[Dshield] Secure computing (was: Port 135)

Russell Washington russ.washington at vaultsentry.com
Mon Oct 28 16:36:23 GMT 2002


>>You're doing this on your 300 Windows workstations, without blocking 
>>135:139, how?  And the clients your 10 000 students use, how?  If 
>>there's a way to do this that scales, I'd be interested to hear about 
>>it.

>We have not gotten to this stage yet as the SPAM is not a large
>problem for us yet. The solution we are looking at is turning
>off the "Messenger" service. That would be done in the Ghost
>image and then the clients would be reinstalled.

>Our next incarnation of Windows will use Active Directory so
>this type of thing should be even simpler in the future.

I think you're missing the point, which has been stated (sort of) but not
really blurted out.

Ports 137 - 139 are used by all Windows boxes for file sharing,
authentication, yadda yadda.  They are NOT Messenger service recipient ports,
and turning off the Messenger service will have NO effect whatsoever on
file sharing, authentication, yadda yadda.

On a Windows box the only way to turn these off that I am aware of is to
turn off the Computer Browser service and the TCP/IP NetBIOS helper, or rip
out the guts of the NBT services and bindings.  Whichever of these two
approaches you use, you will disable that box's ability to file-share or
print-share with ANY OTHER WINDOWS BOX.

So if you're not crippling every Windows box on your net at the
service/device level (user permissions have nothing to do with it), these
ports are open to squawk at and be squawked from.

Active Directory won't help you much either, as the Win2K+ solution is to
move all this stuff to port 445 and work under the same set of service-level
assumptions.

So the question being asked is:  are you crippling every Windows box or are
you blocking these ports?  Or neither, in which case you're wide-open to the
Internet?
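To make that question answerable per host, here is an added audit script; it is not part of the original post or the list discussion. It parses a constructed `netstat -an` listing in Windows format plus a constructed, simplified inbound perimeter rule list, and reports for each port named in this thread (135, 137-139, 445) whether the box is listening on it and whether the perimeter blocks it. Ports that are listening and not blocked are the "wide-open to the Internet" case the post describes. The firewall rule format, the default-allow assumption, and the sample addresses are all assumptions made for the example.

```python
"""Audit whether Windows RPC/NetBIOS/SMB listeners are reachable from outside.

Added example, not code from the original mailing-list post. The port-to-role
mapping follows the thread: 135 is the RPC endpoint mapper (the port the
Messenger spam discussion is about), 137-139 are NetBIOS over TCP/IP (file and
print sharing, authentication), and 445 is the Win2K+ direct SMB port that
Active Directory era boxes use for the same services.
"""
import re
from dataclasses import dataclass

PORT_ROLES = {
    135: "RPC endpoint mapper (Messenger service pop-ups arrive via this port)",
    137: "NetBIOS name service (NBT)",
    138: "NetBIOS datagram service (NBT)",
    139: "NetBIOS session service (file/print sharing over NBT)",
    445: "SMB direct (Win2K+ file/print sharing, replaces NBT ports)",
}

# Constructed sample output in Windows `netstat -an` format.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Constructed, simplified inbound perimeter rules: (proto, port, action).
# "any" matches both TCP and UDP; first matching rule wins.
SAMPLE_FIREWALL = [
    ("any", 445, "deny"),
    ("tcp", 139, "deny"),
    ("any", 3389, "allow"),
]
DEFAULT_ACTION = "allow"   # assumption: anything unlisted is permitted inbound

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return {(proto, port): local_ip} for LISTENING TCP sockets and all UDP sockets."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or unrelated line
        proto, ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established/closing sockets are not listeners
        listeners[(proto.lower(), int(port))] = ip
    return listeners


def perimeter_action(rules, proto, port, default=DEFAULT_ACTION):
    """First-match lookup of the inbound rule for a (proto, port) pair."""
    for rule_proto, rule_port, action in rules:
        if rule_port == port and rule_proto in ("any", proto):
            return action
    return default


@dataclass
class Finding:
    proto: str
    port: int
    role: str
    local_ip: str
    blocked: bool


def audit(netstat_text, rules):
    """List every thread-relevant port the host listens on, with perimeter status."""
    findings = []
    for (proto, port), ip in sorted(parse_listeners(netstat_text).items()):
        if port not in PORT_ROLES:
            continue
        blocked = perimeter_action(rules, proto, port) == "deny"
        findings.append(Finding(proto, port, PORT_ROLES[port], ip, blocked))
    return findings


def exposed(findings):
    """Findings that are listening and not blocked: the 'wide open' case."""
    return [f for f in findings if not f.blocked]


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT, SAMPLE_FIREWALL):
        status = "blocked at perimeter" if f.blocked else "EXPOSED"
        print(f"{f.proto}/{f.port:<4} on {f.local_ip:<14} {status}: {f.role}")
```

Run against the constructed sample, the report shows TCP 139 and 445 blocked but TCP/UDP 135 and UDP 137/138 exposed, which is exactly the situation where disabling the Messenger service alone leaves NBT reachable.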