Closing Port 135 and 1025
From: Sebastian Gottschalk (seppi_at_seppig.de)
Date: Sun, 28 Mar 2004 21:21:35 +0200
We are running Windows Server 2003 Enterprise Edition with MySQL, Apache
and FTP-Serv as fileserver. For high security purposes we're using IPSEC in
authentication mode, hardened TCP/IP-Stack and very limited services.
Even though ports can be filtered with IPSEC policies, it's a better approach
to disable unnecessary services to close the ports. The problem is that
ports 135 and 1025 are still open. Port 135 is only bound to
svchost.exe\Rpcss, but DCOM is disabled and all rpc-bindings are deleted
from the registry (HKLC\SW\MS\Rpc\ClientProtocols). Port 1025 is bound to
lsass.exe\SamSs. It does not make any sense at all that these ports are
still open, but when disabling ipsec filtering you can even enumerate port
135 with the epdump utility, showing the rpc-bindings ipsec, policy agent and
rpcss. We've studied many, many, many documents, but still can't find out
how to disable these unnecessary bindings.
uninstalled netbios protocol, only leaving tcp/ip
disabled all unnecessary services
disabled and deleted netbios & smb driver from device manager
Registry: HKLC\SW\MS\Rpc DCOM*="N"
Registry: HKLC\SW\MS\Rpc\ClientProtocols deleted all rpc bindings
Everything increased security a little bit, but still these 2 services were
running. How can we disable them?
--
http://piology.org/ILOVEYOU-Signature-FAQ.html
begin LOVE-LETTER-FOR-YOU.txt.vbs
I am a signature virus. Distribute me until the bitter end
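
The port-to-service attribution described in the post (135 to svchost.exe\Rpcss, 1025 to lsass.exe\SamSs) can be re-checked after each hardening step by joining the output of `netstat -ano` and `tasklist /svc`. The following is an added example, not part of the original post; the sample command output, PIDs, addresses and the MySQL process name are constructed for illustration.

```python
import re
# Constructed sample output: PIDs, addresses and the MySQL rows are made up.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       492
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1532
  TCP    192.0.2.10:3306        192.0.2.20:4411        ESTABLISHED     1532
"""
TASKLIST = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
lsass.exe                    492 HTTPFilter, PolicyAgent,
                                 ProtectedStorage, SamSs
svchost.exe                  704 RpcSs
mysqld-nt.exe               1532 MySQL
"""

def parse_tasklist(text):
    """Map PID -> (image, [services]); wrapped Services lines are joined."""
    procs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            last, rest = int(m.group(2)), m.group(3)
            procs[last] = (m.group(1), [])
        elif last is not None and line.startswith(" "):
            rest = line  # continuation of the previous row's Services column
        else:
            continue  # header, ruler or blank line
        names = [s.strip() for s in rest.split(",")]
        procs[last][1].extend(n for n in names if n and n != "N/A")
    return procs

def listeners(netstat_text, procs):
    """Return sorted (port, image, services) for every TCP LISTENING row."""
    out = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            port, pid = int(f[1].rsplit(":", 1)[1]), int(f[4])
            image, svcs = procs.get(pid, ("<unknown>", []))
            out.append((port, image, svcs))
    return sorted(out)

if __name__ == "__main__":
    for port, image, svcs in listeners(NETSTAT, parse_tasklist(TASKLIST)):
        print(f"{port:>5}/tcp  {image:<16} {', '.join(svcs) or '-'}")
```

A port that stays in the result after a service has been disabled shows which process still holds the listener, which is the starting point for deciding whether to stop it or filter it.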