Why not terminate un-needed services that burn overhead & ..

Guest
Archived from groups: microsoft.public.windowsxp.security_admin

According to the SANS GIAC website, recently the majority of illicit
connection attempts have been aimed at the 'attack surfaces' (as microsoft
refers to it) created by smb on port 445 and the old netbios ports 139, 137
etc. Although blocking these connection attempts (say, with a packet
filtering router) is good, most of the "How-to-harden-windows" webpages,
including the one on MS itself I believe, also recommend terminating the
services themselves IF the services are not required. Since my system is a
standalone, home system that never will be part of anybody's
domain//tree//forest//garden//weedpatch, why wouldn't I want to disable
these services, in addition to blocking the connection attempts at the
router? It seems like a win-win proposition, smaller attack surface and
freed-up resources.

"Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
news:25948632400066350094048@news.microsoft.com...
> The first and third ports you mention are owned by RPC. EPMap is the RPC
> end-point mapper (the service that RPC clients connect to so they can
> learn
> which port number an RPC service is listening on). 1025 can be any random
> RPC service that might have started in your computer, but most likely
> it's
> an instance of SVCHOST.EXE containing the code that the DNS client uses
> when
> it's communicating directly with Active Directory (*not* when performing
> name resolution). The second port is SMB-over-IP, the protocol for file
> and
> print sharing.
>
> Generally you don't disable these services. If you have a firewall on your
> network you normally wouldn't allow communications to these services from
> the Internet.
>
> Steve Riley
> steriley@microsoft.com
>
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

You can't disable RPC because much of Windows relies on it, even for interprocess
communications within a single computer.

Regarding SMB, I don't know what the side effects would be of disabling the
server and workstation services because it isn't something I normally do.

Steve Riley
steriley@microsoft.com



> According to the SANS GIAC website, recently the majority of illicit
> connection attempts have been aimed at the 'attack surfaces' (as
> microsoft refers to it) created by smb on port 445 and the old netbios
> ports 139, 137 etc. Although blocking these connection attempts (say,
> with a packet filtering router) is good, most of the
> "How-to-harden-windows" webpages, including the one on MS itself I
> believe, also recommend terminating the services themselves IF the
> services are not required. Since my system is a standalone, home
> system that never will be part of anybody's
> domain//tree//forest//garden//weedpatch, why wouldn't I want to
> disable these services, in addition to blocking the connection
> attempts at the router? It seems like a win-win proposition, smaller
> attack surface and freed-up resources.
>
> "Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
> news:25948632400066350094048@news.microsoft.com...
>
>> The first and third ports you mention are owned by RPC. EPMap is the
>> RPC
>> end-point mapper (the service that RPC clients connect to so they can
>> learn
>> which port number an RPC service is listening on). 1025 can be any
>> random
>> RPC service that might have started in your computer, but most
>> likely
>> it's
>> an instance of SVCHOST.EXE containing the code that the DNS client
>> uses
>> when
>> it's communicating directly with Active Directory (*not* when
>> performing
>> name resolution). The second port is SMB-over-IP, the protocol for
>> file
>> and
>> print sharing.
>> Generally you don't disable these services. If you have a firewall on
>> your network you normally wouldn't allow communications to these
>> services from the Internet.
>>
>> Steve Riley
>> steriley@microsoft.com
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

On Fri, 31 Dec 2004 13:55:42 -0800, Steve Riley [MSFT]

>You can't disable RPC because much of Windows relies on it, even for interprocess
>communications within a single computer.

Which points to bad design.

XP is NT, and NT was designed to be a network slave (er, "client").
Whereas the poster, like most consumers that Home is for, has a
standalone PC that he'd prefer to air-gap from the Internet.

>Regarding SMB, I don't know what the side effects would be of disabling the
>server and workstation services because it isn't something I normally do.

Me neither. I do use a .REG to kill "admin shares", facilitate Set
statements in RC, and suppress WSH, and those have been OK.

>> "How-to-harden-windows" webpages, including the one on MS itself I
>> believe, also recommend terminating the services themselves IF the
>> services are not required. Since my system is a standalone, home
>> system that never will be part of anybodies
>> domain//tree//forest//garden//weedpatch, why wouldn't I want to
>> disable these services, in addition to blocking the connection
>> attempts at the router?

Exactly. But you can't, because MS is fobbing you off with a neutered
network client OS rather than developing a true stand-alone OS.

Firewall's the only way to protect against RPC and similar attacks,
but you can do two things to mitigate the effects of such attacks:

1) Stop RPC service failures from restarting the PC

2) Stop system failures from restarting the PC

These are both worthwhile fixes for dumb-ass MS duhfaults.



>------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
>------------ ----- --- -- - - - -
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

You brought up some interesting points (I'm the original poster of this thread).

>Me neither. I do use a .REG to kill "admin shares", facilitate Set
>statements in RC, and suppress WSH, and those have been OK.

The .reg, is that a registry mod? If so, what is it? I use "script sentry"
which intercepts calls to script interpreters (like wscript host) and
diverts them to notepad, so I can read the script and decide what to do.
It's just amazing how frequently browsers and even other apps encounter (and
would have just gone ahead and run) scripts.



>1) Stop RPC service failures from restarting the PC
>2) Stop system failures from restarting the PC

Sounds good, but how do I do it?



"cquirke (MVP Win9x)" <cquirkenews@nospam.mvps.org> wrote in message
news:haqft0lpo5bepsf8b093749m1kq9dpq94g@4ax.com...
> On Fri, 31 Dec 2004 13:55:42 -0800, Steve Riley [MSFT]
>
>>You can't disable RPC because much of Windows relies on it, even for
>>interprocess
>>communications within a single computer.
>
> Which points to bad design.
>
> XP is NT, and NT was designed to be a network slave (er, "client").
> Whereas the poster, like most consumers that Home is for, has a
> standalone PC that he'd prefer to air-gap from the Internet.
>
>>Regarding SMB, I don't know what the side effects would be of disabling
>>the
>>server and workstation services because it isn't something I normally do.
>
> Me neither. I do use a .REG to kill "admin shares", facilitate Set
> statements in RC, and suppress WSH, and those have been OK.
>
>>> "How-to-harden-windows" webpages, including the one on MS itself I
>>> believe, also recommend terminating the services themselves IF the
>>> services are not required. Since my system is a standalone, home
>>> system that never will be part of anybody's
>>> domain//tree//forest//garden//weedpatch, why wouldn't I want to
>>> disable these services, in addition to blocking the connection
>>> attempts at the router?
>
> Exactly. But you can't, because MS is fobbing you off with a neutered
> network client OS rather than developing a true stand-alone OS.
>
> Firewall's the only way to protect against RPC and similar attacks,
> but you can do two things to mitigate the effects of such attacks:
>
> 1) Stop RPC service failures from restarting the PC
>
> 2) Stop system failures from restarting the PC
>
> These are both worthwhile fixes for dumb-ass MS duhfaults.
>
>
>
>>------------ ----- --- -- - - - -
> Drugs are usually safe. Inject? (Y/n)
>>------------ ----- --- -- - - - -
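The thread ends with "how do I do it?" unanswered. The script below is an added example written for this archive; it is not from any of the posters and is not Microsoft guidance. It is a cmd.exe batch file for Windows XP that first audits what the thread talks about (listeners on the RPC, NetBIOS and SMB ports, the state of the Server and Workstation services, the RPC service's recovery action, the admin-share and auto-reboot settings) and, when run with `apply`, makes the three changes the thread mentions: killing the automatic admin shares (`AutoShareWks`), stopping a failure of the RPC service (`RpcSs`) from restarting the PC, and stopping a system crash from auto-rebooting (`CrashControl\AutoReboot`). The `sc failure` action list (`restart/60000...`) and the `TransportBindName` trick for closing port 445 are assumptions about the XP-era tooling, noted in the comments; the registry values are the documented ones, and the same values could equally be put in the kind of .REG file cquirke refers to.

```batch
@echo off
REM standalone-audit.cmd  (constructed example, not part of the thread)
REM Run from an Administrator cmd prompt on Windows XP.
REM   standalone-audit.cmd          -> audit only, changes nothing
REM   standalone-audit.cmd apply    -> apply the mitigations discussed in the thread

if /I "%~1"=="apply" goto :apply

:audit
echo === Sockets on the RPC / NetBIOS / SMB ports (135, 137-139, 445) ===
REM -o adds the owning PID so a listener can be traced back to a service.
netstat -ano | findstr /C:":135 " /C:":137 " /C:":138 " /C:":139 " /C:":445 "

echo.
echo === Server (file/print sharing) and Workstation service state ===
sc query lanmanserver | findstr /C:"STATE"
sc query lanmanworkstation | findstr /C:"STATE"

echo.
echo === Services that would break if Server / Workstation were disabled ===
sc enumdepend lanmanserver
sc enumdepend lanmanworkstation

echo.
echo === RPC service recovery action (XP default is to restart the computer) ===
sc qfailure RpcSs

echo.
echo === Admin shares (AutoShareWks absent or 1 = C$/ADMIN$ are created) ===
reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks

echo.
echo === Auto-reboot after a system crash (AutoReboot 1 = reboot, 0 = stay on the stop screen) ===
reg query "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v AutoReboot
goto :eof

:apply
echo [1] Stop the Server service from creating C$ and ADMIN$ at its next start
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f

echo [2] On RPC service failure, restart the service instead of the whole PC
REM Assumption: sc.exe "failure" syntax with first/second/subsequent actions,
REM each as action/delay-in-ms; reset= 0 resets the failure count immediately.
sc failure RpcSs reset= 0 actions= restart/60000/restart/60000/restart/60000

echo [3] Keep a crashed system on the stop screen instead of rebooting
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v AutoReboot /t REG_DWORD /d 0 /f

echo [4] Optional (left commented out): remove the SMB listener on a truly standalone box.
echo     Check "sc enumdepend" output above first; these break all file and print sharing.
REM Assumption: an empty TransportBindName stops the direct-hosted SMB listener on 445.
REM reg add "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters" /v TransportBindName /t REG_SZ /d "" /f
REM sc config lanmanserver start= disabled

echo Done. Reboot for the Server and CrashControl settings to take effect.
goto :eof
```

The audit half is safe to run at any time and is the check to re-run after applying: port 445 stays listed until the Server service is actually stopped or the transport binding removed, and `sc qfailure RpcSs` shows whether the recovery action really changed. Item 4 is deliberately commented out because, as Steve Riley says in the thread, the side effects of disabling Server and Workstation are not something most people test; `sc enumdepend` shows what else on the machine depends on them before you decide.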