How to protect incoming TCP connection for Microsoft "microsoft-ds" service?

Article ID: 61021

Updated On: 02-08-2024

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

This is an example of how you could protect the Microsoft "microsoft-ds" service (port 445), together with the selang rule definitions that implement it. The purpose is to protect your local machine from remote file-sharing access.

Environment

Release:
Component: SEOSNT

Resolution

In order to protect the microsoft-ds service on "my_local_system.com" and deny access to it from "remote_system.com", the following set of commands needs to be invoked from the command line using selang:

  1. Env eTrust; so class+(TCP);

  2. Env eTrust; newres HOST ("remote_system.com") owner("nobody")
    (please replace "remote_system.com" by your own remote IP address)

  3. Env eTrust; newres TCP ("microsoft-ds") defaccess(All)

  4. To authorize sharing access from the machine "remote_system.com" to your local machine "my_local_system.com":

    Env eTrust; authorize TCP ("microsoft-ds") host("remote_system.com") access(read);
    (please replace "remote_system.com" by your own remote IP address)

  5. To NOT authorize sharing access from the machine "remote_system.com" to your local machine "my_local_system.com":

    Env eTrust; authorize TCP ("microsoft-ds") host("remote_system.com") access(None);
    (please replace "remote_system.com" by your own remote IP address)

  6. This is the popup window shown on the remote machine "remote_system.com" when the rule from step 5 is in place and you try to access the local machine "my_local_system.com" from "remote_system.com":
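The steps above as an added example (not code from the article or from the PIM product): a small Python helper that generates the same selang command set for any number of permitted and denied remote hosts, plus a connectivity check you can run from a remote machine afterwards to confirm that port 445 no longer answers. The host names and addresses in the sample policy are constructed placeholders, and feeding the generated lines to selang is left to the administrator.

```python
"""Added example: build the article's selang rules for several remote hosts
and verify from a remote machine whether port 445 on the protected host still answers."""
import socket

SERVICE = "microsoft-ds"   # TCP class resource name used in the article (port 445)


def selang_rules(allowed, denied):
    """Return the selang commands of steps 1-5 for lists of allowed and denied hosts.

    allowed/denied hold remote IP addresses or host names. Each host needs a HOST
    resource (step 2) before it can be named in an authorize command (steps 4 and 5).
    """
    rules = ["Env eTrust; so class+(TCP);"]                                  # step 1
    for host in list(allowed) + list(denied):
        rules.append(f'Env eTrust; newres HOST ("{host}") owner("nobody")')  # step 2
    rules.append(f'Env eTrust; newres TCP ("{SERVICE}") defaccess(All)')    # step 3
    for host in allowed:                                                     # step 4: permit sharing
        rules.append(f'Env eTrust; authorize TCP ("{SERVICE}") host("{host}") access(read);')
    for host in denied:                                                      # step 5: deny sharing
        rules.append(f'Env eTrust; authorize TCP ("{SERVICE}") host("{host}") access(None);')
    return rules


def port_445_open(target, timeout=3.0):
    """True if a TCP connection to target:445 completes within the timeout.

    Run this on the remote machine after the rules are loaded: a denied host
    should get False. False can also mean a firewall block or an offline host,
    so confirm the denial in the PIM audit log as well.
    """
    try:
        with socket.create_connection((target, 445), timeout=timeout):
            return True
    except OSError:          # refused, dropped (timeout) or name resolution failure
        return False


if __name__ == "__main__":
    # Constructed sample policy: one permitted and one denied remote machine.
    for line in selang_rules(allowed=["10.0.0.20"], denied=["remote_system.com"]):
        print(line)
```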

Additional Information

For additional information, please see the "CA Access Control Administration Guide for UNIX", "Chapter 10: Protecting TCP/IP Services", which contains the following:

"
Using the TCP Class
...

Note: defaccess(read) disables outgoing services. defaccess(write) disables incoming services.

If the HOST class is active (that is, if it is used as a criterion for access), then the TCP class cannot effectively be active. You can use the command setoptions class- HOST to deactivate the HOST class; then use the command setoptions class+ TCP (if necessary) to activate the TCP class. Deactivating the HOST class automatically deactivates GHOST, HOSTNET, and HOSTNP as well.
"