
Windows 2008 with native Windows Firewall w/Adv Sec. Using GRC.com's ShieldsUP to probe my system, I find 25 to be open. Since I only use it to send mail from SQL Server (internally), I'd like to close the port to any outside access. I have a firewall rule set to block all local and remote 'Port 25' on all profiles, but ShieldsUP insists it can see 25.

Where do I look next?

thx

justSteve
    If you telnet to port 25 (from the outside), what banner does it show? Are you certain it is connecting to your Windows 2008 server? – Dave Drager Dec 20 '10 at 13:42

2 Answers


You need to be careful about interpreting the ShieldsUP results correctly. For instance, at home I have a single, dynamic IP address from my cable internet provider. I port forward SMTP traffic to my internal email server. If I run ShieldsUP from my workstation, it reports that I have SMTP open. Is that correct? Yes and no. SMTP is open, but not to my workstation, only to my server. ShieldsUP can only report what it finds open via the external IP address, which may not reflect what you actually have open internally, based on your specific configuration.

joeqwerty

Rather than trusting the application you have mentioned, let's investigate for ourselves.
Please open up a command prompt and enter the following command:

netstat -aon | find ":25"

Once this has been done, look for lines which contain :25. If any exist, the application is correct and we need to look more closely at the software running on the box. If not, the software is not accurate.

EDIT

Now you have checked and found a line showing port 25 is in fact open on your machine, we need to see what that process is.

tasklist | find "1856"

This command lists all running tasks on your computer and with the "find" pipeline it can limit the results to the process ID you showed me in your comment.

Bear in mind!

One thing you need to bear in mind is that your server, unless it is on a DMZ/connected directly to the internet or has a NAT port forward on your firewall/router, is invisible to the internet.

Dave, in the comment on your post, has the right idea to test this. Attempt this from home or any network with access to the internet which isn't your own.
Open a command prompt and type the below:

telnet <externalIPaddress> 25

If you get a banner page, make a note of the message you are shown, as this will help us identify which server is set up to receive port 25 from your firewall/router.

Please Note this answer is being updated as more information is being provided

JamesK
  • TCP 0.0.0.0:25 0.0.0.0:0 LISTENING 1856 – justSteve Dec 20 '10 at 16:10
  • Hi Steve, use this command tasklist | find "1856" this will show us which process is running on port 25 – JamesK Dec 20 '10 at 17:06
  • Whilst re-reading your question. Your internal server should be safe from outside world access, providing you do not have a NAT rule on your firewall/router directing outside traffic to said server! (Unless you are in a DMZ) – JamesK Dec 20 '10 at 17:14
  • tasklist | find "1856" responds with inetinfo.exe - thx for the ease of mind explan – justSteve Dec 20 '10 at 18:36
  • OK, so inetinfo.exe is related to IIS. I assume you have the SMTP option enabled for IIS, which is what is causing your application to report that port 25 is open. If you take a look at my answer's last paragraph, it explains that you should not worry unless you have one of the items I mention. I hope this has helped you. If you're happy with my answer please accept it; if not, ask away for the information you require. – JamesK Dec 21 '10 at 09:19
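
Added example (not part of the original answers or comments): a Python parser for saved `netstat -aon` output that matches the port exactly, because a substring filter such as `find ":25"` also hits `:2525` and outbound connections to a remote `:25`, and that reports whether each listener is bound to all interfaces or to loopback only. Only the `0.0.0.0:25` / PID 1856 row comes from the thread; the other sample rows and the function name `listeners` are constructed for illustration.

```python
import re

# Constructed sample of `netstat -aon` output. Only the 0.0.0.0:25 row
# (PID 1856) is taken from the thread; every other row is made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1856
  TCP    0.0.0.0:2525           0.0.0.0:0              LISTENING       2200
  TCP    127.0.0.1:25           0.0.0.0:0              LISTENING       3100
  TCP    192.168.1.10:49200     203.0.113.5:25         ESTABLISHED     1856
  TCP    [::]:25                [::]:0                 LISTENING       1856
  UDP    0.0.0.0:250            *:*                                    900
"""

# Proto, local addr:port, foreign addr, state LISTENING, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
LOOPBACK = ("127.", "[::1]")


def listeners(netstat_text, port):
    """Return [(local_address, pid, scope)] for TCP sockets listening on exactly `port`."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or int(m.group(2)) != port:
            continue  # skips :2525, UDP rows and ESTABLISHED connections
        addr, pid = m.group(1), int(m.group(3))
        if addr in ("0.0.0.0", "[::]"):
            scope = "all interfaces"   # reachable from any network the host is on
        elif addr.startswith(LOOPBACK):
            scope = "loopback only"    # never reachable from another machine
        else:
            scope = "single interface"
        found.append((addr, pid, scope))
    return found


if __name__ == "__main__":
    for addr, pid, scope in listeners(SAMPLE, 25):
        # tasklist /FI "PID eq N" matches the PID exactly, unlike a text search
        print(f'{addr}:25 pid={pid} ({scope}) -> tasklist /FI "PID eq {pid}"')
```

A listener bound to all interfaces is still only reachable from the internet if the perimeter firewall or router forwards port 25 to this host, which is the point both answers make.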