Windows firewall port question
Hi!
I have 2 servers (Win 2008 R2) with AD, DNS, File Server and DHCP roles. I have enabled Windows Firewall with Advanced Security to protect both DCs from internal attacks. I know that when enabling a role,
the corresponding rules in the firewall are being enabled.
My first question is: enabling these rules (specific ports), what happens with the rest of the ports? Are they kind of closed and can't be used for attacks, or should I create new rules
and block them, which would take a lot of time?
Second: I used nmap (Zenmap GUI) to see what ports are open. I scanned the 1st server from the second one. It showed that FTP - port 21 is opened. The same from workstations (Win XP).
I blocked port 21 by creating a new rule, but it still showed up as open. How to explain this? I also used TCPView to see what is going on... didn't see it there. Also tried the netstat command.
May 19th, 2011 12:19pm
Using port 21, a client computer can establish a control connection with the FTP server.
Proceed like that:
Open ports 21 and 20 and then check that a client computer is able to connect to the FTP server.
Block port 21 and check whether the client computer is able to connect to the FTP server or not. If not, then all is okay.
AFAIK, if you open ports that you need then other ports are by default blocked.
To check which ports are opened, you can use Netstat: http://technet.microsoft.com/en-us/library/bb490947.aspx
Needed ports for AD replication: http://technet.microsoft.com/en-us/library/bb727063.aspx
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
May 19th, 2011 2:10pm
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\dacep>ftp 172.16.0.3
Connected to 172.16.0.3.
Connection closed by remote host.
It happens after ~15 seconds. Is it ok? Same situation with blocked/opened ports.
P.S.
There is no ftp server installed.
May 19th, 2011 2:38pm
Please post the output of netstat -a before and after blocking the port.
May 19th, 2011 2:52pm
http://cid-76f5afb8cc7d3640.office.live.com/self.aspx/Logs^_DCs/allowed.txt
http://cid-76f5afb8cc7d3640.office.live.com/self.aspx/Logs^_DCs/blocked.txt
May 19th, 2011 3:03pm
In both outputs, I don't see the server listening on port 21.
May 19th, 2011 3:12pm
So it's perfectly fine, right? Just can't figure out why it shows in two different port scanners...
May 19th, 2011 3:14pm
Possibly something wrong with them.
As I see the client computer is unable to open a connection as it is getting blocked.
Also, I don't see from the output of the command I suggested that port 21 is under LISTENING state.
May 19th, 2011 3:19pm
Any ideas why it is happening?
May 19th, 2011 3:29pm
You have to check which configuration you have made, as in both cases I don't see the server listening on port 21.
May 19th, 2011 3:32pm
I tried every possible configuration. Used TCPView to monitor ports during the FTP connection from the workstation. Nothing.... I even turned the FW off - nothing. Could it be because I'm using VMs?
May 19th, 2011 3:47pm
Hi Customer,
Please use PortQry utility to query your server/VM port 21:
portqry -n <servername> -e 21
PortQry version 2.0
http://support.microsoft.com/kb/832919
Regards,
Rick Tan
May 20th, 2011 3:38am
Thanks!
Querying locally - it showed NOT LISTENING (with allowed and blocked ports).
When I tried to do with second server from the 1st one it said:
C:\porty>portqry -n server2008rep -e 21
Querying target system called:
server2008rep
Attempting to resolve name to IP address...
Name resolved to 172.16.0.4
querying...
TCP port 21 (ftp service): LISTENING
Port did not return extended data - request timed out
...this showed up in both cases.. blocked and allowed.
Is it ok? Weird thing is that this port is LISTENING even though it's blocked.
To block ports I added new rule in INBOUND section. Now I tried to do the same at OUTBOUND section. This is what came up:
C:\porty>portqry -n server2008rep -e 21
Querying target system called:
server2008rep
Attempting to resolve name to IP address...
Name resolved to 172.16.0.4
querying...
Error opening socket: 10013
A Winsock error has been encountered.
May 20th, 2011 4:46am
Using port 21, a client computer can establish a control connection
with the FTP server.
Yes, but it sounds like he doesn't want to open port 21; so, I think
he'd better check if there's a built-in rule for the IIS FTP service
and, if so, disable that rule; such a thing would, in effect, block
access to port 21
* Open port 21 and 20 and then check
there's no need to open port 20, that one is NEVER used for
incoming connections but only as the source port for data
transfers, so, as long as outbound traffic from the server's
port 20/tcp to whatever client dynamic port won't be blocked
the regular (not PASV) FTP will work
That said; enabling the firewall and setting it to block incoming
traffic which doesn't match a rule means that if there's no rule
allowing some given traffic (on given ports) to come in, it will be
blocked which, in turn means that ports will be by default closed
(filtered) except the ones allowed by rules
May 20th, 2011 4:55am
When I tried to do with second server from the 1st one it said:
just in case; run the following at each server cmdprompt
netstat -oan|find ":21 "
and check if the command will output a line telling you that
the port 21 is, in effect, listening; if that is the case, use the
process ID to find which process is holding the port; if not
and if you still see that "connection", then it may be due
to some s/w or h/w sitting behind the boxes (e.g. it may
be due to a transparent proxy intercepting connection
requests to port 21, accepting them but then dropping
them as soon as the real host refuses the connection)
May 20th, 2011 4:58am
there was no output after netstat -oan|find ":21 "
May 20th, 2011 6:22am
there were no output after netstat -oan|find ":21 "
which means that there's nothing listening on port 21
now, given that your "portscan" shown it as "open"
this mean that there's something else "intercepting"
such connections "on the path" but not knowing how
your infrastructure is set up and which s/w and h/w
you've around it's difficult to tell what's causing such
a behaviour; here are some bets
* A "transparent proxy" intercepting FTP connection
requests, accepting them and then carrying over
the connection to the real server (if the latter fails
the local connection will be dropped too)
* Some AV software doing the same as above
* A router exposing port 21 but not offering service
...
May 20th, 2011 6:40am
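The "something on the path is intercepting port 21" explanation above can be tested from the client side. The following is an added example, not code from the original thread: a small Python probe that does what nmap and portqry do (complete the TCP handshake) and then does what ftp.exe does (wait for the server to speak), so the two views can be compared. All three targets are constructed stand-ins listening on 127.0.0.1 so the script runs offline; the host, the ephemeral ports and the "220 example FTP server ready" greeting are assumptions, and the `interceptor` handler only imitates a transparent proxy or AV hook that accepts the connection and then drops it when the real host refuses.

```python
"""Probe a TCP port the way a scanner sees it, then the way a client sees it.

Added example (not from the thread).  Three constructed cases on loopback:
  * nothing bound to the port           -> connect is refused,
  * a real service that speaks first    -> an FTP-style 220 greeting,
  * an "interceptor" (proxy / AV hook)  -> handshake completes, no data,
                                           connection dropped shortly after.
A SYN scan reports the last two identically as "open"; only reading from the
socket tells them apart.  That is the ftp.exe symptom in the thread:
"Connected to ... / Connection closed by remote host" with nothing listening.
"""
import socket
import threading
import time

HOST = "127.0.0.1"  # assumption: everything runs on loopback


def serve(handler):
    """Start a tiny TCP listener on an ephemeral loopback port; return the port.

    Each accepted connection is passed to handler(conn) and closed when the
    handler returns.  Stand-in for a real host or middlebox.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                handler(conn)

    threading.Thread(target=loop, daemon=True).start()
    return port


def ftp_like_service(conn):
    """A real server: greets the client first, then waits for it to hang up."""
    conn.sendall(b"220 example FTP server ready\r\n")  # constructed banner
    conn.settimeout(2.0)
    try:
        conn.recv(1)  # returns b"" when the client closes
    except OSError:
        pass


def interceptor(conn):
    """Imitates a transparent proxy: accepts, says nothing, then drops the
    connection once its own attempt to reach the real port 21 fails."""
    time.sleep(0.2)  # stands in for the proxy's failed upstream connect


def probe(host, port, timeout=2.0):
    """Classify a port as a client experiences it.

    'closed'            SYN answered with RST: nothing bound to the port
    'filtered'          no answer: a firewall is dropping the SYN
    'open-banner:<txt>' handshake done and the service sent a greeting
    'open-silent'       handshake done, peer quiet for `timeout` seconds
    'open-no-service'   handshake done, then closed/reset without a byte
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed"
    except socket.timeout:
        s.close()
        return "filtered"
    # From here on nmap says "open" and portqry says "LISTENING": the
    # three-way handshake completed.  Reading decides whether a service is there.
    with s:
        try:
            data = s.recv(256)
        except socket.timeout:
            return "open-silent"
        except ConnectionResetError:
            return "open-no-service"
    if data:
        first_line = data.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
        return "open-banner:" + first_line
    return "open-no-service"  # EOF without a greeting: accepted, then dropped


def unused_port():
    """Pick a loopback port with nothing listening (the constructed 'closed' case)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((HOST, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe the three constructed cases and return {case: verdict}."""
    return {
        "nothing-listening": probe(HOST, unused_port()),
        "real-ftp-service": probe(HOST, serve(ftp_like_service)),
        "interceptor": probe(HOST, serve(interceptor)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} -> {verdict}")
```

Run against a real target the probe complements the host-side check given in the thread: if `probe(server, 21)` returns `open-no-service` while `netstat -oan | find ":21 "` on that server prints nothing, the handshake is being completed by something between the client and the server, not by the server itself. A `filtered` result is what a correctly working inbound block rule looks like from the outside.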
ok, F it. thanks. I have set it on VMs and I have PC Tools AV. Maybe it has something to do with it.
May 20th, 2011 6:43am
ok, F it. thanks. I have set it on VMs and I
have PC Tools AV. Maybe it has something
to do with it.
I see, well, if possible, post back here when you'll find
the reason for such a behaviour since that may be of
help for other experiencing your same issue
thanks
May 20th, 2011 6:54am
ok, I will if..
Could not find much info on the net too. same result everywhere....
May 20th, 2011 6:57am