Audited an ISA 2000 - part I

From: Doug Fox (dfox168_at_hotmail.com)
Date: 11/04/04 

Date: Thu, 4 Nov 2004 17:55:06 -0500

Did an internal and an external port scan on a production ISA 2000 server
and found the following ports opened, but seems quite unusual. Any
comments/suggestions are appreciated.

The external scan, i.e., scanning the server from the internet, which
reported the following ports are open:

TCP Ports
110 (POP3)
135 (DCE endpoint resolution)
139 (NETBIOS Session Service)
515 (Spooler
1027 (unknown or ICQ?)
3372 (Microsoft Distributed Transaction Coordinator (MSDTC) / TIP 2)
10000 Webmin / Network Data Management Protocol

UDP Port:
137 (NETBIOS Name Service)

The internal scan, i.e., scanning the server's internal interface, the
result is:

TCP Ports
135 (DCE endpoint resolution) (also appears on the external interface.)
139 (NETBIOS Session Service) (also appears on the external interface.)
445 (Microsoft-DS)
515 (Spooler) (also appears on the external interface.)
1027 (unknown) (also appears on the external interface.)
1080 (socks)
1745 (ISA Server proxy autoconfig / remote winsock)
3372 (Microsoft Distributed Transaction Coordinator (MSDTC) / TIP 2) (also
appears on the external interface.)
8080 (HTTP/HTTP Proxy)
10000 Webmin / Network Data Management Protocol (also appears on the
external interface.)

UDP Ports
137 (NETBIOS Name Service)(also appears on the external interface.)
2967 (SSC-AGENT / Norton Anti-virus)

I