At 02:22 PM 10/25/99 -0400, Michael H. Warfield wrote:
>On Mon, Oct 25, 1999 at 10:44:38AM -0700, Kaptain wrote:
>> <snip>
>> > Even without BO there, with ports 135-139 tcp and udp open to
>> > access you have all the security of a tissue in a hurricane.

Assuming the machine is left wide open, say with a blank admin password, yes. About the same as leaving a remote shell (telnet, ssh, whatever) running on a UNIX box with password same as username. Assuming the machine was secured by a non-idiot, no - Christoph is quite wrong.

That said, even though a remotely clueful admin running without coffee on 5 hours sleep CAN trivially secure 135-139 (set an admin password - boy THAT was hard, whew, better go get that coffee), it is generally good practice to disallow access to the outside world for any ports that aren't needed by the outside world, just like you would with anything else. There are a few more tweaks that a good admin might add to raise the bar even further, but in general, being current with patches and having a reasonable password on all the accounts will keep the riff-raff out.

Speaking of keeping riff-raff out, if you did want to leave 135-139 and friends open, setting RestrictAnonymous = 2 on Win2k will help with that - disallows null sessions completely. Which leads me to Mike's comments...

>> > > Cheers,
>> > > Christoph Schneeberger
>> > > SCS Telemedia
>
>> > Mike
>> </snip>
>
>
>> How can you disable the public accessibility of the 135-139 windows ports?

> One word: Firewall.
>
> Block all access to those ports from anything outside of your site.
>
> I think there may also be some filtering code available, but,
>since I don't use it, I don't know anything about it.

Putting a firewall in front of the machines (or a filtering router will generally do, depending) is ideal, but you do have a few more options than that.

There is a port filtering mechanism built in that has very limited functionality, but it is always there, and it will help - go into Control Panel, Network, Protocols, TCP/IP, Properties, Advanced, Security, and in there is a little dialog. Set the TCP column to allow only certain ports, add the ports you want (e.g., 80), do the same for UDP. The last one allows you to control protocols other than ICMP, UDP and TCP. Also note that there is a registry toggle you can set (see regentry.hlp in resource kit) to turn off multicast if you like.

Next step up from there is to add RRAS, and use the filters in that, which are somewhat more versatile. If you have Windows 2000, then you can use the IPSec policy to establish port filtering rules in addition to the IPSec policy (which could be left at default). All depends on what your threat scenario is like.

> BTW... For those of you playing with Windows 2000, add port 445
>to the list of things that should be blocked from outside contact. You
>can do the same sorts of things with port 445 that you can with port 135.

This is true, and blocking the Terminal Server ports is also a good idea - I think that's up around 3289 (I know I'm close, but don't recall exactly). TS will often be found running as a remote admin tool on Win2k servers.

Yet another port to pay attention to is 2301 - used by the Compaq Insight Manager's web-based admin gizmo. Unpatched versions allow you to do stuff like GET /../../whatever HTTP/1.0\n\n. Patched versions tell anyone who asks all your IP addresses. I prefer to turn the thing off when I find it, but blocking it at the router might be a Good Thing. Note that this thing can turn up on either UNIX or NT systems, so 'whatever' above could be SAM._, or it could be /etc/passwd, so...

David LeBlanc
dleblancat_private
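The message's advice boils down to two checks on a Windows host: is RestrictAnonymous set to 2, and are the ports it names (135-139 tcp/udp, 445, Terminal Services, 2301) either not listening or covered by an inbound block rule. The script below is an added, read-only audit for those two points on a modern Windows host; it is not from the original message or any product mentioned in it. It assumes Windows 8 / Server 2012 or later, where the NetSecurity and NetTCPIP modules provide Get-NetFirewallRule, Get-NetFirewallPortFilter, Get-NetTCPConnection and Get-NetUDPEndpoint (the NT4/Win2k dialogs and IPSec policy the message describes have no scripting interface of this kind). The port descriptions are mine; 3389 is the assigned Terminal Services/RDP port, which the message recalls as "around 3289".

```powershell
# Added example, not from David LeBlanc's message or any product it names.
# Assumes Windows 8 / Server 2012 or later with the NetSecurity and NetTCPIP
# modules. Read-only: it reports, and changes nothing.

# Ports the message says to keep away from the outside world.
# 3389 is the assigned Terminal Services/RDP port (the message guesses 3289).
$WatchTcp = @{ 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session';
               445 = 'SMB direct host';      3389 = 'Terminal Services/RDP';
               2301 = 'Compaq Insight Manager web agent' }
$WatchUdp = @{ 137 = 'NetBIOS name service'; 138 = 'NetBIOS datagram' }

# 1. RestrictAnonymous: 2 refuses null sessions outright, as the message says.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ra  = if ($null -ne $lsa.RestrictAnonymous) { [int]$lsa.RestrictAnonymous } else { 0 }
"RestrictAnonymous = $ra  (2 = null sessions refused; 0 = value not set)"

# 2. Build the set of ports covered by enabled inbound Block rules. A rule's
#    LocalPort is 'Any', one port, a range such as '135-139', or a list of those.
function Expand-PortSpec {
    param([string[]]$Spec)
    foreach ($s in $Spec) {
        if ($s -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]; $lo..$hi
        } elseif ($s -match '^\d+$') {
            [int]$s
        }
    }
}
$Blocked = @{ TCP = @{}; UDP = @{} }
$rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
foreach ($r in $rules) {
    $pf = $r | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'TCP', 'UDP') { continue }
    if ($pf.LocalPort -contains 'Any') { $Blocked[$pf.Protocol]['Any'] = $true; continue }
    foreach ($p in (Expand-PortSpec $pf.LocalPort)) { $Blocked[$pf.Protocol][$p] = $true }
}

# 3. Report each watched port that is actually listening and whether a block
#    rule covers it. "LISTENING, no inbound block rule" is the exposure the
#    message warns about, unless a router or firewall upstream filters it.
function Get-PortState {
    param([string]$Proto, [int]$Port)
    if ($Blocked[$Proto]['Any'] -or $Blocked[$Proto][$Port]) { 'listening, inbound block rule present' }
    else { 'LISTENING, no inbound block rule' }
}
$tcpListen = @((Get-NetTCPConnection -State Listen).LocalPort)
$udpListen = @((Get-NetUDPEndpoint).LocalPort)
foreach ($p in ($WatchTcp.Keys | Sort-Object)) {
    if ($tcpListen -contains $p) { 'TCP {0,5}  {1,-32} {2}' -f $p, $WatchTcp[$p], (Get-PortState 'TCP' $p) }
}
foreach ($p in ($WatchUdp.Keys | Sort-Object)) {
    if ($udpListen -contains $p) { 'UDP {0,5}  {1,-32} {2}' -f $p, $WatchUdp[$p], (Get-PortState 'UDP' $p) }
}
```

Run it from an elevated PowerShell session so the firewall rule set is fully readable. The script treats a block rule as covering a port regardless of which profile (Domain, Private, Public) the rule is bound to, so a "present" result still deserves a look at the rule's profile and scope. It also only sees the host's own filter; as the message says, the ideal is to stop this traffic at the firewall or filtering router in front of the machine, and a host rule is the fallback for when that is not in place.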
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:45:09 PDT