Educause Security Discussion mailing list archives

Correction: XP SP2 ports open to local subnet


From: Phil Rodrigues <phil.rodrigues () NYU EDU>
Date: Wed, 9 Jun 2004 18:08:41 -0400

Correction:

Brian Eckman of the University of Minnesota brought to my attention the
fact that the XP SP2 exception only applies to the LOCAL SUBNET.  If a
computer is on the same subnet as the XP computer, it will see ports
137-139,445 open if file and print sharing is enabled even if XP SP2 is
installed.

All computers *NOT* on the same local subnet will see the ports as
filtered.  XP SP2 closes those ports to anyone not on the same local
subnet by default.

I tested it and agree completely:

# Same Subnet: from 128.122.XXX.111
$ nmap -p 139,445 128.122.XXX.123 -P0 -T5
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-09 17:15 EDT
Interesting ports on SOMEONE.NYU.EDU (128.122.XXX.123):
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

# Different subnet: from 128.122.YYY.222
$ nmap -p 139,445 128.122.XXX.123 -P0 -T5
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on SOMEONE.NYU.EDU (128.122.XXX.123):
Port       State       Service
139/tcp    filtered    netbios-ssn
445/tcp    filtered    microsoft-ds

Sorry for the confusion, and thanks Brian for taking me up on my "Please
try it yourself" offer.

Phil

Phil Rodrigues wrote:

Hi all,

We downloaded the publicly available XP SP2 beta from Microsoft,
installed it on a computer, then ran some tests with nmap.

By default, the Windows "Security Center" allows for 2 exceptions to the
firewall: one for "File and Print Sharing" and one for "Remote Assistance".

Remote Assistance didn't seem so scary: you still have to enable that
feature, which is disabled by default.

But since an exception for "File and Print Sharing" was enabled by
default, nmap showed that ports 137/udp, 138/udp, 139/tcp, and 445/tcp
were all open, even when the Firewall was turned on.  By default.  In
order to close these ports, we had to take the extra step of disabling
the exception within the Windows Security Center app.

Please try it yourself, and tell me if we missed something:

http://www.microsoft.com/SP2Preview

So, I would still make plans to automate pre-registration scans of your
networks for Windows RPC-ish vulnerabilities, at the very least.  They
may have closed 135/tcp, but with 445/tcp open there is still plenty of
room for mischief.  By default.

Phil

Sr Network Security Analyst
New York University

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
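
The two-vantage comparison described in the correction can be automated. The following is an added example, not part of the original message: it parses nmap's plain-text port table in both layouts quoted above and reports whether the file-sharing ports are open only to on-subnet scanners. The addresses, the /24 prefix length, the verdict labels and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Port rows in both nmap layouts quoted above, e.g.
# "139/tcp open  netbios-ssn" and "139/tcp    filtered    netbios-ssn".
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+\S+$")
SHARING_PORTS = {(137, "udp"), (138, "udp"), (139, "tcp"), (445, "tcp")}

def parse_nmap(text):
    """Return {(port, proto): state} from nmap's plain-text port table."""
    states = {}
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            states[(int(m.group(1)), m.group(2))] = m.group(3).lower()
    return states

def classify(scans, target, prefix_len):
    """scans: [(scanner_ip, nmap_text)]; prefix_len is the target's assumed mask."""
    net = ipaddress.ip_network(f"{target}/{prefix_len}", strict=False)
    opened = {True: set(), False: set()}   # keyed by "scanner is on-subnet"
    vantage = set()
    for scanner, text in scans:
        local = ipaddress.ip_address(scanner) in net
        vantage.add(local)
        for key, state in parse_nmap(text).items():
            if key in SHARING_PORTS and state == "open":
                opened[local].add(key)
    if opened[False]:
        return "exposed-beyond-subnet", sorted(opened[False])
    if opened[True]:
        # Scope is only confirmed if an off-subnet scan was also supplied.
        verdict = "local-subnet-only" if False in vantage else "scope-unverified"
        return verdict, sorted(opened[True])
    return "not-open", []

# Constructed sample output (documentation addresses, not from the message).
LOCAL_SCAN = """Interesting ports on host.example (192.0.2.123):
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
"""
REMOTE_SCAN = """Interesting ports on host.example (192.0.2.123):
Port       State       Service
139/tcp    filtered    netbios-ssn
445/tcp    filtered    microsoft-ds
"""
SCANS = [("192.0.2.111", LOCAL_SCAN), ("198.51.100.222", REMOTE_SCAN)]

if __name__ == "__main__":
    print(classify(SCANS, "192.0.2.123", 24))
```

A "scope-unverified" verdict means only an on-subnet scan was supplied, so the result says nothing about what off-subnet hosts can reach.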
