Re: closing port 445
From: Duane Arnold (notme_at_notme.com)
Date: Thu, 06 May 2004 20:36:10 GMT
Jason Wade <email@example.com> wrote in
> On Thu, 06 May 2004 12:06:55 -0500, TJ Campana [MSFT] wrote:
>> So basically you want to disable RPC on your PC? Why?
> To protect against current and future rpc exploits.
>> There are many items that use RPC, like Outlook when connecting to
>> Exchange, Netlogon, AD Replication and management, etc. In short,
>> stopping RPC is a bad idea and you actually will not be able to do it
>> on 2000 or XP through the Services Manager.
>> RPC can use the End Point Mapper Port 135, or Named Pipes Ports 139 or
>> 445, so if your intention is to block RPC then you will have to block
>> those ports.
> But viruses are sometimes very specific. For example, sasser only
> goes in through 445.
>> I would suggest that you use other methods to secure your environment
>> other than disabling important services that many applications rely on.
>> Enable a firewall on the network to protect you from outside, patch all
>> systems with the latest Critical Updates using Windows Update or
>> Microsoft Software Update Service (both FREE), and if computer to
>> computer security is important enable IPSec traffic filtering between
>> your systems.
>> How to Block Specific Network Protocols and Ports by Using IPSec
>> T.J. Campana [MSFT]
>> Microsoft EPS Security
> Just in case I did the patch wrong, and the fw goes down
> I want the system to be safe. Somebody here said, "paranoia comes
> from experience and is not necessarily a bad thing."
> I see that several services use port 445 in winxp: rpc locator,
> netbios over tcp/ip, and others.
> What if I disable the rpc locator in the services manager and
> disable netbios over tcp/ip for the internet connection?
> Port 445 would still be open, but maybe the exploit that
> sasser uses would be closed.
> IOW, I'm asking what subservice of port 445 does sasser exploit
> that I can safely disable?
IMHO, I think you're going off the deep end with this. :)
You can supplement the whole nine yards with IPsec and set a rule for
port 445 and block on inbound and outbound and forget about it. It's hard
to take down IPsec.
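As an added example (not from this thread or from either poster), the rule Duane describes, written for the "netsh ipsec static" context that Windows XP SP2 and Server 2003 ship with; Windows 2000 and XP SP1 need ipsecpol.exe / ipseccmd.exe instead. The policy, filter list, filter action and rule names are placeholders I chose, and the commands assume an administrator prompt with the IPSEC Services (PolicyAgent) service running.

```batch
@echo off
rem Added example: block port 445 (TCP and UDP) in both directions with a
rem local IPsec policy. Names below (Block445Local, Port445, Block, Drop445)
rem are arbitrary placeholders, not Windows defaults.

set POL=Block445Local

rem 1. Create the policy; it does nothing until it is assigned (step 4).
netsh ipsec static add policy name="%POL%" description="Drop SMB over TCP/IP (port 445) in and out"

rem 2. Filter list for port 445. mirrored=yes also matches the reply packets.
netsh ipsec static add filterlist name="Port445"
rem    Inbound: anyone -> this host on 445 (the Sasser/LSASS path discussed above).
netsh ipsec static add filter filterlist="Port445" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist="Port445" srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=445 mirrored=yes
rem    Outbound: this host -> anyone on 445, so an infected box cannot spread either.
netsh ipsec static add filter filterlist="Port445" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist="Port445" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=445 mirrored=yes

rem 3. Filter action: hard block, no IKE negotiation and no fallback to clear text.
netsh ipsec static add filteraction name="Block" action=block

rem 4. Rule = filter list + action; then assign the policy so it takes effect.
netsh ipsec static add rule name="Drop445" policy="%POL%" filterlist="Port445" filteraction="Block"
netsh ipsec static set policy name="%POL%" assign=y

rem Check: the policy should report Assigned: yes and the list should hold four filters.
netsh ipsec static show policy name="%POL%"
netsh ipsec static show filterlist name="Port445"

rem Undo: netsh ipsec static set policy name="%POL%" assign=n
rem       netsh ipsec static delete policy name="%POL%"
```

The two outbound filters also stop this host from reaching file shares on other machines, which is exactly the trade-off the thread is arguing about; leave them out if you only want to close the inbound side.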