
Problems disabling ports 135 and 1025.


FzZzT

Jun 9, 2004, 1:01:04 PM
Hello,

I have a Windows Server 2003 Web Edition box I'm trying to get ready to put on the net and I can't get I've read all sorts of procedures to disable ports 135 and 1025, and none of them have worked. I would settle even to change them to listen on localhost instead of all IPs at this point. DTC is disabled, NetBIOS is disabled, Task Scheduler is disabled, I've changed a bunch of registry keys and everything save deleting rpcrt4.dll but it doesn't close the thing. Port 1025 is owned by lsass.exe and 135 by svchost.exe, which doesn't help very much. rpcdump.exe says 1025 is "ncacn_ip_tcp", an "IPSEC policy agent endpoint", but disabling IPSEC Services doesn't close it either. Everything seems to depend on the RPC service, so maybe port 135 is an unwinnable battle for a usable IIS server. Is there a way to tell either or both of these services to listen on localhost, or a specific IP? Slapping a firewall on it isn't a desirable hack/kludge/"solution".

Thanks for any advice.

jbiddlew

Jun 9, 2004, 1:41:03 PM
I, too, have ports open on W2K3s - TCP ports 135, 145, 1025 & 1026 - and would like to figure out how to close them.

Tom Pepper Willett

Jun 9, 2004, 1:58:59 PM
http://www.petri.co.il/what_is_port_445_in_w2kxp.htm

"jbiddlew" <anon...@discussions.microsoft.com> wrote in message
news:8F0C8014-17B0-412B...@microsoft.com...

N. Miller

Jun 9, 2004, 3:27:39 PM
In article <F0BC3878-C12A-40D9...@microsoft.com>, FzZzT says...

Hmmm. You can only disable a port by disabling the application which uses
the port. But, if IIS will break by disabling a particular service, but that
service will hold a port open when it is running, you won't be able to run
the IIS server without opening the affected port.

In fact, it is this which causes many to suggest running the IIS server
behind a NAT device. By only forwarding those ports that the Internet needs
to access for the service, you can leave the vulnerable services running
because they can't be reached through the NAT device.

Although I don't run IIS, or even a WinOS with Blaster/Sasser vulnerability,
I do run an MTA, and I do have only the necessary ports exposed to the
Internet. I am not running an email service for the larger community, and
keep ports, such as port 143 (IMAP service) blocked from Internet access.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
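
The "forward only the ports the Internet needs" advice above can be checked against the host's own listener table. The following is an added example, not part of the original thread: it parses `netstat -ano` output and separates listeners that are meant to be public from those the NAT device or firewall has to keep unreachable. The sample output, PIDs, addresses and the `forwarded_ports` set are constructed assumptions.

```python
import re

# Constructed sample of `netstat -ano` output (not taken from the poster's server).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1832
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       484
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1200
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:80          198.51.100.7:51514     ESTABLISHED     1832
  TCP    [::]:135               [::]:0                 LISTENING       712
"""

# Local address, local port and owning PID of a TCP socket in LISTENING state.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
# Addresses that are only reachable from the machine itself.
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|\[::1\])$")

def tcp_listeners(netstat_text):
    """Yield (address, port, pid) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3))

def audit(netstat_text, forwarded_ports):
    """Sort listeners into intended-public, must-be-filtered and loopback-only."""
    report = {"public": set(), "filter": set(), "local": set()}
    for addr, port, pid in tcp_listeners(netstat_text):
        if LOOPBACK.match(addr):
            report["local"].add((port, pid))      # not reachable off-box
        elif port in forwarded_ports:
            report["public"].add((port, pid))     # deliberately exposed
        else:
            report["filter"].add((port, pid))     # listening, must not be forwarded
    return report

if __name__ == "__main__":
    # Assumption: only HTTP is forwarded to this web server.
    result = audit(SAMPLE_NETSTAT, forwarded_ports={80})
    for bucket in ("public", "filter", "local"):
        for port, pid in sorted(result[bucket]):
            print(f"{bucket:7} tcp/{port:<5} pid {pid}")
```

Every entry in the `filter` bucket is a service that keeps running but should be absent from the forwarding rules; the PID column maps each one back to its owning process.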

Lanwench [MVP - Exchange]

Jun 9, 2004, 1:55:48 PM

Why not? It's not a kluge, or a hack, but it is part of the solution. A
firewall or a proxy server like ISA is the first thing you should have in
place - and if this is to be a public webserver, it should be in a DMZ,
ideally. Port 135 should definitely not be available from the Internet.

>
> Thanks for any advice.

