How to Disable Microsoft Networking Port Listeners?


CHANGE USERNAME TO westes

On a machine that must be directly on the Internet (it is acting just as a
sniffer), I have disabled Microsoft client and server, and just about every
service that wasn't critical for system function. When I do a netstat -a
command, I still see the following services:

TCP EPMAP
TCP MICROSOFT-DS
TCP 1025
TCP NETBIOS-SSN
UDP MICROSOFT-DS
UDP 1026
UDP NETBIOS-NS
UDP NETBIOS-DGM
UDP ISAKMP

I don't want all of these Microsoft domain and NETBIOS listeners running on
this machine. Even though in theory they are set off, the fact that there
are listeners still means there is a code path inside of code that is
notoriously buggy and ridden with back doors that hackers can exploit. Is
there any way to make the machine safe?

Yes I can use a firewall or packet filters if necessary, but I prefer to
just turn off all of the options on the machine before I start to look at
firewalls.
 
Do not install MS Networks Service, and disable some of the services under
Administrative Tools.
 
If you open Control Panel | Add Remove a Program | Windows Components, there
is no option to install or not install "MS Networks Service" under Windows
2000.

What are you referring to? Can you be explicit about which Windows 2000
applications to open and which menus and dialogs to select?
 
I never heard of removing it. Disabling them is the right thing to do, as
I believe you have done. It is unrealistic to expect them to vanish from
Netstat because there are multiple "interfaces" on a machine even if there
is only one NIC,...remember there is always the 127.0.0.1 (localhost) and if
there is a Firewire interface (many are built into the MB now) it will also
act as an active interface. I don't believe that "Netstat -a" indicates
which specific interface something is listening on,...it is just going to
list what is listening at all anywhere as far as I know.

You have to keep the right perspective and not chase after ghosts. If
something is not "bound" to a particular interface then it is not going to
be available to that interface no matter wherever else it is "listening".
If that isn't the case, there is no point to the "binding" in the first
place and an OS that is that "sloppy" would have its poor condition shouted
from the mountaintops, everyone in the business would know about it, and it
would have never survived in the market.
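An added check (example code, not anything posted in the thread) for the point about bindings: `netstat -an` prints the bound local address in place of the service name, so its output can be split into sockets on the wildcard address 0.0.0.0, which answer on every interface including the Internet-facing NIC, sockets bound to one interface address, and loopback-only sockets. The netstat lines and the 192.168.1.10 address are constructed sample data.

```python
import re
from collections import namedtuple

# Constructed `netstat -an` output for a Windows host whose NIC is
# 192.168.1.10 (sample data, not lines from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      10.0.0.5:80            ESTABLISHED
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Service names netstat prints for these ports when run without -n.
KNOWN_PORTS = {135: "EPMAP", 137: "NETBIOS-NS", 138: "NETBIOS-DGM",
               139: "NETBIOS-SSN", 445: "MICROSOFT-DS", 500: "ISAKMP"}
Listener = namedtuple("Listener", "proto addr port service exposure")
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def classify_address(addr):
    """Which interfaces a socket bound to `addr` is reachable through."""
    if addr in ("0.0.0.0", "*", "::", "[::]"):
        return "all interfaces"
    if addr.startswith("127.") or addr == "[::1]":
        return "loopback only"
    return "interface " + addr

def parse_listeners(text):
    """Keep listening sockets only: TCP rows in LISTENING state plus every
    UDP row (UDP has no state column, so a bound UDP socket is a listener)."""
    found = []
    for m in filter(None, map(ROW_RE.match, text.splitlines())):
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT etc. are not listeners
        port = int(port)
        found.append(Listener(proto, addr, port, KNOWN_PORTS.get(port, "dynamic"),
                              classify_address(addr)))
    return found

def externally_reachable(listeners):
    """Listeners a remote host could reach: everything not bound to loopback."""
    return [l for l in listeners if l.exposure != "loopback only"]
```

Run against real output (`netstat -an` piped into a file), anything reported as "all interfaces" or bound to the NIC's address is what a packet filter must cover, while "loopback only" entries are unreachable from the wire.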
 
If I were dealing with something simple, that could be understood, then I
would take your perspective. But Windows 2000 is a set of hackishly
interrelated black boxes, most of which don't work well, and most of which
have tons of undefined behaviors that hackers exploit. You say don't
fight ghosts, but after 20 years of dealing with this stuff, I am starting
to feel that there are as many ghosts as there are real things. If
netstat -a shows active listeners on some undefined interface(s), that means
the code is active somewhere. I would sleep better knowing that
Microsoft's networking code wasn't running at all.

As far as business success, that reminds me of an experience. I remember
walking into a famous company whose first letters of the first two words in
their name are HP (draw your own conclusions about the name :). When the
project lead went to get us a file on their network, I was shocked beyond
words. Hundreds of computers in totally disorganized loose collections,
with no standards for naming, or security. When we attached our notebook,
we were instantly attacked by viruses all over this network.

The reason MS succeeded in ignoring security until just the last few years
is that it was selling to a vast ocean of companies that were simply unaware
about, or didn't care, about safe computing. I have walked into way too
many companies whose networks were being hacked blind, who simply didn't
care. What they could not see with their eyes did not exist. I won't
judge what is secure by who survives in the market. I think Microsoft's
survival in the market has a lot more to do with extremely perceptive
pricing decisions, and by the way they used pricing to effectively put every
other commercial DOS clone out of business in the 1980s.

--
Will
westes AT earthbroadcast.com


Phillip Windell said:
I never heard of removing it. Disabling them is the right thing to do, as
I believe you have done. It is unrealistic to expect them to vanish from
Netstat because there are multiple "interfaces" on a machine even if there
is only one NIC,...remember there is always the 127.0.0.1 (localhost) and if
there is a Firewire interface (many are built into the MB now) it will also
act as an active interface. I don't believe that "Netstat -a" indicates
which specific interface something is listening on,...it is just going to
list what is listening at all anywhere as far as I know.

You have to keep the right perspective and not chase after ghosts. If
something is not "bound" to a particular interface then it is not going to
be available to that interface no matter wherever else it is "listening".
If that isn't the case, there is no point to the "binding" in the first
place and an OS that is that "sloppy" would have its poor condition shouted
from the mountaintops, everyone in the business would know about it, and it
would have never survived in the market.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


CHANGE USERNAME TO westes said:
If you open Control Panel | Add Remove a Program | Windows Components, there
is no option to install or not install "MS Networks Service" under Windows
2000.

What are you referring to? Can you be explicit about which Windows 2000
applications to open and which menus and dialogs to select?
 
CHANGE USERNAME TO westes said:
If I were dealing with something simple, that could be understood, then I
would take your perspective. But Windows 2000 is a set of hackishly
interrelated black boxes, most of which don't work well, and most of which
have tons of undefined behaviors that hackers exploit. You say don't
fight ghosts, but after 20 years of dealing with this stuff, I am starting
to feel that there are as many ghosts as there are real things. If
netstat -a shows active listeners on some undefined interface(s), that means
the code is active somewhere. I would sleep better knowing that
Microsoft's networking code wasn't running at all.

I don't believe that.

I guess you will have to run Linux, ...then no Microsoft Networking code
would be running.
 
Phillip Windell said:
I guess you will have to run Linux, ...then no Microsoft Networking code
would be running.

For some things Linux works, and for others it does not. My current
application requires Windows, and I just want to shut down as many black
boxes inside the W2K kernel as I can.
 