A couple of follow-up notes that may be of interest.

1) From the DirectAdvertisor test page, the first packet is sent to UDP-135 whether or not other ports are open. I took out the router filters blocking 137-139,445 and the initial packet was still sent to UDP-135. There was speculation on my part that the way the messages were sent depended on what ports were available. I haven't tested the demo version to see if it's the same.

2) After the initial packet to UDP-135, which looks as though it contains the message data, there is a back and forth exchange on high UDP ports that Ethereal labels an RPC "who are you" conversation.

3) Using the information in "Using DCOM with Firewalls", I added the following registry entry:

   HKEY_LOCAL_MACHINE/Software/Microsoft/RPC/Internet/PortsInternetAvailable

and set its value to "N" (without the quotes). After doing so, the DirectAdvertisor demo page was not able to send me a message. This may be an alternative to shutting down the Messenger service altogether if that causes local problems. I've seen some people say it might be used for things like spooler messages.

Of course, if the Messenger service functionality is desired from remote systems, access will have to be controlled via an external device like a firewall or they'll have to live with abuse. Perhaps Microsoft will offer a patch that will allow the service to be configured with the list of allowed IP addresses that can use the service. And perhaps set the default so that only addresses on the local network (as defined by the computer's IP address and subnet mask) can access the Messenger service. Or disable the Messenger service network access altogether by default.

4) I tried removing the following registry entries and rebooting the computer but the message was still received. I was hoping removing the UDP affiliated one would prevent the problem without having to stop the Messenger service:

   HKEY_LOCAL_MACHINE/Software/Microsoft/RPC/ClientProtocols/
     ncadg_ip_udp
     ncacn_ip_tcp
     ncacn_http
     ncacn_np

5) I'm monitoring both UDP and TCP network traffic now to see if there are any other uses for UDP-135. I had thought previously everything used 135-TCP. If so, maybe UDP-135 can be blocked without affecting other services. However, if Messenger can also be contacted on the TCP port....

6) Does anyone have any resources indicating what applications may break if the Messenger service is shut down? If it isn't accessible via IP?

All tests performed on XP Home.

Useful RPC References:

Microsoft RPC
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/overviews.asp

Using DCOM with Firewalls
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomfirewall.asp

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
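An added audit script (not part of the original post) that reads back the settings discussed in items 3 and 4 on a Windows host: the RPC\Internet values from "Using DCOM with Firewalls", the Messenger service state, and the RPC ClientProtocols entries. It assumes a PowerShell session with rights to read HKLM and that the service is registered under the name "Messenger".

```powershell
# Added example: report the Messenger/RPC configuration the post discusses.
# Assumes the registry paths named in the post (backslash form) and the
# XP-era service name "Messenger"; on hosts without the service it reports so.

function Get-RpcInternetSettings {
    # Values documented in "Using DCOM with Firewalls":
    # Ports (multi-string), PortsInternetAvailable (Y/N), UseInternetPorts (Y/N).
    $key   = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KeyPresent             = [bool]$props
        Ports                  = if ($props) { $props.Ports } else { $null }
        PortsInternetAvailable = if ($props) { $props.PortsInternetAvailable } else { $null }
        UseInternetPorts       = if ($props) { $props.UseInternetPorts } else { $null }
    }
}

function Get-MessengerServiceState {
    $svc = Get-Service -Name 'Messenger' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'not installed' }
    "$($svc.Status) (StartType: $($svc.StartType))"
}

function Get-RpcClientProtocols {
    # The ncadg_ip_udp / ncacn_* entries the post tried removing (item 4).
    $key   = 'HKLM:\SOFTWARE\Microsoft\Rpc\ClientProtocols'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -like 'nca*' } |
        ForEach-Object { "$($_.Name) = $($_.Value)" }
}

$rpc = Get-RpcInternetSettings
Write-Host "Messenger service: $(Get-MessengerServiceState)"
Write-Host "RPC\Internet key present: $($rpc.KeyPresent)"
if ($rpc.KeyPresent) {
    Write-Host "  Ports:                  $($rpc.Ports -join ', ')"
    Write-Host "  PortsInternetAvailable: $($rpc.PortsInternetAvailable)"
    Write-Host "  UseInternetPorts:       $($rpc.UseInternetPorts)"
    if ($rpc.PortsInternetAvailable -eq 'N') {
        Write-Host "  -> matches the PortsInternetAvailable=N setting the post reports as blocking the demo message"
    }
}
Write-Host "RPC client protocols:"
Get-RpcClientProtocols | ForEach-Object { Write-Host "  $_" }
```

The script only reads; whether a given combination actually blocks inbound Messenger traffic is what the post's own testing addresses, so confirm with a packet capture as the author did.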
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 16:58:27 PDT