Firewall Wizards mailing list archives
Re: Strange open ports on windows machines
From: David LeBlanc <dleblanc () mindspring com>
Date: Tue, 26 Oct 1999 09:50:48 -0700
At 02:22 PM 10/25/99 -0400, Michael H. Warfield wrote:
> On Mon, Oct 25, 1999 at 10:44:38AM -0700, Kaptain wrote:
> <snip>
> Even without BO there, with ports 135-139 tcp and udp open to access you have all the security of a tissue in a hurricane.
Assuming the machine is left wide open, say with a blank admin password, yes. About the same as leaving a remote shell (telnet, ssh, whatever) running on a UNIX box with password same as username. Assuming the machine was secured by a non-idiot, no - Christoph is quite wrong. That said, even though a remotely clueful admin running without coffee on 5 hours sleep CAN trivially secure 135-139 (set an admin password - boy THAT was hard, whew, better go get that coffee), it is generally good practice to disallow access to the outside world for any ports that aren't needed by the outside world, just like you would with anything else. There are a few more tweaks that a good admin might add to raise the bar even further, but in general, being current with patches and having a reasonable password on all the accounts will keep the riff-raff out. Speaking of keeping riff-raff out, if you did want to leave 135-139 and friends open, setting RestrictAnonymous = 2 on Win2k will help with that - disallows null sessions completely. Which leads me to Mike's comments...
> Cheers, Christoph Schneeberger SCS Telemedia
> Mike
> </snip>
> How can you disable the public accessibility of the 135-139 windows ports?
> One word: Firewall. Block all access to those ports from anything outside of your site. I think there may also be some filtering code available, but, since I don't use it, I don't know anything about it.
Putting a firewall in front of the machines (or a filtering router will generally do, depending) is ideal, but you do have a few more options than that. There is a port filtering mechanism built in that has very limited functionality, but it is always there, and it will help - go into Control Panel, Network, Protocols, TCP/IP, Properties, Advanced, Security, and in there is a little dialog. Set the TCP column to allow only certain ports, add the ports you want (e.g., 80), do the same for UDP. The last one allows you to control protocols other than ICMP, UDP and TCP. Also note that there is a registry toggle you can set (see regentry.hlp in resource kit) to turn off multicast if you like. Next step up from there is to add RRAS, and use the filters in that, which are somewhat more versatile. If you have Windows 2000, then you can use the IPSec policy to establish port filtering rules in addition to the IPSec policy (which could be left at default). All depends on what your threat scenario is like.
> BTW... For those of you playing with Windows 2000, add port 445 to the list of things that should be blocked from outside contact. You can do the same sorts of things with port 445 that you can with port 135.
This is true, and blocking the Terminal Server ports is also a good idea - I think that's up around 3289 (I know I'm close, but don't recall exactly). TS will often be found running as a remote admin tool on Win2k servers. Yet another port to pay attention to is 2301 - used by the Compaq Insight Manager's web-based admin gizmo. Unpatched versions allow you to do stuff like GET /../../whatever HTTP/1.0\n\n. Patched versions tell anyone who asks all your IP addresses. I prefer to turn the thing off when I find it, but blocking it at the router might be a Good Thing. Note that this thing can turn up on either UNIX or NT systems, so 'whatever' above could be SAM._, or it could be /etc/passwd, so...

David LeBlanc
dleblanc () mindspring com
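The host-side checks David describes (which of 135-139, 445, Terminal Server and 2301 are actually reachable, whether RestrictAnonymous is set, and a local filter so the outside world cannot reach them) can be done from one script on a current Windows box. This is an added example, not code from the thread or from any of its posters; it assumes Windows 8 / Server 2012 or later (the NetTCPIP and NetSecurity modules), an elevated PowerShell session, and uses 3389 for the Terminal Server/RDP port that the reply only approximates. The rule names and the `$Risky*` lists are this example's own.

```powershell
# Added example (not from the original thread): audit and block the ports discussed
# above. Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection, New-NetFirewallRule)
# and an elevated session. Port lists and rule names are this example's own choices.

$RiskyTcpPorts = @(135, 139, 445, 3389, 2301)   # RPC, NetBIOS session, SMB, RDP/TS, Compaq Insight Manager
$RiskyUdpPorts = @(137, 138)                    # NetBIOS name and datagram services

# 1. Which risky TCP ports are listening on a wildcard address, i.e. reachable from
#    every interface rather than only loopback?
$exposedTcp = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in $RiskyTcpPorts -and $_.LocalAddress -in @('0.0.0.0', '::') } |
    ForEach-Object {
        [pscustomobject]@{
            Proto   = 'TCP'
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    }

# UDP has no listen state; any bound endpoint on these ports counts.
$exposedUdp = Get-NetUDPEndpoint |
    Where-Object { $_.LocalPort -in $RiskyUdpPorts } |
    ForEach-Object {
        [pscustomobject]@{
            Proto   = 'UDP'
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    }

"Risky ports currently bound on this host:"
@($exposedTcp) + @($exposedUdp) | Format-Table -AutoSize

# 2. RestrictAnonymous = 2 disallows null sessions completely, as the reply notes.
#    If the value was never set the property is absent, which behaves like 0.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$restrictAnon = if ($null -ne $lsa.RestrictAnonymous) { [int]$lsa.RestrictAnonymous } else { 0 }
"RestrictAnonymous = $restrictAnon" + $(if ($restrictAnon -lt 2) { '  (null sessions still possible)' })

# 3. Block inbound traffic to those ports while the host is on a Public (untrusted)
#    network profile. The firewall's default inbound deny covers everything else;
#    an allow rule scoped to -RemoteAddress LocalSubnet can be added for LAN use.
#    Append -WhatIf to either call to preview without changing anything.
New-NetFirewallRule -DisplayName 'Example: block RPC/NetBIOS/SMB/RDP/CIM inbound (TCP)' `
    -Direction Inbound -Action Block -Profile Public -Protocol TCP `
    -LocalPort ($RiskyTcpPorts | ForEach-Object { "$_" })

New-NetFirewallRule -DisplayName 'Example: block NetBIOS inbound (UDP)' `
    -Direction Inbound -Action Block -Profile Public -Protocol UDP `
    -LocalPort ($RiskyUdpPorts | ForEach-Object { "$_" })
```

The script deliberately reports before it changes anything: the listening-port table shows which process owns each risky port (the service, or something that should not be there), and the RestrictAnonymous check tells you whether null sessions are still possible even with the ports left open. The block rules are tied to the Public profile so that domain or private networks keep their existing allow rules; on a server that should never expose these ports at all, drop the `-Profile Public` qualifier and rely on the upstream router or firewall filter, as both posters recommend.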
Current thread:
- Strange open ports on windows machines Christoph Schneeberger (Oct 21)
- Re: Strange open ports on windows machines Michael H. Warfield (Oct 23)
- Re: Strange open ports on windows machines Kaptain (Oct 25)
- Re: Strange open ports on windows machines Michael H. Warfield (Oct 25)
- Re: Strange open ports on windows machines David LeBlanc (Oct 26)
- whoops David LeBlanc (Oct 27)
- Re: Strange open ports on windows machines Kaptain (Oct 25)
- Re: Strange open ports on windows machines Arnd Vehling (Oct 28)
- Re: Strange open ports on windows machines Michael H. Warfield (Oct 23)
- <Possible follow-ups>
- RE: Strange open ports on windows machines Russ (Oct 25)
- RE: Strange open ports on windows machines Christoph Schneeberger (Oct 25)
- RE: Strange open ports on windows machines Russ (Oct 25)
- Re: Strange open ports on windows machines Randy Witlicki (Oct 25)
- RE: Strange open ports on windows machines Steve McQuade (Oct 26)