Accessing SQL through the Windows Firewall

Recently I installed a new instance of SQL 2008r2.  (Get more details on installing Microsoft SQL Server 2008r2 here…)

Upon arrival I quickly learned that, in order to allow applications to access the SQL Server instance, I needed to open up the following port on my Windows firewall: 1433 (TCP).

So here goes…

 

[screenshots of the graphical process]

The Microsoft article described a way to do this via an admin command prompt. I chose the graphical process.

If you have your firewall configured for outbound filtering as well, you may need to follow this process for the outbound rules too.
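The command-prompt route the Microsoft article mentions, as an added example that is not from the original post: it builds the netsh command for the same inbound rule, but scoped to a remote subnet and a profile rather than the wizard's defaults of "Any" remote address and all profiles, and it audits the rules already present by parsing the output of "netsh advfirewall firewall show rule name=all" for any rule that allows 1433 from every remote address. The subnet and the sample netsh output are constructed placeholders; the netsh syntax itself is real.

```python
"""Added example (not from the original post): the command-prompt route to the
same inbound rule, plus an audit of existing rules.  build_add_rule_cmd() returns
the netsh argv that opens TCP 1433 inbound, scoped to a remote subnet and a
profile instead of the wizard's defaults (Any / all profiles).  parse_show_rule()
reads the output of "netsh advfirewall firewall show rule name=all" and
overly_broad_rules() lists rules that allow 1433 from every remote address.
The subnet and the sample netsh output below are constructed placeholders."""
import subprocess
import sys

SQL_PORT = "1433"
APP_SUBNET = "10.0.1.0/24"   # constructed placeholder: your application servers' network


def build_add_rule_cmd(port=SQL_PORT, remote_ips=APP_SUBNET, profile="domain"):
    """argv for: netsh advfirewall firewall add rule ... (real netsh syntax)."""
    return [
        "netsh", "advfirewall", "firewall", "add", "rule",
        f"name=SQL Server (TCP {port})",
        "dir=in", "action=allow", "protocol=TCP",
        f"localport={port}",
        f"remoteip={remote_ips}",   # restrict the Scope; the wizard default is Any
        f"profile={profile}",       # restrict the Profile; the wizard default is all three
    ]


def parse_show_rule(text):
    """Turn the 'Key:   Value' blocks printed by 'show rule' into a list of dicts."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {"Rule Name": line.split(":", 1)[1].strip()}
            rules.append(current)
        elif current is not None and ":" in line and not line.startswith("-"):
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return rules


def overly_broad_rules(rules, port=SQL_PORT):
    """Names of enabled inbound allow rules for *port* whose RemoteIP is Any."""
    return [
        r["Rule Name"] for r in rules
        if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
        and r.get("Action") == "Allow" and r.get("LocalPort") == port
        and r.get("RemoteIP", "Any") == "Any"
    ]


# Constructed sample of 'netsh advfirewall firewall show rule name=all' output:
# one rule shaped like the wizard's default, one scoped to the app subnet.
SAMPLE_SHOW_RULE = """\
Rule Name:                            SQL Server (TCP 1433)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            1433
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            SQL Server (TCP 1433) - app servers
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
Grouping:
LocalIP:                              Any
RemoteIP:                             10.0.1.0/24
Protocol:                             TCP
LocalPort:                            1433
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
"""

if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(
            ["netsh", "advfirewall", "firewall", "show", "rule", "name=all"],
            capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_SHOW_RULE   # off Windows, audit the constructed sample instead
    for name in overly_broad_rules(parse_show_rule(text)):
        print(f"rule '{name}' exposes TCP {SQL_PORT} to any remote address")
    print("scoped add command (for display):", " ".join(build_add_rule_cmd()))
```

Run it from an elevated prompt on the SQL host to list any 1433 rule with RemoteIP "Any"; the generated add command is what you would run instead of (or after deleting) such a rule, with the subnet replaced by the one your application servers actually use.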

Do you have an alternative way of configuring SQL for firewall access?  I’d love to hear from you… leave your comments below with your process or comments/suggestions on my process.

TMG and BigFix BESClient

No series of posts would be complete if I didn’t relate it back to my new fabulous job somehow…

The Microsoft Threat Management Gateway is secure by default.  This means everything you want to do or rather connect to online must be configured properly within the TMG console.  The BigFix Enterprise Client is no different.

By default the BigFix infrastructure communicates on port 52311.  Therefore we must let TMG know that we’d like our clients to talk over this port.

Below is a graphical step by step on how this is done:

1. Let's start by creating a new rule:

ForeFront TMG -> Firewall Policy -> Tasks (tab) -> Create Access Rule

2. Of course we'll be allowing this port to communicate.

3. We'll be creating a brand new protocol, so hit Add, then in the Add Protocols window click New -> Protocol.

4. Name your protocol.

5. We'll be adding the BigFix TCP port 52311 here. (You may have deployed via a different port; specify your custom BigFix port here.)

6. We have no secondary connections that are needed, so click Next and hit Finish.

7. Next we will expand the "User-Defined" branch, choose the "BigFix Communication Protocol" we just defined and hit Add -> Close -> Next.

8. Specify who is allowed to communicate: the Source, which should be your internal network.

9. And specify our destination. In my case I am setting up a secondary site and all these clients will communicate with my BigFix Root server somewhere else on the internet. (Later on I'll set up a relay on one of the computers at this location and adjust the TMG firewall rules.)

10. Because BigFix is my main management for all my computers, I want every computer to have permission to communicate via this port, so I'll leave the default "All Users" here. Next -> Finish.

We'll probably want to make sure this is our first firewall rule so it is not interfered with by some other rule. After hitting Finish it should look like this:

[screenshot]

Lastly we'll need to "Apply" this new rule set in order to get things working.

[screenshot]

Port Scanning?!? oh and Microsoft Threat Management Gateway (TMG)

I am working on learning network security… so I went and picked up the NMAP Network Scanning book (ISBN: 978-0-9799587-1-7) from Gordon Lyon and Insecure.org.
During my reading he talks a lot about Intrusion Detection Systems (IDS). Apparently IDSs are used to detect attacks on networks, including something as benign as a port scan. This got me thinking… doesn’t my MS Action Pack include something like that? Indeed it does… two in fact: ISA 2006 and its newer replacement, Threat Management Gateway (TMG 2010).
Any respectable hacker would jump at the chance to set it up and “hack” yourself to see what happens right? OF COURSE!!!

I’ve setup the new system and placed it on the “edge” of my network. This puts it in exactly the right spot to have the largest exposure… right…

Compiling NMap on a fresh install of SuSE 11.0

So, I’m researching the NMAP tool from Insecure.org… and needed to compile it on my various linux test boxes.

suse1:~/nmap # ./configure
checking whether NLS is requested... yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking for gcc... no
checking for cc... no
checking for cl.exe... no
configure: error: in `/root/nmap':
configure: error: no acceptable C compiler found in $PATH
See `config.log' for more details.

The only problem is that they are fresh installations with the minimum of options chosen during setup, i.e. I went with the basic server options and no additional packages during the install of each flavor of Linux.

So where do I go from here… welp, download and compile of course.
In the end I needed 15 different rpm packages from my SuSE DVD… and they needed to be installed in the following order:

1. gmp-4.2.2-30.1.i586.rpm
2. libmpfr1-2.3.1-4.1.i586.rpm
3. cpp43-4.3.1_20080507-6.1.i586.rpm
4. cpp-4.3-39.1.i586.rpm
5. linux-kernel-headers-2.6.25-8.1.noarch.rpm
6. glibc-devel-2.8-14.1.i586.rpm
7. libstdc++43-devel-4.3.1_20080507-6.1.i586.rpm
8. libstdc++43-4.3.1_20080507-6.1.i586.rpm
9. libgomp43-4.3.1_20080507-6.1.i586.rpm
10. libmudflap43-4.3.1_20080507-6.1.i586.rpm
11. gcc43-4.3.1_20080507-6.1.i586.rpm
12. gcc43-c++-4.3.1_20080507-6.1.i586.rpm
13. gcc-4.3-39.1.i586.rpm
14. gcc-c++-4.3-39.1.i586.rpm
15. make-3.81-103.1.i586.rpm

I’ve posted them at my files website http://files.moranit.com/SuSE11/

After installing all of these, the remaining installation procedure outlined on the nmap website went perfectly… I now have a working version on my SuSE 11.0 test box.
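The same procedure as a small install planner, added here as an example that is not part of the original post: it splits each RPM file name into name/version/release/arch the way rpm names packages, reads "rpm -qa" to see what a minimal install already has, recognises the configure failure quoted above, and emits the "rpm -ivh" commands in the post's order for only the packages still missing (the order matters because each package's dependencies come before it). The directory the RPMs are copied to and the "rpm -qa" sample are constructed placeholders; the libstdc++ and gcc-c++ package names are written with their plus signs, as SuSE ships them.

```python
"""Added example (not part of the original post): turn the post's ordered RPM
list into an install plan.  parse_nvra() splits a file name into
name/version/release/arch the way rpm names packages, installed_names() reads
'rpm -qa' output, needs_c_compiler() recognises the configure failure quoted
in the post, and install_plan() emits 'rpm -ivh' commands, in the post's order,
only for packages not yet installed.  RPM_DIR and the 'rpm -qa' sample are
constructed placeholders."""

# The post's 15 packages in the order they had to go on (the libstdc++ and
# gcc-c++ names are written with their plus signs, as SuSE ships them).
INSTALL_ORDER = [
    "gmp-4.2.2-30.1.i586.rpm",
    "libmpfr1-2.3.1-4.1.i586.rpm",
    "cpp43-4.3.1_20080507-6.1.i586.rpm",
    "cpp-4.3-39.1.i586.rpm",
    "linux-kernel-headers-2.6.25-8.1.noarch.rpm",
    "glibc-devel-2.8-14.1.i586.rpm",
    "libstdc++43-devel-4.3.1_20080507-6.1.i586.rpm",
    "libstdc++43-4.3.1_20080507-6.1.i586.rpm",
    "libgomp43-4.3.1_20080507-6.1.i586.rpm",
    "libmudflap43-4.3.1_20080507-6.1.i586.rpm",
    "gcc43-4.3.1_20080507-6.1.i586.rpm",
    "gcc43-c++-4.3.1_20080507-6.1.i586.rpm",
    "gcc-4.3-39.1.i586.rpm",
    "gcc-c++-4.3-39.1.i586.rpm",
    "make-3.81-103.1.i586.rpm",
]

RPM_DIR = "/media/SuSE11/i586"   # constructed placeholder: where the .rpm files were copied


def parse_nvra(filename):
    """'name-version-release.arch.rpm' -> dict, using rpm's own right-to-left split
    (version and release never contain '-', the arch never contains '.')."""
    if not filename.endswith(".rpm"):
        raise ValueError(f"not an rpm file name: {filename}")
    stem, arch = filename[:-4].rsplit(".", 1)
    name_version, release = stem.rsplit("-", 1)
    name, version = name_version.rsplit("-", 1)
    return {"name": name, "version": version, "release": release, "arch": arch}


def installed_names(rpm_qa_output):
    """Package names from 'rpm -qa' lines (name-version-release, with or without .arch)."""
    return {line.rsplit("-", 2)[0] for line in rpm_qa_output.split()}


def needs_c_compiler(configure_output):
    """True when ./configure failed the way the post shows: no C compiler in $PATH."""
    return "no acceptable C compiler found in $PATH" in configure_output


def install_plan(order=INSTALL_ORDER, installed=frozenset(), rpm_dir=RPM_DIR):
    """One 'rpm -ivh' argv per missing package, preserving the dependency order."""
    return [["rpm", "-ivh", f"{rpm_dir}/{fn}"]
            for fn in order if parse_nvra(fn)["name"] not in installed]


# Constructed 'rpm -qa' sample for a minimal SuSE 11.0 server install.
SAMPLE_RPM_QA = """\
glibc-2.8-14.1
gmp-4.2.2-30.1
libmpfr1-2.3.1-4.1
make-3.81-103.1
"""

if __name__ == "__main__":
    import subprocess
    try:
        qa = subprocess.run(["rpm", "-qa"], capture_output=True,
                            text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        qa = SAMPLE_RPM_QA   # not on an rpm-based system: plan against the sample
    for cmd in install_plan(installed=installed_names(qa)):
        print(" ".join(cmd))
```

On the SuSE box itself, pipe the printed commands into a shell (or run them one by one) and then re-run ./configure; on anything without rpm it just prints the plan for the sample.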

All new Day

Today was an interesting one… Not. Not much happened today that was all that noteworthy. Today was one of four more days at my current “day” job. Overall not bad. It was a 7am to 7pm shift where I was so engaged with what I was doing I didn’t even remember to take my lunch.
Anyways, this does lead into my overall thoughts for the past few days which are indeed technical.

My question I want to pose to the world in general… Is it time for a replacement to Facebook?

I ask because the last several newsworthy articles about Facebook have all been about their wild changes to their privacy policies. Is it just too much to ask that my private thoughts I posted for friends and family… Oh I don’t know… Remain only for their eyes?

I bring this up because of the other stories about employers researching new employees or applicants on the internet for what their online profiles look like. Now it is, as far as I know, against the law for them to hold your online persona against you when considering job applicants… But you just know it happens… Right? Am I alone in thinking that?

Anyways I was wanting to ask that for a few reasons. I have been developing remote support software, like many others (Kaseya and BigFix being just two), that can remotely manage computers. Well… Here is the thing… I just got a shiny new job at BigFix and I feel it would not be very appropriate to continue with that project as long as I work there. I have also been slowly getting away from helping the general public with IT support problems as well.

(come on Daniel, wrap it up… LOL)

I need a new project that doesn’t clearly introduce a conflict of interest to my new job.
Thus I’m proposing that maybe I could start putting together the new replacement for Facebook… With all the security, privacy and features that everyone wants in their social networking website of choice.

I have a wonderful idea for a “privacy slider” that would be attached to every post that users make… Whether it is short Twitter-like posts, pictures, long blog articles, or even simple conversations between friends, family, coworkers and the public. Everything has a privacy value that you can change at the time of posting. This way you are the master of what is public, what is private, and who in between can see it…

Leave your comments below… I will read each and every idea as I’m excited to maybe work on the new and improved rootSync.com

Internet Cameras… We’re talking Enemy of the State stuff…


If I told you that there are literally thousands of publicly accessible cameras that you could pull up on your computer right now… would you believe me?

A little Google search, inurl:/view/index.shtml, shows us only one brand of public IP Cameras.

I tell you this because of my current project, which I have recently had a lot of success with.  My goal is to set up cameras throughout my apartment in order to monitor what goes on within it.

What I’m wanting is three very basic things.  It took me a few days of research to verify that they were possible.  The first thing I wanted for my camera project was the ability to use my web-cam along with network IP cameras I will purchase over time.  I wanted to be able to access all of the cameras the same way… which meant that I needed computer software to turn my USB web-cam into an IP camera, or at least act like one.  The second thing I wanted was a software package that will display the video feeds from all my cameras on one 20” LCD I have in my office.  This LCD will work exclusively to display the security system.  The system itself, using this software, would act much like a DVR and record the video feeds to a file on its hard drive.  Lastly I wanted the ability to view the cameras remotely on my iPhone.

I was very happy to find that all of this was possible with two pieces of software.  One is called IP Vision Pro, and is an iPhone app available through the iTunes App Store for only $24.99.  This application gives me the ability to  watch and control IP Network Cameras which are publicly available over the internet. 

The second software package I would need is called WebCamXP.  I will be using the Pro license because it has the ability to handle an unlimited number of cameras, among other very useful features.

This software not only connects to IP Network Cameras like the IP Vision Pro software, but will also turn my USB web-cam into an IP Network Camera as well. 

WebCamXP also has the advanced features of those expensive monitoring programs like DVR functionality.

Now that the software is out of the way, I can focus on cameras.  When I have additional camera research I’ll be sure to post it here…