
Seeking information on my open ports in Windows 2000 SP2


James

Sep 9, 2001, 12:02:05 AM
Greetings

I've seen posts like this before with great responses, so I will try
one myself. I'm running Windows 2000 SP2 and have recently found out
how to use netstat and a gui version of it called netmon. I am also
running ZA Pro so I know the ports aren't really listening, but I
wanted to close them anyway. I was successful in closing out a lot of
netbios ports that were opened, including 137, by going to tcp/ip
properties/wins/disable netbios over tcp/ip.

Alas, I still have a few ports that are listening, and would like to
know what services are opening them, and how I can close them.

The netstat in dos gives the following:

  Proto  Local Address           Foreign Address  State
  TCP    localhost:epmap         localhost:0      LISTENING
  TCP    localhost:microsoft-ds  localhost:0      LISTENING
  TCP    localhost:1025          localhost:0      LISTENING
  TCP    localhost:1027          localhost:0      LISTENING
  TCP    localhost:1029          localhost:0      LISTENING

I did some research and discovered that epmap is tcp/udp port 135 and
microsoft-ds tcp/udp port 445. I'm not sure about the other tcp
ports.

Is there a program out there that monitors your running services to
see which services are listening on what ports? I could list all of
my running services, but there are a lot. If I need to list them all
I will, but I just have norton protect and dumeter up. Looks like the
rest are win32 services.

Any information will be greatly appreciated.


James

Sep 9, 2001, 12:16:04 AM
Btw, I just rebooted, and checked open ports again, and it seems that
on my last boot, one of the tcp ports was 1030 and this boot it has
changed to 1029. Just an observation.

Antti Tolamo

Sep 9, 2001, 3:40:07 AM
James wrote:
> Greetings
>
> I've seen posts like this before with great responses, so I will try
> one myself. I'm running Windows 2000 SP2 and have recently found out
> how to use netstat and a gui version of it called netmon. I am also
> running ZA Pro so I know the ports aren't really listening, but I
> wanted to close them anyway. I was successful in closing out a lot of
> netbios ports that were opened, including 137, by going to tcp/ip
> properties/wins/disable netbios over tcp/ip.

Good. Although netbios itself isn't dangerous unless you
open network shares without an identification.

>
> Alas, I still have a few ports that are listening, and would like to
> know what services are opening them, and how I can close them.
>
> The netstat in dos gives the following:

>   Proto  Local Address           Foreign Address  State
>   TCP    localhost:epmap         localhost:0      LISTENING
>   TCP    localhost:microsoft-ds  localhost:0      LISTENING
>   TCP    localhost:1025          localhost:0      LISTENING
>   TCP    localhost:1027          localhost:0      LISTENING
>   TCP    localhost:1029          localhost:0      LISTENING

Normal.
Those ports above 1024+ are normally just ready to initiate a
connection from your side. There should be a couple of them open when you
boot up.
Thus for example when initiating a connection, your port 1025 connects
to port 80 (web page) somewhere else.

The computer however chooses those port numbers on your side randomly.
Normally initially somewhere just above 1024 but basically 65535 is the
upper limit.

>
> I did some research and discovered that epmap is tcp/udp port 135 and
> microsoft-ds tcp/udp port 445. I'm not sure about the other tcp
> ports.

Microsoft-ds (port 445) is sort of a security risk if one doesn't use passwords
and login with Windows 2000. It's a bit similar to netbios:

http://www.newsbytes.com/news/01/169408.html

Epmap can somebody else explain, I'm more aware of Linux networking although
I do use a lot of Windows 2000 Pro.

Antti

Antti Tolamo

Sep 9, 2001, 5:07:14 AM
Antti Tolamo wrote:
> James wrote:

> Normal.
> Those ports above 1024+ are normally just ready to initiate a
> connection from your side. There should be a couple of them open when you
> boot up.
> Thus for example when initiating a connection, your port 1025 connects
> to port 80 (web page) somewhere else.
>
> The computer however chooses those port numbers on your side randomly.
> Normally initially somewhere just above 1024 but basically 65535 is the
> upper limit.
>
>> I did some research and discovered that epmap is tcp/udp port 135 and
>> microsoft-ds tcp/udp port 445. I'm not sure about the other tcp
>> ports.
>
> Microsoft-ds (port 445) is sort of a security risk if one doesn't use
> passwords and login with Windows 2000. It's a bit similar to netbios:
>
> http://www.newsbytes.com/news/01/169408.html
>
> Epmap can somebody else explain, I'm more aware of Linux networking although
> I do use a lot of Windows 2000 Pro.
>
> Antti


Actually I take back what I said. 1025 is the port for Active Directory as I
searched the net. The rest of the ports are also normally open. They are with
my Windows 2000 and I know they are in others too. As far as I know they
don't pose any threat.

Antti


Tilman Schmidt

Sep 10, 2001, 1:30:51 PM
James <de700d1d...@sneakemail.com> wrote:
>I'm running Windows 2000 SP2 and have recently found out
>how to use netstat and a gui version of it called netmon. I am also
>running ZA Pro so I know the ports aren't really listening, but I
>wanted to close them anyway.

This is indeed a good idea. A port that isn't listening in the first
place is safer than a port shielded by a firewall.

> I was successful in closing out a lot of
>netbios ports that were opened, including 137, by going to tcp/ip
>properties/wins/disable netbios over tcp/ip.
>
>Alas, I still have a few ports that are listening, and would like to
>know what services are opening them, and how I can close them.

Yeah, I have those too and haven't found a way of closing them yet.

>The netstat in dos gives the following:
>
> Proto Local Address Foreign Address State
> TCP localhost:epmap localhost:0 LISTENING

This is the DCE End Point Mapper listening on port 135. It is similar
in function to the Unix portmapper (port 111), i.e. it receives
requests for DCE services and hands out the actual port the requested
service is listening on so the client can connect to it. I do not like
this at all, but there doesn't seem to be a way to disable it.

> TCP localhost:microsoft-ds localhost:0 LISTENING

According to Microsoft, this is a sort of successor to NetBIOS over
TCP/IP. I like that even less than epmap, although of course Microsoft
swears that it poses no risk at all, but again, I found no hint on how
to get rid of it.

> TCP localhost:1025 localhost:0 LISTENING
> TCP localhost:1027 localhost:0 LISTENING
> TCP localhost:1029 localhost:0 LISTENING

These are the actual services epmap makes available. It should be
possible to find out what they are by interrogating the epmap service,
but I haven't found a tool which does that yet.

On my machine there is another one:

> UDP localhost:500 *:*

which is the IPSEC key management port. Again, completely safe
according to Microsoft (of course) but no way to close it.

>Is there a program out there that monitors your running services to
>see which services are listening on what ports?

The nearest I found is a program named Active Ports available from
http://www.ntutility.com/freeware.html - it needs administrator
privilege to run but otherwise it works fine. It produces a display
like this:

>Process      PID  Local IP     Local Port  Remote IP     Remote Port  State        Protocol  Path
>System       8    0.0.0.0      445                                    LISTEN       TCP
>System       8    0.0.0.0      1026                                   LISTEN       TCP
>System       8    192.168.0.1  137                                    LISTEN       UDP
>System       8    192.168.0.1  138                                    LISTEN       UDP
>System       8    0.0.0.0      445                                    LISTEN       UDP
>System       8    192.168.0.1  139         192.168.0.92  1025         ESTABLISHED  TCP
>services.exe 220  0.0.0.0      1027                                   LISTEN       UDP       E:\WINNT\system32\services.exe
>lsass.exe    232  192.168.0.1  500                                    LISTEN       UDP       E:\WINNT\system32\lsass.exe
>svchost.exe  400  0.0.0.0      135                                    LISTEN       TCP       E:\WINNT\system32\svchost.exe
>svchost.exe  400  0.0.0.0      135                                    LISTEN       UDP       E:\WINNT\system32\svchost.exe
>svchost.exe  492  192.168.0.1  3002                                   LISTEN       TCP       E:\WINNT\System32\svchost.exe
>svchost.exe  492  192.168.0.1  3003                                   LISTEN       TCP       E:\WINNT\System32\svchost.exe
>svchost.exe  492  192.168.0.1  3004                                   LISTEN       TCP       E:\WINNT\System32\svchost.exe
>svchost.exe  492  0.0.0.0      3001                                   LISTEN       UDP       E:\WINNT\System32\svchost.exe
>svchost.exe  492  192.168.0.1  67                                     LISTEN       UDP       E:\WINNT\System32\svchost.exe
>svchost.exe  492  192.168.0.1  68                                     LISTEN       UDP       E:\WINNT\System32\svchost.exe
>svchost.exe  492  192.168.0.1  53                                     LISTEN       UDP       E:\WINNT\System32\svchost.exe
>MSTask.exe   572  0.0.0.0      1025                                   LISTEN       TCP       E:\WINNT\system32\MSTask.exe

However you still have to find out yourself which service corresponds
to which process.

--
Tilman Schmidt E-Mail: Tilman....@ePost.de
Bonn, Germany
- Undetected errors are handled as if no error occurred. (IBM) -
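
Added example (not part of the original thread): on current Windows versions, the port-to-process-to-service mapping that the post above leaves as a manual step can be produced with built-in PowerShell cmdlets. It assumes the NetTCPIP module (Get-NetTCPConnection, Get-NetUDPEndpoint), which Windows 2000 does not have; the output column names and the Exposure labels are chosen for this example.

```powershell
# Added example: list every listening TCP/UDP endpoint with its owning
# process and the Windows services hosted in that process.
# Assumption: a current Windows release with the NetTCPIP module.

# Build PID -> service names (one svchost.exe can host several services)
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object { $servicesByPid[[int]$_.ProcessId] += @($_.Name) }

# Collect TCP listeners and bound UDP endpoints in one common shape
$tcp = Get-NetTCPConnection -State Listen |
    Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
$udp = Get-NetUDPEndpoint |
    Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

@($tcp) + @($udp) | ForEach-Object {
    $procId = [int]$_.OwningProcess
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue

    # A wildcard bind is reachable on every interface; a loopback bind is not
    if ($_.LocalAddress -in '0.0.0.0', '::') {
        $exposure = 'all interfaces'
    } elseif ($_.LocalAddress -in '127.0.0.1', '::1') {
        $exposure = 'loopback only'
    } else {
        $exposure = 'one interface'
    }

    [pscustomobject]@{
        Proto    = $_.Proto
        Address  = $_.LocalAddress
        Port     = $_.LocalPort
        Exposure = $exposure
        PID      = $procId
        Process  = $proc.ProcessName
        Services = ($servicesByPid[$procId] -join ', ')
    }
} | Sort-Object Proto, Port | Format-Table -AutoSize
```

An empty Services column means the listener belongs to a process that is not a registered service, or to the kernel (the System process).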

James

Sep 10, 2001, 8:21:04 PM
Thanks for the information guys. It has been greatly appreciated.

If I find out how to close the ports, I will let you know.

James
