When Windows is run with its default settings, many ports are open. Because a number of services start automatically, a variety of services can be used without complicated configuration. But if those settings are left untouched, the machine can easily become an attacker's target. The basis of security countermeasures is to distinguish strictly between needed and unneeded services, and to shut down the unneeded ones. To do so, you must understand the role of the representative ports that Windows opens by default, the hazards they pose, and how to configure them appropriately.
Over the Internet, the entire content of a server's hard disk can be viewed, and its data can easily be tampered with or deleted. The reader may ask: where could such a carelessly configured server exist? Many people assume that as long as they do not make extreme settings, this will not happen to them.
Yet on Windows it can happen even when the administrator never deliberately started a service or opened a port.
By default, Windows opens TCP port 139 for the file sharing service. Because the file sharing service starts by default, the system sits waiting for connections, and the machine is permanently exposed to an attacker accessing its shared resources. Shares can be assigned easily with the net command. Sharing the C drive requires administrator privilege, but if the Guest account has been enabled unintentionally, the C drive can be accessed through it, so the hard disk is very easy to destroy. Serious security vulnerabilities that use the file sharing service as the starting point of an attack have also been found.
The basic principle of security countermeasures is to close unneeded services. If a service is not started, the machine will not respond even when a connection request arrives from outside. To do this, the administrator must fully understand which services are necessary and which services are actually running.
However, Windows starts many services by default, and the effect of each service is often hard to figure out. Many administrators not only fail to understand the risk of open ports, but also connect directly to the Internet without understanding the role and necessity of each service.
Five ports to watch
So, which ports are open under Windows' default settings? After installing each Windows system, the author investigated the ports that were open under the default configuration, using the free port scanner "NMAP" (http://www.insecure.org/nmap/).
The ports open on almost all Windows versions are 135, 137, 138 and 139. In addition, port 445 is open on Windows 2000, XP and .NET Server. These five are the well-known ports that Windows opens by default.
Are these services really necessary? To reach a conclusion, you must fully understand the function of each port. Even though they are open by default, leaving the default setting unchanged invites illegal access without your noticing. Therefore you should close them yourself wherever possible. For services that cannot be stopped because they must be used, make sure they cannot be accessed from outside.
The following is a detailed description of the five most representative ports, which are open on almost all Windows versions, namely 135, 137, 138, 139 and 445, and of their respective roles. Once their roles are understood, the hazards of leaving them open can be inferred, and corresponding countermeasures can be worked out conveniently.
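Before deciding which of the five ports to close, an administrator needs the same inventory the author produced with NMAP, but from the inside: which ports are actually listening and which process owns each. The following PowerShell script is an added example, not code from the original article. It assumes Windows 8 / Server 2012 or later (where the NetTCPIP module provides Get-NetTCPConnection and Get-NetUDPEndpoint) and an elevated prompt so that owning processes can be resolved; the role descriptions are taken from this article.

```powershell
# Added example (not from the original article): inventory listening TCP ports
# and bound UDP ports on this machine and flag the five ports the article
# discusses. Assumes Windows 8 / Server 2012 or later and an elevated prompt.

# Roles as described in the article; every other port is reported as "other".
$watchList = @{
    135 = 'RPC endpoint mapper (DCOM)'
    137 = 'NetBIOS name service (NBT)'
    138 = 'NetBIOS datagram / browsing'
    139 = 'SMB over NetBIOS (file and printer sharing)'
    445 = 'SMB/CIFS direct (file and printer sharing)'
}

function Get-WatchedPorts {
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

    # @() guards against a single result being a scalar rather than an array
    @($tcp) + @($udp) | Sort-Object Proto, LocalPort -Unique | ForEach-Object {
        $port = [int]$_.LocalPort
        $role = if ($watchList.ContainsKey($port)) { $watchList[$port] } else { 'other' }
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        [pscustomobject]@{
            Proto   = $_.Proto
            Address = $_.LocalAddress
            Port    = $port
            Process = $proc
            Role    = $role
        }
    }
}

$report = Get-WatchedPorts
# Full picture first, then only the five ports the article warns about
$report | Format-Table -AutoSize
$report | Where-Object Role -ne 'other' | Format-Table -AutoSize
```

Run it before and after each countermeasure described below; a port that is still listed after the change (for example 445 still owned by the System process) means the setting has not taken effect yet, usually because the machine has not been restarted.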
Verifying the risk of port 135 with a tool
Although everyone knows it is very dangerous, port 135 is the representative port whose use is hard to understand and whose hazard is hard to feel. But in July 2002 a tool appeared that makes its danger tangible: "IE'en".
This tool is published by "SecurityFriday.com", which provides security-related technical information and tool software (http://www.securityfriday.com). Its purpose is to demonstrate the risk of port 135 in a simple, clear form and to call on users to strengthen their security settings. However, because it is so powerful, Trend Micro Japan has added the tool's signature to its virus definition file. On a computer running that company's virus scanner, IE'en may be treated as a virus.
Even SSL-protected content can be seen
Not only can you obtain information from an IE that is running on another computer on your network, you can also operate the browser itself. Specifically, it is possible to obtain the list of windows that are open, the URL of the Web site displayed in each window, and the keywords entered into search sites.
The most frightening thing this tool shows is that data which should be protected by SSL appears in an unencrypted state, because the data can be acquired before it is encrypted or after it is decrypted. Using IE'en, one can even see information such as bank cash card passwords entered on an online banking site.
IE'en uses DCOM (Distributed Component Object Model), the distributed object technology integrated as standard in Windows NT 4.0 / 2000 / XP. With DCOM, DCOM applications on other computers can be operated remotely. The technology uses RPC (Remote Procedure Call) to call functions on other computers, and RPC uses port 135.
When communicating by RPC, port 135 on the other computer is contacted first. The other computer then replies with the port number that can be used, and the actual communication takes place on that port. In other words, port 135 is the port mapper that dynamically determines the port used for the actual RPC communication.
Any application developed with DCOM technology can be operated just as IE was. For example, it is not impossible to connect to Excel running on another computer, obtain the values entered in its cells, or even edit those values.
However, to manipulate another computer this way, you must know its IP address and a login name and password on that machine. Therefore the possibility of an attack by a third party over the Internet is quite low. The greatest hazard is inside a company's internal environment, and client machines are especially at risk, because in most cases not only can the IP addresses and login names of others be obtained, but passwords are also not managed very strictly. Shared computers such as those in schools and Internet cafes also need attention.
Be sure to configure DCOM in the company's internal environment
The surest way to avoid this danger is to stop the RPC service. Select "Services" under Administrative Tools in Control Panel and open the properties of Remote Procedure Call in the Services window. Setting the startup type to "Disabled" in the properties window stops RPC from starting at the next boot (to re-enable it, change the "Start" value under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs" from 0x04 back to 0x02 and restart the machine). However, this setting has a large impact on how Windows runs. On Windows XP Professional, for example, there is a long wait between logging in and the desktop appearing, because many Windows services depend on RPC and cannot start normally once RPC is disabled. Because this is so inconvenient, the RPC service generally cannot be stopped.
The countermeasure to consider next is packet filtering. But this, too, affects the operation of Windows in various ways. For example, if port 135 is blocked on a client, Outlook cannot connect to Exchange Server. MSDTC, which manages distributed transactions, MSMQ, which handles message exchange between applications, and DHCP, which dynamically assigns addresses to computers joining the network, also use it. Takahashi, a Windows networking expert, says: "Many Windows services need RPC. Moreover, Windows networks are not designed to be built with a firewall between client and server. So when filtering is used in a company's internal network, it should be implemented only after thorough verification." That is, in a company's internal environment not only the clients but even the servers cannot close port 135. On a server, port 135 is needed to synchronize Active Directory and the primary domain.
There is, however, a way to disable DCOM: the "DCOMCNFG.EXE" tool integrated as standard in Windows NT / 2000 / XP. Run it from the command prompt, open the Distributed COM Configuration Properties window, select the Default Properties page and clear the "Enable Distributed COM on this computer" option. Adopt this setting when there are no DCOM applications in the company and you do not want other computers operating COM objects on your machine.
For a client, there is also a way to prohibit remote logon to the computer. Open Control Panel, Administrative Tools, Local Security Policy; in the Local Security Settings window select User Rights Assignment under Local Policies, then in "Deny access to this computer from the network" specify the accounts to be refused. To reject all access, it is best to specify "Everyone".
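The two decisions above (is RPC really untouchable, and can DCOM be switched off instead) can both be checked from PowerShell. The script below is an added example, not from the original article or from SecurityFriday. It assumes an elevated prompt on Windows XP / Server 2003 or later. The "Enable Distributed COM on this computer" check box in DCOMCNFG is stored as the string value EnableDCOM ("Y" or "N") under HKLM\SOFTWARE\Microsoft\Ole, so setting that value to "N" is the same change the GUI makes; the Start value of the RpcSs service is the one the article mentions (0x02 = automatic, 0x04 = disabled).

```powershell
# Added example (not from the original article). Checks and applies the
# port 135 countermeasures discussed above. Run from an elevated prompt.

function Get-RpcStartValue {
    # 2 = Automatic (default), 4 = Disabled, as described in the article
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcSs' -Name Start).Start
}

function Get-RpcDependents {
    # Every service listed here cannot start once Remote Procedure Call is disabled,
    # which is why the article concludes that RPC generally cannot be stopped.
    Get-Service -Name RpcSs |
        Select-Object -ExpandProperty DependentServices |
        Sort-Object DisplayName |
        Select-Object Name, DisplayName, Status
}

function Get-DcomState {
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
    # An absent value means DCOM is enabled (the default)
    if ($null -eq $v) { 'Y' } else { $v.EnableDCOM }
}

function Disable-Dcom {
    # Same change as clearing "Enable Distributed COM on this computer" in DCOMCNFG.
    # Takes effect after a restart.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -Value 'N' -Type String
    Get-DcomState
}

"RpcSs Start value: 0x{0:X2}" -f (Get-RpcStartValue)
"Services that depend on RpcSs on this machine:"
Get-RpcDependents | Format-Table -AutoSize
"Current DCOM setting (Y = enabled): $(Get-DcomState)"

# Apply only after confirming that no application in the company relies on DCOM:
# Disable-Dcom
```

The dependent-services list is usually long, which makes the article's point concrete: disabling RpcSs is not a realistic option, whereas EnableDCOM = N leaves RPC running and only removes the remote activation path that IE'en relies on.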
Public servers should close port 135
Servers exposed to the Internet basically do not use RPC. As noted earlier, the risk is lower than in a company's internal environment, but port 135 should still be closed as long as the server runs no particular application that uses DCOM (that is, as long as it is not a necessary service). For example, a Web, mail or DNS server will have no problem even with port 135 closed.
When a DCOM application must be used over the Internet, however, the port cannot be closed. In that case strict password management is essential.
Specifically, via port 137 one can obtain the computer name and the logged-on user name, whether the machine is a primary domain controller or master browser, whether it is used as a file server, whether IIS or Samba is running, and whether Lotus Notes is running. According to SecurityFriday.com, "In addition to the computer name, you can accurately identify IIS, the primary domain controller, the master browser and file servers. Although not 100%, other information can sometimes be obtained as well."
That is, to obtain this information one only needs to send a request to port 137 of the computer. Anyone who knows the IP address can do this easily, and not only on the company's internal network: the information can also be obtained across the Internet.
For an attacker this is all too convenient: the role of the target computer and the structure of the network are easily understood. It is like kindly telling the attacker how to attack your computer. For example, knowing that IIS is running tells the attacker which services are started on that computer, so there is no need for a port scan to identify ports that can be broken into.
Alternatively, by capturing packets exchanged with port 137, the start-up and shutdown times of the target host can be obtained, because Windows sends a specific packet from port 137 when it starts or shuts down. Knowing when the target host is up makes it easy to use port 135, described above, to operate the other party's DCOM.
Port 137 manages computer names
Why does port 137 leak this information onto the network? Because port 137 is used by the computer name management function of the Windows network protocol "NetBIOS over TCP/IP (NBT)".
Computer name management is the function that resolves the names by which computers in a Windows network identify each other, NetBIOS names, to actual IP addresses. Port 137 can be used in two ways.
One way is to manage computer names with the broadcast function between computers in the same group. When a computer starts or connects to the network, it asks all computers whether any of them is using the same NetBIOS name as itself. Each computer that receives this query sends a notification packet if it is using that NetBIOS name. These exchanges are performed over port 137.
The other way is to manage computer names with WINS (Windows Internet Name Service). A computer called the WINS server holds a table mapping NetBIOS names to IP addresses. WINS clients send their NetBIOS name to the WINS server when they start or connect to the network. When communicating with another computer, the client sends that computer's NetBIOS name to the WINS server and asks for its IP address. This method also uses port 137.
As described above, many packets are exchanged on port 137 in order to obtain the IP address of a communication partner, and these packets contain the information shown in Table 3. When computer names are managed by broadcast, this information is sent to all computers. So if you use NBT, your computer itself spreads its own detailed information without your being aware of it.
Port 138 for browsing
Port 138, like port 137, sends the machine's own information to the outside. Unlike port 137, it is characterized by allowing someone to obtain Windows version information. For example, it leaks that the Windows version is Windows 2000 Server.
Port 138 provides the NetBIOS browsing function, which is used to display the list of computers connected to the network. For example, when "Entire Network" is selected under "My Network Places" in Windows 2000, the computers connected to the network are listed.
This function uses a mechanism different from the computer name management described above. In the browsing function, a computer called the master browser maintains the browse list of computers connected to the network. Each computer broadcasts its NetBIOS name over port 138 when it starts or connects to the network, and the master browser that receives the name appends that computer to the browse list. When a computer needs to display the list, it broadcasts a request for it, and the host holding the list sends the browse list back. When a computer shuts down, it informs the master browser, which removes its NetBIOS name from the list. All of these exchanges use port 138. Because broadcasts are used, the computer's information is sent to all computers in the same group.
Public servers should close NetBIOS
The NetBIOS service uses ports 137 and 138 to send the machine's own information to the outside. Normally it is not needed on a public server connected to the Internet, because NetBIOS is mainly used within Windows networks. Therefore public servers should stop this service.
Stopping NetBIOS means giving up the convenience of the Windows network.
The method is to stop the NBT service by selecting "Disable NetBIOS over TCP/IP". So on a network built only of Windows 2000 or later machines, NBT can be stopped, although convenience decreases: for example, the information used to find file sharing partners can no longer be displayed.
To stop the NetBIOS service, first select the network connection currently in use in Control Panel and open the properties of "Internet Protocol (TCP/IP)" in the Properties window. On the General page click the Advanced button, then on the "WINS" page select "Disable NetBIOS over TCP/IP". This closes ports 137 and 138, and also port 139, which is discussed later.
One point needs attention here. If the NetBEUI protocol is enabled, the NetBIOS service continues. In Windows 95 it is installed by default; in later versions it can be installed optionally. So besides stopping NBT, also confirm whether NetBEUI is in use. If NetBEUI is in use, the information shown in Table 3 may still leak out even with port 137 closed.
Ports 139 and 445 play the same role
After computers on a Microsoft network have obtained each other's IP addresses over ports 137 and 138, the actual communication, such as file sharing and printer sharing, takes place. This communication is implemented by the SMB (Server Message Block) protocol, and it uses ports 139 and 445.
The difference between SMB and CIFS: versions of Windows before Windows 2000 use the NetBIOS protocol to resolve computer names, obtaining the IP address by sending the partner's NetBIOS name to the WINS server. The CIFS used by Windows 2000 and later uses DNS to resolve computer names, looking up the communication partner in the DNS server's name list. Once the partner's IP address has been obtained, the shared resource can be accessed.
In SMB communication, the computer name resolution function described above is used first to obtain the partner's IP address, then a request to start communication is sent to the partner. If the partner permits, a session is established at the session layer. Over this session the user name and password are sent to the partner for authentication; if authentication succeeds, the partner's shared files can be accessed. Port 139 is used throughout this series of exchanges.
Windows 2000 and XP also use port 445 in addition. The file sharing function itself is the same as on port 139, but this port uses a different protocol from SMB: the newer CIFS (Common Internet File System) protocol introduced in Windows 2000.
CIFS and SMB differ in how they resolve computer names: SMB uses NetBIOS name broadcasts and WINS, while CIFS uses DNS.
Therefore, in an internal network where Windows machines are used as file and print servers, ports 139 and 445 cannot be closed; in many cases file and printer sharing are indispensable to ordinary work. Clients that do not expose any files themselves can close these two ports.
On a network made up only of Windows 2000 or later, port 139 can be closed, because, as mentioned earlier, such a network can perform file sharing over port 445 alone. Ports 137 and 138 can be closed by using DNS for computer name resolution. At present, however, almost all networks still mix in versions older than Windows 2000. In a mixed network, communication with those machines must go through SMB on port 139, so port 139 cannot be closed. In addition, ports 137 to 139 are needed for browsing.
Public servers should definitely close these ports
Servers exposed to the Internet are another matter. A public server with ports 139 and 445 open is extremely dangerous. As stated at the beginning of this article, if there is a Guest account with no password set, files can easily be stolen over the Internet, and if the account has write permission they can easily be tampered with. In other words, these ports must not be open on a server that faces the outside. Using a file server across the Internet is suicidal, so ports 139 and 445 must be closed. The same applies to client machines with permanent ADSL connections to the Internet.
To close port 139, as with ports 137 and 138, select "Disable NetBIOS over TCP/IP". Closing port 445 requires a different step: use Registry Editor to add a DWORD value named "SMBDeviceEnabled" under "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBt\Parameters", set it to 0, and restart the machine.
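The two procedures for a public server, disabling NetBIOS over TCP/IP (ports 137, 138 and 139, from the NetBIOS section above) and adding SMBDeviceEnabled = 0 (port 445), can be scripted and then verified in one pass. The script below is an added example, not from the original article. It assumes an elevated prompt on Windows 2000 or later with WMI; the WMI method Win32_NetworkAdapterConfiguration.SetTcpipNetbios(2) sets the same "Disable NetBIOS over TCP/IP" option as the WINS page of the adapter's advanced TCP/IP properties (2 = disable), and the verification function additionally assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection.

```powershell
# Added example (not from the original article): close 137/138/139 and 445 on a
# public server as described above, then verify after the restart.
# Run from an elevated prompt at the console: once SMB is off, this machine can
# no longer be administered through its admin shares.

$nbtParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

function Disable-NetbiosOverTcpip {
    # SetTcpipNetbios: 0 = use DHCP setting, 1 = enable, 2 = disable.
    # ReturnValue 0 = success; 1 = success, restart required.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $rc = $_.SetTcpipNetbios(2).ReturnValue
            [pscustomobject]@{ Adapter = $_.Description; ReturnValue = $rc }
        }
}

function Disable-Smb445 {
    # DWORD 0 disables the direct-hosted SMB listener on port 445.
    # The value does not exist by default, so it is created; -Force overwrites if present.
    New-ItemProperty -Path $nbtParams -Name SMBDeviceEnabled -Value 0 -PropertyType DWord -Force | Out-Null
    (Get-ItemProperty -Path $nbtParams -Name SMBDeviceEnabled).SMBDeviceEnabled
}

function Test-SmbPortsClosed {
    # Run after the restart: returns $true when nothing listens on 139 or 445
    $open = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 }
    if ($open) {
        $open | Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize
        return $false
    }
    return $true
}

Disable-NetbiosOverTcpip | Format-Table -AutoSize
"SMBDeviceEnabled is now: $(Disable-Smb445)"
'Restart the machine, then run Test-SmbPortsClosed to confirm that 139 and 445 are closed.'
```

Both changes take effect only after a restart, which is why the verification is a separate function. Remember the caveat from the NetBIOS section: if NetBEUI is also bound, NetBIOS traffic continues over it regardless of these TCP/IP settings, so check the protocol bindings as well.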
Has the security policy changed in .NET?
As mentioned before, using Windows directly with its default settings brings a variety of hazards. This is because Windows is made so that beginners can use it without complicated settings.
For example, Windows 2000 Server installs IIS automatically when the system is installed, and the IIS service starts as soon as the computer starts. Windows NT 4.0 Server lets you choose whether to install IIS, but its check box is selected by default, and, as on 2000, the IIS service starts automatically at boot.
Linux takes a completely different approach in many respects. For example, Red Hat Linux 7.3 requires a firewall to be configured during installation. The firewall has "high", "medium" and "low" levels, which block different packets. With "high", all ports other than 53 (DNS), 67 and 68 (DHCP) are blocked; with "medium", ports 1024 and above are open, but among the well-known ports that ordinary users rely on only 53, 67 and 68 are open.
Application installation also differs. Red Hat Linux 7.3 lets you choose "Workstation", "Server" or "Desktop" during installation. Even if "Server" is chosen, the file server "Samba", the web server "Apache" and so on are not installed unless the user selects them, and even after installation they do not start automatically. Unless the user explicitly starts a service, its port does not open, and no packet filtering software needs to be configured for that.
If convenience alone is considered, Windows is better, because the system starts various services automatically without complex settings. But it is very likely to start services the user does not want, and such services are often started without the user's knowledge. It can be said that anyone who wants to run a server safely, or to protect a client PC from danger, is better off without this automatic installation and setup. Microsoft in the US has proposed its "Trustworthy Computing" plan and intends to implement "secure by default" in "Windows .NET Server", scheduled to go on sale in early 2003. Unlike Windows 2000, the IIS service will no longer be installed by default, and even when the IIS component is added, the service will not run automatically when the OS starts.
However, in the beta, ports 135, 137, 138, 139 and 445 are still open by default. In addition, the "Internet Connection Firewall (ICF)" inherited from Windows XP is disabled by default. To reach Linux-level security, the steadiest approach would be to enable the firewall by default and let users enable services according to their own needs.