sticky port that make me ...

  • Thread starter Thread starter Before The Gods
  • Start date Start date
B

Before The Gods

Hello

We are in the process of putting in production a whole farm of servers
and I have been in charge of everything regarding security. My work
covers firewall configuration and servers securization.

The 18 machines of the farm are running under Windows 2000 Advanced
Server. Of course, the machines will have a different usage, some
being Web servers, other DB Servers, etc.

But prior to their "specialization", all machines have to go through
several checklists I have made. One of these checklists is a
step-by-step procedure to minimalize the tcp/udp ports that are opened
by default, following a "vanilla" Windows 2000 installation. I come
fro the UNIX world and I think that an OS should be installed with NO
default opened port.

After closing everything (including CIFS, RPC services, RPC portmapper
and DCOM) I still have this sticky process using port TCP 1025. With
fport command, I found that this port is used by the PID number 8
(System) with no other precision.

What is this port?? How can I find what is using it? I read that all
ports over 1024 are bind to RPC services. If this is a RPC service,
how is it possible since I completely shut down RPC?

Thanks,
BTG
 
TCPView and Process Explorer from SysInternals can help in further tracking down the
process. Use TCPView first and then use Process Explorer and find the process and
look in properties for tcp/ip to view the ports used and services to see the related
services. If you still have RPC using a port see the link below which may help in
disabling it. I have not tried these registry mods myself and if you implement any be
sure to check that your applications run correctly. You can also use ipsec filtering
by creating a policy with permit and deny rules to further protect your computers.
Ipsec, while not meant to be a full featured internet firewall, has it's uses, is
built in/free, does not require a reboot, assigned/unassigned policies take effect
almost immediately, and can be configure remotely via Terminal Services Remote
Administration. The links below provide more information. --- Steve

http://www.sysinternals.com/ntw2k/source/tcpview.shtml -- TCPView
http://www.securityfocus.com/infocus/1559 -- ipsec filtering
http://msdn.microsoft.com/library/d...or_port_allocations_and_selective_binding.asp
 
Back
Top