Re: closing port 445

From: Duane Arnold (notme_at_notme.com)
Date: 05/06/04


Date: Thu, 06 May 2004 20:36:10 GMT

Jason Wade <savon1414_050404+gb@earthlink.net> wrote in
news:pan.2004.05.06.19.36.29.78303.3155@earthlink.net:

> On Thu, 06 May 2004 12:06:55 -0500, TJ Campana [MSFT] wrote:
>
>> So basically you want to disable RPC on your PC? Why?
>
> To protect against current and future rpc exploits.
>
>> There are many items that use RPC, like Outlook when connecting to an
>> Exchange Server, Netlogon, AD Replication and management, etc. In short,
>> stopping RPC is a bad idea and you actually will not be able to do it on
>> 2000 or XP from the Services Manager.
>>
>> RPC can use the End Point Mapper Port 135, or Named Pipes Ports 139 or
>> 445 so if your intention is to block RPC then you will have to block all
>> those ports.
>
> But viruses are sometimes very specific. For example, sasser only
> goes in through 445.
>
>>
>> I would suggest that you use other methods to secure your environment
>> other than disabling important services that many applications rely on.
>> Enable a firewall on the network to protect you from outside
>> penetration.
>
> done
>
>> Patch all systems with the latest Critical Updates using
>> Windows Update or Microsoft Software Update Service (both FREE),
>
> done
>
>> and if computer-to-computer security is important enable IPSec traffic
>> filtering between your systems.
>>
>> How to Block Specific Network Protocols and Ports by Using IPSec
>> http://support.microsoft.com/?id=813878
>>
>> T.J. Campana [MSFT]
>> Microsoft EPS Security
>
> Just in case I did the patch wrong, and the fw goes down
> I want the system to be safe. Somebody here said, "paranoia comes
> from experience and is not necessarily a bad thing."
>
> I see that several services use port 445 in winxp: rpc locator,
> netbios over tcp/ip, and others.
>
> What if I disable the rpc locator in the services manager and
> disable netbios over tcp/ip for the internet connection?
>
> Port 445 would still be open, but maybe the exploit that
> sasser uses would be closed.
>
> IOW, I'm asking what subservice of port 445 does sasser exploit
> that I can safely disable?
>

IMHO, I think you're going off the deep end with this. :)

You can supplement the whole nine yards with IPsec and set a rule for
port 445 and block on inbound and outbound and forget about it. It's hard
to take down IPsec.

Duane :)
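An added example of the IPsec rule Duane describes, not part of the original thread. It is a batch script for Windows XP using ipseccmd.exe from the XP Support Tools, with the flag and filter syntax as documented in the KB article T.J. cited (813878); on Windows 2000 the equivalent tool is ipsecpol.exe with the same arguments. The policy and rule names are arbitrary labels chosen here, and the "show filters" verb is assumed from the tool's dynamic-mode help. One point the script makes explicit: a mirrored filter on "my port 445" only covers inbound sessions and their replies, so blocking outbound SMB to other hosts needs a second filter.

```batch
@echo off
rem Block SMB over TCP/IP (TCP 445) with a persistent IPsec block filter.
rem Added example; assumes ipseccmd.exe (Windows XP Support Tools) is on PATH.
rem Filter syntax (KB 813878):  SRC[:port]=DST[:port]:PROTO
rem   *  = any address      0 = this machine
rem   =  = one-way filter   + = mirrored (also matches the reply direction)
rem -n BLOCK = negotiation action "block" (no IKE, packets are just dropped)
rem -w REG   = store in the local registry so the policy survives a reboot
rem -x       = assign (activate) the policy immediately

set POLICY=Block TCP 445 Filter
set RULE=Block TCP 445 Rule

rem Two filters, both mirrored:
rem   *+0:445:TCP  anyone -> my port 445   (inbound server side, e.g. Sasser)
rem   0+*:445:TCP  me -> anyone's port 445 (outbound client side, mapping shares)
rem The mirror of the first one only matches my replies from port 445, so it
rem does NOT cover my own outbound SMB sessions; hence the second filter.
ipseccmd.exe -w REG -p "%POLICY%" -r "%RULE%" -f *+0:445:TCP 0+*:445:TCP -n BLOCK -x

rem Inbound-only variant, if you still need to reach shares on other machines
rem (replace the line above with this one):
rem ipseccmd.exe -w REG -p "%POLICY%" -r "%RULE%" -f *+0:445:TCP -n BLOCK -x

rem Check. The filters should be listed as active. Port 445 will still show
rem as LISTENING in netstat: the service is up, IPsec drops the packets
rem before they reach it. ("show filters" is assumed from ipseccmd's help.)
ipseccmd.exe show filters
netstat -an | find ":445"

rem Roll back when needed: -y unassigns the policy, -o deletes it from the store.
rem ipseccmd.exe -w REG -p "%POLICY%" -y
rem ipseccmd.exe -w REG -p "%POLICY%" -o
```

Because the policy lives in the registry and is enforced by the IPsec driver rather than a user-mode service, it stays in effect even if a third-party firewall crashes or is stopped, which is the "hard to take down" property Duane is relying on. Remember to unassign it before troubleshooting file-sharing problems, since a BLOCK filter drops silently with no log entry.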