YAWAQ(Yet Another Windows Administration Question)

[eSDee]

A colleague of mine sent me an email about identifying services running on a Win2k box, and how to disable them once they are identified. Here is the email:

one of the tools we use is nmap. when you apply it to a machine on
the network, it returns the ports/services that are running on the
machine. for example:

[karin@rasta ~]$ nmap lofty

Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ ) Interesting
ports on computer.domain.edu (0.0.0.0): (The 1592 ports scanned but
not shown below are in state: closed)
Port State Service
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
1002/tcp open unknown
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1720/tcp open H.323/Q.931
3005/tcp open deslogin
3372/tcp open msdtc

Nmap run completed -- 1 IP address (1 host up) scanned in 0.836 seconds

it used to to have SMTP service running on port 25. it took me two
working days and this weekend poring over books at barnes&nobles to
finally figure out how to turn off smtp on that thing. that was just
one service and look how many are still running!

so what i really want to know is: 1) if i see a service or port
running on a windows box, what is it? "unknown" doesn't tell me a
whole lot. 2) once i know what the service is, how do i turn it off?

one shouldn't have to be microsoft certified to do this. there
should be really simple answers to everything.

Does anyone know of any websites that I can point my colleague to, that might have information on finding out how to determine what services are what, and then how to shut them off? Are there any utilities out there that might get her better info about the type of services that are running?

Thanks for reading.

[Eric_B]

Port 80 is for http (web server)

Port 135 (RPC)

Port 139 (NetBIOS over TCP)

1002/tcp unknown (some sort of RPC service listening)

389/tcp open ldap (Lightweight Directory Access Protocol)

443/tcp open (provides SSL Encrypted HTTP)

445/tcp open (The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT. For this they use TCP port 445.)

1025/tcp open (Port 1025 is often one of the first port used by the operating system for outbound connections, thus it is likely you will see outbound connections from port 1025)

1026/tcp open (Port 1026 is often one of the first port used by the operating system for outbound connections, thus it is likely you will see outbound connections from port 1026)

1720/tcp open (H.323 video conferencing)

3005/tcp open (Genius License Manager????? Do not know what this does)

3372/tcp open (Microsoft Distributed Transaction Coordinator (MSDTC) is a new technology from Microsoft which provides transaction processing. The service is installed by default in Windows 2000. MS DTC can be used by such applications as Microsoft SQL Server and Microsoft Message Queue Server (MSMQ).

Vulnerability: Denial-of-Service (DoS)

A remote user may be able to cause MS DTC service to crash by sending 1024 bytes of random data to the MSDTC service (on TCP port 3372).

How to fix?
If you do not use MS DTC on your system just set your firewall to block access to port 3372. Sometimes MS DTS uses other ports so you will need to set your firewall to block any activity by MS DTS application

These ports can be closed with a firewall. However, based on the info present you may not want to close them as they may be needed by users on your LAN.

Another way to filter out the ports is through Network Neighborhood, Protocols, TCP/IP, Advanced, permit specific ports instead of allowing all TCP/IP ports. Be warned however that disabling some of these ports may infuriate users on your LAN, as they may lose the ability to do certain things, such as browsing secure sites on the web or printing/file sharing.

Other G|A members may have even more insight on this as well, but try these links:

http://www.seifried.org/ (listing of commonly used ports and what they do

http://www.packetattack.com/utilities/portlist.pdf (pdf file with a bit more detail

As for closing, IMHO use a firewall, but the best defense is do not use protocols that you are not using. NetBIOS comes to mind first. It is not always needed, but if you delete without research beware of the backlash.

Just my 2 cents.

Eric

[eSDee]

That's tremendous info Eric thanks alot. I'll pass on the info I'm sure it will help her out.

By the way I haven't seen you post before, but welcome! Glad to have the extra knowledge here at G|A.

Welcome aboard