Open ports.

I recently installed SBS 2000, including ISA 2000 and Exchange 2000, on a client's server and I'm a little concerned about the fact that, according to programs such as "Shields Up" (I do not want to instigate a flame war about the merits of Shields Up however), a number of ports are wide open. The client does run a mail server and uses Outlook Web Access so I presume that certain ports need to be open for their mail to function properly.

My question is: how can I provide the maximum protection for my client and still leave their mail server, etc... functional? I've installed all the patches for ISA and Exchange. The ports that show as "open" on "Shields Up" are 80; 110; 25; and 443. I know what these ports are for. Can I, or do I need to, mask them from the internet? All of these ports were open by default after installing SBS 2000.

I know Microsoft is part of the problem when it comes to security but could the default configuration of ISA be dangerous?

Any help would be greatly appreciated.

Kevin G

Reply to
keving98

When I set up mail servers and web servers for any client I never consider ISA as a viable option - I don't want to trust the OS vendor to protect the system. At the same time I don't want the system directly exposed to the internet for any reason - an attack could significantly slow the machine if nothing else.

You should get a cheap NAT device, they are going to be faster than your internet connection so any NAT device would work. A simple NAT device with only the necessary ports open inbound will prevent a lot of the scans that hit your system - additionally, you can also (on some units) block outbound to destination ports 135~139, 445, and 1433/1434.

As for port 80, if they are not running a web server exposed to the public, disable port 80, or block it at the firewall (router). They should be doing OWA over SSL (443) and not HTTP (80). You don't need 110 open unless you are letting people PULL POP connections from outside - the exchange server does not need 110 to work. So, as far as inbound, you only need 443 and 25 inbound to the server.

If they want to use Outlook instead of OWA from home, set up the ability to VPN into the server and let them access it over the VPN; don't use RPC over HTTP.

Reply to
Leythos
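The inbound/outbound policy described in the reply above (only 25 and 443 inbound, 80 and 110 only when actually needed, block the listed outbound ports), as an added example script that is not from any poster in this thread: it probes a host from outside and classifies each open port against that policy. The function names, the flag names and the sample port set are my own choices.

```python
import socket

# Inbound policy as given in the thread: SMTP (25) and OWA over SSL (443) are
# needed; 80 only for a public web site, 110 only for external POP3 clients.
ALWAYS_NEEDED = {25: "SMTP: inbound mail delivery", 443: "OWA over SSL"}
CONDITIONAL = {80: ("public_web", "plain HTTP; use OWA over 443 instead"),
               110: ("external_pop", "POP3; Exchange does not need it inbound")}
# Outbound destination ports the thread suggests blocking at the NAT device.
OUTBOUND_BLOCK = set(range(135, 140)) | {445, 1433, 1434}


def probe(host, ports, timeout=2.0):
    """Return the subset of `ports` on `host` that accept a TCP connection.
    Run this from outside against your own server to see what is exposed."""
    open_ports = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.add(port)
        except OSError:  # refused, filtered or timed out: treat as closed
            pass
    return open_ports


def audit_inbound(observed, public_web=False, external_pop=False):
    """Map each observed open port to ('keep' | 'close', reason)."""
    flags = {"public_web": public_web, "external_pop": external_pop}
    verdict = {}
    for port in sorted(observed):
        if port in ALWAYS_NEEDED:
            verdict[port] = ("keep", ALWAYS_NEEDED[port])
        elif port in CONDITIONAL:
            flag, note = CONDITIONAL[port]
            verdict[port] = ("keep" if flags[flag] else "close", note)
        else:
            verdict[port] = ("close", "not required for mail/OWA")
    return verdict


def missing_required(observed):
    """Required ports that are NOT reachable (mail would stop arriving)."""
    return sorted(set(ALWAYS_NEEDED) - set(observed))


def outbound_should_block(port):
    return port in OUTBOUND_BLOCK


if __name__ == "__main__":
    # Constructed sample: the four ports the original poster saw open.
    for port, (action, why) in audit_inbound({25, 80, 110, 443}).items():
        print(f"{port:>5}  {action:<5}  {why}")
```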

When I run shields up from my current location I find 25, 80 and 443 open (but not 110 because I don't need it). It's been like that for four years without problems.

That would make it difficult to use Outlook Web Access (you do use SSL for OWA, don't you?). It would also make it difficult to receive incoming email. It is likely that 110 does not need to be open to the Internet.

I would run some more sophisticated tests against that box.

(link) would be a good start.

I don't recommend running Windows 2000 directly on the Internet. Get an external firewall box and port forward 25,80,443 to your Windows 2000 box.

Jason

Reply to
Jason Edwards

Thanks for the help guys. I locked down everything except ports 443 and 25 and I feel much better. I do currently have a NAT device installed but NAT is disabled. The DSL modem I have is a Netopia Cayman 3546 broadband router with a 4 port switch. My "client" is actually 3 clients sharing one office suite. One client (aforementioned) has a domain network; the other two clients are peer-to-peer, connecting to the Cayman router for Web access using their own wireless routers and static IPs (3 distinct networks). The peer-to-peer clients connect to the domain network using VPN to access the domain network's scanner (hence file server) and printers. All clients access their desktops remotely using Remote Administrator. I'm not worried about the wireless routers' security; each router has a built-in firewall and all workstations behind the routers are running a software firewall.

Rather than enable NAT on the Cayman I think I'll go buy an inexpensive NAT device and put it between the Cayman and the domain. It seems like it would be less work and less disruptive. Anyone see any flaws with this logic?

Thanks again for everyone's help.

Kevin G

Reply to
keving98
