Closing Port 135 and 1025

From: Sebastian Gottschalk (seppi_at_seppig.de)
Date: 03/29/04

  • Next message: S. Pidgorny : "Re: Closing Port 135 and 1025"
    Date: Mon, 29 Mar 2004 06:46:05 +0200
    
    

    We are running Windows Server 2003 Enterprise Edition with MySQL, Apache
    and FTP-Serv as fileserver. For high security purposes we're using IPSEC in
    authentication mode, hardened TCP/IP-Stack and very limited services.

    Even though ports can be filtered with IPSEC policies, it's a better approach
    to disable unnecessary services to close the ports. The problem is that
    ports 135 and 1025 are still open. Port 135 is only bound to
    svchost.exe\Rpcss, but DCOM is disabled and all rpc-bindings are deleted
    from the registry (HKLC\SW\MS\Rpc\ClientProtocols). Port 1025 is bound to
    lsass.exe\SamSs. It does not make any sense at all that these ports are
    still open, but when disabling ipsec filtering you can even enumerate port
    135 with the epdump utility, showing the rpc-bindings ipsec, policy agent and
    rpcss. We've studied many, many, many documents, but still can't find out
    how to disable these unnecessary bindings.

    We tried:
    uninstalled netbios protocol, only leaving tcp/ip
    disabling all unnecessary services
    disabled dcom
    disabled and deleted netbios&smb driver from device manager
    Registry: SMBDownload=0
    Registry: HKLC\SW\MS\Rpc DCOM*="N"
    Registry: HKLC\SW\MS\Rpc\ClientProtocols deleted all rpc bindings

    Everything increased security a little bit, but still these 2 services were
    running. How can we disable them?

    -- 
    http://piology.org/ILOVEYOU-Signature-FAQ.html
    begin  LOVE-LETTER-FOR-YOU.txt.vbs
    I am a signature virus. Distribute me until the bitter
    end
    
