Re: closing port 445

From: Duane Arnold (notme_at_notme.com)
Date: 05/06/04


Date: Thu, 06 May 2004 20:36:10 GMT

Jason Wade <savon1414_050404+gb@earthlink.net> wrote in
news:pan.2004.05.06.19.36.29.78303.3155@earthlink.net:

> On Thu, 06 May 2004 12:06:55 -0500, TJ Campana [MSFT] wrote:
>
>> So basically you want to disable RPC on your PC? Why?
>
> To protect against current and future rpc exploits.
>
>> There are many
>> items that use RPC, like Outlook when connecting to an Exchange Server,
>> Netlogon, AD Replication and management, etc. In short, stopping RPC is
>> a bad idea and you actually will not be able to do it on 2000 or XP from
>> the Services Manager.
>>
>> RPC can use the End Point Mapper Port 135, or Named Pipes Ports 139 or
>> 445 so if your intention is to block RPC then you will have to block all
>> those ports.
>
> But viruses are sometimes very specific. For example, sasser only
> goes in through 445.
>
>>
>> I would suggest that you use other methods to secure your environment
>> other than disabling important services that many applications rely on.
>> Enable a firewall on the network to protect you from outside
>> penetration.
>
> done
>
>> Patch all systems with the latest Critical Updates using
>> Windows Update or Microsoft Software Update Service (both FREE),
>
> done
>
>> and if
>> computer to computer security is important enable IPSec traffic
>> filtering between your systems.
>>
>> How to Block Specific Network Protocols and Ports by Using IPSec
>> http://support.microsoft.com/?id=813878
>>
>> T.J. Campana [MSFT]
>> Microsoft EPS Security
>
> Just in case I did the patch wrong, and the fw goes down
> I want the system to be safe. Somebody here said, "paranoia comes
> from experience and is not necessarily a bad thing."
>
> I see that several services use port 445 in winxp: rpc locator,
> netbios over tcp/ip, and others.
>
> What if I disable the rpc locator in the services manager and
> disable netbios over tcp/ip for the internet connection?
>
> Port 445 would still be open, but maybe the exploit that
> sasser uses would be closed.
>
> IOW, I'm asking what subservice of port 445 does sasser exploit
> that I can safely disable?
>

IMHO, I think you're going off the deep end with this. :)

You can supplement the whole nine yards with IPsec and set a rule for
port 445 and block on inbound and outbound and forget about it. It's hard
to take down IPsec.

Duane :)
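
The IPsec block rule for port 445 suggested in the reply above, written out as an added example that is not part of the original post. It assumes a Windows version that has the `netsh ipsec static` context (Windows Server 2003 and later; on Windows XP the Support Tools utility `ipseccmd.exe` does the same job with different syntax), and every policy, filter list, action and rule name in it is made up for illustration.

```batch
@echo off
rem Added example: block TCP 445 in both directions with a local IPsec policy.
rem Names such as Block-445, 445-in, 445-out and drop are hypothetical.
rem Run from an administrator command prompt.

set POLICY=Block-445

rem 1. Create an empty policy to hold the rules.
netsh ipsec static add policy name="%POLICY%" description="Drop TCP 445 in and out"

rem 2. Inbound filter: any address -> this host, destination port 445.
rem    mirrored=no keeps the filter one-way so each direction is explicit.
netsh ipsec static add filterlist name="445-in"
netsh ipsec static add filter filterlist="445-in" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=445 mirrored=no description="inbound 445"

rem 3. Outbound filter: this host -> any address, destination port 445.
netsh ipsec static add filterlist name="445-out"
netsh ipsec static add filter filterlist="445-out" srcaddr=me dstaddr=any protocol=tcp srcport=0 dstport=445 mirrored=no description="outbound 445"

rem 4. A filter action that drops matching packets without negotiation.
netsh ipsec static add filteraction name="drop" action=block

rem 5. Tie each filter list to the block action inside the policy.
netsh ipsec static add rule name="drop-445-in" policy="%POLICY%" filterlist="445-in" filteraction="drop"
netsh ipsec static add rule name="drop-445-out" policy="%POLICY%" filterlist="445-out" filteraction="drop"

rem 6. Only one local policy can be assigned at a time; assigning activates it.
netsh ipsec static set policy name="%POLICY%" assign=y

rem 7. Verify. The listener on 445 still shows up in netstat, because the
rem    IPsec filter drops packets below the socket layer rather than closing
rem    the port. Confirm the block by connecting from another machine.
netsh ipsec static show policy name="%POLICY%" level=verbose
netstat -an | find ":445"
```

With this policy assigned, SMB file and printer sharing to and from the host stops working; `netsh ipsec static set policy name="Block-445" assign=n` unassigns it.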


