Penetration Testing mailing list archives

Re: [PEN-TEST] Closing Port 139


From: Erik Birkholz <erik.birkholz () FOUNDSTONE COM>
Date: Fri, 13 Oct 2000 11:58:44 -0700

Quote from Frank Dimina
I think people are stating that the NT TCP filtering "gets funny" because
they are expecting a stateful type of filter, remember this is not a
firewall, it's a router style of blocking all packets on a port.

I have never experienced a problem or unexpected result with the NT TCP
packet filtering.

Frank is right on NT 4.0, but Win2K is different.  I just did some testing
and have some more info to add:

NT 4.0 TCP/IP filtering is not stateful and does not recognize established
connections.  With that said, if you block all inbound TCP ports except 80
(situation originally described by Kasey Speakman in post) and block all UDP
ports you will lose DNS resolution and the ability to establish a full TCP
connection (FTP, Telnet, etc.).
Win 2K TCP/IP filtering, however, is stateful and will allow established
connections.  This means you will be able to establish a full TCP
connection, but you will still lose the ability to resolve host names if you
block UDP (stateless protocol).

* Erik Pace Birkholz, CISSP
* Principal Consultant
* erik.birkholz () foundstone com
* 949/450-5980
* www.foundstone.com
* Terminal Server: The Day of Reckoning
* http://www.foundstone.com/cgi-bin/display.cgi?Content_ID=198
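An added illustration of the difference Erik describes (example code written for this archive page, not something from the original post): a small Python model of a stateless per-packet filter versus one that admits replies to TCP connections the host itself opened, run over a constructed trace of a DNS lookup and an outbound FTP control connection, with the "allow only TCP 80, block all UDP" policy from the thread. The packet fields, class names and the trace are assumptions made for the model, not Windows internals.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    inbound: bool    # True if the packet arrives at the filtered host
    src_port: int
    dst_port: int
    syn: bool = False

class StatelessFilter:
    """Models NT 4.0 TCP/IP filtering: each inbound packet is judged on its own."""
    def __init__(self, allowed_tcp, allow_udp=False):
        self.allowed_tcp, self.allow_udp = set(allowed_tcp), allow_udp
    def permit(self, p):
        if not p.inbound:
            return True
        if p.proto == "udp":
            return self.allow_udp
        return p.dst_port in self.allowed_tcp

class StatefulFilter(StatelessFilter):
    """Models Win2K TCP/IP filtering as described in the post: TCP replies to connections
    this host opened are admitted; UDP has no connection to track, so it is still dropped."""
    def __init__(self, allowed_tcp, allow_udp=False):
        super().__init__(allowed_tcp, allow_udp)
        self.opened = set()   # (local_port, remote_port) of outbound SYNs seen

    def permit(self, p):
        if not p.inbound:
            if p.proto == "tcp" and p.syn:
                self.opened.add((p.src_port, p.dst_port))
            return True
        if p.proto == "tcp" and (p.dst_port, p.src_port) in self.opened:
            return True
        return super().permit(p)

# Constructed trace: a DNS query over UDP/53 and its reply, then an outbound FTP control
# connection (SYN to port 21) and the server's SYN-ACK coming back.
TRACE = [
    Packet("udp", False, 1025, 53),
    Packet("udp", True, 53, 1025),
    Packet("tcp", False, 1026, 21, syn=True),
    Packet("tcp", True, 21, 1026, syn=True),
]

def admitted_inbound(filt, trace=TRACE):
    """Feed the trace through the filter; return (proto, remote_port) of inbound packets passed."""
    return [(p.proto, p.src_port) for p in trace if filt.permit(p) and p.inbound]
```

With only TCP 80 allowed and UDP blocked, the stateless model drops both the DNS reply and the FTP SYN-ACK, while the stateful model lets the SYN-ACK through but still loses the DNS reply.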
