Re: Securing a server under Windows 2000

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 11/15/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Fri, 15 Nov 2002 13:42:00 -0500

You've got two issues here. Services running on your machine that are
listening on certain ports [e.g. the "before" snapshot], and programs on
your computer like Internet Explorer sending out communications on certain
ports [e.g. the "after" snapshot below].

The best way to quickly close both of these is with some sort of packet
filtering, ideally a firewall. Firewall software like www.sygate.com is
free for non-commercial use, and there are others.

You can if you wish also stop the running services, mostly controllable in
Computer Management, Services. Inetinfo.exe is generally your IIS services.
TCP 512 is a concern... it's listed as being "exec - Remote Process
Execution." I'm guessing this is like REXEC and may allow remote command
execution on your computer. Not something you usually see on a system and I
have to wonder how it got there. Sounds like possible hacking, unless an
administrator put it there. I don't think it's secure so it's not a good
idea to use it. By default I think there are no passwords and no
restrictions on its use.

135-139 and 445 are NetBIOS / Windows networking / LDAP. You can disable
NetBIOS over TCP/IP in your network card properties in Control Panel, though
it's required if you have any pre-Windows 2000 computers on your network.
To get rid of 445 I think you'd need to unbind / disable / uncheck the
Client for Microsoft Networks in the same place.

The other ports around 1000 are RPC connections on randomly chosen ports.
There is a registry setting to control which port RPC uses. Look for the
services in Control Panel, Services named Remote Procedure Call and disable
them.

However, you should really consider a firewall. There are other things you
should also consider doing to secure the machine, this is not everything.
Also, if the REXEC service was accessed by a hacker or is running on your
computer because it was installed by a hacker, there's no way to know for
sure what the hacker did to your computer or how to secure it again. For
more information, other firewalls, some things you can try to do to look for
evidence of hacking, etc, see:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden
http://securityadmin.info/faq.htm#firewall

"JBoss Dude" <jbossdude@yahoo.com> wrote in message
news:d472e77c.0211151019.2be8fd35@posting.google.com...
> Hi,
>
> how could I close all ports below 1024. I have a machine based on a W2K
> box, exclusively serving static content.
>
> these are the open ports in my machine. Just after booting it up.
>
>
> ...>Fport
> FPort v2.0 - TCP/IP Process to Port Mapper
> Copyright 2000 by Foundstone, Inc.
> http://www.foundstone.com
>
> Pid Process Port Proto Path
> 364 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
> 8 System -> 445 TCP
> 480 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
> 512 inetinfo -> 1026 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
>
> 8 System -> 445 UDP
>
>
> ...>netstat -an
>
> Active Connections
>
> Proto Local Address Foreign Address State
> TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
> UDP 0.0.0.0:445 *:*
>
>
> and these are the open ports in my machine after connecting to the internet.
>
> ...>Fport
> FPort v2.0 - TCP/IP Process to Port Mapper
> Copyright 2000 by Foundstone, Inc.
> http://www.foundstone.com
>
> Pid Process Port Proto Path
> 364 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
> 8 System -> 139 TCP
> 8 System -> 445 TCP
> 480 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
> 512 inetinfo -> 1026 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
>
> 8 System -> 137 UDP
> 8 System -> 138 UDP
> 8 System -> 445 UDP
>
>
> ...>netstat -an
>
> Active Connections
>
> Proto Local Address Foreign Address State
> TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
> TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
> TCP XXX.XXX.XXX.XXX:139 0.0.0.0:0 LISTENING
> UDP 0.0.0.0:445 *:*
> UDP XXX.XXX.XXX.XXX:137 *:*
> UDP XXX.XXX.XXX.XXX:138 *:*
>
> where XXX.XXX.XXX.XXX is my IP address.
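The two snapshots above are what the advice in this thread is based on: compare "before" with "after", see which listeners appeared once the interface came up, and map each listening port to its owning process so you know which service to stop or filter. The script below is an added example, not code from Karl Levinson or the original poster; it parses the `netstat -an` and Fport output formats shown in the post and reports, for the "after" snapshot, which ports are bound on all interfaces, which are privileged (below 1024), which process owns each one, and which listeners are new compared with the "before" snapshot. The sample input is constructed from the thread (192.0.2.10 stands in for the poster's redacted XXX.XXX.XXX.XXX address), and the allowlist of expected listeners (TCP 80 for a static web server) is an assumption for illustration.

```python
"""Parse Windows `netstat -an` and Foundstone Fport output, then report exposed listeners.

Added example (not from the original thread). Sample inputs below are constructed
from the snapshots in the post; 192.0.2.10 is a stand-in for the redacted address.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

PortKey = Tuple[str, int]  # (proto, port)


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int


class Owner(NamedTuple):
    pid: int
    process: str
    path: Optional[str]


# Services behind the low ports seen in the snapshots (well-known assignments).
WELL_KNOWN: Dict[PortKey, str] = {
    ("TCP", 135): "RPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service (SMB over NetBIOS)",
    ("TCP", 445): "SMB direct over TCP",
    ("UDP", 445): "SMB direct over UDP",
}

# netstat -an: "TCP  0.0.0.0:135  0.0.0.0:0  LISTENING"  /  "UDP  0.0.0.0:445  *:*"
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")
# Fport v2.0: "364  svchost  ->  135  TCP  C:\WINNT\system32\svchost.exe"
FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)(?:\s+(\S.*))?$")


def parse_netstat(text: str) -> List[Listener]:
    """Return bound sockets: TCP only in LISTENING state, UDP sockets unconditionally."""
    found = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # headers, blank lines, established connections with odd layout
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED/TIME_WAIT etc. are not exposed services
        found.append(Listener(proto, addr, int(port)))
    return found


def parse_fport(text: str) -> Dict[PortKey, Owner]:
    """Map (proto, port) to the process Fport says owns it."""
    owners: Dict[PortKey, Owner] = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if not m:
            continue
        pid, process, port, proto, path = m.groups()
        owners[(proto, int(port))] = Owner(int(pid), process, path.strip() if path else None)
    return owners


def exposure_report(netstat_text: str, fport_text: str) -> List[dict]:
    """One row per bound socket: where it is bound, whether privileged, service, owner."""
    owners = parse_fport(fport_text)
    rows = []
    for lst in parse_netstat(netstat_text):
        owner = owners.get((lst.proto, lst.port))
        rows.append({
            "proto": lst.proto,
            "port": lst.port,
            # 0.0.0.0 means every interface, including the Internet-facing one.
            "bound_to": "all interfaces" if lst.addr == "0.0.0.0" else lst.addr,
            "privileged": lst.port < 1024,
            "service": WELL_KNOWN.get((lst.proto, lst.port), "dynamic port (see owner)"),
            "owner": f"{owner.process} (pid {owner.pid})" if owner else "unknown",
        })
    return rows


def new_listeners(before_text: str, after_text: str) -> Set[PortKey]:
    """Sockets present in the 'after' snapshot that were absent in 'before'."""
    before = {(l.proto, l.port) for l in parse_netstat(before_text)}
    after = {(l.proto, l.port) for l in parse_netstat(after_text)}
    return after - before


def unexpected_listeners(rows: List[dict], allowed: Set[PortKey]) -> List[dict]:
    """Everything bound that is not on the allowlist of services you meant to run."""
    return [r for r in rows if (r["proto"], r["port"]) not in allowed]


# Constructed sample input, transcribed from the thread's snapshots.
NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

NETSTAT_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

FPORT_AFTER = """\
Pid   Process            Port  Proto Path
364   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
480   MSTask         ->  1025  TCP   C:\\WINNT\\system32\\MSTask.exe
512   inetinfo       ->  1026  TCP   C:\\WINNT\\System32\\inetsrv\\inetinfo.exe
8     System         ->  137   UDP
8     System         ->  138   UDP
8     System         ->  445   UDP
"""

# Assumed allowlist: a static-content web server should expose only TCP 80.
ALLOWED: Set[PortKey] = {("TCP", 80)}

if __name__ == "__main__":
    print("New after connecting:", sorted(new_listeners(NETSTAT_BEFORE, NETSTAT_AFTER)))
    for row in unexpected_listeners(exposure_report(NETSTAT_AFTER, FPORT_AFTER), ALLOWED):
        flag = "PRIV" if row["privileged"] else "    "
        print(f"{flag} {row['proto']}/{row['port']:<5} {row['bound_to']:<15} "
              f"{row['owner']:<22} {row['service']}")
```

Running it against the constructed input shows exactly what the thread describes: the NetBIOS trio (TCP 139, UDP 137/138) appears only once the interface is up, everything except 139/137/138 is bound to 0.0.0.0 and therefore reachable from the Internet side, the two ports above 1024 resolve to MSTask and inetinfo rather than to anything well-known, and with a TCP-80-only allowlist every one of the eight sockets is flagged as something to stop or filter.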


