Windows Vista Tips


Re: How do you block port 25 on workstations via SBS 2008/Group Policy?

 
 
James Hurrell

 
      08-06-2010
On 06/08/2010 11:29, eggedd2k wrote:
> I have recently read that a best practice on the network was to block
> port 25 on all workstations that connect to the exchange box. The
> exchange server should be the only computer allowing smtp port 25
> traffic, therefore reducing the chance of a mass-mailing worm to do
> its magic on a workstation, invoke its own smtp service, and send out
> spam. Workstations would still be allowed to send out mail via
> Exchange and Outlook, but no port 25 traffic on the individual
> machines
>
> My domain controller is SBS 2008 with Exchange 2007. The client
> workstations are mostly XP with a couple of Windows 7 systems.
>
> There's the Security section within the SBS Console however I can't
> figure out how to put a block on all workstations from sending port 25
> outbound traffic.
>
> Can anyone help?


Why don't you do this at your edge firewall device? Block the network's
entire IP address range for outbound from any port to port 25 outbound
and then specifically allow only the SBS IP address to make outgoing
SMTP connections...
 
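The edge-firewall approach suggested above, as an added example that is not part of the original thread: a first-match egress rule set that lets only the SBS make outbound SMTP connections, applied to firewall log lines to list workstations that tried to send mail directly. The LAN range, SBS address, log format and function names are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed addressing (not from the thread): LAN 192.168.16.0/24, SBS at .2.
LAN = ipaddress.ip_network("192.168.16.0/24")
SBS = ipaddress.ip_address("192.168.16.2")

# First-match rules: (action, source network, destination port or None for any).
# The specific allow must sit above the range-wide block, or the SBS is blocked too.
RULES = [
    ("allow", ipaddress.ip_network(f"{SBS}/32"), 25),
    ("deny", LAN, 25),
    ("allow", LAN, None),
]

def verdict(src, dport, rules=RULES):
    """Return the action of the first rule matching an outbound connection."""
    addr = ipaddress.ip_address(src)
    for action, net, port in rules:
        if addr in net and port in (None, dport):
            return action
    return "deny"  # nothing matched: default deny

# Hypothetical log layout; adapt the pattern to the firewall actually in use.
LINE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP .*?DPT=(\d+)")

def blocked_smtp_sources(log_lines, rules=RULES):
    """Count outbound port-25 attempts per source that the rule set denies."""
    hits = Counter()
    for line in log_lines:
        m = LINE.search(line)
        if not m:
            continue
        src, dport = m.group(1), int(m.group(3))
        if dport == 25 and verdict(src, dport, rules) == "deny":
            hits[src] += 1
    return hits

# Constructed sample log lines (destinations are documentation-range addresses).
SAMPLE = [
    "OUT SRC=192.168.16.2 DST=203.0.113.10 PROTO=TCP SPT=49200 DPT=25",
    "OUT SRC=192.168.16.57 DST=198.51.100.7 PROTO=TCP SPT=1045 DPT=25",
    "OUT SRC=192.168.16.57 DST=198.51.100.9 PROTO=TCP SPT=1046 DPT=25",
    "OUT SRC=192.168.16.31 DST=203.0.113.80 PROTO=TCP SPT=50111 DPT=443",
]

if __name__ == "__main__":
    for src, n in blocked_smtp_sources(SAMPLE).items():
        print(f"{src}: {n} blocked direct SMTP attempts")
```

A workstation that shows up in this count is trying to reach port 25 outside the network without going through Exchange, which is worth investigating on that machine.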
 
 
 
 
Steve Foster

 
      08-06-2010
eggedd2k wrote:

> I already thought of that however:-
>
> My setup is as follows:
>
>
> Workstations
> ------------------------------------------Switch ------- Webserver
> (win2k rras nat) ------- ISP provided Router/Firewall
> Servers (dc/exchange)
>
>
> As far as I'm aware rras (nat) on win2k doesn't allow blocking of
> individual addresses. Of course the traffic seen by the isp router/
> firewall is that of the webserver only.


RRAS in 2003 certainly lets you do selective access, I'd expect RRAS in
2000 to be similar.

Of course, the bigger question is WTF are you using a Win2000 server as
a NAT device?

I'd be inclined to blow it away, and install Untangle on that hardware
instead, if you want a decent firewall between you and the internet
(and don't want to spend much $$$).

--
Steve Foster
For SSL Certificates, Domains, etc, visit.:
https://netshop.virtual-isp.net
 