Re: [Full-Disclosure] Why does a home computer user need DCOM?
From: Jean-Baptiste Marchand (Jean-Baptiste.Marchand_at_hsc.fr)
Date: 09/11/03
- Previous message: Andry_Christian/JKT/INDOFOOD_at_indofood.co.id: "[Full-Disclosure] Break Administrator/Share Folder in Windows 2000/XP/NT (Need Tips & Trick)"
- In reply to: *Hobbit*: "Re: [Full-Disclosure] Why does a home computer user need DCOM?"
- Next in thread: Stephen Perciballi: "Re: [Full-Disclosure] Why does a home computer user need DCOM?"
- Reply: Stephen Perciballi: "Re: [Full-Disclosure] Why does a home computer user need DCOM?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: full-disclosure@lists.netsys.com Date: Thu, 11 Sep 2003 11:15:05 +0200
* *Hobbit* <hobbit@avian.org> [10/09/03 - 13:31]:
> Once again, I wouldn't mind a way to turn off *ALL* the RPC stuff,
> including the RPC service itself, without paying the price of having
> almost everything I do afterward just sit there and stupidly wait for it
> to respond. A box with it disabled *will* run, just barely, it'll just
> be sluggish as hell.
It is not really possible to disable the rpcss service (a.k.a _Remote
Procedure Call (RPC)), probably because a Windows NT system heavily uses
Local Procedure Calls (ncalrpc transport), which happen to be handled by
the rpcss service.
To close port 135 (tcp and udp), used among other things by the MSRPC
endoint mapper, you have to minimize Windows services, i.e stop all
services that register RPC services.
> Or at the very least a way to run it so it doesn't listen on a socket
> bound to *. How 'bout localhost-only, or the equivalent of unix-domain
> pipes, or *something* to keep it insulated from the network??
It is possible to bind RPC services to a specific network interface, for
example the loopback interface (127.0.0.1). This technique works on
Windows 2000 but not for all RPC services (however, it works for port
135).
For more information, see the _RPC Services_ of our _Minimizing Windows
network services_ paper:
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
> How 'bout the same for SMB/tcp 445?
Port 445 is opened by the NetBT driver (thus in kernel-mode) and is
always bound to 0.0.0.0 because it was designed as a global device:
http://www.hsc.fr/ressources/presentations/sambaxp2003/slide4.html
If you don't need SMB/CIFS at all, the easiest way to close port 445
(tcp and udp) is to disable the NetBT driver. You can also set the
SmbDeviceEnabled registry value to 0. This is also described in our
minimization paper (_CIFS over TCP_ section).
PS: thanks for netcat and your _CIFS: Common Insecurities Fail Scrutiny_
paper!
Jean-Baptiste Marchand
-- Jean-Baptiste.Marchand@hsc.fr HSC - http://www.hsc.fr/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Andry_Christian/JKT/INDOFOOD_at_indofood.co.id: "[Full-Disclosure] Break Administrator/Share Folder in Windows 2000/XP/NT (Need Tips & Trick)"
- In reply to: *Hobbit*: "Re: [Full-Disclosure] Why does a home computer user need DCOM?"
- Next in thread: Stephen Perciballi: "Re: [Full-Disclosure] Why does a home computer user need DCOM?"
- Reply: Stephen Perciballi: "Re: [Full-Disclosure] Why does a home computer user need DCOM?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
