Re: Audited an ISA 2000 - part I

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Tristan Kington [MSFT] (tristank_at_online.microsoft.com)
Date: 11/04/04 

Date: Fri, 5 Nov 2004 10:47:39 +1100

Forgot to mention another possible cause - a misconfigured LAT. 

-- 
http://blogs.msdn.com/tristank/
--
This post is provided "AS-IS", and confers no warranty.
"Doug Fox" <dfox168@hotmail.com> wrote in message 
news:ek9wTFswEHA.3416@TK2MSFTNGP09.phx.gbl...
> Did an internal and an external port scan on a production ISA 2000 server
> and found the following ports opened, but seems quite unusual.  Any
> comments/suggestions are appreciated.
>
> The external scan, i.e., scanning the server from the internet, which
> reported the following ports are open:
>
> TCP Ports
> 110 (POP3)
> 135 (DCE endpoint resolution)
> 139 (NETBIOS Session Service)
> 515 (Spooler
> 1027 (unknown or ICQ?)
> 3372 (Microsoft Distributed Transaction Coordinator (MSDTC) / TIP 2)
> 10000 Webmin / Network Data Management Protocol
>
> UDP Port:
> 137 (NETBIOS Name Service)
>
> The internal scan, i.e., scanning the server's internal interface, the
> result is:
>
> TCP Ports
> 135 (DCE endpoint resolution) (also appears on the external interface.)
> 139 (NETBIOS Session Service) (also appears on the external interface.)
> 445 (Microsoft-DS)
> 515 (Spooler) (also appears on the external interface.)
> 1027 (unknown) (also appears on the external interface.)
> 1080 (socks)
> 1745 (ISA Server proxy autoconfig /  remote winsock)
> 3372 (Microsoft Distributed Transaction Coordinator (MSDTC) / TIP 2) (also
> appears on the external interface.)
> 8080 (HTTP/HTTP Proxy)
> 10000 Webmin / Network Data Management Protocol (also appears on the
> external interface.)
>
> UDP Ports
> 137 (NETBIOS Name Service)(also appears on the external interface.)
> 2967 (SSC-AGENT / Norton Anti-virus)
>
> I
>
>

Relevant Pages

  • Re: ZoneAlarm Security Alert - My own ISP?
    ... What about other NetBIOS Session alerts? ... which is a direct connection to the Internet, then you remove Client for MS ... and the NetBios ports are closed. ...
    (comp.security.firewalls)
  • Audited an ISA 2000 - part I
    ... Did an internal and an external port scan on a production ISA 2000 server ... and found the following ports opened, ... The external scan, i.e., scanning the server from the internet, which ... 135 (also appears on the external interface.) ...
    (microsoft.public.isaserver)
  • Ports open on a firewall
    ... the following ports were opened, ... The external scan, i.e., scanning the server from the internet, which ... 135 (also appears on the external interface.) ... 139 (NETBIOS Session Service) ...
    (comp.security.firewalls)
  • Re: Ports open on a firewall
    ... the following ports were opened, ... The external scan, i.e., scanning the server from the internet, which ... 135 (also appears on the external interface.) ... 139 (NETBIOS Session Service) ...
    (comp.security.firewalls)
  • Re: NETBIOS_DGM & NETBIOS_NS probe by my ISP
    ... > it comes to the morning I see that my d/l have stopped and my internet ... > connection is dead, so I run ipconfig to check my IP, it looks ok, but no ... > As someone who knows nothing about firewalls and netbios, ... intentionally block those ports from any computer except computers YOU own. ...
    (comp.security.firewalls)