Firewall Wizards mailing list archives

Re: Strange open ports on windows machines


From: David LeBlanc <dleblanc () mindspring com>
Date: Tue, 26 Oct 1999 09:50:48 -0700

At 02:22 PM 10/25/99 -0400, Michael H. Warfield wrote:
On Mon, Oct 25, 1999 at 10:44:38AM -0700, Kaptain wrote:
<snip>
   Even without BO there, with ports 135-139 tcp and udp open to
access you have all the security of a tissue in a hurricane.

Assuming the machine is left wide open, say with a blank admin password,
yes.  About the same as leaving a remote shell (telnet, ssh, whatever)
running on a UNIX box with password same as username.

Assuming the machine was secured by a non-idiot, no - Christoph is quite
wrong.  That said, even though a remotely clueful admin running without
coffee on 5 hours sleep CAN trivially secure 135-139 (set an admin password
- boy THAT was hard, whew, better go get that coffee), it is generally good
practice to disallow access to the outside world for any ports that aren't
needed by the outside world, just like you would with anything else.

There are a few more tweaks that a good admin might add to raise the bar
even further, but in general, being current with patches and having a
reasonable password on all the accounts will keep the riff-raff out.
Speaking of keeping riff-raff out, if you did want to leave 135-139 and
friends open, setting RestrictAnonymous = 2 on Win2k will help with that -
disallows null sessions completely.

Which leads me to Mike's comments...

Cheers,
Christoph Schneeberger
SCS Telemedia

   Mike
</snip>


How can you disable the public accessibility of the 135-139 windows ports?

      One word:  Firewall.

      Block all access to those ports from anything outside of your site.

      I think there may also be some filtering code available, but,
since I don't use it, I don't know anything about it.

Putting a firewall in front of the machines (or a filtering router will
generally do, depending) is ideal, but you do have a few more options than
that.  There is a port filtering mechanism built in that has very limited
functionality, but it is always there, and it will help - go into Control
Panel, Network, Protocols, TCP/IP, Properties, Advanced, Security, and in
there is a little dialog.  Set the TCP column to allow only certain ports,
add the ports you want (e.g., 80), do the same for UDP.  The last one
allows you to control protocols other than ICMP, UDP and TCP.  Also note
that there is a registry toggle you can set (see regentry.hlp in resource
kit) to turn off multicast if you like.

Next step up from there is to add RRAS, and use the filters in that, which
are somewhat more versatile.  If you have Windows 2000, then you can use
the IPSec policy to establish port filtering rules in addition to the IPSec
policy (which could be left at default).

All depends on what your threat scenario is like.

      BTW...  For those of you playing with Windows 2000, add port 445
to the list of things that should be blocked from outside contact.  You
can do the same sorts of things with port 445 that you can with port 135.

This is true, and blocking the Terminal Server ports is also a good idea -
I think that's up around 3289 (I know I'm close, but don't recall exactly).
TS will often be found running as a remote admin tool on Win2k servers.

Yet another port to pay attention to is 2301 - used by the Compaq Insight
Manager's web-based admin gizmo.  Unpatched versions allow you to do stuff
like GET /../../whatever HTTP/1.0\n\n.  Patched versions tell anyone who
asks all your IP addresses.  I prefer to turn the thing off when I find it,
but blocking it at the router might be a Good Thing.  Note that this thing
can turn up on either UNIX or NT systems, so 'whatever' above could be
SAM._, or it could be /etc/passwd, so...


David LeBlanc
dleblanc () mindspring com
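As an added example (not code from the post or from anyone in the thread), the following Python script audits `netstat -an` style output for the ports this message says should not be reachable from outside the site (135-139, 445, the Terminal Services port, and 2301 for the Compaq Insight Manager agent), and models the "permit only" lists of the Control Panel TCP/IP filtering dialog to show what would still be exposed after such a filter is set. The netstat lines are constructed; the example assumes 3389 for Terminal Services (the post recalls "around 3289") and treats loopback-bound sockets as not exposed.

```python
"""Added example: audit netstat-style output for the Windows ports the
thread says should not be reachable from outside the site, and model the
'permit only' lists of the Control Panel TCP/IP filtering dialog.
Not code from the original post; the sample input below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Ports discussed in the thread. Assumption: Terminal Services is 3389 and
# the Compaq Insight Manager web agent listens on 2301.
RISKY_PORTS = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB direct hosting (Windows 2000)",
    2301: "Compaq Insight Manager web agent",
    3389: "Terminal Services",
}

# Bind addresses that cannot be reached from off-box.
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")


@dataclass(frozen=True)
class Listener:
    proto: str   # "TCP" or "UDP"
    addr: str    # local bind address exactly as netstat printed it
    port: int


def parse_netstat(text: str) -> List[Listener]:
    """Parse 'netstat -an' style lines into Listener objects.

    TCP entries count only in LISTENING (Windows) or LISTEN (UNIX) state;
    UDP sockets have no state column, so every UDP entry is a listener.
    Header lines and established connections are skipped.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        proto = parts[0].upper()
        if proto == "TCP":
            state = parts[3] if len(parts) > 3 else ""
            if state not in ("LISTENING", "LISTEN"):
                continue
        addr, _, port = parts[1].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for bind addresses only reachable from the machine itself."""
    return addr.startswith(LOOPBACK_PREFIXES)


def exposed(listeners: List[Listener],
            allow_tcp: Optional[Set[int]] = None,
            allow_udp: Optional[Set[int]] = None) -> List[Tuple[str, str, int, str]]:
    """Return risky listeners still reachable from off-box.

    allow_tcp / allow_udp model the TCP/IP filtering dialog: None means
    'permit all' (the default), a set means 'permit only' those ports.
    """
    findings = []
    for l in listeners:
        if l.port not in RISKY_PORTS or is_loopback(l.addr):
            continue
        allowed = allow_tcp if l.proto == "TCP" else allow_udp
        if allowed is not None and l.port not in allowed:
            continue  # the host filter drops it before the service sees it
        findings.append((l.proto, l.addr, l.port, RISKY_PORTS[l.port]))
    return sorted(findings)


# Constructed sample of Windows 'netstat -an' output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3389         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:1041      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

if __name__ == "__main__":
    listeners = parse_netstat(SAMPLE_NETSTAT)
    print("With no host filter:")
    for proto, addr, port, what in exposed(listeners):
        print(f"  {proto} {addr}:{port} exposed: {what}")
    print("With TCP 'permit only 80' and UDP 'permit only (none)':")
    for finding in exposed(listeners, allow_tcp={80}, allow_udp=set()):
        print("  still exposed:", finding)
```

Run against real `netstat -an` output, the script lists the risky services bound to a non-loopback address; the established 139 connection in the sample is not a listener and is deliberately ignored. The filter model only describes the host-side dialog the post mentions; it says nothing about what a router or firewall in front of the machine blocks, which the post recommends as the primary control.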


