host many services (several Windows services share one svchost.exe process), so there will be several services with the same PID; the Services tab of Task Manager shows this mapping, as does "tasklist /svc" from the command prompt.
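As an added example (mine, not code from this report), the following PowerShell 2.0 script does from a script what the netstat parameters above and the PID lookup in Task Manager do by hand: it parses netstat -ano, keeps the listening sockets and maps each PID to its process name and to the services hosted in that process. The function names and the sample netstat lines are constructed for the illustration; the script needs no elevation because the process name comes from Get-Process rather than from netstat -b.

```powershell
# Added example, not part of the original report. PowerShell 2.0 compatible.
# Parses "netstat -ano" output, keeps listening TCP and bound UDP sockets and maps each
# PID to its process name and to the services hosted in that process (several services
# share one svchost.exe PID). Works without "netstat -b", which needs elevation.

function ConvertFrom-NetstatLine {
    param([string[]]$Lines, [hashtable]$ProcessName, [hashtable]$Services)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5 -and $f[3] -eq 'LISTENING') {
            $procId = [int]$f[4]; $state = 'LISTENING'
        } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
            $procId = [int]$f[3]; $state = ''        # UDP lines have no state column
        } else { continue }                          # header lines, established TCP, etc.
        # Local address is "addr:port"; IPv6 looks like "[::]:135", so split at the last colon.
        $local = $f[1]
        $idx = $local.LastIndexOf(':')
        $svc = ''
        if ($Services.ContainsKey($procId)) { $svc = ($Services[$procId] -join ',') }
        $name = ''
        if ($ProcessName.ContainsKey($procId)) { $name = $ProcessName[$procId] }
        New-Object PSObject -Property @{
            Protocol = $f[0]
            Address  = $local.Substring(0, $idx)
            Port     = [int]$local.Substring($idx + 1)
            State    = $state
            PID      = $procId
            Process  = $name
            Services = $svc
        }
    }
}

function Get-ListeningSocket {
    # Builds PID -> process name and PID -> service names maps, then parses live netstat output.
    $names = @{}
    Get-Process | ForEach-Object { $names[[int]$_.Id] = $_.ProcessName }
    $svcs = @{}
    Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
        $p = [int]$_.ProcessId
        if (-not $svcs.ContainsKey($p)) { $svcs[$p] = @() }
        $svcs[$p] += $_.Name
    }
    ConvertFrom-NetstatLine -Lines (netstat -ano) -ProcessName $names -Services $svcs |
        Select-Object Protocol, Address, Port, State, PID, Process, Services |
        Sort-Object Protocol, Port
}

# Constructed sample (not captured from a real server) so the parser can be tried offline.
$sampleLines = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712',
    '  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4',
    '  TCP    10.0.0.5:3389          10.0.0.9:52110         ESTABLISHED     1204',
    '  TCP    [::]:5985              [::]:0                 LISTENING       4',
    '  UDP    0.0.0.0:123            *:*                                    980'
)
$sampleNames = @{ 712 = 'svchost'; 4 = 'System'; 980 = 'svchost' }
$sampleSvcs  = @{ 712 = @('RpcSs', 'RpcEptMapper'); 980 = @('W32Time') }
ConvertFrom-NetstatLine -Lines $sampleLines -ProcessName $sampleNames -Services $sampleSvcs |
    Format-Table Protocol, Address, Port, State, PID, Process, Services -AutoSize

# On a real server: export the live result for the Excel sheet used in the assessment.
# Get-ListeningSocket | Export-Csv -Path .\listening-ports.csv -NoTypeInformation
```

The sample produces four rows (TCP 135, 445, 5985 and UDP 123); the ESTABLISHED connection is dropped because only listeners matter for inbound rules. The Export-Csv line at the end replaces the manual "netstat to text file to Excel" step, and because the PID-to-service map comes from WMI it also resolves the PIDs that netstat and Task Manager leave blank.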
Resource Monitor
Unlike Task Manager, Resource Monitor is only available from Windows Vista onwards. It is a utility that displays the use of hardware and software resources in real time: CPU, memory, disk and network activity. Resource Monitor can be opened directly from the "Performance" tab of Task Manager.
Resource Monitor is used to display network information such as network activity, TCP connections and listening ports. The tool is used together with the netstat command to get a better overview of the network, since it presents the information in a more understandable way (through a GUI).
Process Explorer
Process Explorer is a utility from Windows Sysinternals that shows which handles and DLLs each process has opened or loaded. Apart from being useful for tracking down DLL-version problems and handle leaks, it gives insight into how Windows and our applications work. Process Explorer can be downloaded from here3.
Process Explorer is used in this project to dig deeper into a process. For example, in some cases netstat shows the PID but cannot resolve the process name, and neither can Task Manager. Process Explorer helps a lot here, because it displays the process name and its execution path (useful when the process is suspicious).
3 https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx
PowerShell ISE
The Windows PowerShell Integrated Scripting Environment (ISE) is a host application for Windows PowerShell. In the ISE we can write, test and debug our scripts with tab completion, syntax coloring, selective execution and so on. We can also run cmdlets directly there. In this project, I will use the ISE as the environment for developing the scripts.
To open the ISE, simply execute powershell_ise.exe from the Run box.
PortQry
PortQry is a tool that reports the status of a TCP or UDP port on a particular machine. It is used to troubleshoot connectivity issues, for example to check whether the port of a service is still open and listening. The tool is not considered a port scanner; it provides more detail about the port status by analyzing the response from the process on the target port, and reports one of three states: LISTENING (a process answered), NOT LISTENING (the host replied that nothing is listening, e.g. a TCP reset or an ICMP port unreachable) and FILTERED (no reply at all, which usually means a firewall dropped the packet). The last two are what distinguish a firewall rule that blocks a port from a service that is simply not running. PortQry can query a single port, multiple ports or a range of ports. More information about this tool can be found at this website4.
PortQry is available as a command-line tool and with a user interface (PortQryUI). In this project I will use the user interface version to get a better overview of the test results.
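As an added example (mine, not code from this report or from the PortQry tool), the following PowerShell 2.0 function reproduces the three PortQry outcomes for TCP ports with a plain .NET socket, which is handy for scripting the testing phase from a machine that cannot install anything. The function name, the default timeout and the host name in the usage line are my assumptions.

```powershell
# Added example, not part of the original report. PowerShell 2.0 compatible.
# TCP connect test with the three PortQry-style outcomes. It distinguishes a port that
# answers (LISTENING) from one that refuses (NOT LISTENING, a TCP RST came back) and from
# one that never answers (FILTERED, typically dropped by a firewall). UDP is not covered:
# a silent UDP service and a filtered UDP port look identical to a connect test.

function Test-TcpPort {
    param(
        [string]$ComputerName,
        [int[]]$Port,
        [int]$TimeoutMs = 2000   # assumed default; FILTERED is reported after this wait
    )
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        $status = 'FILTERED'
        $detail = "no reply within $TimeoutMs ms"
        try {
            $async = $client.BeginConnect($ComputerName, $p, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)      # throws a SocketException on RST
                $status = 'LISTENING'; $detail = ''
            }
        } catch {
            # .NET exceptions arrive wrapped; look at the inner SocketException if present.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            $detail = $ex.Message
            if ($ex -is [System.Net.Sockets.SocketException]) {
                switch ($ex.ErrorCode) {
                    10061   { $status = 'NOT LISTENING' }   # WSAECONNREFUSED: host up, nothing listens
                    10060   { $status = 'FILTERED' }        # WSAETIMEDOUT
                    default { $status = 'ERROR' }           # e.g. 11001 host not found
                }
            } else {
                $status = 'ERROR'
            }
        } finally {
            $client.Close()                      # also cancels a still-pending connect
        }
        New-Object PSObject -Property @{
            ComputerName = $ComputerName; Port = $p; Status = $status; Detail = $detail
        }
    }
}

# Usage: test the baseline ports of a server from an admin workstation. The host name is
# an assumption; testing from the server itself only exercises loopback, not the firewall.
Test-TcpPort -ComputerName 'srv01.origio.local' -Port 135, 445, 3389, 5985, 8080 |
    Format-Table Port, Status, Detail -AutoSize
```

A port that was open before the firewall was enabled and comes back as FILTERED afterwards identifies a missing allow rule; NOT LISTENING instead means the packet got through and the service itself is down.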
Other tools
In this project I also used Control Panel to see the installed programs on the machine and compare them with what I found using other tools. It is a good way to double-check whether a program or service is necessary on a server. However, I was not given full admin permission, so as a limited admin I could not see the installed programs. There is another way to see the programs installed on a server: Kaspersky Security Center has a function to export the installed programs of a server to a text file. The Origio admins will export the results and give them to me.
I also use Microsoft Excel as a documentation tool. The results from netstat are written to a text file and then imported into Excel for easier handling. For example, I can filter the state of a connection to "Listening" and work only with those. The Excel sheet can be used for future reference as well.
The Internet is also a tool that I used a lot, for example to find a port's function as well as a service's main role. Search engines such as Google and Bing are used for these purposes. The official websites of the products, blogs, articles and forums are visited as references.
4 https://technet.microsoft.com/en-us/library/cc776894(v=ws.10).aspx
Port Assessments
In this part I will elaborate in detail on the basic ports needed (the ports that should be open right off the bat in the domain) and discuss their importance for the domain. I will then assess the additional ports for each server's role and type. These are servers that are critical to the domain, have a standard, well-defined role and, importantly, have sufficient documentation, such as the domain controller, mail server, file server or Citrix servers.
Minimum ports required in the Origio domain
In this part I define the minimum ports required for a machine to function well in the domain, specifically at Origio. All machines in the domain will use these ports as a baseline; depending on their roles and services, more ports will be found necessary in later parts.
This is a summary of the basic ports needed, as I have assessed them:
Table 1: Summary of basic ports needed in the domain

Protocol    Port number         Description
TCP         135                 Remote Procedure Call (RPC Endpoint Mapper)
TCP & UDP   445                 Server Message Block and related traffic
UDP         123                 Windows Time (NTP)
TCP         3389                Remote Desktop Protocol
TCP         1550, 1551, 30523   Kaspersky Network Agent
UDP         15000               Kaspersky Network Agent
UDP         500, 4500           Internet Key Exchange and NAT Traversal
TCP         47001, 5985         Windows Remote Management
TCP         49152-65535         Dynamic ports
UDP         49152-65535         Dynamic ports
Port 135 (TCP)
Port 135 is used by the RPC Endpoint Mapper.
Remote Procedure Call (RPC) is an inter-process communication (IPC) method that a client and a server use to communicate with each other. In other words, RPC enables the exchange of data and the invocation of functionality located in different processes. Using RPC, a client machine can call a procedure (a set of instructions) residing in a remote server program, which means it can execute a program, application or function remotely on a server computer. For example, the Microsoft Outlook client communicates with the Microsoft Exchange server using RPC. The client program sends a message to the remote server with the specified arguments; when the server receives the message, its program executes the function with those arguments and returns the result to the client.
The port (or group of ports) that a server process uses for RPC is called an endpoint, and a server has several endpoints. Every time a client wants to send an RPC request to the server, it must first bind to the specific process on the server. There must therefore be a way to identify the port a process is listening on, because RPC servers use the dynamic port range (discussed in a later part). This is the job of the RPC Endpoint Mapper (EPM): it resolves the clients' requests for dynamic endpoints (a mapping function). The RPC Endpoint Mapper listens on TCP port 135. RPC server programs associate the universally unique identifier (UUID) of their interface with a dynamic port and register the combination with the EPM.
When a client wants to send an RPC request to a remote program but does not know its port number, it first makes a TCP connection (the usual TCP three-way handshake) to the RPC Endpoint Mapper on port 135 of the server. Once the bind succeeds, the client sends a request to the EPM that includes the program's interface UUID, to determine the port being used by that program. The server returns the port to the client, and from that point the client initiates a second connection to the server on that dynamic port.
The RPC service is an essential service in Windows; system components and other Windows services depend heavily on it. These include:
COM+ Event System/System Application
Fax
Group Policy Client
IIS Admin Service
IKE and AuthIP IPsec Keying Modules
Message Queuing
Print Spooler
Remote Desktop Services
Task Scheduler
Telnet
Windows Backup
Windows Firewall
Windows Update
A more detailed list can be found at:
In the OSI networking model, RPC lies in the session layer. However, the TCP/IP networking model has no session layer, so RPC can be considered to lie between the application layer and the transport layer.
Seeing its importance, I will choose to open port 135 (TCP) for RPC and the RPC Endpoint Mapper. Note that port 135 alone only lets clients reach the mapper; the actual RPC call goes to the dynamic port the EPM returns, so the rules for the dynamic port range (below) must allow that second connection as well.
Port 445 (TCP & UDP)
Port 445 is used by the Server Message Block (SMB) protocol.
Server Message Block is a network file sharing protocol. Using SMB, applications can have remote access to resources on other machines in the network; that is, it enables applications to read, write and update files on a remote server.
SMB is a client-server, request-response protocol. Servers make their file system and other resources such as printers available on the network to clients. A client connects to a server when it wants to access resources in the network in addition to its local hard disks. Once the connection has been established, the client sends requests to the server for access to the file system, and can then open, read, write... files.
In the OSI networking model, SMB is usually placed in the application or presentation layer. SMB relies on a lower-level transport: either directly on top of TCP port 445 ("direct hosting", the default since Windows 2000) or through NetBIOS over TCP/IP (NBT) on TCP port 139 together with UDP ports 137 and 138. The SMB/NetBIOS combination is kept for backward compatibility with older clients. In practice, SMB direct hosting uses TCP only; Windows does not send SMB over UDP 445, so an inbound UDP 445 rule is harmless but unnecessary.
Several variants of SMB have been developed over time; each is also referred to as a dialect (the set of message packets that defines a particular version of SMB). The Common Internet File System (CIFS), for example, is one of SMB's dialects.
In Windows, several services use SMB on port 445, including:
Fax Service
Print Spooler
Server
Remote Procedure Call Locator
Distributed File System
Net Logon
Seeing the importance of SMB, I will open port 445 for SMB communication.
Port 123 (UDP)
Port 123 is used by the Windows Time service and by other time services that implement the Network Time Protocol (NTP).
By default, computers that do not synchronize their time frequently, have an intermittent network connection or are not joined to the domain are configured to synchronize with time.windows.com. All computer clocks in the domain, however, if the time service is enabled and running, are synchronized with the time of an authoritative computer.
The Windows Time service synchronizes time in a hierarchy with the most accurate clocks at the top and the less accurate ones below (the time synchronization hierarchy). By default, we do not have to configure the Windows Time service on a domain-joined computer, as it acts as a time client by default.
We can still disable the Windows Time service if we want to use a third-party time service that also implements NTP. UDP port 123 is still needed then, because NTP uses it on both sides. Note that the inbound rule only matters on machines that serve time to others (the domain controllers, in particular the PDC emulator); for a pure time client, the stateful Windows Firewall accepts the reply to its own outgoing query, so no inbound rule is required.
I will choose to open port 123 for the Windows Time service, as it is also an essential service in the domain.
Port 3389 (TCP)
Port 3389 is used by Remote Desktop Services (formerly Terminal Services) and the Remote Desktop Protocol (RDP).
Remote Desktop Services (RDS) enable one or more users to access programs installed on a Remote Desktop Session Host server, or the full Windows desktop, using the Remote Desktop Protocol. Users can use Remote Desktop to access a server inside a corporate network or over the Internet. Only the user interface of the software is transferred to the client, and all input from the client is transferred back to the server, where all execution takes place.
RDP is a client-server protocol with RDP client software (on Windows, the Remote Desktop Connection client, mstsc.exe) and RDP server software (the Remote Desktop Services component on the server). The server always listens for client connections on port 3389. When a client connects to the port, the server performs authentication and initializes the graphics subsystem that handles presentation of the graphical user interface; the RDP drivers representing the mouse and keyboard are also loaded. On the client side, once the connection succeeds, the device, mouse and keyboard drivers are loaded as well. The interface received from the server is decoded and rendered, while keyboard and mouse input is intercepted by the driver and transmitted over RDP to the server.
Remote Desktop Services is an important service in the domain, especially at Origio, as the admins constantly need to access and interact with the servers. As the use of RDS is popular, I will choose to open port 3389. Because port 3389 is a frequent brute-force target, the inbound rule should be restricted to the addresses the admins connect from (the remote address scope of the rule), and Network Level Authentication should stay enabled.
Port 1550, 1551, 30523 (TCP) and 15000 (UDP)
Kaspersky Lab Network Agent (klagent) is the antivirus management agent installed on most of the servers at Origio. It enables installation and administration of the corporate anti-malware product, plus monitoring and reporting on the network infrastructure.
The agent opens some ports to communicate with the server running Kaspersky Security Center (the central point of management): ports 1550, 1551 and 30523 (TCP) and port 15000 (UDP).
Port 500 and 4500 (UDP)
At Origio, there are Virtual Private Networks (VPNs) to other locations, such as India. IPsec is the protocol used to create the VPNs.
In IPsec, before an entity can send datagrams to or communicate with the other end (through the VPN), it must first create a Security Association (SA) to that particular destination. The SA can be thought of as the logical connection between the two entities, set up before any data is sent. An SA is unidirectional, so the two entities each have to create their own SA towards the other end. For each SA, state information is maintained, for example the encryption key, the authentication key, the type of encryption and the source and destination IP interfaces...
In a small network where the VPN has few endpoints, the administrator can enter the SA information into the endpoints by hand. Such manual keying is impractical for a large VPN, which may consist of hundreds or thousands of hosts. This is where Internet Key Exchange (IKE) comes in: it provides the automatic mechanism to create SAs in a large, distributed environment. The IKE protocol uses UDP port 500 to negotiate the SAs on both sides. The result (the negotiated keys) is then handed to IPsec, which performs the encryption and decryption.
When a device is behind a firewall or NAT, its IPsec packets have to be translated before being sent outside the network. This is a problem because an encrypted IPsec (ESP) packet has no port numbers: ESP is a network-layer protocol and its whole payload is encrypted, so the NAT device has nothing to rewrite. Therefore NAT Traversal (NAT-T) encapsulates the IPsec packets in UDP on port 4500 when a host is behind a NAT, so that they can traverse it.
Blocking these ports on a server could prevent it from taking part in a VPN. Seeing the importance of this, I will choose to open these ports in the firewall. Note that only hosts that terminate an IPsec tunnel themselves, or use IPsec transport mode between servers, actually receive IKE traffic; a server that merely sits behind a VPN gateway does not.
Port 47001 and 5985 (TCP)
Windows Remote Management (WinRM) is the Microsoft implementation of the WS-Management protocol. It enables hardware and operating systems from different vendors to interoperate, and it can manage server hardware locally and remotely.
By default, no WinRM listener is configured: even if the service is running, WS-Management messages cannot be received or sent. However, the WinRM service still listens for local requests on port 47001. When a listener is created (for example with winrm quickconfig or Enable-PSRemoting), the service still listens on port 47001 and additionally listens on TCP port 5985 (HTTP). If an HTTPS listener is configured instead, it uses TCP port 5986.
WinRM is an important service in the organization, as the admins depend heavily on remote management of the computers. Additionally, in the implementation method mentioned before (PowerShell), WinRM has to be configured for a PowerShell script to manage computers remotely. Without WinRM, a PowerShell script can only run locally. Therefore, I decide to open these two ports.
Port 49152-65535 (TCP & UDP)
As mentioned earlier, besides the well-known ports and registered ports there are also dynamic (or private) ports. Dynamic ports are available to any application on the machine. They are short-lived, allocated automatically by the networking stack and have high numbers (49152 to 65535 on Windows Vista and later). The current range can be checked with "netsh int ipv4 show dynamicport tcp".
The dynamic port range is essential for communication, so I will open this port range in the firewall. A caveat for a host firewall: the outbound side of a connection does not need an inbound rule for its dynamic source port, because the stateful firewall matches the replies itself. The inbound range is needed for services that listen on dynamic ports, chiefly RPC servers that registered with the Endpoint Mapper. The Windows Firewall can open only those ports: a rule whose local port is "RPC Dynamic Ports" (localport=RPC in netsh advfirewall) and that is scoped to a program or service allows exactly the ports the RPC runtime allocates for it, which is far narrower than allowing 49152-65535 to every program.
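As an added example (mine, not code from this report), the following PowerShell 2.0 script turns Table 1 into inbound allow rules with netsh advfirewall, scoped as narrowly as the firewall allows: the administrative ports (RDP, WinRM) only from an admin subnet, and RPC expressed with the RPC-EPMap and RPC port keywords per program instead of opening 49152-65535 to everything. The admin subnet, the rule names, the program paths for the RPC rules and the restriction to the domain profile are my assumptions and should be adjusted to the environment.

```powershell
# Added example, not part of the original report. PowerShell 2.0 compatible.
# Turns the baseline port table into inbound allow rules with netsh advfirewall.
# Run from an elevated PowerShell; start with -DryRun to review the generated commands.

$AdminNet = '10.0.0.0/24'   # assumption: the subnet the admins RDP / WinRM from

# One entry per rule: name, protocol, local port (number, list or RPC keyword), remote
# scope and, for RPC rules, the program/service the dynamic ports are allocated for.
$Baseline = @(
    @{ Name='RPC Endpoint Mapper';   Proto='TCP'; Port='RPC-EPMap'; Remote='any';
       Program='%SystemRoot%\system32\svchost.exe'; Service='rpcss' },
    @{ Name='RPC dynamic (svchost)'; Proto='TCP'; Port='RPC';       Remote='any';
       Program='%SystemRoot%\system32\svchost.exe'; Service='any' },
    @{ Name='RPC dynamic (spooler)'; Proto='TCP'; Port='RPC';       Remote='any';
       Program='%SystemRoot%\system32\spoolsv.exe'; Service='spooler' },
    @{ Name='SMB';                   Proto='TCP'; Port='445';               Remote='any' },
    @{ Name='Windows Time';          Proto='UDP'; Port='123';               Remote='any' },
    @{ Name='Remote Desktop';        Proto='TCP'; Port='3389';              Remote=$AdminNet },
    @{ Name='WinRM HTTP';            Proto='TCP'; Port='5985,47001';        Remote=$AdminNet },
    @{ Name='Kaspersky Agent TCP';   Proto='TCP'; Port='1550,1551,30523';   Remote='any' },
    @{ Name='Kaspersky Agent UDP';   Proto='UDP'; Port='15000';             Remote='any' },
    @{ Name='IKE and NAT-T';         Proto='UDP'; Port='500,4500';          Remote='any' }
)

function Add-BaselineRule {
    param([hashtable[]]$Rule, [string]$Prefix = 'Baseline: ', [switch]$DryRun)
    foreach ($r in $Rule) {
        # Argument array: PowerShell hands each element to netsh.exe as one argument.
        $a = @('advfirewall', 'firewall', 'add', 'rule',
               "name=$Prefix$($r.Name)", 'dir=in', 'action=allow', 'profile=domain',
               "protocol=$($r.Proto)", "localport=$($r.Port)", "remoteip=$($r.Remote)")
        if ($r.Program) { $a += "program=$($r.Program)" }
        if ($r.Service) { $a += "service=$($r.Service)" }
        if ($DryRun) { 'netsh ' + ($a -join ' '); continue }
        $out = & netsh $a 2>&1
        if ($LASTEXITCODE -ne 0) { Write-Error "rule '$($r.Name)' failed: $out" }
        else { "added: $($r.Name)" }
    }
}

Add-BaselineRule -Rule $Baseline -DryRun      # remove -DryRun to create the rules
```

After applying, "netsh advfirewall firewall show rule name=all" lists the rules with the "Baseline:" prefix so they can be reviewed or deleted as a group. The two RPC dynamic rules are the part worth adapting per server role: every program that registers RPC endpoints (the list in the port 135 section) needs its own scoped rule, and any program that is not listed simply cannot be reached on a dynamic port, which is the intended effect of the baseline.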
Domain Controller
The domain controller plays an important role in the domain. This is a summary of the ports needed for the domain controller, in addition to the baseline above:

Table 2: Summary of ports needed in the domain controller

Protocol    Port number   Description
TCP & UDP   389           LDAP
TCP         636           LDAP over SSL (LDAPS)
TCP         3268          LDAP Global Catalog
TCP         3269          LDAP Global Catalog over SSL
TCP & UDP   88            Kerberos
TCP & UDP   464           Kerberos change/set password
TCP & UDP   53            DNS
TCP         9389          Active Directory Web Services
UDP         67            DHCP (server)
Port 389 (TCP & UDP) and 636 (TCP)
Port 389 is used by the Lightweight Directory Access Protocol (LDAP) and port 636 by LDAP over SSL (LDAPS).
LDAP is an application-layer protocol for accessing, searching, modifying and maintaining distributed directory services. In our organization, the directory service is Active Directory Domain Services (AD DS), which uses LDAP as its access protocol. UDP 389 carries the connectionless LDAP "ping" that clients use to locate domain controllers; the directory operations themselves run over TCP.
LDAP is a client-server protocol. To start an LDAP session, a client connects to the server on port 389, or on port 636 if it uses LDAPS. After that, the client sends operation requests to the server, and the server sends back the results. These operations include: search (search for a directory entry), compare (test whether a named entry contains an attribute value), add a new entry, delete an entry, modify an entry... An LDAP entry consists of:
A set of attributes (dn, cn, givenName, mail, manager...)
Each attribute has a name and one or more values
Each entry has a unique identifier, the distinguished name (dn)
LDAPS secures LDAP by wrapping it in an SSL/TLS tunnel, so that all communication is encrypted. Plain LDAP on port 389 is unencrypted unless the client negotiates signing and sealing, so simple binds that send a password should only be done over LDAPS.
Since LDAP and LDAPS are the most essential part of the directory service, their ports should be open.
Port 3268 and 3269 (TCP)
Port 3268 is used for LDAP searches against the Global Catalog (LDAP GC) and port 3269 for LDAP searches against the Global Catalog over SSL (LDAP GC SSL).
The Global Catalog is used in an Active Directory Domain Services forest, especially a multi-domain forest, to provide a central store of domain information for the whole forest by holding partial replicas of all domain directory partitions. Global Catalog servers in the forest replicate these partial replicas among themselves. With the global catalog, the directory structure of the forest appears transparent to users who are searching: even though a user is not a member of the other domains, he can still search for the names of, for example, all the printers in the forest. Without it, the user would have to search each domain separately to get the full result.
The Global Catalog is also used in the authentication process in a multi-domain forest, since it stores the memberships of all universal groups. The domain controller needs this information to build the authorization data in the user's access token. A Global Catalog server is also required by applications such as Microsoft Exchange Server.
A Global Catalog server uses the non-standard LDAP port 3268, which directs queries to the Global Catalog. Queries to this port are formed the same way as any LDAP query, but the search behavior changes: when port 3268 is queried, the search targets the global catalog partitions. The Global Catalog speeds up searches by holding a selected copy of the most useful attributes of all objects (first name and last name, location of printers, ...).
LDAP to Global Catalog traffic that uses SSL (LDAP GC SSL) accesses port 3269.
Seeing the importance of the Global Catalog on domain controllers, I will choose to open ports 3268 and 3269.
Port 88 (TCP & UDP)
Port 88 is used by Kerberos clients to communicate with the Kerberos Key Distribution Center (KDC).
The Kerberos protocol authenticates identities in an Active Directory domain. When a client logs on, its authentication request is sent to a domain controller, which acts as the KDC (the core Kerberos component). After authenticating the user, the KDC issues the client a package of information known as the Ticket Granting Ticket (TGT).
When a client wants to access a resource in the domain, it first needs a service ticket (session ticket) for that resource. It returns to the KDC with its TGT (as proof that it is already authenticated) and asks for a ticket to that resource. The KDC, seeing that the client is authenticated, grants it another package of information, the service ticket for that specific resource. The client then contacts the server holding the resource, presents the service ticket and is granted access.
Kerberos is an essential authentication service in the domain. I will open port 88 for client-KDC communication. Both transports are needed: Kerberos traditionally runs over UDP and falls back to TCP when a ticket is too large for a single datagram (for example for users with many group memberships), and Windows Vista and later send Kerberos over TCP by default.
Port 464 (TCP & UDP)
Port 464 is used by the Kerberos change/set password protocol (kpasswd). When a user wants to change a password, the client sends a request message to the server on port 464. The message contains the new password, encrypted under a Kerberos session key. After checking that the new password is valid (against the domain password policy), the server updates it and sends a reply message to the client.
Port 464 is important for changing passwords in Kerberos, so I will choose to open the port.
Port 53 (TCP & UDP)
Port 53 is used by the Domain Name System (DNS).
The Domain Name System is the main name resolution method besides NetBIOS and LLMNR name resolution, and is the one currently used at Origio. When a client wants to resolve a name into an IP address, it uses the DNS protocol to query the DNS server for a record. DNS messages are also exchanged between servers (zone transfers and recursive lookups).
DNS messages are normally sent over UDP port 53. The client sends its query from a high (dynamic) source port to destination port 53 on the server, and the server sends the response back to that source port.
In some cases, however, DNS messages are sent over TCP. That happens when the response is too large for a UDP datagram (512 bytes without EDNS): the server puts as much of the result into the datagram as fits, drops the remainder and sets the TC (truncated) flag. The client then repeats the query over TCP port 53. Zone transfers (AXFR/IXFR) between DNS servers always use TCP. So TCP is not an optional extra but the fallback path when the UDP answer is incomplete.
DNS is a must-have in the organization. For the DNS server to function well, I will open port 53 for both UDP and TCP.
Port 9389 (TCP)
Port 9389 is used by Active Directory Web Services (ADWS).
ADWS is a Windows service that provides a web service interface to Active Directory domains. ADWS is installed automatically when the AD DS role is added to a server and is configured to run when that server is promoted to a domain controller.
If ADWS is disabled in the domain, several applications will not function, including:
Active Directory module for Windows PowerShell
Active Directory Administrative Center
As ADWS is needed in our domain, I will choose to open port 9389.
Port 67 (UDP)
Port 67 is used by the Dynamic Host Configuration Protocol (DHCP).
DHCP dynamically distributes network configuration parameters, among them the IP address, to clients in the network. DHCP messages are exchanged between UDP port 68 on the client and UDP port 67 on the server, so it is the server that needs port 67 open. The exchange is as follows:
DHCP Discover: the client broadcasts a discover message into the network.
DHCP Offer: once the server receives the discover message, it replies with an offer message (broadcast, or unicast to the client's MAC address) offering an IP address to the requesting client.
DHCP Request: in response to the offer, the client broadcasts a request message for the offered IP address.
DHCP Acknowledgment: in the final stage, the server sends the acknowledgement message to the client, with the lease duration and the other configuration for the client.
The DHCP port is important in our domain. However, only the domain controller that runs the DHCP server role should have this port open (we indeed have 3 domain controllers).
Mail Server
The mail server is an important server in the organization, as people use its service on a daily basis. The following table summarizes the ports needed for the mail server (running Microsoft Exchange 2010):

Table 3: Summary of ports needed in the mail server

Protocol   Port number     Description
TCP        80              HTTP
TCP        443             HTTPS
TCP        25              SMTP
TCP        587             SMTP (mail submission)
TCP        110             POP3
TCP        995             POP3S
TCP        143             IMAP
TCP        993             IMAPS
TCP        808             Microsoft Mailbox Replication Service
TCP        6001            RPC Client Access
TCP        6002 and 6004   Address Book Service
Port 80 and 443 (TCP)
Port 80 is used by the Hyper-Text Transfer Protocol (HTTP). Port 443 is used by HTTP over SSL
(HTTPS).
Microsoft Outlook Web Access primarily uses this protocol to let the mail client run in a browser.
That means that, with this service, we can access our Exchange mailbox from any web browser,
instead of having an email client such as Microsoft Outlook installed.
Without these ports open, Outlook Web Access will not function properly. I will choose to open these
ports.
Port 25 and 587 (TCP)
Port 25 is used by the Simple Mail Transfer Protocol (SMTP) and port 587 is used by the Mail
Submission Agent (MSA).
SMTP is the heart of Internet electronic mail. SMTP transfers mail from the sender’s mail server
(acting as client) to the receiver’s mail server (acting as server) using TCP port 25. Generally, after
the TCP connection is established between the 2 SMTP mail servers, the following actions are
performed:
- The client and server introduce themselves before the mail transmission.
- The SMTP client indicates the email addresses of the sender and the recipient.
- Once the SMTP server accepts this information, the SMTP client starts to send the message.
- The client can repeat this process over the same TCP connection if it has more messages to send
  to the server; otherwise it closes the connection.
Mail clients (such as Outlook), however, generally do not use this port for sending mail. Instead they
use the “submission” port, that is, port 587. Every time a user sends an email, the mail client tries to
send it over TCP to port 587 of the mail submission service, using the ESMTP (Extended SMTP)
protocol. This is not always a must; a site can still choose port 25 as its submission port.
I will choose to open both of these ports on our mail server, as they are the core ports of the mail
server.
Port 110 and 995 (TCP)
Ports 110 and 995 are used for the Post Office Protocol version 3 (POP3) and POP3 over SSL (POP3S).
Unlike SMTP, which is a mail transfer protocol, POP3 is a mail access protocol (instead of transferring
mail between servers, POP3 lets users pull their mail down to their mail client). POP3 is very simple
and has limited functionality. The POP3 client first establishes a TCP connection to port 110 of the
POP3 server, and then progresses through 3 phases:
- Authorization: the user agent sends the user name and password to authenticate itself to the
  server.
- Transaction: the user agent retrieves messages, and can mark messages for deletion, remove
  deletion marks or obtain mail statistics.
- Update: the user agent closes the connection; the server deletes the messages that were marked
  for deletion.
Encrypted POP3 connections are supported by POP3S, where the client connects to the server using
SSL or TLS on the well-known port 995.
Our mail server also acts as the mail access server, so the POP3 and POP3S ports should be open.
Port 143 and 993 (TCP)
Ports 143 and 993 are used for the Internet Message Access Protocol (IMAP) and IMAP over SSL
(IMAPS).
IMAP is also a mail access protocol like POP3, but it has more features and is more complex. IMAP
enables users to create remote folders on the server and assign messages to those folders. An IMAP
server places each newly arrived message in the INBOX folder. The recipient can then move the
message to a new, user-created folder, read or delete the message, and so on. The IMAP protocol
also provides commands for users to move messages, create new folders, search for messages,
obtain only a part of a message, etc.
With IMAPS on port 993, users can have their connection encrypted with SSL or TLS.
The IMAP and IMAPS ports should be open, as they are important mail access protocols.
Port 808 (TCP)
Port 808 is used by the Microsoft Exchange Mailbox Replication Service. This service is responsible
for moving mailboxes, importing and exporting .pst files, and restoring disabled and soft-deleted
mailboxes.
Since this service performs several important tasks, I will choose to open port 808.
Port 6001, 6002 and 6004 (TCP)
Port 6001 is used by the Microsoft Exchange RPC Client Access service. This service provides data
access through a single, common path on the Client Access server, allowing some connections to be
handled by the Client Access server instead of connecting directly to the Mailbox server. In Exchange
2007, when a failover occurred, Outlook clients were disconnected from the server for a period of
time. In Exchange 2010, if one Client Access server fails, the client is directed to another Client
Access server.
Ports 6002 and 6004 are used by the Address Book Service, which handles directory access requests.
When the Outlook client contacts the Client Access server, the service directs the directory request
to the appropriate place, such as directly to the mailbox (if the mailbox is on Exchange 2003 or 2007)
or to the Client Access server (if the mailbox is on Exchange 2010).
I will open these 3 ports for Exchange to function properly.
File Server
The file server has the Network File System (NFS) Services installed. NFS provides file sharing for
organizations that have a mixed Windows/UNIX environment. With Services for NFS, we can transfer
files between a Windows machine and a UNIX machine using the NFS protocol.
This is the summary of the ports needed for NFS, as stated here:
Table 4: Summary of ports needed in the file server
Protocol    Port number   Description
TCP & UDP   111           Port mapper
TCP & UDP   1039          Status
TCP & UDP   1047          Nlockmgr
TCP & UDP   1048          Mountd
TCP & UDP   2049          NFS server
There is hardly any detailed description of the functions of those services, but in general this is a
brief explanation I found for them:
- Port mapper: this works in the same way as the RPC Endpoint Mapper, which other machines
  contact to learn the port and other information of a running process. However, the port mapper
  is an Open Network Computing RPC (ONC RPC) service developed by Sun Microsystems and runs
  on port 111 instead of port 135 (RPC), so that other, non-Windows systems can contact it easily.
- Status: when running, this service can notify NFS clients when an NFS server is restarted without
  being brought down. Its process is started automatically and does not require user configuration.
- Nlockmgr: allows NFS clients to lock their files on the NFS server (a mandatory service).
- Mountd: this service receives mount requests from clients and verifies that the requested file
  system is currently exported.
- NFS server: in NFSv4, the port mapper, status, nlockmgr and mountd are eliminated. Instead only
  one port (2049) is used. The other services have also been replaced by the v4 protocol.
As Origio has a mixed environment where Windows and non-Windows systems coexist, I will open
those ports on our File Server in order to make file sharing easier.
Citrix Servers
At Origio we have an implementation of Citrix (version 6.5), a product that enables the organization
to host applications and desktops centrally and deliver them remotely to clients (Windows or
non-Windows). There are several components in a Citrix environment, and it is quite complicated to
dig all the way down into the whole setup. Moreover, access to the full set of servers is sometimes
restricted in this project. Therefore, I choose to focus only on the Citrix Virtual Delivery Agent (VDA),
the Citrix component that hosts the applications and desktops delivered to the clients through their
Receiver. Another component that needs to be mentioned is the Citrix License Server, which issues
licenses to the clients.
This article provides the full description of the port requirements for Citrix products (published by
the Citrix Support Knowledge Center). However, hardly any of the requirements are explained in
detail. From my research, this is the summary of the ports needed for the Citrix VDA:
Table 5: Summary of ports needed in Citrix VDA servers
Protocol   Port number     Description
TCP        1494            Access to applications/virtual desktops by ICA/HDX
TCP        2598            Access to applications/virtual desktops by ICA/HDX; if the Citrix
                           Gateway Protocol is enabled, this enables session reliability
UDP        16500 - 16509   Port range for ICA/HDX audio
TCP        2512            Independent Management Architecture (IMA)
TCP        2513            Citrix Management Console through WCF
- Port 1494 and 2598: whenever a Citrix client connects to one of the VDAs, it uses one of those
  ports to communicate with the VDA. The client will connect on port 2598 if the Citrix Gateway
  Protocol is enabled, to have session reliability. These two ports are important, because without
  them the clients could not initiate any connections.
- Port 16500-16509: this port range enables the Citrix host to exchange audio packet data over the
  Real-time Transport Protocol (a protocol for delivering audio and video over an IP network) and
  UDP.
- Port 2512 and 2513: the Independent Management Architecture (IMA) provides the framework for
  server-to-server communication (port 2512) to perform functions such as licensing and server load
  updates. It is also used for communication with the data store (port 2513) to exchange information
  about published applications, load balancing configuration, security rights, etc.
This is the summary of the ports needed for the Citrix License Server:
Table 6: Summary of ports needed in the Citrix License Server
Protocol   Port number   Description
TCP        7279          Check in/check out of Citrix licenses
TCP        8082          Web-based administrative console
TCP        8083          Simple License Service port
TCP        27000         Handles initial points of contact for license requests
- Port 27000: connections to this port are made from the servers or any Citrix component as the
  initial point of contact for license requests.
- Port 7279: this port is used by the Citrix vendor daemon to track which licenses are checked out
  and which products are using them.
- Port 8082 and 8083: these two ports are used for administrative purposes. Port 8083 is used to
  allocate and install license files on a license server using a web interface.
Port inventory process
In this part I will perform and describe a detailed analysis to explore more of the ports needed,
besides the ports that were assessed before. Several interesting findings will also be described.
The process will be conducted mainly in the Windows environment. A very good Linux port
exploration process can be found in this article5.
5 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Security_Guide/s1-serverports.html
The Process
Connecting to the machine through Remote Desktop Connection
As mentioned before, at Origio we have around 60 virtual servers. As an intern, I do not have
permission to access some servers. I will perform this analysis on a server that I have permission to
access. It is a Citrix server that is in the testing environment and is hosting many clients. The server
is a Windows 7 server and is set to accept RDP connections.
For the first part, I connect to the server through Remote Desktop Connection. After opening Remote
Desktop Connection and specifying the server name, I now have direct access to the server.
Performing the netstat command and starting Resource Monitor
The first thing I want to do is to get an overview of the TCP connections and the listening ports. For
this, I have the following options:
- Use the netstat command: under Start, I right-click the “Command Prompt” button and choose
  “Run as Administrator”.
  The Command Prompt appears. I execute the netstat command with the additional flags “-aonb”,
  so I can list all of the connections and listening ports currently on the machine, together with the
  process names (a list of netstat flags is provided in an earlier part of the project).
- Use the Resource Monitor window: I can start Resource Monitor by searching for “resource
  monitor” under Start or by typing “resmon” directly into the search box.
  Once the Resource Monitor window appears, I navigate to the Network tab. There are several
  panes to look at, including Network Activity, Listening Ports and TCP Connections.
Let’s start with the netstat results. There are 5 columns we should notice:
- Proto: this column shows the protocol of the connection/listening port. If the “-b” flag is given,
  the process that owns the port is also shown below the protocol. In the picture we can see TCP
  entries owned by the svchost.exe process and some other processes for which “ownership
  information cannot be obtained”; this will be explained later.
- Local Address: this is the address of the local end of the connection (normally your own machine),
  along with the port it is listening/connected on (after the “:”). These local addresses can be:
  o *: the star symbol indicates that the port is listened on by all interfaces and addresses of the
    machine. When this symbol appears after the “:” instead of a port number, it means the local
    address listens on all ports.
  o 0.0.0.0: this indicates that the port is listened on by all IPv4 addresses.
  o 127.0.0.1: this loopback address indicates that the port is listened on by the local host only.
  o 192.168.1.3: this indicates that the port is listened on by an external IPv4 address.
  o [::]: this indicates that the port is listened on by all IPv6 addresses.
  o [::1]: this is the IPv6 loopback address. It indicates that the port is listened on by the local
    host only.
  o [fe80::6595:3a80:1579:f455%14]: this indicates that the port is listened on by an external IPv6
    address.
- Foreign Address: this is the address of the other end of the connection (normally a remote host).
  The foreign address has the same format as the local address (an address followed by “:”,
  followed by a port) and can take all of the address types mentioned above, but seen from the
  other end. There are two cases we have to notice:
  o 0.0.0.0:0: this indicates that no foreign address and port have been assigned to the connection
    yet. This is normal when a port is in the “LISTENING” state.
  o [::]:0: the same applies here, but for an IPv6 address.
- State: the state of the connection. It could be LISTENING (the machine is listening on a port and is
  ready to accept connections), ESTABLISHED (the client received the server’s SYN and the
  connection is established), CLOSED (the server received the ACK message from the client and the
  connection is closed), or it could be blank, etc. A full list of netstat states can be found on this
  website6.
  Here we only focus on the listening ports, which have the LISTENING state or the blank state.
  Recall from the previous section that TCP is a connection-oriented, reliable protocol, and it always
  listens for a SYN packet to initiate the connection. That is why we have a LISTENING state. UDP, on
  the other hand, does not listen for anything; ports using UDP just receive any packet that arrives.
  That is why the state is “blank” for all UDP entries. Therefore, I will say that UDP in some way also
  “listens” on a port.
- PID: this column shows the process identifier. With this information, we can go to Task Manager
  or Process Explorer to identify and gather more information about the process that is listening on
  a port.
6 https://technet.microsoft.com/en-us/library/bb490947.aspx?f=255&MSPPError=-2147217396
Now that we are familiar with the netstat results, I will give an example of how to read one row of
the result:
Proto  Local Address   Foreign Address   State       PID
TCP    0.0.0.0:3389    0.0.0.0:0         LISTENING   2572
 TermService
 [svchost.exe]
This row indicates that all of the IPv4 addresses of the machine are listening on port 3389. This port
is opened and listened on by the TermService service of the svchost.exe process. The process has the
PID 2572. This port is usually open when Remote Desktop is enabled and the RDP protocol is running.
The command prompt is sometimes really hard to follow. In that case, we can easily switch to
Resource Monitor, which has a better interface.
Listening ports in Resource Monitor are updated constantly and give a better overview of the
listening ports. It shows almost the same result as the netstat command, with 5 columns:
- Image: this column shows the process that is listening on a port. Recall that in netstat there were
  some processes for which ownership information could not be obtained; we can now see them
  here. PID 4 is the main process for which no information could be obtained. That is the SYSTEM
  process, which takes care of network input/output, disk input/output, etc.
- PID: the process identifier of a specific process.
- Address: the address that listens on a port. It is slightly different from what we have in netstat,
  but we can see that:
  o When it is not specified, it listens on all of the IPv4 and IPv6 addresses.
  o When it is loopback, it listens on the local host IPv4 or IPv6 address.
  o When it is specified, it listens on the external IPv4 or IPv6 address.
- Port: the port number a process is listening on.
- Protocol: the protocol that is used.
From here I can also sort the result by column. I found this very useful for navigating around.
In the project, I mainly use the 2 tools side by side, simply because each of them has advantages. I
use netstat first to show the result, and then I can export the result to a text file to analyze easily in
a later part. Resource Monitor gives me constant updates and a better interface so I can easily
follow.
Exporting the result for analysis
Once I have an overview of the listening ports, I go on to analyze the result. To do this, I need some
way to document the results somewhere so that I can easily work with them. The result can then
serve as useful documentation for future use.
One way to do it is by exporting the results of the netstat command. I then import the result into
Excel for further processing. For that to work, the exported file should be in a good format (delimited
by tabs, spaces or something similar) so that Excel can read it easily.
I open Command Prompt again and execute the following command:
C:\Windows\system32> netstat -aon > C:\netstat.txt
Notice that I do not include the -b flag in this command, simply because it makes the export format
harder to process (by adding the process names on one or two extra lines). What I need is a result in
a good format, line by line, so that I can then import it into Excel.
After executing the command, I get a text file. It looks quite good already. Sometimes the columns
are a little bit skewed, because some rows contain IPv6 addresses and they are too long. In those
cases I do a quick reformat of the text file, fixing the columns to line up (I do it with Notepad++).
The next step is to import the text file into Excel. Open Excel, choose File, then Open, and navigate to
the text file (remember to set the filter to All Files, otherwise it will only look for Excel files). Choose
Open. A text import wizard will appear; simply click Next until it finishes. Excel will automatically find
the columns, rows and a suitable format for us.
After that, right-click on the State cell and choose Filter -> Filter by Selected Cell’s Value. This
function is the main reason I do it in Excel. My purpose is to have a filter that can easily select the
rows I need. In this case, I filter on the State column so that only the “LISTENING” and blank cells
remain. This means that I only work with listening ports, not with all of the connections exported
from netstat. The filter is quite useful when the netstat report is big (especially from the domain
controller), or when we only want to find and work with a specific state. Of course I can apply another
filter on the PID column and sort it from smallest to largest. This gives a better overview of each
process’s listening state. Sometimes it is hard to keep track of all of the ports a process is listening
on; sorting from smallest to largest, or the other way round, groups them for easy processing.
Before applying the filter, I add one more column next to the PID. I call it the “Description” column. I
can then put an explanation on each port without messing up the filter (it makes a difference
whether the Description column is added before or after applying the filter).
We can see that there is no way to filter on the port number (it is part of the Local Address cell).
This can easily be done in Resource Monitor, where port numbers are stored in a single column. I
tried to find other ways of processing and documenting the result, but so far this is the approach I
prefer.
From here we can easily start to analyze the result, as the environment is set up really well. I
started with the well-known and registered ports first, and will come back to the dynamic ports, as
it is not my priority to spend too much time on them.
Exploring the PID and service names in Task Manager
This is an example of the steps I take when working through a row:
- I look into the Local Address column, find the port number and see whether it needs to be
  processed. Take rows 72 and 73, for example. Looking into them, I can see that the port is 135 and
  that it is listened on by all of the IPv4 and IPv6 addresses. Recalling what I assessed in the previous
  section, this should be the port for Remote Procedure Call. However, I will verify that.
- Searching further along the row, I notice that the process ID is 1040. I wonder what process owns
  this port. I could go back to the netstat window (Command Prompt), execute the netstat command
  with the -b flag to show the process names, do a manual search for process 1040 and find out what
  it is. That method is a little bit time-consuming and I do not want to do that; I want a better way of
  finding the process behind a PID.
- A good tool is Task Manager. I open Task Manager and navigate to the Services tab. In this tab I can
  see all of the services running on the machine. I do a quick sort on the PID column and soon find
  PID 1040. The process is running two services: RpcSs (RPC) and RpcEptMapper (RPC Endpoint
  Mapper); now I am sure that what I assessed is present on this machine.
- I write my findings in the Description column and go on to the next row.
The “net stop” command
Sometimes I cannot find what I want in Task Manager. PIDs 4, 880 and 992 are examples.
Let’s start with the SYSTEM process on port 80. I wonder how a Citrix server can have port 80 open.
I could not find more information, since Task Manager does not show some of the PIDs, and neither
does Resource Monitor; it only shows the name of the process, without describing in detail which
services the process is actually running.
Back at the command line, I issue the command:
C:\Windows\system32> net stop http
and then press N to cancel the execution. The reason I do this is that I want it to show the services
that depend on HTTP (port 80) running on this machine. When executing that command, the machine
asks me to confirm that I want to stop the service, followed by a list of the services that use HTTP.
They are as follows:
- Windows Remote Management (WS-Management)
- Citrix Print Manager Service
- Print Spooler
- Function Discovery Provider Host
As far as I can tell, none of these services is suspicious. I then document all of them in the Excel
sheet for further consideration.
A more in-depth view with Process Explorer
Besides PID 4, there are also PIDs that Task Manager cannot show. These processes may listen on
some dynamic ports, but it is worth finding out what they are. Let’s have a look at PIDs 880 and 992.
First I start Process Explorer, which I downloaded earlier. A new window appears; at a quick glance I
notice that it has columns for:
- Process: this column shows the process names.
- PID: this column shows the process identifier.
- Description: the description of the process.
- And many more available columns. We can enable more columns, for example the path of the
  executable or the command line used to start the process.
With this tool, I can also sort the list by PID. Then I can see the process names of PIDs 880 and 992.
They are wininit.exe (Windows Start-Up Application) and services.exe (Services and Controller app),
respectively.
Now that I can see the hidden process names, I can also check what is actually going on in each
process, such as which connections it is making, or which ports it is listening on. I can go further and
double-click a process to see more detail. A new window appears when double-clicking the process
name. In the TCP/IP tab of this Properties window, we can see the listening ports or the current TCP
connections to the other ends. This can of course be cross-referenced with our Excel sheet, but in
Process Explorer we have an additional function to resolve addresses.
Using the Internet to search for ports and their functionality
The Internet is used extensively in the analysis process to find information about a port, especially
when it is a port registered for some application. Take PID 2572, for example. After searching in
Task Manager and Process Explorer, I know that this process is svchost.exe, running the Terminal
Service, and that it is listening on ports 1494 and 2598 (TCP).
After a quick search on Google, I found out that these two ports are actually opened by the Citrix
VDA for clients to connect to; that is why it has the Terminal Service running. The Terminal Service
makes it possible for a machine to host multiple sessions simultaneously.
I continue to document all of the rows in the Excel sheet using all of the tools and methods I have
described above. After I have finished, I have a more detailed overview of the server. I then
consider:
- Whether the server matches the basic ports needed that I defined in the previous section. If not,
  I write them down.
- Whether there are missing or redundant ports on our server with regard to the documentation I
  found on the Internet.
  o If a port is missing while the documentation states it is needed, but the server is still running
    well, there is no need to worry about it.
  o If there are redundant ports besides the basic ports needed and the documentation, I consider
    whether those ports are needed.
For example, in our case, the analysis of the Citrix server found that:
- There are redundant ports 137, 138 and 139 besides the basic ports needed and the Citrix
  documentation for the VDA. Those are the unnecessary NetBIOS ports and will be explained in
  later sections.
- The new port (41380) found to be opened by PID 2036 (Canon Driver Information Assist Service)
  also needs to be considered. This might be a port for a printer driver, but why it listens on a port is
  not explained. After some searching on Google, I found out that the Citrix server uses this port
  when querying the device status through a print server to the Canon driver. I will not block this
  port.
There are many more examples and considerations during the process. However, the steps above
are the main steps I take when confronting a server. For servers I do not have access to, I ask the
admin to execute the netstat command and export it into 2 text files in 2 versions, with the -aon
flags and with the -aonb flags. Then I have the basic information needed to do my work.
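As an added example (not part of the report), the filtering and baseline comparison described in the steps above, done in Python over constructed `netstat -aon` output instead of in Excel: keep only listening sockets, group them per PID, export a tab-delimited sheet with a Description column, and list which ports are missing from or extra to a baseline. The sample rows are constructed, and the baseline is assumed from Table 5 plus RPC 135 and RDP 3389.

```python
"""
Added example (not from the report): the Excel filtering step done in code.
Parse `netstat -aon` output, keep only listening sockets, group them per PID
and compare the live port set against a per-role baseline.
"""
import re
from collections import defaultdict

# Constructed sample in the column layout that `netstat -aon` prints on
# Windows. Rows 137/138/139 and 41380 mirror the findings described above.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING       2572
  TCP    0.0.0.0:2598           0.0.0.0:0              LISTENING       2572
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2572
  TCP    0.0.0.0:41380          0.0.0.0:0              LISTENING       2036
  TCP    192.168.1.3:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.3:3389       192.168.1.50:51022     ESTABLISHED     2572
  TCP    [::]:135               [::]:0                 LISTENING       1040
  UDP    192.168.1.3:137        *:*                                    4
  UDP    192.168.1.3:138        *:*                                    4
"""

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def split_addr(addr):
    """'0.0.0.0:3389' -> ('0.0.0.0', 3389); '[::]:135' -> ('[::]', 135)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def listening_sockets(text):
    """Rows that represent a listening socket, as (proto, host, port, pid).

    TCP rows qualify only in the LISTENING state; UDP rows have a blank
    state column, which is what the report treats as "listening" for UDP.
    """
    sockets = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, state = m["proto"], m["state"]
        if proto == "TCP" and state != "LISTENING":
            continue
        if proto == "UDP" and state is not None:
            continue
        host, port = split_addr(m["local"])
        sockets.append((proto, host, port, int(m["pid"])))
    return sockets


def by_pid(sockets):
    """Group (proto, port) pairs per PID, like sorting the PID column in Excel."""
    groups = defaultdict(set)
    for proto, _host, port, pid in sockets:
        groups[pid].add((proto, port))
    return {pid: sorted(ports) for pid, ports in groups.items()}


def compare_to_baseline(sockets, baseline):
    """Return (missing, redundant): baseline ports not seen, and seen ports
    outside the baseline that need a decision before the firewall rule set
    is built. Both are sorted lists of (proto, port)."""
    found = {(proto, port) for proto, _host, port, _pid in sockets}
    return sorted(baseline - found), sorted(found - baseline)


def to_tsv(sockets):
    """Tab-delimited export with an empty Description column for Excel."""
    lines = ["Proto\tLocal Address\tPort\tPID\tDescription"]
    for proto, host, port, pid in sorted(sockets, key=lambda s: (s[3], s[0], s[2])):
        lines.append(f"{proto}\t{host}\t{port}\t{pid}\t")
    return "\n".join(lines)


# Assumed baseline for a Citrix VDA: Table 5 above, with the UDP audio range
# expanded, plus RPC (135) and RDP (3389) assessed earlier in the report.
CITRIX_VDA_BASELINE = (
    {("TCP", p) for p in (1494, 2598, 2512, 2513, 135, 3389)}
    | {("UDP", p) for p in range(16500, 16510)}
)

if __name__ == "__main__":
    # In practice: netstat -aon > C:\netstat.txt, then read that file here.
    socks = listening_sockets(SAMPLE_NETSTAT)
    print(to_tsv(socks))
    missing, redundant = compare_to_baseline(socks, CITRIX_VDA_BASELINE)
    print("in baseline but not listening:", missing)
    print("listening but not in baseline (review):", redundant)
```

The "redundant" list is the one to walk through port by port (137/138/139 and 41380 in the sample), exactly as the Description column is filled in above.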
Using the installed program list to compare with the findings
After finding out the ports needed on the server and their functionality, I compare the result with the
installed program list I received from the Origio admin (Control Panel). If they match, then I know
that I am on the right track and can show that my findings can be trusted.
I gather the final results in the final documentation, and the findings or suspicious connections in the
other documentation for future reference.
Additional ports needed
Domain controller
After the process, I found more ports listening on the domain controller, besides the ports that I had
already listed in the baseline. However, I decided to leave only the RADIUS ports listening.
Remote Authentication Dial-In User Service (RADIUS) is an access authentication and accounting
protocol. In most communications, the RADIUS client, typically a network access server, contacts the
RADIUS server to authenticate the client.
Table 7: Additional ports needed for the domain controller
Protocol   Port number   Description
UDP        1645          RADIUS
UDP        1646          RADIUS
UDP        1812          RADIUS
UDP        1813          RADIUS
File Server
Port 161, which is the Simple Network Management Protocol (SNMP), is listening on the file server7.
It is a protocol for collecting and monitoring network resources. Port 161 is used by the SNMP agent,
which reports its current state to the SNMP server (the helpdesk server).
Helpdesk server
The helpdesk server provides a platform for resolving tickets in the organization through a web
interface. It also runs the SNMP protocol and is a manager server, collecting information from the
other SNMP agents. There is also a Trivial File Transfer Protocol (TFTP) service run by the helpdesk
program8.
Table 8: Summary of ports needed for the helpdesk server
Protocol   Port number   Description
TCP        80            HTTP
TCP        443           HTTPS
UDP        69            TFTP
UDP        161           SNMP
UDP        162           SNMP TRAP
Print server
There is nothing suspicious on the print server. It has port 6160 for the Print Spooler service and a
port for the Canon driver9.
7 https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
8 https://www.spiceworks.com/free-tftp-server-for-network-configuration-management/
9 http://download.canon.it/soluzioni_faq/files/TCP-IP%20Ports_rev%2003-01-09.pdf
Table 9: Summary of ports needed for the print server
Protocol   Port number   Description
TCP        6160          Print Spooler
TCP        41380         Canon Driver
SharePoint server
There is nothing suspicious on the SharePoint server, which is currently used for the intranet.
Although many ports are listened on by the server, they are all well documented and serve a
particular purpose10.
Table 10: Summary of ports needed for the SharePoint server
Protocol   Port number           Description
TCP        80                    HTTP
TCP        16500 - 16519         Ports used by the search index component
TCP        22233, 22234, 22236   Ports required for the AppFabric Caching Service
TCP        808                   Port required for Windows Communication Foundation
                                 communications
TCP        32843                 Port required for communication between web servers and
                                 service applications (HTTP binding)
TCP        32844                 Port required for communication between web servers and
                                 service applications (HTTP binding)
TCP        32846                 Microsoft SharePoint Foundation User Code Service (for
                                 sandbox solutions)
TCP        2103, 2105, 2107      Message Queuing
TCP        1801                  Message Queuing (including HTTP messaging) message traffic
                                 and internal session management traffic between Queue
                                 Managers
UDP        161                   SNMP
10 https://technet.microsoft.com/en-us/library/cc262849.aspx?f=255&MSPPError=-2147217396
Antivirus server
As before, the antivirus server also opens a lot of ports. However, those ports are opened for a
particular reason and they are all well documented on the vendor's official website[11].
There is, however, an unknown port 7271 and two other suspicious ports opened by TeamViewer.
Table 11: Summary of ports needed for the Antivirus server
Protocol  Port number  Description
TCP       5939         TeamViewer port
UDP       5353         TeamViewer port
TCP       17000        Required for secure SSL connection to the activation proxy server
TCP       17100        Required for connection to the activation proxy server when activating mobile hosts
TCP       8060         Required for connection to the web server, which allows managing Kaspersky Security Center Web Console and organizing the internal company portal
TCP       8061         Required for connection to the web server, which allows managing the work of Kaspersky Security Center Web Console and organizing the internal company portal. The connections are encrypted
TCP       13111        Required for connecting to the KSN proxy server
TCP       13000        Required for receiving data from client computers, connecting update agents, connecting slave Administration Servers using the secure SSL connection
UDP       13000        Required for reporting on computer's shutdown
TCP       13191        Required for the SSL connection between the Administration Console and the Administration Server
TCP       13292        Required for connecting mobile devices
TCP       14000        The same requirement as TCP port 13000
[11] https://support.kaspersky.com/9297#block1
Remoting server
This server has a lot of programs installed and a lot of ports open. At a quick look, I can identify some
programs:
- TeamViewer
- Veeam backup service[12]
- UniFi products[13]
All in all, they are not suspicious, but the UniFi products seem to open a lot of ports.
Table 12: Summary of ports needed for the remoting server
Protocol  Port number  Description
TCP       80           HTTP
TCP       443          HTTPS
UDP       3702         Web Services Dynamic Discovery (WS-Discovery)
TCP       5939         TeamViewer port
UDP       5353         TeamViewer port (multicast DNS)
TCP       6160         Default port used by the Veeam Installer Service
TCP       6162         Default port used by the Veeam Data Mover Service
TCP       6190         Port used for communication with the guest interaction proxy
TCP       6290         Port used as a control channel for communication with the guest interaction proxy
TCP       6170         Port used for communication with a local or remote mount service
TCP       8080         UniFi port for UAP to inform controller
TCP       8443         UniFi port for controller GUI/API
TCP       8843         UniFi port for HTTPS portal redirect
TCP       8880         UniFi port for HTTPS portal redirect
UDP       1900         UniFi Simple Service Discovery Protocol (SSDP)
UDP       3478         UniFi port used for STUN
UDP       10001        UniFi access point broadcast to 255.255.255.255:10001 (UDP) to locate the controller
TCP       27117        UniFi local-bound port for DB server
TCP       27341        UniFi dbus-daemon
[12] https://www.veeam.com/kb1518
[13] https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used
SMS2 server
This server is responsible for authenticating Citrix logins from outside Origio's network. I have found the
following ports open and decided to open them in the firewall, since they are important for the
authentication process. A list of the ports required by SMS2 can be found here[14].
Table 13: Summary of ports needed for the SMS2 server
Protocol  Port number  Description
UDP       1645         RADIUS
UDP       1646         RADIUS
UDP       1812         RADIUS
UDP       1813         RADIUS
TCP       9060         SMS2 core services requirement: AuthEngine Service
TCP       9070         SMS2 core services requirement: CloudSMS Service
TCP       9991         SMS2 core services requirement: OATHCalc Service
Interesting findings
In this section I will describe some of the interesting findings from the project.
DNS server listens on many UDP ports
When I was checking the domain controllers, which also hold the DNS role, I noticed that all three
of them have a long range of UDP ports listening (more than 1500 dynamic ports). They are opened
by the process dns.exe. As far as I know, DNS normally only listens on UDP port 53 for incoming DNS
queries.
After doing some research on the Internet, I found out that this is the way to prevent DNS spoofing, or
DNS cache poisoning attacks[15].
[14] http://www.wrightccs.com/support/documentation/
The DNS cache poisoning attack targets DNS servers. Attackers attempt to insert a fake DNS
record into the DNS server. If the attempt succeeds, the fake DNS record is stored in the DNS
server's cache, and future queries about the target domain are answered with the fake record. The
record stays in the cache until the Time to Live (TTL) value in the record expires. This can be a
really big problem if users are directed to a malicious site without noticing.
To be able to do this, the attacker must wait until the victim DNS server sends a DNS query for
a domain. While the victim waits for the response from the legitimate authoritative DNS server, the
attacker sends a fake query response to the victim, hoping that the message arrives at the
victim first. This requires, first, that the attacker is quick enough, and second, that the attacker
guesses the correct query parameter values (the identifier of the transaction).
To make it harder to fake a DNS response, an additional method was introduced besides the 16-bit
transaction identifier: source port randomization. Basically, the DNS server no longer uses a fixed
source port when querying for DNS records. Instead it picks a source port from a pool of available sockets.
Source port randomization makes it more difficult for attackers because they have to guess both
the transaction ID and the source port of the querying packet in order to forge a response.
So it is fine that the DNS servers (3 of our domain controllers) open a range of UDP ports.
Dynamic port range in mail server
When checking the listening ports on the mail server, I noticed that some of the services/processes
that normally use dynamic ports are now using the registered port range (some of them still use
dynamic ports besides that). They include:
- Wininit.exe
- Svchost.exe
- Lsass.exe
- Services.exe
None of the processes above ever uses the registered port range for its listening ports, as far as I have
observed in our environment. Additional Exchange services/processes also use the registered port range;
these include:
- MSExchangADTopologyService.exe
- MSExchangeMailSubmission.exe
- Msexchangerepl.exe
- Microsoft.Exchange.RpcclientAccess.Service.exe
- Microsoft.Exchange.ServiceHost.exe
- and many more
[15] https://en.wikipedia.org/wiki/DNS_spoofing
The document I have for reference, however, states that all of those services use dynamic (RPC)
ports. This use of registered ports instead of dynamic ports makes it harder for me to decide
which ports should be opened. A short check of the RPC dynamic port range on the mail server could
help to identify the problem. This can be done by issuing these commands in cmd.exe:
C:\Windows\system32> netsh int ipv4 show dynamicport tcp
C:\Windows\system32> netsh int ipv4 show dynamicport udp
After issuing the commands, the range of TCP dynamic ports is shown. What is interesting is that the
dynamic port range starts at 6005, which is quite strange. This is the only server in our environment
whose dynamic port range starts at port 6005.
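As an added example (not part of the report), the check behind the two findings above written as reusable PowerShell functions: one reads the dynamic port range from netsh, the other parses netstat -ano output and classifies each process's listening UDP ports as inside or outside that range, so that a DNS server with many dynamic-range sockets and a mail server with services on registered ports stand out in one table. The function names and the sample netstat lines are my own constructions; the live run assumes English netsh output.

```powershell
# Added example, not code from the report. PowerShell 2.0 compatible.

function Get-DynamicPortRange {
    # Reads "netsh int ipv4 show dynamicport <protocol>" (English output assumed):
    #   Start Port      : 49152
    #   Number of Ports : 16384
    param([ValidateSet('tcp','udp')][string]$Protocol = 'udp')
    $text = (netsh int ipv4 show dynamicport $Protocol) -join "`n"
    if ($text -notmatch 'Start Port\s*:\s*(\d+)')      { throw "Cannot parse start port from netsh output" }
    $start = [int]$Matches[1]
    if ($text -notmatch 'Number of Ports\s*:\s*(\d+)') { throw "Cannot parse port count from netsh output" }
    $count = [int]$Matches[1]
    New-Object PSObject -Property @{ Start = $start; End = ($start + $count - 1) }
}

function Get-ListeningUdpSummary {
    param(
        [Parameter(Mandatory=$true)][string[]]$NetstatLines,  # output of: netstat -ano -p udp
        [Parameter(Mandatory=$true)][int]$RangeStart,
        [Parameter(Mandatory=$true)][int]$RangeEnd,
        [hashtable]$ProcessNames = @{}                        # PID -> name; looked up live when absent
    )
    # A UDP line of "netstat -ano" looks like:  UDP    0.0.0.0:53    *:*    1460
    # (the local address may also be IPv6, e.g. [::]:53)
    $pattern = '^\s*UDP\s+\S+:(\d+)\s+\*:\*\s+(\d+)\s*$'
    $byPid = @{}
    foreach ($line in $NetstatLines) {
        if ($line -notmatch $pattern) { continue }
        $port   = [int]$Matches[1]
        $procId = [int]$Matches[2]
        if (-not $byPid.ContainsKey($procId)) {
            $name = $ProcessNames[$procId]
            if (-not $name) {
                $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
                if ($proc) { $name = $proc.ProcessName } else { $name = '?' }
            }
            $byPid[$procId] = New-Object PSObject -Property @{
                PID = $procId; Process = $name; DynamicPorts = 0; FixedPorts = @()
            }
        }
        $entry = $byPid[$procId]
        if ($port -ge $RangeStart -and $port -le $RangeEnd) {
            $entry.DynamicPorts += 1        # expected for dns.exe (source port randomisation)
        } else {
            $entry.FixedPorts += $port      # service ports; many of these per process is the mail-server pattern
        }
    }
    $byPid.Values | Sort-Object DynamicPorts -Descending |
        Select-Object Process, PID, DynamicPorts, @{n='FixedPorts'; e={ ($_.FixedPorts | Sort-Object) -join ',' }}
}

# Constructed sample (not real output from any server): a DNS process with
# dynamic-range sockets, a service on registered ports, and an LLMNR listener.
$sampleNetstat = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  UDP    0.0.0.0:53             *:*                                    1460',
    '  UDP    [::]:53                *:*                                    1460',
    '  UDP    0.0.0.0:49160          *:*                                    1460',
    '  UDP    0.0.0.0:49161          *:*                                    1460',
    '  UDP    0.0.0.0:49162          *:*                                    1460',
    '  UDP    0.0.0.0:6005           *:*                                    812',
    '  UDP    0.0.0.0:6006           *:*                                    812',
    '  UDP    0.0.0.0:5355           *:*                                    1028'
)
$sampleNames = @{ 1460 = 'dns'; 812 = 'lsass'; 1028 = 'svchost' }
Get-ListeningUdpSummary -NetstatLines $sampleNetstat -RangeStart 49152 -RangeEnd 65535 -ProcessNames $sampleNames |
    Format-Table -AutoSize

# Live run on a Windows server (process names then come from Get-Process):
# $range = Get-DynamicPortRange -Protocol udp
# Get-ListeningUdpSummary -NetstatLines (netstat -ano -p udp) -RangeStart $range.Start -RangeEnd $range.End
```

On the mail server the same run with the TCP range (netstat -ano -p tcp and Get-DynamicPortRange -Protocol tcp) shows directly which processes sit in the unusual 6005-based range.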
LLMNR and NetBIOS
Port 137 (TCP & UDP), 138 (UDP) and 139 (TCP)
During the port exploration, I noticed that most of the servers have these ports enabled and
listening: 137, 138 and 139. These ports are used, respectively, by:
- NetBIOS Name Service: a name resolution method other than DNS. The NetBIOS namespace is
  flat, meaning that all names in the namespace must be unique. A NetBIOS name query is used
  to resolve a name into an IP address, which makes it possible to locate the resource.
- NetBIOS Datagram Service: the datagram service provides the ability to send a message to a
  specific name or a group name.
- NetBIOS Session Service: the service enables file sharing between two machines. Once the
  session has been established, client and server can start sharing files using SMB.
As mentioned earlier, SMB can also run directly on top of TCP (direct hosting). If both NetBIOS
sessions and direct hosting are enabled, both are attempted at the same time, and the first to
respond is used (this is useful when we have several machines in the environment which do not
support direct hosting of SMB traffic).
However, I will not choose to open these ports, and I suggest that the Origio administrators disable NetBIOS,
for the following reasons:
- To lower the traffic in the network: NetBIOS is an old name resolution method and we are
  actually using DNS these days for name resolution. NetBIOS broadcast traffic should be
  removed.
- Without NetBIOS, we are still able to use file sharing through direct hosting via port 445.
- To reduce the attack surface: several Trojans and backdoors use these ports, including
  Chode, God Message worm, Msinit[16] and others.
Port 5355 (UDP)
Port 5355 is used by Link-Local Multicast Name Resolution (LLMNR). It is another name resolution method besides
DNS and NetBIOS. Unlike NetBIOS, LLMNR uses multicast instead of broadcast for its resolution
process. To respond to queries, responders listen on UDP port 5355 on a specific multicast address.
As I want DNS to be the name resolution method, opening port 5355 is not a must, although I
have noticed that several servers are actually listening on that port. Moreover, the service that is
listening on that port is svchost.exe with the name "DNScache". This is somewhat strange to me,
since DNScache and LLMNR are two different things.
PowerShell Script creation
In this part I will elaborate on the process of creating the PowerShell scripts. After the documentation of
the ports needed for each server has been created, we can create the scripts based on what we have
defined.
Our aim here is to take advantage of the flexibility of PowerShell. That means that
we will create scripts that can run both remotely and locally: an executing machine can run the
script to make changes on another machine.
The scripts are separated into 5 parts, each for a different step and purpose. They are scripts that:
- Enable or disable the firewall: the first and foremost thing to do is to find out how to enable
  or disable the firewall. At Origio all of the local firewalls are disabled, so enabling the firewall is
  essential. In addition, the script should be able to disable the firewall again with a different parameter.
- Disable the default firewall rules: the default inbound rules, or inbound rules added before the
  firewall was turned off, should be disabled. After executing this script, all inbound
  connections to the machine should be blocked, since the rules allowing any traffic are
  disabled (except some rules needed to continue the remote management).
- Add rules: this script is the essential script and step in our process. With this script, ports
  are opened one by one for traffic to come through. After successfully executing the script,
  we are basically done.
- Reset the firewall: sometimes things do not go as expected. In case we add or disable the
  wrong rules, or make changes that are hard to fix, we need the firewall back in its original
  state.
- Enable pinging: we also have to worry about the network layer. Blocking all traffic is not a
  good idea, since network-layer traffic is also important. For example, ICMP traffic
  (ping and echo reply) is used extensively in Origio.
[16] http://www.speedguide.net/port.php?port=137
In the scripts we are using PowerShell version 2. Since most of the servers in our environment run
Windows Server 2008 R2, everything firewall related is managed through the HNetCfg.FwPolicy2
COM object.
In a later version (PowerShell version 3), Microsoft introduced the Network Security module, which enables
us to work with the firewall more easily. A brief introduction to the module is given in a later section.
Notice that all of the development is conducted in Windows PowerShell ISE.
Set up execution permission and WinRM
Before being able to execute the scripts, the administrator should make sure that:
- They have enabled execution of PowerShell scripts on the machine. Windows PowerShell has 4
  different policies:
  o Restricted: no script can be run.
  o AllSigned: only scripts published by a trusted publisher can be run.
  o RemoteSigned: downloaded scripts must be signed by a trusted publisher before they can run.
  o Unrestricted: all scripts can be run.
  They can modify the policy and enable running all scripts by typing:
  PS C:\> Set-ExecutionPolicy Unrestricted
- WinRM should be enabled on the remote computer. This can be done by opening cmd.exe
  and typing:
  C:\Windows\system32> winrm quickconfig
Enable or Disable the firewall
The first part is to find out how to enable or disable the firewall. After opening PowerShell ISE, a
blank page appears. I choose to maximize the pane for easy usage.
The first thing I do is to create a firewall object (this step is a must in every script,
since creating the firewall object is what enables us to work with the firewall). I type in:
$firewall = New-Object -ComObject HNetCfg.FwPolicy2
The line above can be understood as: create a new HNetCfg.FwPolicy2 COM object and store it in
the variable named "firewall". Notice that there is a "$" before the variable name, indicating that this
is a variable.
After this, I type in:
$firewall.FirewallEnabled(1) = $True
$firewall.FirewallEnabled(2) = $True
$firewall.FirewallEnabled(4) = $True
Windows Firewall has 3 different profiles: domain, private and public. Each number represents a
profile: 1 is for domain, 2 is for private and 4 is for public. The lines tell the firewall
object to enable the firewall in those 3 profiles. After these lines, I can run the script and get
the firewall enabled. However, I also want to be able to disable the firewall using the same script.
PowerShell scripts can take parameters, which is a powerful feature. I therefore type the following above all
other lines to define a parameter:
param(
    [Parameter(Mandatory=$True)]
    [ValidateSet("Enable","Disable")]
    [String]$Action
)
The parameter has the type "String" and its name is "Action". When specifying the parameter, the user can
only type "Enable" or "Disable". This parameter is mandatory.
I then modify the script to:
if($Action -match "enable")
    {$firewall.FirewallEnabled(1) = $True}
else
    {$firewall.FirewallEnabled(1) = $False}
The lines above can be understood as: if the user sets the "Action" parameter to "enable", enable
the firewall in profile 1; otherwise disable it. I would do the same for the other two
profiles (2 and 4). This is time consuming, introduces more problems by copying code, and
makes our script quite long (more than 12 lines). A better idea is to shorten the script in a simple
way.
I modify it to:
$firewall = New-Object -ComObject HNetCfg.FwPolicy2
$profile = 1,2,4
$profile | % {
    if($Action -match "enable")
        {$firewall.FirewallEnabled($_) = $True}
    else
        {$firewall.FirewallEnabled($_) = $False}
}
These lines do exactly the same as before. However, they put the 3 numbers in a variable
called $profile, and for each profile run the script inside the {} block (4th line). We are 90% through our
process. I then add:
$script = {
    param (
        $Action
    )
    $firewall = New-Object -ComObject HNetCfg.FwPolicy2
    $profile = 1,2,4
    $profile | %{
        if($Action -match "Enable")
            {$firewall.FirewallEnabled($_) = $True}
        else
            {$firewall.FirewallEnabled($_) = $False}
    }
}
Notice that above everything I have a variable called $script; that is where I store the whole script. When
executing those lines, the block of script inside the $script variable is not run. All it does is
store the script in the variable for later use. I define another param block inside the
$script variable with the $Action variable (2nd line). Recall that I also have another $Action parameter
in the steps above. The reason I do this is that a variable from the calling scope is not available directly
inside the script block when it is executed remotely. If we do not define another parameter inside the script
block, the script takes no action: it will always perform the code in the "else" branch even though we type
in "enable", simply because the variable is lost at the time execution jumps into the $script block.
However, we are still missing one little thing for this to succeed.
The last step is to make this script run on any computer by specifying another parameter. I add this
parameter to my param() block:
[String[]]$Computer
This parameter accepts a second argument, a string representing the computer's name.
Notice that this variable is an array, so it can accept several names.
I add the following line at the bottom of my script:
#Parameter definitions and script block definition are above here
Invoke-Command -ComputerName $Computer -ScriptBlock $script -ArgumentList $Action
This line of code reads the computer names from our input, executes remotely (Invoke-Command)
the script in the $script variable that we defined before, and takes the $Action parameter that the
user typed in and passes it to the $Action parameter inside the $script block. The argument list acts as
a virtual bridge. I then save the script with the name "Firewall.ps1".
To execute the script, I open Windows PowerShell, navigate to the folder that contains the script and
type in:
PS C:\> .\Firewall.ps1 -Action enable -Computer servername
This command enables the firewall on a remote computer. Specifying another value such as
disable for Action, or another name for Computer, makes the script work differently.
Disable rules
When the firewall is enabled, the default rules (rules that were defined before) take effect again.
However, we do not want that to happen, as we want to implement our own rules to open the
wanted ports. Therefore, we need to disable those rules, including the Core Networking rules. The Core
Networking rules mainly deal with ICMPv6 traffic or the IPv6 protocol. Some of them allow DHCP to
function. However, none of these rules are in our consideration.
What we are disabling here is only the inbound rules. The outbound rules will not be
disabled or touched at all. Outbound connections are used when the machine opens a port and
connects to the other end using that port. Those ports are usually dynamically assigned.
For the first part I type in these lines in order to specify the remote computers:
param(
    [String[]]$Computer
)
Now we come to the main script:
$firewall = New-Object -ComObject HNetCfg.FwPolicy2
The first line creates a firewall object so that we can interact with the firewall. Then I type in:
$rules = @($firewall.Rules | Where-Object {$_.Name -notlike "*Windows Remote Management (HTTP-In)*" -AND $_.Direction -eq '1' -AND $_.Enabled})
This second line can be understood as follows: amongst the firewall rules ($firewall.Rules), get all of
those with the inbound direction and enabled state, except those with a name like "Windows
Remote Management (HTTP-In)". It is a must to exclude Windows Remote Management, because if
we do not, by the time we disable all rules we cannot perform any more commands. We then
store all of those rules in the $rules variable, which is an array/list. By executing this line, we get all
of the enabled inbound rules stored in a single variable. Then I type in:
$rules | ForEach-Object { $_.Enabled = $False }   # $False = rule disabled
This is the important line in our script. It simply iterates through each rule stored in the $rules
variable and sets its enabled state to disabled. I then store the script in the $script variable:
$script = {
    $firewall = New-Object -ComObject HNetCfg.FwPolicy2
    $rules = @($firewall.Rules | Where-Object {$_.Name -notlike "*Windows Remote Management (HTTP-In)*" -AND $_.Direction -eq '1' -AND $_.Enabled})
    $rules | ForEach-Object { $_.Enabled = $False }   # $False = rule disabled
}
Finally, the Invoke-Command at the bottom line helps us execute remotely:
Invoke-Command -ComputerName $Computer -ScriptBlock $script
I go on and save the script as "Disablerules.ps1".
To execute the script, I open Windows PowerShell, navigate to the folder that contains the script and
type in:
PS C:\> .\Disablerules.ps1 -Computer servername
This command disables the rules on the specified remote computer.
Adding more rules
After disabling the rules on the machine, it is currently not possible to initiate any connection to the
machine (but not the other way round), except through WinRM. We have to add the rules that open the
ports one by one in order for it to accept incoming connections.
The script again makes use of PowerShell parameters, which is a powerful technique.
Firstly, I define the parameters the script accepts:
param(
    [String[]]$Computer,
    [Parameter(Mandatory=$True)]
    [ValidateSet(6, 17)]
    [int]$protocol,
    [Parameter(Mandatory=$True)]
    [String[]]$ports
)
As before, there is a string array parameter representing the remote computer names. The next lines
define 2 more parameters that the script accepts: the first one is the protocol, the second one the ports
to add. Protocol is an integer value, either 6 (TCP) or 17 (UDP). Ports can be a single number or an
array of string values, separated by commas.
For the first part I create a firewall object in my main script block:
$firewall = New-Object -ComObject HNetCfg.FwPolicy2
Next, I type:
$ports | % {
    # Create a Rule Object.
    $newRule = New-Object -ComObject HNetCfg.FWRule
    $newRule.Name = "(PowerShell) Allow Port " + $_
    $newRule.Description = "Manual rules added by PowerShell"
    $newRule.Protocol = $protocol
    $newRule.LocalPorts = $_
    $newRule.Grouping = "@firewallapi.dll,-23255"
    $newRule.Enabled = $True
    $newRule.Profiles = 7
    $newRule.Action = 1
    $newRule.Direction = 1
    # Add the new rule
    $firewall.Rules.Add($newRule)
}
For each of the ports the user types in, the block in the script is executed. In more detail, this
is what each line does:
- Create a new HNetCfg.FWRule COM object for working with firewall rules. The object has
  many properties such as name, description, protocol and so on.
- Specify the name of the rule. In our case, the new rule is named after the port allowed.
  For example, the rule name will be "(PowerShell) Allow Port 80" if the port typed in is 80. Notice
  that the "$_" variable represents the current port from the $ports parameter. This is the fastest
  way of naming the rules. Although the name does not describe what the port is for, the administrator
  can always refer to the documentation provided. Giving understandable names is a good thing, but
  then we would have to name each rule manually.
- Add the description for the rule. This will always be "Manual rules added by PowerShell".
- Add the protocol for the rule. The protocol will be the protocol number the user typed in,
  which is stored in the $protocol variable.
- Add the port that the rule allows. Again, the flexible "$_" variable is used to represent each
  port in the $ports variable.
- Add the group for our rule. The group "@firewallapi.dll,-23255" means that it is part of
  firewallapi.dll and will be treated as a Windows default rule that cannot be modified after
  being defined.
- Set the state of the rule to enabled.
- Set the profiles that the rule applies to. Number 7 is for all profiles (1, 2 and 4).
- Set the action for the rule: 1 for allow and 0 for block. Our rule will always be set to allow.
- Set the direction that the rule applies to: 1 for inbound and 2 for outbound. Our rule will
  always be set to inbound.
After defining the properties for our rule object, the last line of the script adds the rule to the firewall.
This block of script is repeated for each of the ports we typed in.
I put all of this into the $script variable. This means that I also have to create (again) the same
parameters as at the beginning, and then make a "bridge" to those parameters through the argument list.
$script = {
    param (
        $protocol,
        $ports
    )
    # Create the FwPolicy2 object.
    $firewall = New-Object -ComObject HNetCfg.FwPolicy2
    $ports | % {
        # Create a Rule Object.
        $newRule = New-Object -ComObject HNetCfg.FWRule
        $newRule.Name = "(PowerShell) Allow Port " + $_
        $newRule.Description = "Manual rules added by PowerShell"
        $newRule.Protocol = $protocol
        $newRule.LocalPorts = $_
        $newRule.Grouping = "@firewallapi.dll,-23255"
        $newRule.Enabled = $True
        $newRule.Profiles = 7
        $newRule.Action = 1
        $newRule.Direction = 1
        # Add the new rule
        $firewall.Rules.Add($newRule)
    }
}
Invoke-Command -ComputerName $Computer -ScriptBlock $script -ArgumentList $protocol, $ports
I go on and save the script as "Addrules.ps1".
To execute the script, I open Windows PowerShell, navigate to the folder that contains the script and
type in:
PS C:\> .\Addrules.ps1 -Computer servername -protocol 6 -ports 80, 123, 443
This command adds rules that allow inbound connections to TCP ports 80, 123 and 443 on the
remote server.
Resetting the Firewall
As mentioned before, we have to reset the firewall settings back to their original state if we do
something wrong, or the script turns out to fail. My method is to reset the firewall back to its
original state.
I start with the lines of script that specify the remote computers:
param(
    [String[]]$Computer
)
I type in my script block:
$script = {
    $firewall = New-Object -ComObject HNetCfg.FwPolicy2
    $firewall.RestoreLocalFirewallDefaults()
    $profile = 1,2,4
    $profile | %{
        $firewall.FirewallEnabled($_) = $False
    }
    $rules = @($firewall.Rules | Where-Object {$_.Name -like "*Windows Remote Management (HTTP-In)*"})
    $rules | ForEach-Object { $_.Enabled = $True }
}
This block of script creates a firewall object, resets the firewall to its defaults and sets the firewall
back to off. Notice that the $firewall object has a useful function,
RestoreLocalFirewallDefaults(). Notice also that I enable Windows Remote Management again, so we do
not have to go back to the server and enable it. I finish my script with:
Invoke-Command -ComputerName $Computer -ScriptBlock $script
This is an example of executing the script:
PS C:\> .\ResettingFW.ps1 -Computer computername
After executing this script, the firewall is set back to its defaults and turned off.
Another safe and better way to reset the firewall rules is to use the import/export function built into
Windows Firewall with Advanced Security. Before making any changes, save the current firewall
settings (export) by selecting Windows Firewall with Advanced Security on Local Computer, choosing
Action and then Export. After making the changes, if the machine is not working well, we can import the
exported file again: simply follow the steps above, but when clicking the Action
button, choose Import. This works well if the firewall had some more predefined rules before that
are hard to keep track of.
Enable ping (ICMP traffic)
I start with the lines of script that specify the remote computers:
param(
    [String[]]$Computer
)
I type the following lines into my $script variable:
$script = {
    $firewall = New-Object -ComObject HNetCfg.FwPolicy2
    $rules = @($firewall.Rules | Where-Object {$_.Name -like "*File and Printer Sharing (Echo Request - ICMPv4-In)*" -AND $_.Direction -eq '1'})
    $rules | ForEach-Object {$_.Enabled = $True}
}
The first line creates a new firewall object. The next line can be understood as: get all of the
inbound rules in the firewall whose name is like "File and Printer Sharing (Echo Request - ICMPv4-In)".
After that, iterate through each of the rules and set it to enabled. I finish my script with this last
line:
Invoke-Command -ComputerName $Computer -ScriptBlock $script
This is an example of executing the script:
PS C:\> .\Enableping.ps1 -Computer computername
After executing this command, the rules that allow pinging are enabled.
Local machine and remote machines
Invoke-Command can also execute the script block on the local machine, if we specify
"localhost" in the Computer parameter:
PS C:\> .\Enableping.ps1 -Computer localhost
This type of flexibility is really useful, giving administrators the option to run the scripts
remotely, locally, or both.
Comments
In each of the scripts I have prepared some instructions in the form of comments. This, again, is a
strong side of PowerShell.
Every time an admin is confused about a function of a script or a command, wonders how to use it,
wants an example, or wants to know what type of value a parameter takes, he can open the
script and see what is written there. Alternatively, there is another way, by typing this command:
PS C:\> Get-Help .\scriptname
Depending on how the script is documented, a list of instructions is shown. The information shown
can be:
- Name: the name of the script
- Synopsis: a short description of the script
- Description: a longer description of the script
- Parameters: the parameters the script accepts
- Examples: some examples of how to execute the script
To enable this useful function, I add the following comment block at the beginning of my script:
<#
.SYNOPSIS
This script can be used to enable ping echo request (in).
.DESCRIPTION
Enable the machine to receive ping.
.PARAMETER computer
The computers you want to apply.
.EXAMPLE
.\Enableping.ps1
Enable ping
.NOTES
This script is submitted for the final project at KEA in collaboration with
Origio.
#>
Different scripts will have different instructions, depending on how complicated they are.
Putting the commands into one package
At some point in the implementation phase we will forget to type in a command, we will miss a port, we will type in the wrong port, and so on. Anything could happen if we run the scripts manually and we do not notice it. Of course we can be very careful when we do it, but when we later refer back to what we did and what we typed at that time, there is no documentation of it either. Besides the documentation about the ports needed, we also have to document what commands we actually typed.
Putting all of the commands into one package solves that issue, as the package also acts as documentation for future reference. The set of commands to be performed is put into one PowerShell script. By running the newly created script, we also run all of the scripts inside it (scripts in a script). The following block of script can serve as an example:
#Enable firewall
.\Firewall.ps1 enable dc
#Disable default rules
.\Disablerules.ps1 dc
#Basic rules in the domain
.\Addrules.ps1 dc 6 135, 445, 3389, 49152-65535
.\Addrules.ps1 dc 17 445, 123, 49152-65535
#Rules for domain controller
.\Addrules.ps1 dc 6 389, 636, 3268, 3269, 88, 464, 53, 9389
.\Addrules.ps1 dc 17 389, 88, 464, 53, 67
#Enable pinging
.\Enableping.ps1 dc
I will save the script as “Main_DC”, stating that this is the main script performed for the domain controller. When looking back at what I did, I can read this script as a means of reference. I can manually modify the ports needed for a specific type of server. I execute the script by:
PS C:\> .\Main_DC.ps1
Other aspects: error handling, recovery and automation
The above PowerShell script creation process is of course an incomplete approach. To be complete, several aspects also need to be considered, especially when the environment becomes bigger than Origio. They are error handling, recovery and the automation of the scripts.
Although the scripts will be tested for full functionality, in some cases errors will still occur. It could be when the command cannot reach the specific machine, or when it can reach it but the function is not performed, or firewall rules are created in a way we do not expect, and so on. There should be a way to make sure that all of the errors that occur are noticed by the administrator. The ability to handle errors automatically is important. Until now my approach to finding errors is to manually check the machines by looking into the firewall or using tools such as Portqry (mentioned later) to check for listening ports. The implemented machine itself does not respond with any message when the implementation succeeds or when it fails. This aspect should be developed in the future.
In the above part, I have mentioned two ways of recovering from failure. One is running the ResettingFW.ps1 script to reset the firewall back to its original state. This, however, is not a good approach if WinRM is accidentally disabled on the remote machine. The other way is to have a backup from the firewall itself (by exporting and importing the firewall policy). This requires manually navigating to the machine and using the GUI. The problem posed here is to provide a recovery method that is automatic and can be widely implemented.
Because the servers in our environment at Origio are very different, the scripts are by nature implemented manually. We have to manually input ports and protocols for a specific type of server and save the script for future reference. That, however, could be an arduous task for administrators, especially when they have to craft every single script for every type of server.
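The three gaps named above (errors that are never reported, a recovery path that needs the GUI, and a package such as Main_DC.ps1 that runs blind) can be closed in the same style of script. The following is an added example written for this report's setup; it is not one of the report's own scripts. It assumes the same WinRM remoting as the scripts above, a folder C:\FirewallBackup on each target for the exported policy (an assumed path), a log file next to the wrapper script (an assumed name), and that the built-in management rule's name contains “Windows Remote Management” (the assumption used to check that remote management survives the change). It also uses the same comment-based help style described in the Comments section.

```powershell
<#
.SYNOPSIS
Added example wrapper: runs a firewall step on several computers with a pre-check,
a policy backup and a per-machine result record. Not one of the report's scripts.
.PARAMETER Computer
The computers to apply the step to (same convention as the report's scripts).
.PARAMETER BackupDir
Assumed folder on each target where the exported policy is written before any change.
.EXAMPLE
.\Run-FirewallStep.ps1 -Computer dc, client1
#>
param(
    [Parameter(Mandatory = $true)][string[]]$Computer,
    [string]$BackupDir = 'C:\FirewallBackup'
)

# The work done on each target. A backup is taken first so recovery is
# 'netsh advfirewall import <file>' instead of a visit to the GUI.
$work = {
    param($backupDir)
    if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
    $backup = Join-Path $backupDir ("policy-{0}.wfw" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $out = netsh advfirewall export $backup
    if ($LASTEXITCODE -ne 0) { throw "Policy export failed: $out" }

    # INetFwRule.Direction 1 = inbound. Only enabled inbound rules are counted so the
    # caller can compare the number with what the step was expected to leave behind.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $inbound = @($fw.Rules | Where-Object { $_.Direction -eq 1 -and $_.Enabled })
    $winrm = @($fw.Rules | Where-Object { $_.Name -like '*Windows Remote Management*' -and $_.Enabled })
    New-Object PSObject -Property @{
        Backup         = $backup
        EnabledInbound = $inbound.Count
        WinRMRuleKept  = ($winrm.Count -gt 0)
    }
}

$results = foreach ($c in $Computer) {
    $r = New-Object PSObject -Property @{ Computer = $c; Status = ''; Detail = '' }
    try {
        # Fail fast with a clear message instead of a hanging Invoke-Command.
        Test-WSMan -ComputerName $c -ErrorAction Stop | Out-Null
        $info = Invoke-Command -ComputerName $c -ScriptBlock $work -ArgumentList $BackupDir -ErrorAction Stop
        if (-not $info.WinRMRuleKept) {
            # The step would have cut off our own management path; flag it, backup is already taken.
            $r.Status = 'Warning'
            $r.Detail = "WinRM rule not enabled; backup at $($info.Backup)"
        } else {
            $r.Status = 'OK'
            $r.Detail = "$($info.EnabledInbound) inbound rules enabled; backup at $($info.Backup)"
        }
    } catch {
        # Every failure is recorded per machine rather than silently lost.
        $r.Status = 'Failed'
        $r.Detail = $_.Exception.Message
    }
    $r
}

$results | Format-Table Computer, Status, Detail -AutoSize
# Assumed log name; one line per machine per run gives the "what did we do" record
# that the packaging section above asks for.
$log = Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) 'firewall-run.log'
$results | ForEach-Object { "$(Get-Date -Format s) $($_.Computer) $($_.Status) $($_.Detail)" } | Add-Content $log
```

The unreachable-machine case is caught by Test-WSMan before any change is attempted, and a script that accidentally disables the WinRM rule shows up as a Warning with the path of the backup that can restore it. The same pattern can wrap each of the report's own steps (Firewall.ps1, Disablerules.ps1, Addrules.ps1) by putting that step's commands in the $work block.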
Tests and Test Results
After finishing the port exploration process and creating the PowerShell scripts, I will continue to test my work before finalizing the project.
I will test mainly:
- Whether the implementation method works: the PowerShell scripts should run as expected and perform their function well.
- Whether the port assessment is correct and on the right track, meaning that the implemented server still functions well after the implementation. As a proof of concept, I will test with the domain controller and the Citrix VDA.
Testing the PowerShell scripts
The first thing to do is to set up the testing environment. I used VMware to create a virtual network of 3 machines, on which the test is conducted. All three have WinRM turned on, are connected to the same network and are joined to the same domain. I will use one of them as the management machine, executing all of the scripts (DC). The other two machines will be tested for functionality (client1 and client2). The process of setting up this environment is not elaborated, since this is not what I focus on. However, a brief description of the machines is shown in the following table:
Table 14: Summary of the testing machines for PowerShell script
Machine name | Description
DC | Domain Controller running Windows Server 2008 R2, with DNS role, DHCP role, File Server role, Remote Desktop enabled and WinRM enabled. I will perform PowerShell commands on this machine.
Client1 | Windows 7 client with Windows Remote Management turned on. This is a target machine.
Client2 | Windows 7 client with Windows Remote Management turned on. This is a target machine.
The testing phase requires that our scripts function well and as expected. For each script, the requirements are:
- Enable or disable firewall script (Firewall.ps1): when executing this script, remote and local computers should be affected. A connection must be made to the remote/local machine (supposing that they have WinRM turned on) and the command executed. The two parameter values (“enable” and “disable”) should work, meaning that when the admin types in “enable” the firewall should be turned on remotely/locally and vice versa. The admin should have the option to specify how many computers there are.
- Disable firewall rules (Disablerules.ps1): when executing this script, the remote and local computer(s) should disable all of their inbound firewall rules except those used for WinRM. The admin should have the option to specify how many computers there are.
- Adding rules to the firewall (Addrules.ps1): when executing this script, firewall rule(s) should be added on the remote and local computer(s). The admin should have the option to specify how many computers there are (as above), which ports should be opened and which protocol the ports use. The rules should appear in the inbound rule list in Windows Firewall with Advanced Security.
- Resetting the firewall (ResettingFW.ps1): when executing this script, all of the firewall rules will be reset to their original state. WinRM rules should be kept enabled for management purposes. The firewall will then be turned off. The admin should have the option to specify how many computers there are.
- Enable ping (Enableping.ps1): when executing this script, the inbound rule File and Printer Sharing (Echo Request - ICMPv4-In) should be enabled in Windows Firewall with Advanced Security. The admin should have the option to specify how many computers there are.
I start the test by starting PowerShell on the main machine (DC). I navigate to the directory where I store the PowerShell scripts (this is important: without this I could not execute any script, simply because they are not found). The following commands will be executed:
PS C:\Users\Administrator> cd psscript
PS C:\Users\Administrator\psscript> .\Firewall.ps1 -Action enable -Computer client1
PS C:\Users\Administrator\psscript> .\Firewall.ps1 disable client1
PS C:\Users\Administrator\psscript> .\Disablerules.ps1 -Computer client1
PS C:\Users\Administrator\psscript> .\Disablerules.ps1 client1
PS C:\Users\Administrator\psscript> .\Addrules.ps1 -Computer client1 -protocol 6 -ports 80, 123, 445
PS C:\Users\Administrator\psscript> .\Addrules.ps1 client1 17 49152-65535
PS C:\Users\Administrator\psscript> .\ResettingFW.ps1 client1
PS C:\Users\Administrator\psscript> .\Enableping.ps1 client1
PS C:\Users\Administrator\psscript> .\Firewall.ps1 enable client1, client2
PS C:\Users\Administrator\psscript> .\Disablerules.ps1 client1, client2
PS C:\Users\Administrator\psscript> .\Addrules.ps1 -Computer client1, client2 -protocol 17 -ports 500
PS C:\Users\Administrator\psscript> .\Enableping.ps1 -Computer client1, client2
PS C:\Users\Administrator\psscript> .\ResettingFW.ps1 client1, client2
PS C:\Users\Administrator\psscript> .\Firewall.ps1 disable localhost
PS C:\Users\Administrator\psscript> .\Disablerules.ps1 localhost
PS C:\Users\Administrator\psscript> .\Addrules.ps1 localhost 17 53
PS C:\Users\Administrator\psscript> .\Enableping.ps1 localhost
PS C:\Users\Administrator\psscript> .\ResettingFW.ps1 localhost
For each command, I will manually check the local host and navigate to the other two clients to test whether the command succeeded.
After observing the results, I notice that all scripts work fine. That means that the client's firewall performs the exact function defined in the script. The table below is a summary of what I have observed.
Table 15: Test results
Test command | Description | Result
.\Firewall.ps1 -Action enable -Computer client1 | Enable the firewall in client1. Parameter is explicitly written out. | Success
.\Firewall.ps1 disable client1 | Disable the firewall in client1. Parameter is implicitly read. | Success
.\Disablerules.ps1 -Computer client1 | Disable firewall rules in client1. Parameter is written out. | Success
.\Disablerules.ps1 client1 | Disable firewall rules in client1 with no -Computer parameter. | Success
.\Addrules.ps1 -Computer client1 -protocol 6 -ports 80, 123, 445 | Add firewall rules opening TCP ports 80, 123, 445 on client1. | Success
.\Addrules.ps1 client1 17 49152-65535 | Add firewall rules opening the UDP dynamic ports on client1. | Success
.\ResettingFW.ps1 client1 | Resetting the firewall on client1. | Success
.\Enableping.ps1 client1 | Enable pinging on client1. | Success
.\Firewall.ps1 enable client1, client2 | Enable the firewall on client1 and client2. | Success
.\Disablerules.ps1 client1, client2 | Disable firewall rules on client1 and client2. | Success
.\Addrules.ps1 -Computer client1, client2 -protocol 17 -ports 500 | Add firewall rules opening UDP port 500 on client1 and client2. | Success
.\Enableping.ps1 -Computer client1, client2 | Enable pinging on client1 and client2. | Success
.\ResettingFW.ps1 client1, client2 | Resetting the firewall on client1 and client2. | Success
.\Firewall.ps1 disable localhost | Disable the firewall locally. | Success
.\Disablerules.ps1 localhost | Disable firewall rules locally. | Success
.\Addrules.ps1 localhost 17 53 | Add firewall rules opening UDP port 53 locally. | Success
.\Enableping.ps1 localhost | Enable pinging locally. | Success
.\ResettingFW.ps1 localhost | Resetting the firewall locally. | Success
Testing the function of the implemented server
After proving that the PowerShell scripts work well, I will then perform tests on the servers which were assessed for open ports. As a proof of concept, I will test on the Domain Controller and the Citrix VDA.
Domain Controller
I have created my own testing environment inside VMware. The network consists of 4 hosts: 2 domain controllers and 2 clients. The servers are running Windows Server 2008 R2 and the clients are running Windows 7. The process of setting up this environment is not elaborated, since this is not what I focus on. However, a brief description of the machines is shown in the following table:
Table 16: Summary of the machines used for testing the implementation on domain controller
Hostname | Description
DC | Domain Controller running Windows Server 2008 R2, with DNS role, DHCP role, File Server role, Remote Desktop enabled and WinRM enabled.
DC2 | Domain Controller running Windows Server 2008 R2 with DNS role, WinRM enabled.
Client1 | Windows 7 client. This client has already joined the domain. I will execute the remote scripts from this client.
Client2 | Windows 7 client. This client is not in the domain. This client is used for testing the ability to join the domain and testing DHCP from the server.
Notice that this time I will use client1 to perform the commands. Of course I could perform the commands locally on DC, but I will stick to the remote strategy, proving that my scripts work fine from any machine.
After implementation, the domain controller will be tested on these aspects:
- The ability to join the domain: new computers are capable of joining the domain as normal.
- Logging in to the domain: users can log in to the domain as normal and are authenticated by the domain controller (Kerberos).
- Accessing shared files: users still have access to the files shared by other users (SMB).
- DNS: users can still perform name resolution normally.
- DHCP: machines receive their IP addresses as usual.
- RDP: machines accept incoming connections using Remote Desktop Connection.
- Domain replication process and LDAP: replication between domain controllers happens without any errors. All LDAP traffic flows normally.
After defining the testing requirements, I go on to perform the test.
Logged in to Client1 as Administrator, with the documented ports as a reference, I run the following command towards my domain controllers:
PS C:\Users\Administrator.FINALPROJECT\PSScript> .\Main_DC.ps1
Notice that the “Main_DC.ps1” script contains:
#Enable firewall
.\Firewall.ps1 enable dc
#Disable default rules
.\Disablerules.ps1 dc
#Basic rules in the domain
.\Addrules.ps1 dc 6 135, 445, 3389, 49152-65535
.\Addrules.ps1 dc 17 445, 123, 49152-65535
#Rules for domain controller
.\Addrules.ps1 dc 6 389, 636, 3268, 3269, 88, 464, 53, 9389
.\Addrules.ps1 dc 17 389, 88, 464, 53, 67
#Enable pinging
.\Enableping.ps1 dc
After that, I will start to test all of the predefined requirements.
Testing the ability to join the domain
The first test after I perform the execution is the ability to join the domain. On client2, under the Computer Name tab in System Properties, I choose Change. A new window called Computer Name/Domain Changes appears. I change the Member of option to Domain, and then specify the domain I want to join.
After authenticating with the Administrator account, a message appears that the computer has successfully joined the domain. However, an error appears afterwards.
The message says “Changing the Primary Domain DNS name of this computer to “” failed.” After doing some research about the problem on the Internet, I found a really good explanation here [17].
This is not a big problem we are facing, since we have already successfully joined the domain. However, the problem is caused by the blocking of communication on UDP port 137, making the function that performs an LDAP lookup using NetBIOS fail. This is explainable, since we have decided to block the ports used by NetBIOS. A quick fix for this problem could be opening the ports for NetBIOS again, which I would not prefer.
Testing the Kerberos authentication
The next test I want to conduct is the ability to log in to the domain using a domain account. The authentication process already happened when joining the domain; however, I want to double check the function by performing a normal login. In this case I will use the admin account and 2 other user accounts to test.
Back on our client2, after joining the domain and restarting, the login screen appears. I type in the username and the password for the Administrator account, and then log in.
[17] https://support.microsoft.com/da-dk/kb/2018583
The login process succeeds, proving that the Kerberos protocol works just fine, and that our newly made rule in the firewall allows the correct port. The login process also works fine for another user account.
I tried disabling the rule that allows port 88 (UDP & TCP) and tried the login process again. I used another normal user account (a 3rd account) to log in. This is because sometimes the machine caches the user's identity locally and authenticates locally when it cannot contact Kerberos [18]. Using a totally new account avoids that, making the result clearer.
This time the login process takes forever and nothing happens. The machine gets stuck at the login screen and keeps loading. I go back to the firewall and enable the rule again. After this I can log in with the 3rd account.
Accessing the shared file
To test the ability to perform file sharing (SMB), I create a folder on drive C: of the domain controller. After that I right-click the folder and choose Properties. In the Sharing tab, I click Advanced Sharing and check the box Share this folder. After doing that, I can see the network path of the folder in the Sharing tab. The folder's name is “script”, so the share path will be \\DC\script.
Back on the client1 and client2 machines, I press Windows key + R to open the Run box. I type in the network path as above and press Enter. A new window appears, showing the folder's content.
Now that I know I can access the shared folder, I double check by disabling the rule that allows port 445 (SMB) on the domain controller. This time, the path takes a really long time to access. The following message is shown: “\\DC\script is not accessible. You might not have permission…”
I turn the rule on again, and it works perfectly again.
Testing DNS
There are several ways to test the DNS function. The first could be the ping command. Using the ping command verifies that a host is alive and can communicate on the network. Pinging can be performed by giving the IP address of the machine or the name of that machine. In the second case, the pinging machine first performs a lookup to resolve the name of the second machine into an IP address (using a name resolution method) and then proceeds to send ICMP packets.
[18] https://support.microsoft.com/en-us/kb/172931
In my test, I use client1 to ping client2 using its name. The ping is successful: client2's name is resolved to the FQDN client2.finalproject.com and to its IP address as well.
Another approach to checking DNS is the nslookup command. Nslookup is a tool used for diagnosing DNS. The tool is quite easy to use, whether in interactive or non-interactive mode. I have performed an interactive nslookup with the query type set to A (hostname to IPv4 address) as follows:
C:\> nslookup
> set q=a
> dc
The result returned from the DNS server is the IP address of DC.
Testing DHCP
DHCP was already working while performing the above tests. By checking the DHCP address leases, I can see that 2 of my clients have already got IP addresses from the server. To manually test DHCP again, I perform the following actions:
- Shut down 2 of my client machines. I have already set them to receive IP addresses from the DHCP server.
- Delete the DHCP address lease entries on the DHCP server (DC).
- Turn on the 2 client machines. I can see that the address leases now contain the 2 newly assigned IP addresses for the 2 clients.
Testing RDP
The first thing I do is enable Remote Desktop on my domain controller. Under the Remote tab in System Properties, I choose the option Allow connections from computers running any version of Remote Desktop. A firewall rule is added, but I disable it because I have already added rules for port 3389 (RDP) before, using PowerShell.
I start Remote Desktop Connection from client1, type in the name of my domain controller (DC), authenticate myself as an admin and press OK.
After waiting a few seconds, I have succeeded in connecting to the domain controller using RDP. When I disable the rule, that is, block port 3389, I can no longer do it.
Testing LDAP and GC
In this part I will make use of the tool Portqry. First I download the tool from this website [19]. I extract the files on the client1 machine. What I am going to do is test the LDAP traffic to see if it is working well.
Recall that the domain controller listens on ports 389 and 636 for LDAP and LDAPS, and 3268 and 3269 for GC and GC SSL. Our aim here is to test that none of those ports is blocked by the firewall. This is where Portqry comes into use, since it can craft a query and send it to a specific port. The response is then analyzed in detail.
I started by opening Portqry (GUI). In the destination box, I type in the domain controller name DC. I choose the option Manually input query ports. I type in the port number 389 (LDAP) and set the protocol type to TCP. I click Query to begin the test.
In the Query Result pane, I can see the whole LDAP query response. I continue to do the same on ports 636, 3268 and 3269; I could type them in at the same time and it still works. I got the result from the second query. All of those ports are reported to be listening.
I could also go back to check the other ports, such as the DNS port, DHCP port, RDP port or Kerberos ports. I could also choose the protocol used, whether TCP or UDP, or both.
Notice that with this tool, I can also query predefined services. One of them is the Domain and Trusts service (as in the screenshot). When choosing it and querying, I get all of the results from the well-known ports that are considered to be used by domains and trusts. The tested ports are LDAP, GC, Kerberos, RPC, SMB, DNS, etc. This tool is very useful in this testing phase.
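The DNS and Portqry checks above are done by hand, one port at a time, from the GUI. The following added example (not part of the report, and not Portqry) does the same verification from PowerShell so it can be rerun after every change to a domain controller's rules: it resolves the target name, as the nslookup test does, and then tests each TCP port that the Main_DC.ps1 rules open, with a timeout so a port the firewall drops fails fast instead of hanging. The target name "dc" and the port list are taken from the report's DC rule set; the timeout value is a constructed choice. It covers TCP only, so the UDP ports (53, 88, 389, 464, 67) still need Portqry, which can send UDP probes.

```powershell
# Added example, not one of the report's scripts: automated version of the
# manual nslookup and Portqry checks for a domain controller.
param(
    # Assumed target and port list: the TCP ports opened by the report's Main_DC.ps1 rules
    [string]$Target = 'dc',
    [int[]]$TcpPorts = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269, 3389, 9389),
    [int]$TimeoutMs = 2000   # constructed value; long enough for a LAN, short enough to notice a drop
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect lets us apply our own timeout; the synchronous Connect does not.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # Neither SYN-ACK nor RST inside the timeout: the pattern a firewall drop produces.
            return 'Filtered'
        }
        $client.EndConnect($async)   # throws SocketException if the host actively refused
        return 'Listening'
    } catch [System.Net.Sockets.SocketException] {
        # Reachable host, but nothing bound to the port (connection refused).
        return 'NotListening'
    } finally {
        $client.Close()
    }
}

# Name resolution check: what the manual ping-by-name and nslookup tests verify.
$addresses = [System.Net.Dns]::GetHostAddresses($Target) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
if (-not $addresses) { throw "DNS resolution of '$Target' failed" }
Write-Host ("{0} resolves to {1}" -f $Target, ($addresses -join ', '))

$report = foreach ($p in $TcpPorts) {
    New-Object PSObject -Property @{
        Target = $Target
        Port   = $p
        State  = Test-TcpPort -HostName $Target -Port $p -TimeoutMs $TimeoutMs
    }
}
$report | Sort-Object Port | Format-Table Target, Port, State -AutoSize

# Anything other than 'Listening' deserves a look: 'Filtered' usually means a missing
# or disabled rule, 'NotListening' usually means the service itself is not running.
$report | Where-Object { $_.State -ne 'Listening' } | ForEach-Object {
    Write-Warning ("{0}:{1} is {2}" -f $_.Target, $_.Port, $_.State)
}
```

Run it from client1 after Main_DC.ps1 and the table should show every port as Listening; disabling the port 88 or port 445 rule on DC, as the Kerberos and SMB tests above do by hand, makes that one port come back as Filtered within the timeout.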
Testing the domain replication process
I continue by testing the replication process in the domain after the domain controller has been implemented with the firewall. I will use another controller named DC2 to perform this check.
On DC2, I open cmd.exe. I then execute the following command:
C:\Users\Administrator> repadmin /syncall /AdeP
[19] https://www.microsoft.com/en-us/download/details.aspx?id=24009
This command forces replication from this domain controller to all of the other domain controllers. The syncing domain controller will basically sync the forest DNS zone, domain DNS zone, schema, configuration and other partitions. The replication results are all shown as successful.
Although the replication was shown as successful, I recheck with the following command:
C:\Users\Administrator> repadmin /showrepl dc
The result is successful. All of the replication is fine as well.
I perform the same actions the other way round, that is, executing those commands from the DC controller to check replication to DC2. The result is successful.
Citrix VDA
I continue my test in Origio's Citrix environment. The test server is a Citrix agent with WinRM enabled. The execution server is the remoting server. I perform the following command:
PS C:\> .\Xenapp65-test.ps1
Notice that inside my “Xenapp65-test.ps1” there is the following script:
#Enable firewall
.\Firewall.ps1 enable xenapp65-test
#Disable default rules
.\Disablerules.ps1 xenapp65-test
#Basic rules in the domain
.\Addrules.ps1 xenapp65-test 6 135, 445, 3389, 1550, 1551, 30523, 5985, 49152-65535
.\Addrules.ps1 xenapp65-test 17 445, 123, 15000, 500, 4500, 49152-65535
#Rules for Citrix VDA
.\Addrules.ps1 xenapp65-test 6 1494, 2598, 2512, 2513
.\Addrules.ps1 xenapp65-test 17 16500
#Enable pinging
.\Enableping.ps1 xenapp65-test
The following table describes the testing requirements as well as the results from the test:
Table 17: Summary of the test and results in the Citrix server
Requirement | Testing method | Result
Remote clients can connect to the server as normal using Citrix Receiver (log in). | Using a Citrix Receiver, acting as a client, and connecting to the Xenapp65-test server. | Success
Connection to the Kaspersky Antivirus server should be successful. The server should communicate well with the antivirus server. | Checking the connection in Kaspersky Security Center and the Kaspersky Network Agent running on the server. | Success
Access to shared drives and folders in the domain should be successful. | Accessing shared drives and folders in different locations. | Success
Clients should be able to perform basic daily operations on the server, such as logging in to Outlook and sending emails, connecting to a printer and printing out a document, and starting Navision and accessing the database. | Opening Outlook, logging in as a user, receiving user information in the domain, receiving mail in the mailbox and sending mail to another user. | Success
(same requirement) | Connecting to a printer in the network and printing out a document. | Success
(same requirement) | Starting Navision and connecting to a database. | Success
Project Conclusion
Hardening the security of a network is an important task; at the same time it is also an arduous task that requires careful consideration. Although I only touch a really small part of the hardening phase by enabling the local firewall on the machines, it takes a lot of time and effort to get the final result. The hardening process requires a wide range of academic and technical knowledge to be done successfully. It also requires wide knowledge of network protocols as well as their ports to fully limit the security threats. In addition, an appropriate implementation method should also be well defined and taken into consideration regarding its simplicity and scalability.
Following the completion of the project, I have reached my original goals, which include:
- Defining the minimum ports needed for a type of server in the domain
- Conducting the port exploration process on most of the active servers at Origio
- Defining additional ports needed after the process
- Creating PowerShell scripts as an implementation method
- Testing for full functionality
- Creating the documentation for future reference.
The results of the project are a real joy for me. Although there should be more testing and proof from more server types, the initial results have shown that this is the right direction I am following. As also mentioned in an earlier section, my implementation method still needs some improvement regarding the error handling, recovery and automation aspects. My testing method also needs to be applied to a wider range of servers to fully prove that my assessment and findings are correct, that it will work after the implementation with only the minimum ports allowed to receive connections.
I have indeed gained a lot of new knowledge in the project. I have learnt to work closely with the Windows Firewall and got in-depth knowledge of how the firewall works. I had a chance to learn more new application layer protocols and protocols of other layers, and got practical experience interacting with them. In addition, I worked with a lot of tools for discovering open ports on a machine. I learnt a new and useful scripting language that I can use further in the future, and had the opportunity to improve my programming skills. Besides the technical knowledge that I've gained, I also improved my personal skills in how to plan and conduct a professional project. It should be considered widely and practically in several aspects.
During the project, I faced many problems. One of them was that I lacked the permission to perform what I wanted. During the process of port exploration, I did not have permission to log in to many servers to explore the ports. One solution was to get Origio's administrators to perform the commands for me and return the results to me. This solution does not work 100%, as it makes me very dependent on the administrators: when I need to inspect something immediately, I need to contact them, explain to them what the problem is, and if they agree on the actions they will do it. This not only makes the process of port exploration difficult but also affects my assessment of opening or blocking ports a lot. The other problem is when I need to find documentation for a specific port. I need to read many references on the Internet, some of them conflict with each other and I have to decide what to do. It is also difficult to find information about some rare ports and programs.
Although effort has been made in this project, it still needs many improvements. I am willing to take any comments and recommendations from the readers to make it better. From there I can gain more experience for future projects.
References
Computer Networking A Top Down Approach 6th edition, James F.Kurose, Keith W.Ross
Microsoft Training Kit: Configuring Windows Server 2008 Active Directory
Learn Windows PowerShell 3 in a Month of Lunches – Jones Jeffrey Hicks
Tools used:
https://msdn.microsoft.com/en-us/powershell/scripting/powershell-scripting
https://technet.microsoft.com/en-us/library/bb490715.aspx
https://en.wikipedia.org/wiki/Netstat
https://technet.microsoft.com/en-us/library/bb490715.aspx?f=255&MSPPError=-2147217396
https://en.wikipedia.org/wiki/Task_Manager_(Windows)
https://en.wikipedia.org/wiki/Resource_Monitor
https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx
https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/ise/introducing-thewindows-powershell-ise
The netstat command:
https://support.microsoft.com/en-us/kb/137984
http://superuser.com/questions/661188/what-is-in-the-local-address-of-netstat-output
http://unix.stackexchange.com/questions/139938/meaning-of-netstat-local-address-column
https://www.quora.com/What-does-local-address-and-foreign-address-mean-in-the-netstatcommand-result
Remote Procedure call
https://technet.microsoft.com/en-us/library/cc787851(v=ws.10).aspx
https://support.microsoft.com/da-dk/kb/154596
https://msdn.microsoft.com/en-us/library/windows/desktop/aa378642(v=vs.85).aspx
https://blogs.technet.microsoft.com/askds/2007/08/24/dynamic-ports-in-windows-server-2008and-windows-vista-or-how-i-learned-to-stop-worrying-and-love-the-iana/
NetBIOS & Server Message Block
https://technet.microsoft.com/en-us/library/cc940063.aspx
https://support.microsoft.com/en-us/kb/204279
http://superuser.com/questions/694469/difference-between-netbios-and-smb
http://blogs.msmvps.com/acefekay/2013/03/02/do-i-need-netbios/
https://msdn.microsoft.com/en-us/library/aa365233.aspx
http://digitallachance.com/blog/2009/02/should-you-kill-netbios-from-your-network/
https://en.wikipedia.org/wiki/Server_Message_Block
Ports requirements:
https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
https://support.microsoft.com/en-us/kb/832017#bookmark-4
https://support.microsoft.com/en-us/kb/179442
https://technet.microsoft.com/en-us/library/bb727063.aspx
https://technet.microsoft.com/en-us/library/cc783351(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/bb727063.aspx
Exchange 2010
https://technet.microsoft.com/en-us/library/bb331973(v=exchg.160).aspx
https://technet.microsoft.com/en-us/library/bb331973(v=exchg.141).aspx
http://www.aurelp.com/2013/01/19/exchange-2010-network-ports-complete-list/
https://en.wikipedia.org/wiki/Message_submission_agent
https://community.spiceworks.com/topic/598095-difference-between-port-25-and-587
http://help.altn.com/mdaemon/en/default-domain-andservers_ports.htm?zoom_highlightsub=ports
https://technet.microsoft.com/en-us/library/ff943663.aspx
https://technet.microsoft.com/en-us/library/ee332346(v=exchg.141).aspx
https://technet.microsoft.com/da-dk/library/ff963524(v=exchg.141).aspx
Firewall
https://technet.microsoft.com/en-us/library/ms345310(v=sql.100).aspx
https://support.microsoft.com/en-us/kb/154596
http://security.stackexchange.com/questions/13141/what-specifically-does-the-windows-firewall-do
Domain Name System and DNS cache poisoning
https://www.experts-exchange.com/questions/23558272/DNS-listening-on-too-many-ports.html
https://technet.microsoft.com/library/security/ms08-037
https://technet.microsoft.com/en-us/library/dd197515(v=ws.10).aspx
http://www.networkworld.com/article/2231682/cisco-subnet/cisco-subnet-allow-both-tcp-and-udp-port-53-to-your-dns-servers.html
https://people.eecs.berkeley.edu/~daw/teaching/cs261-f09/reading/matasano-kaminsky-dnsforgery.html
http://www.networkworld.com/article/2277316/tech-primers/tech-primers-how-dns-cache-poisoning-works.html
https://technet.microsoft.com/en-us/library/ee649174(v=ws.10).aspx
IAS, NPS, RADIUS
https://technet.microsoft.com/en-us/library/cc730852(v=ws.10).aspx
https://msdn.microsoft.com/en-us/library/bb742384.aspx#XSLTsection125121120120
https://technet.microsoft.com/en-us/library/cc737273(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/dd197605(v=ws.10).aspx
https://en.wikipedia.org/wiki/Internet_Authentication_Service
ADWS - Active Directory Web Services
https://technet.microsoft.com/en-us/library/dd391908(v=ws.10).aspx
Windows Remote Management
https://msdn.microsoft.com/en-us/library/aa384291(v=vs.85).aspx
https://morgansimonsen.com/2009/12/10/winrm-and-tcp-ports/
Kerberos change set password
https://blogs.technet.microsoft.com/askds/2011/09/30/friday-mail-sack-super-slo-mo-edition/#password
IPsec and NAT-T
https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec
Kaspersky
http://www.boostbyreason.com/resource-file-12757-klnagent-exe.aspx
https://support.kaspersky.com/9297#block1
LLMNR - Dnscache
https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution
https://blogs.technet.microsoft.com/networking/2010/12/06/disabling-network-discoverynetworkresources/
Lightweight Directory Access Protocol
http://tldp.org/HOWTO/LDAP-HOWTO/howitworks.html
Dynamic Host Configuration Protocol
https://en.wikipedia.org/wiki/DHCPv6
https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol
Remote Desktop Protocol
https://technet.microsoft.com/en-us/library/cc755399(v=ws.10).aspx
Port Mapper & Network File System
https://en.wikipedia.org/wiki/Portmap#Example_portmap_instance
https://support.microsoft.com/en-us/kb/883105
https://technet.microsoft.com/en-us/library/jj574143(v=ws.11).aspx#BKMK_deploy
Simple Mail Transfer Protocol & ESMTP
https://en.wikipedia.org/wiki/Extended_SMTP
SQL
https://msdn.microsoft.com/en-us/library/cc646023(v=sql.110).aspx
https://msdn.microsoft.com/en-us/library/ms174937.aspx
TFTP
https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
Simple Network Management Protocol
https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
SharePoint
https://technet.microsoft.com/en-us/library/cc262849.aspx
https://support.microsoft.com/en-us/kb/178517
https://msdn.microsoft.com/en-us/library/ms711472(v=vs.85).aspx
https://blog.blksthl.com/2013/02/21/tcpip-ports-of-sharepoint-2013/
http://technicaltrix.blogspot.dk/2014/07/sharepointproject-server-firewall-port.html
https://technet.microsoft.com/en-us/library/cc770678(v=ws.10).aspx
https://blogs.msdn.microsoft.com/johnbreakwell/2008/04/29/clear-the-way-msmq-coming-through/
https://msdn.microsoft.com/en-us/library/office/dn467936.aspx
SMS2
http://www.wrightccs.com/support/documentation/
http://euc.consulting/blog/netscaler-gateway-dual-factor-authentication-using-sms2/
UniFi
https://community.ubnt.com/t5/UniFi-Video/Change-ports-in-Unifi-Video-3-1-1/td-p/1224524
https://community.ubnt.com/t5/EdgeMAX/Disable-udp-broadcasts-to-port-10001/td-p/471753
https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used
Veeam Backup Tool
https://www.veeam.com/kb1518
PowerShell Script Creation
http://stackoverflow.com/questions/15262426/where-is-powershell-netsecurity-module
http://superuser.com/questions/921663/how-to-add-delete-rules-in-windows-firewall
https://blogs.technet.microsoft.com/jamesone/2009/02/17/how-to-manage-the-windows-firewall-settings-with-powershell/
https://blogs.msdn.microsoft.com/tomholl/2010/11/07/adding-a-windows-firewall-rule-using-powershell/ (Add ports)
https://social.technet.microsoft.com/wiki/contents/articles/1650.adding-an-application-rule-to-the-windows-firewall-with-powershell-en-us.aspx (Add ports)
https://richardspowershellblog.wordpress.com/2009/08/30/enable-ping/ (Enable Ping)
http://www.happysysadm.com/2013/03/disabling-windows-firewall-in-powershell.html (Disable rules)
https://gist.github.com/ig0774/1068598
https://bitbucket.org/splatteredbits/carbon/src/936df054fbbc558541f62110f51ac3482cb482fc/Carbon/DscResources/Carbon_FirewallRule/Carbon_FirewallRule.psm1?at=default&fileviewer=file-view-default
https://blogs.technet.microsoft.com/heyscriptingguy/2010/07/03/hey-scripting-guy-weekend-scripter-how-to-retrieve-enabled-windows-firewall-rules/ (Retrieve enabled rules)
http://carlwebster.com/listing-windows-firewall-rules-using-microsoft-powershell/ (List rules)
http://www.computerperformance.co.uk/powershell/powershell_invoke.htm (Invoke)
http://stackoverflow.com/questions/4225748/how-do-i-pass-named-parameters-with-invoke-command (Invoke command parameters)
Domain Replication
https://social.technet.microsoft.com/Forums/en-US/2832ab54-15f0-4c8c-9909-b23ca2a54108/would-like-to-force-replication-imediately-to-all-domain-controller-in-the-domain-by-command?forum=winserverDS
https://technet.microsoft.com/en-us/library/cc794749(v=ws.10).aspx
Appendixes
1. ACL – Access Control List
2. AD – Active Directory
3. ADDS – Active Directory Domain Services
4. ADWS – Active Directory Web Services
5. ASA – Adaptive Security Appliance
6. DC – Domain Controller
7. DDOS – Distributed Denial of Service
8. DHCP – Dynamic Host Configuration Protocol
9. DNS – Domain Name System
10. EPM – End Point Mapper
11. ESMTP – Extended Simple Mail Transfer Protocol
12. FTP – File Transfer Protocol
13. GC – Global Catalog
14. GPO – Group Policy Object
15. HTTP – Hyper Text Transfer Protocol
16. HTTPS – Hyper Text Transfer Protocol over SSL
17. ICA – Independent Computing Architecture
18. ICMP – Internet Control Message Protocol
19. IDS – Intrusion Detection System
20. IIS – Internet Information Services
21. IKE – Internet Key Exchange
22. IMA – Independent Management Architecture
23. IMAP – Internet Message Access Protocol
24. IMAPS – Internet Message Access Protocol over SSL
25. IPC – Inter-Process Communication
26. IPS – Intrusion Prevention System
27. IPv4 – Internet Protocol version 4
28. IPv6 – Internet Protocol version 6
29. ISE – Integrated Scripting Environment
30. KDC – Key Distribution Center
31. LDAP – Lightweight Directory Access Protocol
32. LDAPS – Lightweight Directory Access Protocol over SSL
33. LLMNR – Link-Local Multicast Name Resolution
34. NAT – Network Address Translation
35. NBT – NetBIOS over TCP/IP
36. NFS – Network File System
37. NTP – Network Time Protocol
38. OSI – Open Systems Interconnection
39. PID – Process Identifier
40. POP3 – Post Office Protocol version 3
41. POP3S – Post Office Protocol version 3 over SSL
42. RADIUS – Remote Authentication Dial-In User Service
43. RDP – Remote Desktop Protocol
44. RPC – Remote Procedure Call
45. SA – Security Association
46. SMB – Server Message Block
47. SMTP – Simple Mail Transfer Protocol
48. SNMP – Simple Network Management Protocol
49. TCP – Transmission Control Protocol
50. TFTP – Trivial File Transfer Protocol
51. TGT – Ticket Granting Ticket
52. TTL – Time to Live
53. UDP – User Datagram Protocol
54. UUID – Universally Unique Identifier
55. VDA – Virtual Delivery Agent
56. VPN – Virtual Private Network
57. WCF – Windows Communication Foundation
58. WinRM – Windows Remote Management
Project timeline:

Date            Tasks
24/10 - 30/10   Brain-storming the project design and all aspects of the implementation process
                Define, assess and decide the tools to be used
                Define, assess and decide the implementation methods
31/10 - 3/11    Start the project by testing and using the tools; work out which tool will eventually be used
4/11 - 10/11    Start to find documentation about the minimum ports required in the domain
                Define the minimum ports required in the domain
11/11 - 17/11   Start the port inventory process on critical servers
                Document the findings and the problems
18/11 - 23/11   Port inventory on less critical servers, and document it
23/11 - 25/11   Start to find resources about PowerShell and set up the testing environment
26/11 - 5/12    Make firewall scripts for the implementation phase
                Testing occurs along the way
6/11 - 13/12    Testing in the VMware environment
                Testing in Citrix VDA at Origio
14/12 - 16/12   Final project report documentation
                Final project report editing
                Final project hand-in