Penetration Testing mailing list archives

Re: [PEN-TEST] Closing Port 139


From: Rebecca Kastl <rkastl () NEOHAPSIS COM>
Date: Thu, 12 Oct 2000 15:20:00 -0500

As far as closing port 139, I have tested this extensively, and there is
really no way to do it so that it no longer shows up on a port scan.

Steps to take:

Unbind WINS/NBF from the interface
Shut down:
 * Server
 * Workstation

You can implement TCP/IP port filtering, but as someone else pointed out,
this isn't as foolproof as MS would have you believe.

Even after all of these steps have been taken, a port scan will still show
NetBIOS services as listening.  The reality is that the services aren't
listening on the interface in question.  Connection requests to that
interface will be refused/dropped.

I went one step further and attempted to remove the NetBIOS service with
the goal being to make the system a pure IP-only host (a la UNIX), but in
doing so, the system went and removed networking entirely (including
protocols, and adapter drivers/configurations), forcing me to reinstall
networking from scratch.

If you don't want someone to know that the machine is a MS box, put it
behind a firewall -- don't rely on (or expect) MS products to provide the
level of security that you require.


--Rebecca Kastl

