Firewall Wizards mailing list archives

RE: Help Required


From: Don Tuer <Don_Tuer () dtaadv on ca>
Date: Tue, 16 Jan 2001 18:03:38 -0500

Hi Ben/Sim:

        Thanks for the notes. I've identified the following ports:


Port 6666 - Windows Media Unicast Service -
                Provides Windows Media streaming content on-demand to
                networked clients

Port 7007 - Windows Media Station Service -
                Provides multicasting and distribution services for
                streaming Windows Media content

Port 7778 - Windows Media Monitor Service -
                Provides services to monitor client and server connections
                to the Windows Media services

I am still fighting with some of the other ones but don't think they are
from a hack.

Thanks for the tip about Stefan Norberg's book, looks quite good. Will add
it to my reading list...

Thanks

Don

-----Original Message-----
From: Ben Nagy [mailto:ben.nagy () marconi com au]
Sent: Tuesday, January 16, 2001 6:22 PM
To: Don Tuer; Firewall Wizards
Subject: RE: [fw-wiz] Help Required


-----Original Message-----
From: sim [mailto:simeonuj () eetc com]
Sent: Wednesday, 17 January 2001 1:31 
To: Don Tuer; Firewall Wizards
Subject: Re: [fw-wiz] Help Required


A few more comments inline...

From: Don Tuer <Don_Tuer () dtaadv on ca>
Date: Sat, 13 Jan 2001 17:07:53 -0500
To: "'firewall-wizards () nfr net'" <firewall-wizards () nfr net>
Subject: [fw-wiz] Help Required

Hello:

I just ran nmap on my web server and received the following, rather
disturbing picture. I'm quite surprised about the netbios stuff as I have
unbound the Microsoft client and server from the nic facing the net. Any
help on what these other ports could be would be appreciated.

Thanks

Don

First - have you run a few different nmap scans? In particular, run the UDP
scan - you might well turn up 137,138 udp. It doesn't look like your NetBIOS
stuff is completely unbound. On the plus side, there are a couple of the nmap
scans which are listed in the docco as being prone to produce false
positives. Make sure you're not getting any of those - try running netstat
and / or inzider on the server and reconcile the outputs.

Secondly, have you worked through one of the web server hardening docs?
They're quite good.[1]

More further down...


NMAP output

Port       State       Service
25/tcp     open        smtp
Simple Mail Transfer Protocol

Is this expected? I think you can disable the crazy SMTP listener in IIS,
can't you?

53/tcp     open        domain
This port is used for DNS.
80/tcp     open        http
Web
119/tcp    open        nntp
Network News Transfer Protocol.

Again - is this expected? NNTP is abnormal for a webserver.

135/tcp    open        loc-srv

You won't get rid of this - it's the RPC endpoint mapper.

139/tcp    open        netbios-ssn

This is a bad sign.

389/tcp    open        ldap
Lightweight Directory Access Protocol

Again - presumably this is because it's a Win2K box? If you unbind all the
M$ networking stuff and remove the Server and Workstation service it should
go away.

563/tcp    open        snews
NNTP over SSL.  Secure News.
1002/tcp   open        unknown
1058/tcp   open        nim

1002 is a worry. Normally the random fluff ports are between 1024 and maybe
1100 depending on workload etc. 1058 may well be random fluff. Restart and
scan again - see if it's still there.

1723/tcp   open        pptp
[sim]
PPTP is Microsoft's VPN protocol.  Supposedly it is a security risk on a
Microsoft machine acting as a server.  I am not sure about this but
something about the way they implement it, NOT the protocol itself, has some
problems.  Don't quote me on this:-)

The protocol has problems. The implementation has more problems before they
fixed it. It's still dependent on strong passwords for key entropy, AFAIK,
which is a Bad Thing crypto-wise. I don't lose _too_ much sleep over PPTP
with the 128-bit patch, but it's definitely worth looking at your password
strength.

3005/tcp   open        deslogin
6666/tcp   open        irc-serv
[sim]
This looks like an IRC server.  As far as I know IRC is rather insecure.

Are you running Backup Exec on this server? I've seen it use 6666 before -
gave me a nasty fright.

7007/tcp   open        afs3-bos

No idea. netstat and inzider might tell you, or you can start killing
services one by one until it goes away.

In summary, it looks to me like your main problems are IIS configuration
issues (NNTP and SMTP listeners) and M$ networking guff.

Cheers,

[1] Random reference: Stefan Norberg did some good stuff for NT4, and has an
ORA book out for 2k (which it looks like you're using). I have a methodology
somewhere but it's mainly for firewalls and may be too pared-down for a WWW
box. Or just webgrep for 'hardening NT'.
--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
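Ben's advice above is to run netstat (or inzider) on the box and reconcile it against the nmap output: a port that nmap reports but the host does not list is a candidate false positive (or transient "fluff"), a port the host lists but the scan missed is something to re-scan (e.g. with a UDP scan), and anything confirmed on both sides that is not on the server's allow-list is a real finding. The script below is an added example of that reconciliation, not code from anyone in this thread. The nmap lines are the ones quoted in the thread; the netstat listing, the IP addresses in it, the EXPECTED allow-list and the KNOWN_LOCAL labels are constructed assumptions for the example (the labels come from Don's later identification of 6666/7007/7778 as Windows Media services).

```python
import re

# Constructed sample: the nmap output quoted in the thread, as nmap printed it.
NMAP_OUTPUT = """\
Port       State       Service
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
119/tcp    open        nntp
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
389/tcp    open        ldap
563/tcp    open        snews
1002/tcp   open        unknown
1058/tcp   open        nim
1723/tcp   open        pptp
3005/tcp   open        deslogin
6666/tcp   open        irc-serv
7007/tcp   open        afs3-bos
"""

# Constructed sample of what `netstat -an` on the server itself might show
# (Windows-style columns: Proto, Local Address, Foreign Address, State).
# Addresses are documentation ranges, not real hosts.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:119            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:563            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3005           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7007           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7778           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:40212     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumption: what this web server is meant to expose to the Internet.
EXPECTED = {80: "http", 53: "domain"}

# Labels for ports the thread later explains as Windows Media services.
KNOWN_LOCAL = {6666: "Windows Media Unicast", 7007: "Windows Media Station",
               7778: "Windows Media Monitor"}

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?")


def parse_nmap(text):
    """Return {(proto, port): service} for every port nmap reports as open."""
    found = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line)
        if m and m.group(3) == "open":
            found[(m.group(2), int(m.group(1)))] = m.group(4)
    return found


def parse_netstat(text):
    """Return the set of (proto, port) sockets the host itself says are listening.
    UDP lines carry no state column, so every UDP socket counts as a listener."""
    listening = set()
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1).lower(), int(m.group(2)), m.group(3)
        if proto == "udp" or state == "LISTENING":
            listening.add((proto, port))
    return listening


def reconcile(nmap_ports, netstat_ports, expected, known_local):
    """Classify each port the way the thread suggests:
      confirmed_unexpected: open from outside AND listening locally, not on the allow-list
      unconfirmed_by_host:  nmap reports it but netstat does not (false positive or fluff; re-scan)
      local_only:           host listens but the scan did not see it (e.g. run a UDP scan)"""
    report = {"confirmed_unexpected": [], "unconfirmed_by_host": [], "local_only": []}
    for (proto, port), service in sorted(nmap_ports.items()):
        if (proto, port) not in netstat_ports:
            report["unconfirmed_by_host"].append((port, service))
        elif port not in expected:
            report["confirmed_unexpected"].append((port, known_local.get(port, service)))
    for proto, port in sorted(netstat_ports - set(nmap_ports)):
        report["local_only"].append((proto, port))
    return report


if __name__ == "__main__":
    result = reconcile(parse_nmap(NMAP_OUTPUT), parse_netstat(NETSTAT_OUTPUT),
                       EXPECTED, KNOWN_LOCAL)
    for category, entries in result.items():
        print(category)
        for entry in entries:
            print("   ", entry)
```

With the constructed inputs, 1002 and 1058 land in unconfirmed_by_host (the host never listed them, matching Ben's "restart and scan again"), 7778/tcp and 137/udp land in local_only (the TCP-only scan could not see them, which is why Ben asks for a UDP scan), and everything else except 53 and 80 is a confirmed finding to explain or remove.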

