[unisog] Windows Messaging Spam

Gary Flynn flynngn at jmu.edu
Fri Oct 11 18:35:08 GMT 2002


Peter Van Epp wrote:
> 
>         It looks like it may indeed be port 135.

Well, the Messenger service depends upon RPC whose mapper 
runs on 135. If it works like the Unix portmapper, clients 
will connect to 135 to find out what high port the requested 
service (in this case the Messenger service) is running on.

The Messenger service is enabled by default on NT, 2000, 
and XP and runs as process name services.exe (as do many 
other services).

Blocking 135 will break Exchange. This site has a list
of other services that depend upon RPC:

http://snakefoot.fateback.com/tweak/winnt/service_details/service_details_pqr.html
(scroll down to Remote Procedure Call)

> Background Intelligent Transfer
> COM+ Event System
> Distributed Link Tracking Client
> Distributed Link Tracking Server
> FAX Service
> File Replication (Win2k)
> Directory Replicator (WinNT4)
> Indexing Service
> IPSEC Policy Agent
> Kerberos Key Distribution Center
> Messenger
> Network Connections
> Print Spooler (Win2k)
> Spooler (WinNT4)
> Protected Storage
> Removable Storage
> Routing and Remote Access
> Task Scheduler (Win2k)
> Schedule (WinNT4)
> Telephony
> Telnet
> Windows Management Instrumentation

Most of these look like local programs that probably use RPC to 
communicate but don't open a network port. However, some of them 
look like they might and would break if 135 was inaccessible.

Anyone blocking 135 that can relate their experiences as to
what services or applications were affected?

While the SPAM spreaders may be obnoxious, there are more serious 
issues. I ran across another site (TechTV?) that showed an example 
of a message like:

"You have a virus, go to www.xxx.yyy". Presumably, that could 
house malicious software. Or it could instruct the user to "delete 
jdbmgr.exe" or perform some other social engineering attack. Lots 
of room for mischief. What are we supposed to tell users? "Don't 
trust windows that pop up on your screen?" The ability of an 
anonymous, unauthenticated person to pop up windows on any desktop
is decidedly unwise default functionality. Maybe we can get a patch 
for the Messenger service so that all the window titles read "This 
message is unsubstantiated and cannot be trusted".

Additionally, this site:

http://www.gsu.edu/~wwwccs/security/secureos/security_tips_checklists.htm

says:

"If the messenger service is running on your system, consider 
disabling it as it provides information about currently logged 
on users to anyone running the nbtstat -a command against your
machine."

Kind of defeats some of the purpose of denying null session 
connections.

Yeah, I guess we can stop the Messenger service on all our desktops. 
I'm going to go try to find out what that will break, if anything...
besides the ability to quickly pop up a message to all our users 
that says "don't take irreversible actions due to information that 
pops up on your screen"...oops, what's wrong with this picture? :)

This site says the Messenger service runs as LocalSystem. Hope 
it's bulletproof :)

http://www.nextgenss.com/typhon/reports/10.1.1.2/ntsvc.html

Nice to see that both the Level 1 and Level 2 CIS benchmarks for
Windows 2000 recommend that the Messenger service be disabled.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
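The "stop the Messenger service on all our desktops" step discussed in the post, as an added example (not part of the original message, not something the author or JMU published): a batch script using sc.exe, which is available on Windows 2000 and XP, to stop and disable the service remotely and then verify the result, including the nbtstat -a check the quoted GSU page refers to. It assumes a constructed file hosts.txt with one hostname per line and that the caller has administrative rights on each host.

```batch
@echo off
REM Added example: stop and disable the Messenger service on a list of hosts.
REM hosts.txt is a constructed input (one hostname per line); the account
REM running this must be an administrator on every host listed.
setlocal

if not exist hosts.txt (
    echo hosts.txt not found - create it with one hostname per line.
    exit /b 1
)

for /f "usebackq" %%H in ("hosts.txt") do (
    echo === %%H ===

    REM Before: is the service running, and how is it set to start?
    sc \\%%H query Messenger | find "STATE"
    sc \\%%H qc Messenger | find "START_TYPE"

    REM Before: NetBIOS names with the ^<03^> suffix are registered by the
    REM Messenger service and include the logged-on user name; this is
    REM what the quoted GSU note means by "information about currently
    REM logged on users".
    nbtstat -a %%H | find "<03>"

    REM Stop the service now and keep it from starting at the next boot.
    REM Note the space after "start=" - sc.exe requires it.
    sc \\%%H stop Messenger >nul 2>&1
    sc \\%%H config Messenger start= disabled

    REM After: confirm STOPPED / DISABLED and that the user's ^<03^> name
    REM is no longer being advertised.
    sc \\%%H query Messenger | find "STATE"
    sc \\%%H qc Messenger | find "START_TYPE"
    nbtstat -a %%H | find "<03>"
    echo.
)

endlocal
```

Run it once with only a test workstation in hosts.txt to see what, if anything, breaks before rolling it out more widely.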
