Re: LISTENING, ESTABLISHED, CLOSE_WAIT TCP Ports & UDP Ports?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 12/03/04


Date: Fri, 3 Dec 2004 12:31:09 -0600

Domain controllers offer a lot of networking services to domain
users/computers. It is not unusual to see a LOT of ports listening or
connected. What I do is to use some free tools from SysInternals to see
exactly what all those processes are. You can use TCPView and Process
Explorer in particular to view port to process/executable mapping and
detailed info on processes. With Process Explorer you can examine the
properties of a process and it will show you what tcp/ip ports and services
[if any] that the process is associated with. Of course regular virus scans
with malware definitions updated the day of the scan should also be used to
check for malware. Offhand I recognize almost all of those processes as
being legitimate Windows process names. A firewall is of course necessary.
Beyond that I suggest you read the Windows 2003 Server Security Guide to see
how to lock down your server, though by default Windows 2003 Servers are
fairly secure - much more than a default installation of Windows 2000, which
installed and enabled IIS in every install. The Windows 2003 Server Security
Guide will give guidance on services, security options, user rights, and
much more info. I highly recommend that you not install any Security
Templates to the default domain or domain controller Group Policy and that you
create a "rollback" template BEFORE you apply any. The links below are to
the tools and the Windows 2003 Server Security Guide. The MBSA tool is also free
from Microsoft and can be used to scan computers for basic
vulnerabilities.

--- Steve

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en
http://www.microsoft.com/technet/security/prodtech/win2003/default.mspx -- W2003 Security Center
http://www.microsoft.com/technet/security/tools/mbsahome.mspx -- MBSA

"JediRockClimber" <someone@somedomain.net> wrote in message
news:ePgmsOR2EHA.1260@TK2MSFTNGP12.phx.gbl...
> I'm running Windows Server 2003.
> Can somebody explain to me why all these ports are open and how they are
> being used? Is this a security risk: can somebody on the network or from the
> internet gain access to my server?
> What kind of measures do I need to take besides just placing a firewall?
> Thanks a lot...
>
> This is what I get when I run netstat -ano
> Active Connections
>
> Proto  Local Address          Foreign Address        State           PID
> TCP    0.0.0.0:42             0.0.0.0:0              LISTENING       wins.exe
> TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       dns.exe
> TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       lsass.exe
> TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       svchost.exe
> TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       lsass.exe
> TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       System
> TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       lsass.exe
> TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       svchost.exe
> TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       lsass.exe
> TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       lsass.exe
> TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       svchost.exe
> TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING       lsass.exe
> TCP    0.0.0.0:2804           0.0.0.0:0              LISTENING       IDUServ.exe
> TCP    0.0.0.0:3001           0.0.0.0:0              LISTENING       ntfrs.exe
> TCP    0.0.0.0:3005           0.0.0.0:0              LISTENING       wins.exe
> TCP    0.0.0.0:3011           0.0.0.0:0              LISTENING       dns.exe
> TCP    0.0.0.0:3012           0.0.0.0:0              LISTENING       tcpsvcs.exe
> TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       lsass.exe
> TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       lsass.exe
> TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       svchost.exe
> TCP    127.0.0.1:389          127.0.0.1:1037         ESTABLISHED     lsass.exe
> TCP    127.0.0.1:389          127.0.0.1:1038         ESTABLISHED     lsass.exe
> TCP    127.0.0.1:389          127.0.0.1:1039         ESTABLISHED     lsass.exe
> TCP    127.0.0.1:389          127.0.0.1:3007         ESTABLISHED     lsass.exe
> TCP    127.0.0.1:1032         0.0.0.0:0              LISTENING       ccproxy.exe
> TCP    127.0.0.1:1037         127.0.0.1:389          ESTABLISHED     ismserv.exe
> TCP    127.0.0.1:1038         127.0.0.1:389          ESTABLISHED     ismserv.exe
> TCP    127.0.0.1:1039         127.0.0.1:389          ESTABLISHED     ismserv.exe
> TCP    127.0.0.1:2804         127.0.0.1:3117         ESTABLISHED     IDUServ.exe
> TCP    127.0.0.1:2804         127.0.0.1:4202         ESTABLISHED     IDUServ.exe
> TCP    127.0.0.1:3007         127.0.0.1:389          ESTABLISHED     dns.exe
> TCP    127.0.0.1:3082         0.0.0.0:0              LISTENING       alg.exe
> TCP    127.0.0.1:3117         127.0.0.1:2804         ESTABLISHED     iptray.exe
> TCP    127.0.0.1:4202         127.0.0.1:2804         ESTABLISHED     iptray.exe
> TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       System
> TCP    192.168.1.10:139       192.168.1.50:2931      ESTABLISHED     System
> TCP    192.168.1.10:139       192.168.1.56:1267      ESTABLISHED     System
> TCP    192.168.1.10:389       192.168.1.10:3099      ESTABLISHED     lsass.exe
> TCP    192.168.1.10:1025      192.168.1.10:3103      ESTABLISHED     lsass.exe
> TCP    192.168.1.10:1025      192.168.1.10:3105      ESTABLISHED     lsass.exe
> TCP    192.168.1.10:1025      192.168.1.10:3902      ESTABLISHED     lsass.exe
> TCP    192.168.1.10:1025      192.168.1.10:4742      ESTABLISHED     lsass.exe
> TCP    192.168.1.10:3099      192.168.1.10:389       ESTABLISHED     ntfrs.exe
> TCP    192.168.1.10:3103      192.168.1.10:1025      ESTABLISHED     ntfrs.exe
> TCP    192.168.1.10:3105      192.168.1.10:1025      ESTABLISHED     ntfrs.exe
> TCP    192.168.1.10:3389      66.245.216.179:10215   ESTABLISHED     svchost.exe
> TCP    192.168.1.10:3832      192.168.1.10:389       CLOSE_WAIT      svchost.exe
> TCP    192.168.1.10:3902      192.168.1.10:1025      ESTABLISHED     lsass.exe
> TCP    192.168.1.10:4204      192.168.1.10:389       CLOSE_WAIT      mmc.exe
> TCP    192.168.1.10:4339      192.168.1.10:389       CLOSE_WAIT      mmc.exe
> TCP    192.168.1.10:4455      192.168.1.10:389       CLOSE_WAIT      mmc.exe
> TCP    192.168.1.10:4478      192.168.1.10:389       CLOSE_WAIT      mmc.exe
> TCP    192.168.1.10:4742      192.168.1.10:1025      ESTABLISHED     lsass.exe
> UDP    0.0.0.0:42             *:*                                    wins.exe
> UDP    0.0.0.0:445            *:*                                    System
> UDP    0.0.0.0:500            *:*                                    lsass.exe
> UDP    0.0.0.0:1030           *:*                                    svchost.exe
> UDP    0.0.0.0:1031           *:*                                    svchost.exe
> UDP    0.0.0.0:1035           *:*                                    dns.exe
> UDP    0.0.0.0:1036           *:*                                    ismserv.exe
> UDP    0.0.0.0:3002           *:*                                    ntfrs.exe
> UDP    0.0.0.0:3004           *:*                                    wins.exe
> UDP    0.0.0.0:3006           *:*                                    dns.exe
> UDP    0.0.0.0:3068           *:*                                    lsass.exe
> UDP    0.0.0.0:3086           *:*                                    winlogon.exe
> UDP    0.0.0.0:3419           *:*                                    spoolsv.exe
> UDP    0.0.0.0:3587           *:*                                    dfssvc.exe
> UDP    0.0.0.0:3831           *:*                                    svchost.exe
> UDP    0.0.0.0:3908           *:*                                    llssrv.exe
> UDP    0.0.0.0:4199           *:*                                    winlogon.exe
> UDP    0.0.0.0:4203           *:*                                    mmc.exe
> UDP    0.0.0.0:4338           *:*                                    mmc.exe
> UDP    0.0.0.0:4500           *:*                                    lsass.exe
> UDP    127.0.0.1:53           *:*                                    dns.exe
> UDP    127.0.0.1:123          *:*                                    svchost.exe
> UDP    127.0.0.1:1034         *:*                                    dns.exe
> UDP    127.0.0.1:3129         *:*                                    iexplore.exe
> UDP    192.168.1.10:53        *:*                                    dns.exe
> UDP    192.168.1.10:67        *:*                                    tcpsvcs.exe
> UDP    192.168.1.10:68        *:*                                    tcpsvcs.exe
> UDP    192.168.1.10:88        *:*                                    lsass.exe
> UDP    192.168.1.10:123       *:*                                    svchost.exe
> UDP    192.168.1.10:137       *:*                                    System
> UDP    192.168.1.10:138       *:*                                    System
> UDP    192.168.1.10:389       *:*                                    lsass.exe
> UDP    192.168.1.10:464       *:*                                    lsass.exe
> UDP    192.168.1.10:2535      *:*                                    tcpsvcs.exe
>
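One way to sort a listing like the one quoted above into the rows worth opening in TCPView or Process Explorer, added here as an example (it is not Steve's code or a Microsoft tool): it assumes netstat -ano style output, uses a constructed sample modelled on the post's listing, and picks out sockets bound to 0.0.0.0, established sessions whose peer is not loopback or RFC 1918, and CLOSE_WAIT counts per owning process.

```python
import ipaddress
from collections import Counter

# Constructed sample in the format of the post's listing (netstat -ano prints a PID
# in the last column; the post shows process names, so the last token is the owner).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       lsass.exe
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       svchost.exe
  TCP    127.0.0.1:1032         0.0.0.0:0              LISTENING       ccproxy.exe
  TCP    192.168.1.10:139       192.168.1.50:2931      ESTABLISHED     System
  TCP    192.168.1.10:3389      66.245.216.179:10215   ESTABLISHED     svchost.exe
  TCP    192.168.1.10:4204      192.168.1.10:389       CLOSE_WAIT      mmc.exe
  TCP    192.168.1.10:4339      192.168.1.10:389       CLOSE_WAIT      mmc.exe
  UDP    0.0.0.0:500            *:*                                    lsass.exe
  UDP    192.168.1.10:53        *:*                                    dns.exe
"""

def parse_netstat(text):
    """Turn netstat -ano style lines into dicts; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                     "state": state, "owner": parts[-1]})
    return rows

def is_internal(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or anything unparsable is not treated as internal
    return ip.is_loopback or ip.is_private

def triage(rows):
    # Sockets bound to every interface are reachable wherever the firewall allows.
    exposed = [r for r in rows if r["local"].startswith("0.0.0.0:")]
    # Established sessions whose peer is neither loopback nor RFC 1918 (here: RDP).
    external = [r for r in rows if r["state"] == "ESTABLISHED"
                and not is_internal(r["foreign"].rpartition(":")[0])]
    # CLOSE_WAIT piling up under one process usually means it leaks sockets.
    close_wait = Counter(r["owner"] for r in rows if r["state"] == "CLOSE_WAIT")
    return exposed, external, close_wait

if __name__ == "__main__":
    print(triage(parse_netstat(SAMPLE)))
```

On a real box, feed it the saved output of netstat -ano instead of SAMPLE and match the PID column against Process Explorer.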
