Re: Can I block port 135 ?
From: Craig Shrimpton (u.s.e.n.e.t_at_o.s.c.o.m)
Date: 11/01/03
- Next message: nemo: "Re: Ligths lit up on Netgear firewall router"
- Previous message: Barry: "Re: Kerio's rule set keeps disappearing! Attn: Sponge"
- Next in thread: Bill Matherly Jr: "Re: Can I block port 135 ?"
- Reply: Bill Matherly Jr: "Re: Can I block port 135 ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 01 Nov 2003 20:18:21 GMT
Fox wrote:
> Can anyone tell me if there is any reason
> to have port 135 open?
>
Fox,
Port 135 is the DCE endpoint mapper, i.e. Microsoft RPC. It is a service
that tells connecting clients which port they should use for communication
to a specific service. For example: When an Outlook client connects to an
Exchange server, the client queries the endpoint mapper for the Exchange IS
and DS ports. Since Exchange runs those services on dynamically allocated
ports, the client has no way of knowing what they are in advance. It's the
portmapper's job to resolve that situation. Note that this is true even if
Exchange is configured to use static ports. The Microsoft RPC service is
similar to the UNIX portmapper service, except that Microsoft's RPC can use
named pipes.
Port 135, whether MS or UNIX, should never be open to the public Internet.
The danger of this is illustrated by the recent spate of security problems
with Microsoft's portmapper service. These flaws have led to several
recent exploits like msblaster. Those hits you see on your firewall are
probably blaster or other similar attacks.
It's interesting to note that simply blocking 135 at the firewall is
insufficient to prevent a security breach. A recent outbreak at one of our
clients was due to a remote user connecting to the Internet via cable,
getting the blaster worm and then connecting to the corporate LAN via VPN.
You must also diligently patch all servers and clients to ensure they have
the "latest and greatest" RPC code.
Also, keep in mind that MS relies on the DCE portmapper to remotely manage
some services like DHCP, WINS and DNS, not to mention AD itself. If you
completely shut it down, those services and others that rely on dynamically
allocated ports will fail.
Cheers,
-CS