Closing Unused and Dangerous Ports
Another RPC vulnerability was reported in Windows recently, one that in fact affects Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 (see MS Security Bulletin MS03-026: www.microsoft.com/security/security_bulletins/ms03-026.asp), and that once again exposes problems with TCP Port 135, most commonly used by RPC but also used as part of NetBIOS-based service advertisements of many kinds. According to a recent story at SearchSecurity (http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci915074,00.html) the “potential severity involved has prompted the Polish research group that found the vulnerability to withhold the exploit code its members created. The Last Stage of Delirium (LSD) group normally releases such code to help users combat vulnerabilities.”
According to the group’s research, this particular flaw leaves unpatched systems extremely vulnerable to various types of exploits that can result in loss of administrative access and complete takeover of targeted machines.
Here’s the point of this spotlight, however: author Ed Hurley goes on to point out that “Companies who block the RPC port [TCP Port 135] from the outside world with their firewalls aren’t vulnerable to attack.” The same is true for other potentially suspect ports, such as UDP Port 1434 (the target of the infamous SQL Slammer worm that surfaced in January, 2003).
Best practice argues strongly for a stateful firewall. Short of this approach, it’s wise to block all unused or potentially suspect ports by default, and only allow needed ports to be open at all.
Services like Steve Gibson’s (http://grc.com/) ShieldsUP, Probe My Ports, and other from-the-Web scans (including the ShieldsUP Port Probe test, which explicitly checks port 135), along with Security Space (www.securityspace.com), which offers a free trial security scan that covers the entire UDP and TCP range of port numbers, are well worth using on a regular basis.
Follow-up action is strongly urged for those who show unwanted or unneeded open ports. Do what you must to close them!
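A local complement to the from-the-Web scans, as an added example that is not part of the original article: it parses Windows `netstat -an` output and reports every listener reachable from the network that is not on an allowlist. The allowlist, the sample output, and the function names are assumptions made for illustration.

```python
import re

# Assumed allowlist for this example: the only listeners this host needs.
ALLOWED = {("tcp", 443), ("tcp", 3389)}
# Ports the article names; the service descriptions are added here.
NAMED = {("tcp", 135): "RPC endpoint mapper (MS03-026)",
         ("udp", 1434): "SQL Server Resolution Service (SQL Slammer)"}
LOOPBACK = ("127.", "[::1]")

# Constructed sample of Windows `netstat -an` output, not taken from a real host.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49712       198.51.100.7:443       ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:1434           *:*
  UDP    [::1]:1900             *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def exposed_listeners(netstat_text):
    """Return {(proto, port)} for sockets listening on non-loopback addresses."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, _remote, state = m.groups()
        # TCP listeners carry the LISTENING state; UDP rows have no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        if addr.startswith(LOOPBACK):
            continue  # reachable only from the host itself
        found.add((proto.lower(), int(port)))
    return found

def audit(netstat_text, allowed=ALLOWED):
    """Return sorted findings: exposed listeners that are not on the allowlist."""
    return [(proto, port, NAMED.get((proto, port), "not on allowlist"))
            for proto, port in sorted(exposed_listeners(netstat_text) - set(allowed))]

if __name__ == "__main__":
    for proto, port, why in audit(SAMPLE):
        print(f"CLOSE OR BLOCK {port}/{proto}: {why}")
```

A listener flagged here may still be filtered at the perimeter, so read the result alongside an external scan rather than in place of one.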