Running netstat -a on a web server and seeing
microsoft-ds with an external IP here. Is this indicative of a hack? Or
at least someone querying directory services? If so, what port can they
utilize, NetBIOS?
Thanks
http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp
http://www.microsoft.com/technet/security/prodtech/iis/default.mspx --- TechNet IIS security page
"stan" <n...@email.com> wrote in message
news:ONb6ikpH...@TK2MSFTNGP12.phx.gbl...
It seems like the (Microsoft-DS) is communicating with an external port.
Regarding the issue, I suggest you refer to the steps below:
1. Use netstat -a -n to confirm the IP and its ports.
2. Determine who owns the external IP and contact your ISP for more
information.
3. Check your firewall settings and apply the newest critical updates from
Windows Update sites.
4. Check the event log to get more information.
Please take a look at http://www.iana.org/assignments/port-numbers
microsoft-ds 445/tcp Microsoft-DS
microsoft-ds 445/udp Microsoft-DS
So, port 445 is SMB over IP (Microsoft-DS) 445/tcp, 445/udp. It is used by
DFS, Active Directory.
The Distributed File System (DFS) service manages logical volumes that are
distributed across a local area network (LAN) or wide area network (WAN)
and is required for the Microsoft Active Directory directory service SYSVOL
share. DFS is a distributed service that integrates disparate file shares
into a single logical namespace.
System service name: "Dfs"
+====================================+==========+======================+
| Application protocol               | Protocol | Ports                |
+====================================+==========+======================+
| NetBIOS Datagram Service           | UDP      | 138                  |
+====================================+==========+======================+
| NetBIOS Session Service            | TCP      | 139                  |
+====================================+==========+======================+
| LDAP Server                        | TCP      | 389                  |
+====================================+==========+======================+
| LDAP Server                        | UDP      | 389                  |
+====================================+==========+======================+
| SMB                                | TCP      | 445                  |
+====================================+==========+======================+
| RPC                                | TCP      | 135                  |
+====================================+==========+======================+
| Randomly allocated high TCP ports  | TCP      | <random port number> |
+====================================+==========+======================+
I would like to offer you these suggestions:
1. Check the source of the public IP. Sometimes this occurs when one of
your internal clients dials in to the Internet and accesses the IIS server.
The following site is a good tool to check the source IP:
http://www.dns-tools.com/
2. Enable Firewall on the IIS server. Block the DS service port:
832017 Port Requirements for the Microsoft Windows Server System --
http://support.microsoft.com/?id=832017
In addition, 'SMB direct hosting' on port 445 can be disabled using the
following Registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\SmbDeviceEnabled=0
3. Close all TCP/IP ports that are not required by following the steps.
Hope this addresses your concern.
Best regards,
Terry Liu
MCSE 2K MCSA MCDBA CCNA
Microsoft Online Support Engineer
Get Secure! - <www.microsoft.com/security>
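As a constructed example that is not part of this thread and not Microsoft's tooling, here is a small Python script that automates step 1 of the reply above: it parses Windows `netstat -a -n` output and reports any socket on one of the ports from the Dfs/Active Directory table whose peer lies outside private, loopback or link-local ranges. The sample netstat text is made up, and the 203.0.113.77 / 198.51.100.9 peers are TEST-NET documentation addresses standing in for public IPs.

```python
import ipaddress

# Ports from the Dfs / Active Directory port table quoted in the reply.
DIRECTORY_SERVICE_PORTS = {135: "RPC", 138: "NetBIOS Datagram Service",
                           139: "NetBIOS Session Service", 389: "LDAP",
                           445: "SMB / Microsoft-DS"}

# Internal ranges: RFC 1918, loopback, link-local and the unspecified address.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/32", "::/128", "::1/128")]

# Constructed `netstat -a -n` sample, not a real capture; 203.0.113.77 and
# 198.51.100.9 are TEST-NET documentation addresses standing in for public IPs.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        198.51.100.9:51000     ESTABLISHED
  TCP    192.168.1.10:445       192.168.1.55:1033      ESTABLISHED
  TCP    192.168.1.10:445       203.0.113.77:4125      ESTABLISHED
  TCP    192.168.1.10:139       203.0.113.77:4126      TIME_WAIT
  UDP    192.168.1.10:138       *:*
"""

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, foreign_ip, state) per socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header or unrelated text
        local_ip, local_port = parts[1].rsplit(":", 1)
        foreign_ip = parts[2].rsplit(":", 1)[0]   # drop the peer's port
        state = parts[3] if len(parts) > 3 else ""
        yield parts[0], local_ip, int(local_port), foreign_ip, state

def is_internal(ip_text):
    """True for the UDP wildcard '*' and for peers inside INTERNAL_NETS.
    Unparsable text is reported as external so that a human looks at it."""
    if ip_text == "*":
        return True
    try:
        ip = ipaddress.ip_address(ip_text.strip("[]"))
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def suspicious_peers(netstat_text):
    """Sockets on a directory-service port whose peer is not internal."""
    return [(port, DIRECTORY_SERVICE_PORTS[port], fip, proto, state)
            for proto, _lip, port, fip, state in parse_netstat(netstat_text)
            if port in DIRECTORY_SERVICE_PORTS and not is_internal(fip)]
```

On a real server, replace SAMPLE_NETSTAT with the output of `netstat -a -n`; a hit here is the starting point for steps 2 to 4 of the reply (identify the owner of the IP, check firewall and patches, read the event log), not proof of compromise by itself.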