Educause Security Discussion mailing list archives

Re: DHS --> Updated MS Advisory


From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 1 Aug 2003 13:11:16 -0400

Barros, Jacob wrote:

> DHS and Microsoft further suggest that Internet Service Providers and
> network administrators consider blocking TCP and UDP ports 135, 139, and
> 445 for inbound connections unless absolutely needed for business or
> operational purposes.
>
> Can anyone say that they have done this and what are any repercussions
> you've felt?  I might be missing something in my research but is there
> any traffic on those ports that I might care about?  Will this affect OWA?

Hi,

We have blocked the NetBIOS ports (137-139) since around 1996, the 445 NetBIOS
port since Windows 2000 was released, and port 135 since last fall. I think
we got away with the NetBIOS block because we did it before it was in wide
use and nobody missed it. :)

We also blocked 593 a couple weeks ago without repercussions.

We opened holes for port 135 to official Exchange servers. Last week
we closed all but one of those when the administrators informed me
that OWA and IMAP access didn't need it...only MAPI. They haven't
called back asking that the holes be opened so I guess they're running
fine.

There are other applications that may be affected by a port 135 block.
I've got some information on them in the Caveats section at:
http://www.jmu.edu/computing/security/info/winmsg.shtml#block

The best thing to do when you are contemplating blocking a port is
to specifically allow it for a while with logging enabled and see
what's talking. For example:

access-list 100 permit tcp any any eq 135 log

If you need to make exceptions, make sure the targets have been
patched.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
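Added example, not part of Gary's post or JMU's tooling: a small script that does the "see what's talking" step his access-list suggests, by summarizing the syslog lines a Cisco IOS ACL entry with the `log` keyword produces, and then emitting the exception entries (permit to approved hosts, then deny-and-log) once the talkers have been reviewed. It assumes the IOS `%SEC-6-IPACCESSLOGP` message layout shown in the regex comment; the sample log lines, ACL number, and addresses are constructed, and the `exception_aces` helper is a convenience of this example, not a router feature.

```python
import re
from collections import Counter

# Assumed layout of the IOS syslog line an ACE with 'log' emits (from memory of
# the %SEC-6-IPACCESSLOGP message; verify against your own router's output):
#   %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.1.2.3(4912) -> 10.9.8.7(135), 1 packet
# IOS logs the first matching packet and then a periodic summary, so the trailing
# packet count is an aggregate, not one line per packet.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog lines (documentation/test addresses), not real traffic.
SAMPLE_LOG = """\
Aug  1 12:01:02 border-rtr 1001: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 198.51.100.7(3412) -> 192.0.2.10(135), 1 packet
Aug  1 12:01:09 border-rtr 1002: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 198.51.100.7(3415) -> 192.0.2.10(135), 4 packets
Aug  1 12:02:44 border-rtr 1003: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 203.0.113.5(41002) -> 192.0.2.22(135), 1 packet
Aug  1 12:03:10 border-rtr 1004: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 203.0.113.5(41003) -> 192.0.2.22(445), 1 packet
Aug  1 12:03:12 border-rtr 1005: %SEC-6-IPACCESSLOGP: list 100 permitted udp 203.0.113.5(1025) -> 192.0.2.22(135), 1 packet
Aug  1 12:05:00 border-rtr 1006: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 198.51.100.7(3420) -> 192.0.2.10(135), 2 packets
Aug  1 12:05:30 border-rtr 1007: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.99(5000) -> 192.0.2.1(139), 1 packet
"""


def parse_acl_log(text):
    """Return one dict per line that matches the ACL log format; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "count"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize_talkers(records, action="permitted"):
    """Total packets per (proto, dport, dst, src) for the given action.

    Returns a list of ((proto, dport, dst, src), packets) sorted by protocol,
    destination port, then packet count descending, so the busiest pairs on
    each port come first. Ephemeral source ports are deliberately collapsed.
    """
    totals = Counter()
    for r in records:
        if r["action"] == action:
            totals[(r["proto"], r["dport"], r["dst"], r["src"])] += r["count"]
    return sorted(totals.items(), key=lambda kv: (kv[0][0], kv[0][1], -kv[1]))


def report(records):
    """Human-readable 'what's talking' listing for review before the block goes in."""
    lines = []
    for (proto, dport, dst, src), pkts in summarize_talkers(records):
        lines.append(f"{proto}/{dport:<5} {dst:<15} <- {src:<15} {pkts:>6} pkt")
    return "\n".join(lines)


def exception_aces(acl, proto, dport, approved_dsts):
    """Build the replacement ACEs for one port: permit to each approved (and patched)
    destination host, then deny-and-log everything else. The caller decides which
    hosts from the report are legitimate; nothing here is auto-approved."""
    aces = [f"access-list {acl} permit {proto} any host {dst} eq {dport}" for dst in approved_dsts]
    aces.append(f"access-list {acl} deny {proto} any any eq {dport} log")
    return aces


if __name__ == "__main__":
    recs = parse_acl_log(SAMPLE_LOG)
    print(report(recs))
    print()
    # Suppose review showed 192.0.2.10 is the official Exchange server needing MAPI.
    print("\n".join(exception_aces("100", "tcp", 135, ["192.0.2.10"])))
```

Run it over a syslog file from the logging period instead of `SAMPLE_LOG`; the denied entries are summarized the same way with `summarize_talkers(recs, action="denied")`, which is useful after the block to confirm nothing legitimate is being dropped. Keep the `log` keyword on the final deny so the ACL keeps telling you what it is stopping.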

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.
