scan of domain logon reveals unknown port

From: Dan Larsen (drlarsen77_at_hotmail.com)
Date: 08/16/03

To: <focus-ms@securityfocus.com>
Date: Fri, 15 Aug 2003 15:22:29 -0700

    Hello,

    After having one of my fully patched Win2k/IIS5 web servers hacked, I had
    decided to enable Routing and Remote Access restricting only traffic to
    ports I determined were necessary.

    After spending much time researching, I configured Routing and Remote Access
    only to find that when logging in using my Domain Administrator account, I
    was now greeted with a lengthy (approx 15 minute) delay at the "Loading your
    personal settings" window.

    Rechecking my settings revealed no missed entries, so I decided to install
    Ethereal to find out exactly what was going on. Interestingly enough, I
    discovered that during the logon process there was some TCP communication
    between the Win2k DC / DNS server and the IIS web server on port 1026.

    I enabled incoming and outgoing traffic for all packets originating from, or
    going to, port 1026 and my login delay is gone. However, I wasn't able to
    find anything anywhere explaining what this communication on port 1026 is
    for. Also, I would have expected it to be below the 1024 range.

    Can anybody shed some light on what is going on here? I'd like to move ahead
    and lock down all my servers in a similar fashion, however I'd like to know
    what port 1026 is and if I can rely on that traffic always being on the same
    port. If not, I'm hoping to find out how I can configure Routing and Remote
    Access to allow proper communication with the DC.

    Below is a list of the ports I have opened and what I believe their function
    is. I have configured the routing for all traffic to/from the ports listed.

    Thanks for any help you can provide.

    Regards,
    Dan

    21 TCP FTP
    25 TCP SMTP
    53 TCP UDP DNS
    80 TCP HTTP
    88 TCP UDP Kerberos Secure Authentication
    135 TCP MS Networking
    137 UDP MS Networking
    138 UDP MS Networking
    139 TCP MS Networking
    389 TCP LDAP
    443 TCP SSL
    445 TCP NetBIOS over TCP/IP
    464 TCP UDP Kerberos Password
    3268 TCP MS Global Catalog
    3269 TCP MS Global Catalog w/ LDAP/SSL
    3389 TCP RDP
    1026 TCP Unknown?
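The check Dan did by hand with Ethereal (compare what is actually on the wire with the ports opened in Routing and Remote Access) is easy to automate, and automating it is what you want before locking down further servers. The following is an added example, not code from the original post: it takes the allow-list above, runs a set of constructed sample flows through it (no real capture; the addresses and the port 1026 connection are made up to mirror the post), and flags anything the list does not cover. Ports at or above 1024 that fall outside the list are labelled as dynamic-range ports, because on Windows 2000 the RPC endpoint mapper on TCP 135 hands such ports out at runtime, which is the reason one should not assume a number like 1026 stays constant.

```python
"""Audit observed TCP/UDP flows against a firewall port allow-list.

Added example; the flows below are constructed sample data, not a capture.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Allow-list transcribed from the post: (port, protocol) -> purpose.
# 1026 is deliberately left out so the audit has to find it.
ALLOWED: Dict[Tuple[int, str], str] = {
    (21, "tcp"): "FTP",
    (25, "tcp"): "SMTP",
    (53, "tcp"): "DNS", (53, "udp"): "DNS",
    (80, "tcp"): "HTTP",
    (88, "tcp"): "Kerberos", (88, "udp"): "Kerberos",
    (135, "tcp"): "RPC endpoint mapper",
    (137, "udp"): "NetBIOS name", (138, "udp"): "NetBIOS datagram",
    (139, "tcp"): "NetBIOS session",
    (389, "tcp"): "LDAP",
    (443, "tcp"): "HTTPS",
    (445, "tcp"): "SMB over TCP/IP",
    (464, "tcp"): "Kerberos password", (464, "udp"): "Kerberos password",
    (3268, "tcp"): "Global Catalog", (3269, "tcp"): "Global Catalog over SSL",
    (3389, "tcp"): "RDP",
}

DYNAMIC_PORT_START = 1024  # Win2k allocates RPC/ephemeral ports from here up


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Finding:
    flow: Flow
    service_port: int  # the end we judged to be the listening service
    status: str        # "allowed" or "unexpected"
    note: str


def classify(flow: Flow, allowed=ALLOWED) -> Finding:
    """Decide which end is the service and whether the allow-list covers it."""
    proto = flow.proto.lower()
    if (flow.dport, proto) in allowed:                  # request to a known service
        return Finding(flow, flow.dport, "allowed", allowed[(flow.dport, proto)])
    if (flow.sport, proto) in allowed:                  # reply from a known service
        return Finding(flow, flow.sport, "allowed",
                       "reply from " + allowed[(flow.sport, proto)])
    # Neither end is listed: take the lower port as the service side.
    port = min(flow.sport, flow.dport)
    if port >= DYNAMIC_PORT_START:
        note = ("dynamic-range port: on Win2k these are assigned at runtime via "
                "the RPC endpoint mapper (TCP 135) and may change after a reboot")
    else:
        note = "well-known port not on the allow-list"
    return Finding(flow, port, "unexpected", note)


def audit(flows: List[Flow], allowed=ALLOWED) -> List[Finding]:
    return [classify(f, allowed) for f in flows]


def unexpected(flows: List[Flow], allowed=ALLOWED) -> List[Finding]:
    return [f for f in audit(flows, allowed) if f.status == "unexpected"]


def summarize(flows: List[Flow], allowed=ALLOWED) -> Dict[int, int]:
    """Count unexpected flows per service port, for a quick firewall review."""
    counts: Dict[int, int] = {}
    for f in unexpected(flows, allowed):
        counts[f.service_port] = counts.get(f.service_port, 0) + 1
    return counts


# Constructed sample: a DC, the IIS box, and one outside client (RFC 5737 ranges).
DC, IIS, OUTSIDE = "192.0.2.5", "192.0.2.10", "198.51.100.7"
SAMPLE_FLOWS = [
    Flow(IIS, 1088, DC, 88, "tcp"),       # Kerberos during logon
    Flow(IIS, 1089, DC, 389, "tcp"),      # LDAP lookup
    Flow(IIS, 1090, DC, 135, "tcp"),      # endpoint mapper query
    Flow(IIS, 1091, DC, 1026, "tcp"),     # the unlisted connection from the post
    Flow(DC, 1026, IIS, 1091, "tcp"),     # its reply direction
    Flow(OUTSIDE, 40000, IIS, 80, "tcp"), # ordinary web hit
    Flow(OUTSIDE, 40001, IIS, 23, "tcp"), # something nobody opened on purpose
]

if __name__ == "__main__":
    for finding in unexpected(SAMPLE_FLOWS):
        fl = finding.flow
        print(f"{fl.proto} {fl.src}:{fl.sport} -> {fl.dst}:{fl.dport} "
              f"[port {finding.service_port}] {finding.note}")
    print("unexpected ports:", summarize(SAMPLE_FLOWS))
```

Feed it real flows by converting an Ethereal/tcpdump export into `Flow` records; anything reported as a dynamic-range port between the DC and the member server is RPC traffic that was brokered through port 135, which is the category the post's port 1026 falls into, and the fix is to handle that range as a class rather than to whitelist whichever number happened to be assigned that day.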

