Critical System Protection



  • 1.  After OS and IIS migrated, cs protection agent 5.2 under same SCSP Policies shows warning message as following image.

    Posted Sep 28, 2010 04:30 AM

    Symptom: After the OS and IIS were migrated and SCSP agent 5.2 was reinstalled, the agent, under the same policies as before, unexpectedly showed a warning message.

    OS: Windows 2000 -> Windows 2003

    IIS: 5.0 -> 6.0

    Warning code & message: Event Id 48, Inbound connection denied from IP-add(SCSP Manager):port to localaddress(SCSP Agent):80

    Now I have configured an allow rule for port 80 access in the kernel part, and the warning message is gone.

    But I'd like to know the reason why the warning message appeared.



  • 2.  RE: After OS and IIS migrated, cs protection agent 5.2 under same SCSP Policies shows warning message as following image.

    Posted Sep 28, 2010 10:47 PM

    Jeongran,

    When you upgraded the OS and the IIS instance, the way in which IIS processes port information changed. In Windows 2003 IIS 6.0, all port access is initially processed by kernel_ps. You do not, however, need to add the port to kernel_ps (if you are using a newer IPS policy, say 5.2.4+) because it's been built in to pull the port listing from IIS_PS into kernel_ps. This is basically how IIS functions, as its TCP ACK sequence is processed first by kernel_ps (the kernel), and is actually one of the main reasons why IIS is so vulnerable to exploitation.



  • 3.  RE: After OS and IIS migrated, cs protection agent 5.2 under same SCSP Policies shows warning message as following image.

    Posted Sep 28, 2010 10:53 PM

    Didn't realize you are an employee and this is going to be passed to a customer.

    In Sym_Win_Protection_Strict (I assume you are using strict) Revision 418+ (at least), you will notice under global policy options -> kernel driver options [kernel_ps] -> network controls -> inbound network rules -> list of rules to control connection... -> the first rule indicated %iis_accept_tcp_list%. This is a variable identifier (anything between %..% is) which links back to IIS_ps's network controls to grab the accept list of port 80. This was added in more recent IPS policies to auto-import whichever setting is listed in IIS-specific services to link back to kernel_ps.

    It is the same for terminal services (the kernel first processes the stack request).
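As an added illustration of the mechanism described in the reply (this is example code, not SCSP's own policy format or product code): a small model in which a kernel_ps inbound rule written as %iis_accept_tcp_list% is expanded from IIS_ps's TCP accept list, showing why the same event 48 denial on port 80 is raised under a policy without the variable and not under one with it. The process-set naming convention, the rule shape and the sample event line are assumptions made for this model.

```python
import re
from dataclasses import dataclass

# Constructed, simplified model of the layering the reply describes: a kernel_ps inbound
# rule may be a %variable% expanded from another process set's TCP accept list.
# This is not SCSP's real policy format.
VAR_RE = re.compile(r"^%([a-z0-9_]+)_accept_tcp_list%$")
EVENT_RE = re.compile(r"Event Id (\d+), Inbound connection denied from \S+:\d+ to \S+:(\d+)")
# Constructed sample of the warning quoted in the question (addresses are made up).
SAMPLE_EVENT = "Event Id 48, Inbound connection denied from 192.0.2.10:49152 to 192.0.2.20:80"

@dataclass
class Policy:
    accept_tcp: dict      # process set -> ports it accepts, e.g. {"IIS_ps": [80]}
    kernel_inbound: list  # kernel_ps inbound rules: (action, port or "%xxx_accept_tcp_list%")

    def resolve_kernel_rules(self):
        """Expand %xxx_accept_tcp_list% into one concrete rule per port accepted by XXX_ps."""
        resolved = []
        for action, target in self.kernel_inbound:
            m = VAR_RE.match(str(target))
            if m is None:
                resolved.append((action, int(target)))
            else:  # "iis" -> "IIS_ps" is an assumed naming convention for this model
                ps_name = m.group(1).upper() + "_ps"
                resolved.extend((action, p) for p in self.accept_tcp.get(ps_name, []))
        return resolved

    def inbound_allowed(self, dst_port):
        """First matching resolved rule wins; no match falls through to deny (the event 48 warning)."""
        for action, port in self.resolve_kernel_rules():
            if port == dst_port:
                return action == "allow"
        return False

def old_policy():
    # Older revision: only IIS_ps lists port 80, so kernel_ps has nothing allowing it.
    return Policy(accept_tcp={"IIS_ps": [80]}, kernel_inbound=[])

def new_policy():
    # Revision 418+ style: kernel_ps's first inbound rule is the variable that pulls IIS_ps's list.
    return Policy(accept_tcp={"IIS_ps": [80]}, kernel_inbound=[("allow", "%iis_accept_tcp_list%")])

def would_now_allow(event_line, policy):
    """Parse an event 48 line; report whether the policy's resolved kernel rules allow that port."""
    m = EVENT_RE.search(event_line)
    if m is None or m.group(1) != "48":
        return None
    return policy.inbound_allowed(int(m.group(2)))
```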