Hey Guys - I need some information to help further my education please.
After reading about PrivateFirewall which has just been made freeware I got all enthused and decided to pop over to the GRC site to see how the standard Windows Firewall tubbed up. Actually it did very well but I was told that port 80 is open for incoming traffic and shouldn't be. Apparently it should only be open for outgoing, or for incoming only if one is running a local server.
Now I checked some of the Windows services which, according to tech help web sites, apparently use port 80 but none of them are running on my machine. I then accessed the Windows firewall with advanced security and looked down the list of incoming rules for anything using port 80. I found two identical entries..'Windows Remote Management (HTTP-In) set to 'allow' access.
Okay so my questions are;
1) Is it really that bad to have port 80 open for incoming traffic...I mean, I've had it that way for yonks (unbeknown of course) and haven't suffered any ill effects?
2) What is Windows Remote Management? and
3) If I delete those two rules or change the status to 'disallow' will that have any negative impact? and
4) If no negative impact would ensue is that then an advisable course of action?
5) Is any of this related to the settings in the router?
As you can tell, my knowledge in this area is somewhat limited...any enlightenment will be very much appreciated!!
August 11, 2011
Port 80 is no different than any other port so far as being vulnerable to attack. Port 80 is best known for hosting http traffic, but you can do that on any port, and you can have any other program listen on port 80.
The attack vulnerabilities come in when you are running http traffic through port 80. The attacks are geared toward the "most likely" -- and the de facto standard for http / web traffic is port 80. So..choosing to run your FTP server on port 80 limits the kinds of attacks you will be subject to. Your FTP server will ignore all http requests.
So...that said your questions:
1) On your local computer, probably doesn't matter much. On your router, it can get sticky. If you're forwarding port 80 then whatever you're forwarding to needs to be inspecting the traffic it receives on that port. If your router hosts its admin function on port 80....well, I don't leave it there. I don't think that makes it any more vulnerable, just easier to find (so be SURE to change your default password).
2) According to Microsoft -- [url=http://msdn.microsoft.com/en-us/library/aa384291(VS.85).aspx:3aqw3pmm]Windows Remote Management is one component of the Windows Hardware Management features that manage server hardware locally and remotely.[/url:3aqw3pmm] ([url=http://www.blackviper.com/WinVista/Services/Windows_Remote_Management_(WS_Management).htm:3aqw3pmm]here's[/url:3aqw3pmm]a normal explanation) What this means....it allows your computer (with proper authentication) to be remotely managed.
3) Changing their status will prevent your computer from being remotely managed. Either by you from another network connected machine, by Microsoft during support calls (I imagine they use this, why else have it?) or by hackers (unlikely as your router should be blocking these requests anyway, but included for completeness). Worst case, you disallow it. Something stops working, you reallow it.
4) My philosophy is to secure the network as a whole, and keep most of the security from impacting the local desktop. My router and proxy server serve as the guardians of my network. They do all the filtering/firewalling/destruction necessary before my local computers even see the big bad internet. As such, I tend not to run firewalls at all on my home computers. Exceptions being laptops when they leave the house.
5) The only relation to the router is that if the router does not allow the traffic through, then the traffic will not get to the local computer. To hack your computer, you either have to initiate something (open an application that tunnels through the Internet via allowed paths), or someone has to hack your router first.
and that's a long post. :/ Sorry.
Hey thanks Zig....Long post??...No way!!! Thanks for taking the time to submit such a terrific explanation.
A couple more questions mate...hope you don't mind.
I'm still a tad shaky on the relationship between the router and the computer. If ports are closed on the router (which I am assuming is the case) and an application requests a specific port be opened, the Windows Firewall (in my case) will open that port [i:1eh0j7my]but[/i:1eh0j7my] how does that port then get opened in the router? Shouldn't it remain closed in the router until I change something there also?
I've been right through my router settings (TP-Link W8920G) and can't find anything which mentions specific ports at all. How can I tell which port is hosting the admin function?
I don't have any port forwarding entries and I have already changed the default router access password to a very strong one.
Thanks again Zig...much appreciated,
August 11, 2011
The best way I can think of to describe the relationship between router and computer is to equate it to a night club. Imagine your network as a nightclub, your computer as the open bar, and the router as the bouncer standing outside. Your bouncer has a list of everyone allowed into the nightclub from outside (VPN Tunneling), but ignores any and everything that goes on inside. He doesn't care. If you're in the nightclub, you're allowed to be there. If you're not, you have to be on his list. The bouncer's other list though, contains a list of publicly available drinks. Someone walks up to him, asks for a drink, if it's on the list you're served the drink. If it's not, you're escorted off the premises. (open ports on the router).
Inside the club, people can move about freely. The bar has a list of approved drinks (open ports on your computer). Anyone in the club can ask for any drink, only those on the approved list will get served. The bar can choose to allow everything and anything to the people in the nightclub, but instruct the bouncer to only serve one drink.
OK, the analogy breaks down easily, but I hope it simplified it for you.
The router should have an admin screen. I'd imagine it's where you set your password and there will be an option for remote Management. The IP address should be listed there.
September 17, 2008
You might want to try out this location http://www.grc.com Then once there click onto the ShieldsUp! link (but don't get confused with the opeming page which talks about SpinRite and this program). You need to scroll down to run through this program online. It will open your eyes to your port security. Enjoy, Mindblower!
"Light travels faster than sound;
That is why some people seem bright until you hear them speak"
Most Users Ever Online: 188
Currently Browsing this Page:
Guest Posters: 10
Administrators: Jim Hillier, Richard Pedersen, David Hartsock, Marc Thomas
Moderators: Judy Novotny, Jason Shuffield, Mail Poet