Disabling ports to secure your environment is one of the first things that should be done when setting up your servers or other network-connected devices. Let's think about this for a minute. What is the simplest way that someone is going to find your device to try and attack it? Answer: with a port scan! You could argue that setting your password, or some other setup item, might be the most important, but as far as the network is concerned, you need to lock down the attack vector right away.
A lot of environments will start their setup journey behind a Network Address Translation (NAT) device, which by default provides a level of port protection. If for some reason you're setting up a brand new device with a public IP, keep a network firewall in between so you can block random internet traffic. Sounds obvious, right?
It seems so simple, and really it is. The issue is that people forget. Or worse, an operating system update forces a service to turn on and/or enables a port. When was the last time you reviewed your firewall ports? A lot of people probably never have. The simple thought process is that "it's working". Ask yourself if you really know what's being allowed through the firewall, because I'll bet it will surprise you. The last time I reviewed the Windows firewall on one of my servers, there were all sorts of Xbox connections being allowed, along with odd sharing rules.
Now this brings up a huge security issue that I couldn't believe was happening. After taking a lot of time to go through my firewalls and disable rules that I explicitly wanted disabled, a Windows update went through and ENABLED them again! My monitoring software alerted me to this huge security flaw because I have it monitoring for firewall rules. Could you imagine if you knew 100% that a service had a security flaw, so you blocked it; then during an OS upgrade the developers decided they know better than you and enabled it as part of the update? Well, that's really what happened!
This is why making sure to review the ports you're allowing into your server is very important. It's not just about watching out for what you know about. It's about watching out for what you don't know about. I understand that monitoring a server for all 65,535 ports is not a feasible undertaking, but monitoring your firewall rules is something that can be done. For example, I use Nagios with a custom script to complete the job.
Finally, what about your secure environment? Why disable rules or make sure server ports are locked down when you're behind a network firewall? This is a matter of trust and layers. Disabling the port on the server is only one layer. Blocking the port on the network firewall is another layer. You never know when a bad actor is going to find a flaw in that network firewall which would allow a connection deeper into your network. That flaw could let them forward port 3389 (RDP), for example, without your knowledge. By locking down those ports locally on your server, you create another barrier to the attack vector even if someone gets through.