Re: Windows 2003 Domain Controller (Open Port 593)

I think you may have misinterpreted the KB
http://support.microsoft.com/kb/826382
TCP 593 exists not due to use of the RPC/HTTP proxy, and the KB says how
to plug up the RPC/HTTP proxy (if it exists on a box) so that it cannot
get to DCOM via TCP 593.
Yes, this is admittedly confusing, but check the following:
http://support.microsoft.com/kb/832017
That really does clarify that this port is part of the RpcSs implementation.

I would suggest, if this were not a DC, that you try disabling
DCOM on the box, but it is a DC. (start/run dcomcnfg and then
dig into the default properties page of ComponentSvcs\My Comp,
right-click properties on My Computer in Component Services.)
On the other hand, the second KB ref given does list RPC Locator,
but not RPC Https Locator, as a requirement for DCs.

Seeing a dynamic port (ex 1026) coming and going in association
with LsaSs is not unusual.

Did you do something such as tasklist /svc to see what is in the svchost
instance you are associating with the TCP 593 binding?


"netmon" <bkj@xxxxxxxxxxxxxxx> wrote in message
news:1166478504.332613.131800@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have just set up a new Windows 2003 domain controller and after
setting up the DC I ran a quick nmap scan of the box and have two open
ports which concern me. They are ports 593 and 1026. I did a quick
Google and port 593 (opened by svchost.exe) is related to
http-rpc-epmap and port 1026 (opened by lsass.exe) is related to
lsa-or-nterm. I do not have RPC over HTTP proxy enabled, and just to
make sure I have double-checked this by going to Add/Remove Windows
Components/Networking Services, and RPC over HTTP Proxy is not enabled.
My question is how can I remove these or are they necessary services
needed by the OS. I do not have an Exchange environment and IIS is not
installed.
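The tasklist /svc check suggested in the reply above, as an added example that is not part of the original thread: a batch script that maps a listening TCP port (593 here) to its owning PID and the services hosted in that process. It assumes only netstat, findstr and tasklist as shipped with Windows 2003; the script name portowner.cmd is an assumption.

```batch
@echo off
rem Added example, not from the original post: find which process owns a
rem listening TCP port and which services run inside it, using only the
rem netstat, findstr and tasklist commands shipped with Windows 2003.
rem Usage: portowner.cmd 593
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<tcp-port^>
    exit /b 1
)
set "PORT=%~1"
set "FOUND=0"

rem netstat -ano output columns: Proto  Local Address  Foreign Address  State  PID
rem Keep only LISTENING TCP sockets whose local address ends in ":<port>",
rem then pull out the protocol, local address, state and PID columns.
for /f "tokens=1,2,4,5" %%A in ('netstat -ano -p tcp ^| findstr /i "LISTENING" ^| findstr /r /c:":%PORT% "') do (
    set "FOUND=1"
    echo %%A %%B is %%C in PID %%D
    rem tasklist /svc shows the image name and every service hosted in that
    rem PID, so a svchost.exe listener is resolved to the actual service(s).
    tasklist /svc /fi "PID eq %%D"
    echo.
)

if "%FOUND%"=="0" echo No LISTENING TCP socket found on local port %PORT%.
endlocal
```

Run it as portowner.cmd 593 on the DC; a svchost.exe owner is then shown together with the service names it hosts, which is what decides whether the listener belongs to RpcSs or to the RPC over HTTP proxy.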
