Help identifying/blocking ports on a Win2k3 server 2

Status
Not open for further replies.

EvanK

Technical User
Nov 18, 2003
21
In the process of trying to beef up security, I ran nmap against a Windows 2003 server to determine what ports were open. After removing any known and used services (http, wms, rdp), I'm left with all these flapping in the internet breeze:

Code:
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
1025/tcp  open  NFS-or-IIS
1026/tcp  open  LSA-or-nterm
1027/tcp  open  IIS
10160/tcp open  unknown

Now, some of them I don't even know exactly what they are ("unknown" isn't real helpful), and others I just don't know how to disable.

For a bit of background, the server has two disjoint networks, a 66.* address that connects directly to the internet, and a 192.* address behind a firewalled Microsoft network. The above ports are open on the 66.* address.

[Screenshot: netconnset1.png]

As you can see in the screenshot, I've disabled the Client for Microsoft Networks and File and Printer Sharing on the external network connection (one of two disjoint networks), but netbios is still open to the outside world.

IIS is already running on port 80 (as it should be), but why is it also listening on 1025 and 1027? As for the others, how would I close them off to the outside world (honestly, aside from NetBIOS and IIS, I don't think I need any of them at all)?
 
NetBIOS is broadcasting your computer name to any WINS server that might be out there. To turn that off, in the adapter properties go to TCP/IP -> Properties -> Advanced -> WINS tab.

Can't answer all of your questions but that open port at 10160 looks wrong to me.
 
Yep, it was still broadcasting NetBIOS in the advanced tab... turned that off so port 139 is secured. And my predecessor had never turned QuickBooks off, which was the 10160 port, that's now secured.

I'm unsure whether I need msrpc running (the only remote thing I'm running is remote desktop) and if not, how I'd disable it. As for the other ones, they all seem to have something to do with IIS, which I don't understand because I thought it just needed the standard http port 80.

Thanks for the help so far, and if anyone could offer further hints I'd really appreciate it! Here's the result of a netstat command, since that may help:

Code:
  TCP    0.0.0.0:135            LISTENING
  RpcSs
  [svchost.exe]

  TCP    0.0.0.0:1025           LISTENING
  [msdtc.exe]

  TCP    0.0.0.0:1026           LISTENING
  [lsass.exe]

  TCP    0.0.0.0:1027           LISTENING
  [inetinfo.exe]
 
IIS does NNTP, HTTP/S, SMTP, and FTP, so there's more than just web. :) However, inetinfo.exe will use 1027 (among other ports) for RPC, which it makes use of. If you don't need IIS for anything, which it sounds like you don't, uninstall it. That's one less service to worry about. I wouldn't just turn it off though. However, ensure that you don't need it before you do anything. I would also do the same for MSDTC if you don't need it. Typically you won't in a small environment, but make sure first. MSDTC has in the past had some buffer overflows that led to remote code execution and compromises of a server, so if it isn't necessary, get rid of it. :)

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
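
Added example (not part of the thread and not written by its participants): a small Python audit that parses `netstat -anb` style output in the abbreviated layout posted above and lists TCP listeners bound to every adapter, which on this server includes the external 66.* interface, whose port is not on an allowlist. The function names, the allowlist `{80, 3389}` and the port 80 and loopback sample entries are assumptions made for illustration.

```python
import re

# Constructed sample: the abbreviated layout posted in the thread, plus two
# made-up entries (port 80 and a loopback listener) to exercise the checks.
SAMPLE = """\
  TCP    0.0.0.0:135            LISTENING
  RpcSs
  [svchost.exe]

  TCP    0.0.0.0:1025           LISTENING
  [msdtc.exe]

  TCP    0.0.0.0:1027           LISTENING
  [inetinfo.exe]
  TCP    0.0.0.0:80             0.0.0.0:0    LISTENING    1234
  [inetinfo.exe]
  TCP    127.0.0.1:5000         LISTENING
  [example.exe]
"""

# Foreign-address column is optional because the thread's paste omits it.
SOCKET = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(?:\S+\s+)?LISTENING\b")
OWNER = re.compile(r"^\s*\[(.+?)\]\s*$")
WILDCARD = {"0.0.0.0", "[::]"}  # bound to every adapter, external one included

def parse_listeners(text):
    """Return one dict per listening TCP socket with its owning process."""
    listeners, current = [], None
    for line in text.splitlines():
        sock = SOCKET.match(line)
        if sock:
            current = {"addr": sock.group(1), "port": int(sock.group(2)),
                       "components": [], "process": None}
            listeners.append(current)
        elif current is not None and line.strip():
            owner = OWNER.match(line)
            if owner:
                current["process"] = owner.group(1)
                current = None  # entry complete; wait for the next socket line
            else:
                current["components"].append(line.strip())  # e.g. RpcSs
    return listeners

def unexpected(listeners, allowed_ports):
    """Listeners on all interfaces whose port is not on the allowlist."""
    return [s for s in listeners
            if s["addr"] in WILDCARD and s["port"] not in allowed_ports]

if __name__ == "__main__":
    for hit in unexpected(parse_listeners(SAMPLE), {80, 3389}):  # assumed allowlist
        print(hit["port"], hit["process"], hit["components"])
```

Each remaining hit names the process to review for removal or for binding to the internal adapter only.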
 