
windows services

Anonymous
April 8, 2004 11:06:03 AM

Archived from groups: comp.security.firewalls (More info?)

Since I am new to Win2K I've recently learned about
the Windows messenger service and have just learned
how to turn it off. It hadn't been a problem anyway
due to my use of Kerio, but was examining some of
the packets with Ethereal.

My question is are there any other Windows services
I should worry about and maybe turn off?

Brian


Anonymous
April 8, 2004 11:09:52 AM

Archived from groups: comp.security.firewalls (More info?)

Skywise <into@oblivion.nothing.com> wrote in
news:vR6dc.994$k05.339@newsread2.news.pas.earthlink.net:

> Since I am new to Win2K I've recently learned about
> the Windows messenger service and have just learned
> how to turn it off. It hadn't been a problem anyway
> due to my use of Kerio, but was examining some of
> the packets with Ethereal.

Don't be so sure about that. I just found out that the Messenger Spammers
are now using remote port 53 to get by your DNS rules if you don't have
your DNS servers specified in the rules. Better check that again...

> My question is are there any other Windows services
> I should worry about and maybe turn off?

Here's a popular site for services: http://www.blackviper.com/
Anonymous
April 8, 2004 12:44:43 PM

Archived from groups: comp.security.firewalls (More info?)

"Skywise" <into@oblivion.nothing.com> wrote in message
news:vR6dc.994$k05.339@newsread2.news.pas.earthlink.net...
> Since I am new to Win2K I've recently learned about
> the Windows messenger service and have just learned
> how to turn it off. It hadn't been a problem anyway
> due to my use of Kerio, but was examining some of
> the packets with Ethereal.
>
> My question is are there any other Windows services
> I should worry about and maybe turn off?

There's more to it than just the services.

http://www.uksecurityonline.com/index5.php

Duane :) 
Anonymous
April 9, 2004 2:38:01 AM

Archived from groups: comp.security.firewalls (More info?)

Skywise <into@oblivion.nothing.com> wrote in
news:mUhdc.1980$A_4.1231@newsread1.news.pas.earthlink.net:

>
> Ok, I could be wrong as I'm still learning, but if I have the
> messenger service disabled and not running, it wouldn't matter
> what port the messages come in on as there's no messenger service
> to respond to the packet anyway, right?
>

You should probably leave the messenger service on (automatic) until you're
sure nothing is getting in thru the firewall. You don't want inbound stuff
getting thru. If you're still getting messenger popups then that's a good
alert to you that something IS still getting thru somehow. Ideally, you
want nothing coming thru inbound that you don't specifically allow, such as
DNS or DHCP.
Anonymous
April 9, 2004 11:52:25 AM

Archived from groups: comp.security.firewalls (More info?)

Kerodo <kerodo~nospam~kenny@hotmail.com> wrote in
news:Xns94C59F095923Ekerodonospamkenny@68.6.19.6:

> Skywise <into@oblivion.nothing.com> wrote in
> news:mUhdc.1980$A_4.1231@newsread1.news.pas.earthlink.net:
>
>>
>> Ok, I could be wrong as I'm still learning, but if I have the
>> messenger service disabled and not running, it wouldn't matter
>> what port the messages come in on as there's no messenger service
>> to respond to the packet anyway, right?
>>
>
> You should probably leave the messenger service on (automatic) until
> you're sure nothing is getting in thru the firewall. You don't want
> inbound stuff getting thru. If you're still getting messenger popups
> then that's a good alert to you that something IS still getting thru
> somehow. Ideally, you want nothing coming thru inbound that you don't
> specifically allow, such as DNS or DHCP.
>

Oh, nothing is getting through. Kerio is blocking them.

Later when I installed Ethereal I could see the messenger
packets in the capture. Apparently Ethereal gets the data
before it goes to the firewall to be blocked. I still did
not get any messenger pop-ups.

Now messenger is completely disabled and I have added the
specific ports (135,137-139,445) to Kerio.

Brian
Anonymous
April 9, 2004 11:52:26 AM

Archived from groups: comp.security.firewalls (More info?)

"Skywise" <into@oblivion.nothing.com> wrote in message
news:ZCsdc.3034$A_4.3006@newsread1.news.pas.earthlink.net...
> Kerodo <kerodo~nospam~kenny@hotmail.com> wrote in
> news:Xns94C59F095923Ekerodonospamkenny@68.6.19.6:
>
> > Skywise <into@oblivion.nothing.com> wrote in
> > news:mUhdc.1980$A_4.1231@newsread1.news.pas.earthlink.net:
> >
> >>
> >> Ok, I could be wrong as I'm still learning, but if I have the
> >> messenger service disabled and not running, it wouldn't matter
> >> what port the messages come in on as there's no messenger service
> >> to respond to the packet anyway, right?
> >>
> >
> > You should probably leave the messenger service on (automatic) until
> > you're sure nothing is getting in thru the firewall. You don't want
> > inbound stuff getting thru. If you're still getting messenger popups
> > then that's a good alert to you that something IS still getting thru
> > somehow. Ideally, you want nothing coming thru inbound that you don't
> > specifically allow, such as DNS or DHCP.
> >
>
> Oh, nothing is getting through. Kerio is blocking them.
>
> Later when I installed Ethereal I could see the messenger
> packets in the capture. Apparently Ethereal gets the data
> before it goes to the firewall to be blocked. I still did
> not get any messenger pop-ups.
>
> Now messenger is completely disabled and I have added the
> specific ports (135,137-139,445) to Kerio.
>
> Brian

I've also added (to packet filter)
Application: system
Protocol: TCP
Direction: Incoming
Action: Deny

If you 'Log to Network Log' you'll be surprised how many
apparent attacks there are!
Anonymous
April 9, 2004 9:07:38 PM

Archived from groups: comp.security.firewalls (More info?)

Skywise <into@oblivion.nothing.com> wrote in
news:ZCsdc.3034$A_4.3006@newsread1.news.pas.earthlink.net:

>
> Now messenger is completely disabled and I have added the
> specific ports (135,137-139,445) to Kerio.

Messenger spam also comes in on ports 1026 and 1027 as well...


--
Kerodo
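
Added example (not part of any post in this thread, and not Kerio's actual rule format): a simplified first-match packet filter showing why a DNS rule that only checks remote port 53 lets Messenger spam through, while one that also pins the DNS server addresses does not. The addresses, the rule model, the UDP-only scope and the sample packets are assumptions constructed for illustration; the port list is the one given in the thread.

```python
# Added example: simplified first-match inbound UDP filter (hypothetical model).
from ipaddress import ip_address

# Ports named in the thread as used by Messenger spam.
MESSENGER_PORTS = {135, 137, 138, 139, 445, 1026, 1027}
# Assumption: the resolvers this host is configured to use (documentation range).
DNS_SERVERS = {ip_address("192.0.2.53"), ip_address("192.0.2.54")}

def rule(action, remote_port=None, remote_addrs=None, local_ports=None):
    """Build a rule; a field left as None matches anything."""
    return {"action": action, "remote_port": remote_port,
            "remote_addrs": remote_addrs, "local_ports": local_ports}

# Weak: any host may send inbound UDP as long as its source port is 53.
WEAK = [rule("allow", remote_port=53),
        rule("deny", local_ports=MESSENGER_PORTS)]
# Corrected: the DNS rule also pins the remote address to the known resolvers.
STRICT = [rule("allow", remote_port=53, remote_addrs=DNS_SERVERS),
          rule("deny", local_ports=MESSENGER_PORTS)]

def evaluate(rules, pkt):
    """Return the action of the first matching rule; unmatched inbound is denied."""
    for r in rules:
        if r["remote_port"] is not None and pkt["sport"] != r["remote_port"]:
            continue
        if (r["remote_addrs"] is not None
                and ip_address(pkt["src"]) not in r["remote_addrs"]):
            continue
        if r["local_ports"] is not None and pkt["dport"] not in r["local_ports"]:
            continue
        return r["action"]
    return "deny"

# Constructed inbound UDP packets (sample data, not a real capture).
PACKETS = [
    {"name": "dns_reply", "src": "192.0.2.53", "sport": 53, "dport": 3072},
    {"name": "spam_from_53", "src": "203.0.113.9", "sport": 53, "dport": 1026},
    {"name": "spam_plain", "src": "203.0.113.9", "sport": 4500, "dport": 135},
]

def verdicts(rules):
    """Map each sample packet name to the action the rule set takes on it."""
    return {p["name"]: evaluate(rules, p) for p in PACKETS}

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("strict", STRICT)):
        print(label, verdicts(rules))
```

In the weak rule set the allow rule matches before the port-block rule is ever reached, which is why adding the Messenger ports to the block list alone does not close the gap.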