Re: Messenger Service (not the instant messenger)

Dr. Indera wrote: 
hello,

i know that the rule of thumb is to turn this service off at home, which i
did, but i can't remember why.


The only applicable "rule of thumb" that might apply to disabling the messenger service is the general principle of disabling services that are not used or needed. Or are you referring to those posts where misinformed individuals erroneously recommend disabling the messenger service as a security measure?


is it to prevent receiving pop-ups even if you have pop-up blocker software
installed or is it something else?

thank you.


The only thing turning off the messenger services does, beyond freeing an insignificantly minuscule amount of system resources, is disable a crude sort of security warning that your firewall has failed.

There is a type of spam that exploits the messenger service, but this is also blocked by a properly configured firewall.

Messenger Service of Windows
http://support.microsoft.com/default.aspx?scid=KB;en-us;168893

Messenger Service Window That Contains an Internet Advertisement
Appears
http://support.microsoft.com/?id=330904

Stopping Advertisements with Messenger Service Titles
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp

Blocking Ads, Parasites, and Hijackers with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

  Whichever firewall you decide upon, be sure to ensure UP ports 135,
137, and 138 and TCP ports 135, 139, and 445 are all blocked.  You
may also disable Inbound NetBIOS  over TCP/IP).  You'll have
to follow the instructions from firewall's manufacturer for the
specific steps.

    You can test your firewall at:

Symantec Security Check
http://security.symantec.com/ssc/vr_main.asp?langid=ie&venid=sym&plfid=23&pkj=GPVHGBYNCJEIMXQKCDT

Security Scan - Sygate Online Services
http://www.sygatetech.com/

    The problem is that turning off the Messenger Service does *not*
block the wide open TCP and UDP ports that the spammers used to
deliver the spam to the Messenger Service for display.  With the
Messenger Service disabled, those spam deliveries are still
continuing, but they're simply not being displayed.  It's like pulling
the battery out of a noisy smoke detector to silence it, rather than
looking for and eliminating the source of the smoke that set it off.

    The danger of this "treat the symptoms" approach has been more
than aptly demonstrated by the advent of the W32.Blaster.Worm, the
W32.Welchia.Worm, the W32.Sasser. Worm, and their variants.  These
worms attack PCs via some of the very same open ports that the
Messenger Service uses.  Need I mention how many hundreds of thousands
of PCs have been infected by these worms since August of 2003?  To date,
according to my records, I have personally responded to over 1000
Usenet posts concerning Blaster/Welchia/Sasser infections since last
then, and I can't possibly have seen and replied to every one that
there's been posted in this period.

    Now, how many of those infected with Blaster/Welchia had turned
off the Messenger Service to hide spam?  I can't say, and I don't
think anyone can.  What I can say with absolutely certainty is that if
they'd all had a properly configured firewall in place, they would
have blocked the annoying spam _and_ been safe from a great many other
dangers, particularly Blaster/Welchia/Sasser.

    Of course, like the Messenger Service Buffer Overrun threat, there
is also a patch available to fix a PC's vulnerability to
Blaster/Welchia, which was available to the general public a full
month before the first instances of Blaster/Welchia "in the wild."  If
people learned to stay aware of computer security issues and updated
their systems as needed, a whole lot of grief could have been avoided.
The problem with relying upon patches, however, is that they're
sometimes not available until _after_ the exploit has become
wide-spread.  Antivirus software suffers from this same weakness; it's
simply not always possible to provide protection from threats that
have not yet been developed and/or discovered.  Both approaches, while
important, are re-active in nature.

    There are several essential components to computer security:  a
knowledgeable and pro-active user, a properly configured firewall,
reliable and up-to-date antivirus software, and the prompt repair (via
patches, hotfixes, or service packs) of any known vulnerabilities.
The weak link in this "equation" is, of course, the computer user.
All too many people have bought into the various PC/software
manufacturers marketing claims of easy computing.  They believe that
their computer should be no harder to use than a toaster oven; they
have neither the inclination or desire to learn how to safely use
their computer.  All to few people keep their antivirus software
current, install patches in a timely manner, or stop to really think
about that cutesy link they're about to click.  Therefore, I (and
anyone who's thought about the matter) always recommend the use of a
firewall.  Naturally, properly configuring a firewall requires an
investment of time and effort that most people won't give, but even
the default settings of the firewall will offer more automatic
protection than is currently present.

    Now, as for the Messenger Service itself, it generally doesn't
hurt any thing to turn it off, although I never recommend doing so.
Granted, the service is of little or no use to most home PC users
(Although I've had uses it on my home LAN.), and turning off
unnecessary services is part of any standard computer security
protocol.  However, I feel that the potential benefits of leaving the
Messenger Service enabled out-weigh any as-yet-theoretical risks that
it presents.  It will indirectly let the computer user know that
his/her firewall has failed by displaying the Messenger Service spam.
Think of it as the canary that miners used to take down into the
mine shafts with them.  There are others, of course, who disagree with
me on this point and advise turning off the service because it isn't
needed; you'll have to make up your own mind here.



--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having both at once. - RAH
.

Relevant Pages

  • Re: lockups & popups
    ... properly configured firewall. ... And ignoring or just "putting up with" the security gap represented by these messages is particularly foolish. ... Messenger Service of Windows ... to -- protect the computer user from him/herself. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: lockups & popups
    ... with" the security gap represented by these messages is particularly ... Messenger Service of Windows ... Whichever firewall you decide upon, be sure to ensure UDP ports 135, ... to -- protect the computer user from him/herself. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: Messenger Service
    ... Internet Security 2002 came up for renewal last year (at a cost ... Sygate's Personal Firewall. ... > messenger service interrupting every few minutes, ...
    (microsoft.public.win2000.general)
  • Re: A wierd Messenger Service Pop-Up
    ... P.S i have mcafee virusscan and firewall installed, ... ignoring or just "putting up with" the security gap represented by ... Messenger Service of Windows ... to -- protect the computer user from him/herself. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: messenger service
    ... messenger service uses. ... TCP and UDP ports that the spammers used to deliver the spam to the ... Blaster/Welchia infections since last August, ... they'd all had a properly configured firewall in place, ...
    (microsoft.public.windowsxp.general)