April 6, 2010

Improve Windows Security By Closing Open Ports

A standard Windows operating system has a number of ports open after installation. Some of these ports are needed for the system to function properly, while others might not be. These ports can pose a security risk, as every open port on a system is a potential entry point for a malicious user.
A port is an endpoint for communication to or from the device; it is identified by a port number, an IP address and a protocol type (TCP or UDP). This article gives you the tools to identify and evaluate the open ports on your Windows system, so that you can decide whether each one can or should be closed or left open.
Software programs and tools that we will use:
  • CurrPorts: Available for 32-bit and 64-bit editions of Windows. It is a port monitor that displays all open ports on a computer system. We will use it to identify the ports and the programs that are using them.
  • Windows Task Manager: Also used to identify the programs and link some ports to programs.
  • Search Engine: Searching for port information is necessary for some ports that cannot be identified that easily.
It would be an impossible task to go through every port that could be open, so we will use a few examples to illustrate the process; the same approach applies to any other port.
Fire up CurrPorts and take a look at the populated main area.
The program displays the process name and ID, local port, protocol and local port name among others.

The easiest ports to identify are those with a process name that corresponds to a running program, like RSSOwl.exe with the process ID 3216 in the above example, which is listening on the local ports 50847 and 52016. Those ports are usually closed when the program exits.
The more important ports are the ones that cannot be linked to a program right away like the System ports shown in the above screenshot.
There are a few ways to identify the services and programs linked to those ports. Besides the process name, other indicators help discover the owning service or application: the most important are the port number, the local port name and the process ID.
With the process ID we can look in the Windows Task Manager to link it to a process running on the system. Start the Task Manager (press Ctrl+Shift+Esc), click on View, then Select Columns, and enable the PID (Process Identifier) column. That is the same process ID shown in CurrPorts.

Now we can link process IDs in CurrPorts to running processes in the Windows Task Manager.
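The CurrPorts-plus-Task-Manager step above, as an added PowerShell example that is not part of the original article: it lists every listening TCP port and bound UDP endpoint with its owning process and, for processes that host Windows services (svchost.exe), the services running inside it, so the PID-to-service link is made in one pass. It assumes Windows 8 / Server 2012 or later, where the NetTCPIP cmdlets exist (on Windows 7, which the article was written for, the same PID mapping comes from netstat -ano), and an elevated shell; the function name Get-ListeningPortOwner is my own.

```powershell
# Added example (not part of the original article): list listening TCP ports and
# bound UDP endpoints together with the owning process and, when that process hosts
# Windows services (svchost.exe), the services inside it.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP module) and an elevated PowerShell.

function Get-ListeningPortOwner {
    [CmdletBinding()]
    param(
        # Restrict the report to one local port, e.g. 2869 for icslap; omit for all ports.
        [int]$LocalPort
    )

    # Services are matched to their host process by PID; build the lookup table once.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

    $endpoints = @($tcp) + @($udp)
    if ($PSBoundParameters.ContainsKey('LocalPort')) {
        $endpoints = $endpoints | Where-Object { $_.LocalPort -eq $LocalPort }
    }

    foreach ($ep in $endpoints | Sort-Object Protocol, LocalPort) {
        $procId = $ep.OwningProcess
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $hosted = $services["$procId"]   # $null for ordinary programs such as RSSOwl.exe

        [pscustomobject]@{
            Protocol     = $ep.Protocol
            LocalAddress = $ep.LocalAddress
            LocalPort    = $ep.LocalPort
            PID          = $procId
            ProcessName  = if ($proc) { $proc.ProcessName } else { '(exited)' }
            Services     = if ($hosted) { ($hosted | ForEach-Object { $_.Name }) -join ', ' } else { '' }
        }
    }
}

# Whole inventory, comparable to the CurrPorts main window:
Get-ListeningPortOwner | Format-Table -AutoSize

# A single hard-to-identify port, like the icslap example in the article:
Get-ListeningPortOwner -LocalPort 2869 | Format-List
```

Ports owned by PID 4 (System) belong to kernel-mode components, most commonly the HTTP.sys driver on whose behalf user-mode services register URLs, which is why the Services column stays empty for them and they need the stop-the-service-and-recheck method the article uses for icslap.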
Let us take a look at some examples:
ICSLAP, TCP Port 2869
Here we have a port that we cannot identify immediately. The local port name is icslap, the port is 2869, it uses the TCP protocol, has the process ID 4 and the process name System.
It is usually a good idea to search for the local port name first if it cannot be identified right away. Fire up Google and search for icslap port 2869 or something similar.
Often there are several suggestions or possibilities. For icslap they are Internet Connection Sharing, Windows Firewall or Local Network Sharing. It took some research to find out that in this case it was used by the Windows Media Player Network Sharing Service.
A good way to confirm this is to stop the service if it is running and refresh the port listing to see whether the port disappears. In this case it was closed after stopping the Windows Media Player Network Sharing Service.
epmap, TCP port 135
Research shows that it is linked to the DCOM Server Process Launcher. Research also shows that it is not a good idea to disable that service. Instead, the port can be blocked in the firewall to close it down.
llmnr, UDP port 5355
If you look in CurrPorts you will notice that the local port name llmnr uses UDP port 5355. PC Library has information on the service. It refers to the Link Local Multicast Name Resolution protocol, which is related to the DNS service. Windows users who do not need the DNS service can disable it in the Services Manager. This closes the port on the computer system.
It is not always easy to identify ports and the services or applications they are linked to. Research on search engines usually provides enough information to find out which service is responsible, along with ways to disable it if it is not needed.
A good first approach before starting to hunt down ports is to take a close look at all started services in the Services Manager and stop and disable those that are not necessary for the system. A good starting point for evaluating them is the services configuration page at BlackViper.
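The two closing-down techniques the article uses, stopping the suspected service and re-checking the port (icslap) and blocking the port in the firewall where the service must keep running (epmap), as an added PowerShell example that is not part of the original article. It assumes Windows 8 / Server 2012 or later and an elevated shell; the function names are my own, and WMPNetworkSvc is the short service name Windows uses for the Windows Media Player Network Sharing Service.

```powershell
# Added example (not part of the original article): verify that a port belongs to a
# service by stopping the service and re-checking, then show the firewall alternative
# used for epmap/TCP 135. Assumes Windows 8 / Server 2012 or later and an elevated shell.

function Test-PortListening {
    # True when something on this machine is bound to $Port for the given protocol.
    param(
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('TCP','UDP')][string]$Protocol = 'TCP'
    )
    if ($Protocol -eq 'TCP') {
        # Filtered CIM queries report "no objects found" as an error; silence it.
        $hits = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    } else {
        $hits = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    }
    return [bool]$hits
}

function Confirm-ServiceOwnsPort {
    # Stops $ServiceName, reports whether $Port disappeared, and restarts the service
    # afterwards unless -LeaveStopped is given, so the check itself is reversible.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('TCP','UDP')][string]$Protocol = 'TCP',
        [switch]$LeaveStopped
    )
    $before     = Test-PortListening -Port $Port -Protocol $Protocol
    $svc        = Get-Service -Name $ServiceName -ErrorAction Stop
    $wasRunning = $svc.Status -eq 'Running'
    if ($wasRunning) {
        Stop-Service -Name $ServiceName -Force
        Start-Sleep -Seconds 2           # give the socket time to be released
    }
    $after = Test-PortListening -Port $Port -Protocol $Protocol
    if ($wasRunning -and -not $LeaveStopped) { Start-Service -Name $ServiceName }

    [pscustomobject]@{
        Service        = $ServiceName
        Port           = "$Protocol/$Port"
        OpenBefore     = $before
        OpenAfter      = $after
        OwnedByService = ($before -and -not $after)
    }
}

# icslap example: WMPNetworkSvc is the short name of "Windows Media Player Network Sharing Service".
Confirm-ServiceOwnsPort -ServiceName 'WMPNetworkSvc' -Port 2869

# To keep a confirmed port closed permanently, disable the service rather than only stopping it:
# Set-Service -Name 'WMPNetworkSvc' -StartupType Disabled

# epmap example: the DCOM Server Process Launcher should stay running, so block TCP 135
# at the firewall instead. -WhatIf only previews the rule; remove it to create the rule.
New-NetFirewallRule -DisplayName 'Block inbound epmap (TCP 135)' -Direction Inbound `
    -Protocol TCP -LocalPort 135 -Action Block -Profile Any -WhatIf
```

Stop-Service -Force also stops services that depend on the one being tested, so read the OpenBefore/OpenAfter pair for the port you are investigating rather than assuming every port that vanished belonged to that service. Blocking inbound TCP 135 cuts off RPC-based remote management (WMI, remote service control, DCOM), which is acceptable on a standalone home PC but will break a domain-joined or centrally managed machine; test on the profile the machine actually uses before leaving the rule in place.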
