We won again!

Great victory for the People - Tax Cut!

Block PC Outbound Connections on Router Level (All but RDP)

This article applies to a scenario, when you already can establish RDP to a machine on your internal network from a remote network.  Now you’ve decided to tighten security screws and close all external access to and from that machine except for RDP on the router level.

Inbound connections to a server you can block easily using firewall on the machine itself.  This article deals with a situation, when you need to block access for any process or application running on your server to the external resources.  Other machines on your network still would be able to make external connections through the router.

Note: It is good a practice to change your RDP port from its default value of 3389.

Universal approach: Steps described here will help you to determine, witch ports to leave open in many situations, when access to the outside world should be limited to the extreme.

What local port will be used?
According to Microsoft articles,
— On Win XP if MaxUserPort is not set, then the local port will be allocated randomly from 1024 to 5000 range.
— On W2K3 and higher if MaxUserPort is not set, then the local port will be allocated randomly from 49152 to 65535 range.
— Registry changes to SYSTEM\CurrentControlSet\Services\Tcpip\Parameters require a restart.

This example works with Access Control rules on the router.  Name could be different for your router.  Router rule is linked to one machine on you network by MAC address.

This example blocks EVERYTHING but the external RDP access to the machine on your network.  We are creating 5 rules that are described bellow:

(1) Close all UDP ports from 1 to 65535.

(2) Close ICMP.

Next 3 lines are dealing with 3 TCP port ranges. Let’s say you are using custom RDP port 1234.  In that case:

(3) Close TCP ports from 1 to1233

(4) Close TCP ports from 1235 to 5XXXX

(5) Close TCP ports from 5YYYY to 65535

How to find out your range of ports to open between 5XXXX and 5YYYY.

– Disable the router block-access rule

– Establish an RDP connection from a remote machine

– Examine what ports a being used for your RDP connection. Use command

netstat -a

This command lists all ports that engaged in a network “conversation”.

Connect several times and each time examine the port taken by foreign (external) machine.

Approximately determine your 5-digit port range of several hundreds. This is not an exact science.

Your values for 5XXXX and 5YYYY could be 51750 and 52099.

(Visited 67 times, 1 visits today)

1 Comment

  1. Once you block those ports in the outgoing direction, you’ll want to test them to make sure they are indeed blocked.

    You can do that with Firebind. http://www.firebind.com

    Just choose the java applet and enter any TCP or UDP port (or range of ports.)

    It’s the only outbound port test tool in the world that can test all 65535 TCP and UDP ports.

Your question, correction or clarification Ваш вопрос, поправка или уточнение