[unisog] XP SP2: 137, 138, 139 and 445 open by default

Phil Rodrigues phil.rodrigues at nyu.edu
Wed Jun 9 18:32:45 GMT 2004


Hi all,

We downloaded the publicly available XP SP2 beta from Microsoft, 
installed it on a computer, then ran some test with nmap.

By default, the Windows "Security Center" allows for 2 exceptions to the 
firewall: one for "File and Print Sharing" and one for "Remote Assistance".

Remote Assistance didn't seem so scary: you still have to enable that 
feature, which is disabled by default.

But since an exception for "File and Print Sharing" was enabled by 
default, nmap showed that ports 137/udp, 138/udp, 139/tcp, and 445/tcp 
were all open, even when the Firewall was turned on.  By default.  In 
order to close these ports, we had to take the extra step of disabling 
the exception within the Windows Security Center app.

Please try it yourself, and tell me if we missed something:

http://www.microsoft.com/SP2Preview

So, I would still make plans to automate pre-registration scans of your 
networks for Windows RPC-ish vulnerabilities, at the very least.  They 
may have closed 135/tcp, but with 445/tcp open there is still plenty of 
room for mischief.  By default.

Phil

Sr Network Security Analyst
New York University





More information about the unisog mailing list