Firewall Wizards mailing list archives

Re: Outlook Web Access - Paranoid?


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 29 Nov 2002 01:08:19 +0100


Christopher Lee wrote:

> While the number of RPC ports one must open to allow OWA (or any MS DCOM apps)
> to work is insane, that doesn't mean you have to open them manually.  Check Point
> firewall (for example) has the smarts to be able to open them dynamically as
> needed.  This way, unless the intruder is able to forge the same DCOM/RPC
> communications, the exposure is not all that bad...

Ah, yes, and such mechanisms are of course entirely impossible to fool 
into opening up arbitrary ports of the attacker's choice. </sarcasm>

Fortunately, the set of RPC ports used can be reduced. And, quite 
frankly, if I have to do RPC through a firewall (yuck, argh, ptooiiee),
I'd rather have a manageable small set of static holes open than
some Black Magic figuring it out for me.

More info about this at:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q154596
"HOWTO: Configure RPC Dynamic Port Allocation to Work with Firewall"

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com