Archived from groups: microsoft.public.windowsxp.security_admin (More info?)
According to the SANS GIAC website, recently the majority of illicit
connection attempts have been aimed at the 'attack surfaces' (as Microsoft
refers to it) created by SMB on port 445 and the old NetBIOS ports 139, 137
etc. Although blocking these connection attempts (say, with a packet
filtering router) is good, most of the "How-to-harden-windows" webpages,
including the one on MS itself I believe, also recommend terminating the
services themselves IF the services are not required. Since my system is a
standalone, home system that never will be part of anybody's
domain//tree//forest//garden//weedpatch, why wouldn't I want to disable
these services, in addition to blocking the connection attempts at the
router? It seems like a win-win proposition: smaller attack surface and
freed-up resources.
"Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
news:25948632400066350094048@news.microsoft.com...
> The first and third ports you mention are owned by RPC. EPMap is the RPC
> end-point mapper (the service that RPC clients connect to so they can learn
> which port number an RPC service is listening on). 1025 can be any random
> RPC service that might have started in your computer, but most likely it's
> an instance of SVCHOST.EXE containing the code that the DNS client uses when
> it's communicating directly with Active Directory (*not* when performing
> name resolution). The second port is SMB-over-IP, the protocol for file and
> print sharing.
>
> Generally you don't disable these services. If you have a firewall on your
> network you normally wouldn't allow communications to these services from
> the Internet.
>
> Steve Riley
> steriley@microsoft.com
>
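A practical way to check whether the ports the thread is arguing about (EPMap on 135, NetBIOS on 137/138/139, SMB-over-IP on 445) are actually reachable from outside the machine is to audit the listening sockets rather than guess from the service list. The script below is an added example and is not from the newsgroup thread or from Microsoft; it parses the Windows `netstat -an` output format and reports listeners on those ports that are bound to a non-loopback address. The netstat text embedded in it is constructed sample data, and the port-to-service names are taken from the thread above (137/138 are assumed to be the NetBIOS name and datagram ports the question refers to with "137 etc.").

```python
import re

# Ports discussed in the thread, mapped to the service that owns them.
# 135 and 1025-style ports belong to RPC per the reply above; 137/138 are
# assumed to be the NetBIOS name/datagram ports behind "139, 137 etc.".
PORTS_OF_INTEREST = {
    135: "EPMap (RPC end-point mapper)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "SMB-over-IP (file and print sharing)",
}

# Constructed sample of `netstat -an` output in the Windows format.
# This is not data captured from any real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      203.0.113.5:51234      ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    127.0.0.1:1900         *:*
"""

# One socket line: protocol, local addr:port, foreign addr, optional state.
# UDP lines carry no state column, hence the optional last group.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state) for each socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and title lines
        proto, addr, port, _foreign, state = m.groups()
        yield proto, addr, int(port), state or ""


def is_loopback(addr):
    """True for IPv4/IPv6 loopback bindings, which a router filter never sees."""
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def exposed_listeners(text):
    """Return (proto, addr, port, service) for each port of interest that is
    bound to a non-loopback address.

    TCP sockets count only in LISTENING state; UDP sockets have no state and
    count whenever they are bound. Loopback bindings are skipped because they
    cannot be reached from the network regardless of router filtering.
    """
    findings = []
    for proto, addr, port, state in parse_netstat(text):
        if port not in PORTS_OF_INTEREST or is_loopback(addr):
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        findings.append((proto, addr, port, PORTS_OF_INTEREST[port]))
    return findings


if __name__ == "__main__":
    # On a real box: pipe `netstat -an` output into this script instead.
    for proto, addr, port, service in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto:<4} {addr}:{port:<5} {service}")
```

Running it over the sample flags five sockets (135 and 445 on all interfaces, 139/137/138 on the LAN address) and ignores the loopback-only RPC port 1025, which is the distinction that matters for the thread's question: a listener that is only reachable on 127.0.0.1 adds nothing to the network-facing attack surface, whereas the five flagged ones do unless the router actually drops inbound traffic to them.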