Educause Security Discussion mailing list archives
Correction: XP SP2 ports open to local subnet
From: Phil Rodrigues <phil.rodrigues () NYU EDU>
Date: Wed, 9 Jun 2004 18:08:41 -0400
Correction: Brian Eckman of the University of Minnesota brought to my attention the fact that the XP SP2 exception only applies to the LOCAL SUBNET. If a computer is on the same subnet as the XP computer, it will see ports 137-139,445 open if file and print sharing is enabled even if XP SP2 is installed. All computers *NOT* on the same local subnet will see the ports as filtered. XP SP2 closes those ports to anyone not on the same local subnet by default. I tested it and agree completely: # Same Subnet: from 128.122.XXX.111 $ nmap -p 139,445 128.122.XXX.123 -P0 -T5 Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-09 17:15 EDT Interesting ports on SOMEONE.NYU.EDU (128.122.XXX.123): PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds # Different subnet: from 128.122.YYY.222 $ nmap -p 139,445 128.122.XXX.123 -P0 -T5 Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on SOMEONE.NYU.EDU (128.122.XXX.123): Port State Service 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds Sorry for the confusion, and thanks Brian for taking me up on my "Please try it yourself" offer. Phil Phil Rodrigues wrote:
Hi all, We downloaded the publicly available XP SP2 beta from Microsoft, installed it on a computer, then ran some test with nmap. By default, the Windows "Security Center" allows for 2 exceptions to the firewall: one for "File and Print Sharing" and one for "Remote Assistance". Remote Assistance didn't seem so scary: you still have to enable that feature, which is disabled by default. But since an exception for "File and Print Sharing" was enabled by default, nmap showed that ports 137/udp, 138/udp, 139/tcp, and 445/tcp were all open, even when the Firewall was turned on. By default. In order to close these ports, we had to take the extra step of disabling the exception within the Windows Security Center app. Please try it yourself, and tell me if we missed something: http://www.microsoft.com/SP2Preview So, I would still make plans to automate pre-registration scans of your networks for Windows RPC-ish vulnerabilities, at the very least. They may have closed 135/tcp, but with 445/tcp open there is still plenty of room for mischief. By default. Phil Sr Network Security Analyst New York University ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Correction: XP SP2 ports open to local subnet Phil Rodrigues (Jun 09)
- <Possible follow-ups>
- Re: Correction: XP SP2 ports open to local subnet Niedens, Travis (Jun 09)
- Re: Correction: XP SP2 ports open to local subnet John Kristoff (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Brian Eckman (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Niedens, Travis (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Brian Eckman (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Niedens, Travis (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Jeff Bollinger (Jun 13)