RE: Windows 2000 server ports, services to close.

["Depp, Dennis M." <deppdm () ornl gov>]

 Brent,

Ports 135,139 and 445 are used by Microsoft networking.  You probably
want to keep these on.
1433 is used by MS SQL Server again you probably want to keep this on.
I am assuming this is a Compaq box and is running the Compaq diagnostic
service.  If you are not using this service, you can turn it off and
this will clos port 2301.
3052 is used by your powerChute software.
3389 is usd to create a remote desktop to this machine.  If you do not
manage this machine remotely, you can turn off this service.
6101 and 6103 are used by BackupExec.  Are you backing up this machine
over the network?  If you you want to leave these open.

1025,1026 and 3372 I am not sure about.  Since you are running Windows
2000, you might want to look at fport from www.foundstone.com.  If you
run this on the Windows machine, you will be able to see what programs
are listening on which ports.  This will help you track down these
remaining three ports.

Dennis

> -----Original Message-----
> From: Brent Clark [mailto:bclark () rocketseed us] 
> Sent: Wednesday, October 13, 2004 3:17 AM
> To: security-basics () securityfocus com
> Subject: Windows 2000 server ports, services to close.
>
> Hi all
>
> Could someone please advise me on how and what ports do I 
> have to shutdown
> for a Microsoft Wintendo 2000 server.
> If anyone has a link, URL, doc, etc to advise me, it would be soo
> apprecaited
>
> On my linux box I run and port scan and these are what I 
> found (Quite scary
> actually, im soo glad that into Linux)
>
> ==============================================================
> ==============
> =================
> Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 
> 2004-10-13 09:12
> SAST
> Initiating SYN Stealth Scan against ctsql (192.168.111.123) 
> [1660 ports] at
> 09:12
> Discovered open port 3389/tcp on 192.168.111.123
> Discovered open port 6103/tcp on 192.168.111.123
> Discovered open port 3052/tcp on 192.168.111.123
> Discovered open port 135/tcp on 192.168.111.123
> Discovered open port 445/tcp on 192.168.111.123
> Discovered open port 6101/tcp on 192.168.111.123
> Discovered open port 1433/tcp on 192.168.111.123
> Discovered open port 139/tcp on 192.168.111.123
> Discovered open port 3372/tcp on 192.168.111.123
> Discovered open port 2301/tcp on 192.168.111.123
> Discovered open port 1026/tcp on 192.168.111.123
> Discovered open port 1025/tcp on 192.168.111.123
> The SYN Stealth Scan took 1.59s to scan 1660 total ports.
> For OSScan assuming that port 135 is open and port 1 is 
> closed and neither
> are firewalled
> Host ctsql (192.168.111.123) appears to be up ... good.
> Interesting ports on ctsql (192.168.111.123):
> (The 1648 ports scanned but not shown below are in state: closed)
> PORT     STATE SERVICE
> 135/tcp  open  msrpc
> 139/tcp  open  netbios-ssn
> 445/tcp  open  microsoft-ds
> 1025/tcp open  NFS-or-IIS
> 1026/tcp open  LSA-or-nterm
> 1433/tcp open  ms-sql-s
> 2301/tcp open  compaqdiag
> 3052/tcp open  PowerChute
> 3372/tcp open  msdtc
> 3389/tcp open  ms-term-serv
> 6101/tcp open  VeritasBackupExec
> 6103/tcp open  RETS-or-BackupExec
> MAC Address: 00:0F:20:98:2B:8B (Hewlett Packard)
> Device type: general purpose
> Running: Microsoft Windows 95/98/ME|NT/2K/XP
> OS details: Microsoft Windows Millennium Edition (Me), Windows 2000
> Professional or Advanced Server, or Windows XP
> TCP Sequence Prediction: Class=random positive increments
>                          Difficulty=9327 (Worthy challenge)
> IPID Sequence Generation: Busy server or unknown class
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 
> 3.449 seconds
>
>
> ==============================================================
> ==============
> ===============
>
> Kind Regards and thanks in advance
> Brent Clark