I would like to make my workstation more secure by closing ports that I don't need. My machine is running Windows 2000 professional and in the TCP/IP filtering options I allowed 20,21,23, and 80 (for telnet, ftp, and http).
My problem is with ftp: While I can connect to a ftp-server (log in works fine), the response to the "ls" command is the following: ftp> ls
200 PORT command successful.
425 Can't build data connection: Connection refused.
As far as I can tell, the "cd" command is working fine, if you know the right directories (it shows an error if the directory does not exist). When I disable TCP/IP filtering on my PC, everything works fine. I actually only want to block a few ports below 1024 in regards to recently discovered vulnerabilities of Windows, but with the way Windows 2000 has implemented port-filtering this seems not to be possible.
The best security practice is to create a "Deny All" filter and then create an "Allow" filter for the specific ports you want to open on your system. By default the "Any" filter allows access to all the ports. Your FTP problem seems to be a misconfiguration issue. On the other hand you can achieve Port level security by installing filtering software or Personal Firewalls like IP/PORT Blocker and ZoneAlarm. They do a fantastic job.
Related Q&A from Puneet Mehta
To view network security expert Puneet Mehta's latest advice, see his Public Profile on the IT Knowledge Exchange: http://...continue reading
Find out if there's a difference between a virtual private network (VPN) concentrator and a network access server (NAS) in this explanation from our ...continue reading
Our network security expert explains how to keep unauthorized users from accessing your router's IP address for Internet access in this advice ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.