Let me post one; following it should give network security a considerable improvement.
Minimization of network services on Windows systems
by Jean-Baptiste Marchand (02/09/2002)
-=[ Minimizing Windows network services ]=-
[ Examples with Windows 2000 and Windows XP ]
French-speaking readers: this document is also available in French, see
[URL no longer displayed]
----[ Introduction ]----
A default Windows system comes with different network services, enabled by
default. Usually, it is wise to disable most of them and even all of them,
if the system does not offer network services to other systems.
In this document, we give a possible methodology to complete this task.
Technical details are described in a separate document, currently available only
in French, _Services réseaux des systèmes Windows - Etude de cas avec Windows
2000 et Windows XP_, available at
[URL no longer displayed].
Systems used as examples are Windows 2000 (server version) and Windows XP, as
installed by default (DHCP was disabled and IPv4 address 192.70.106.143 was
assigned to the unique network interface). Of course, the best solution is to
choose only required services at installation, even if it does not exempt you
from all the setup described here.
----[ Services identification ]----
A quick way to identify running network services is to list open TCP and UDP
ports with the netstat command.
On a Windows 2000 system, the netstat -an command returns:
C:\WINNT>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3372 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4983 0.0.0.0:0 LISTENING
TCP 192.70.106.143:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1028 *:*
UDP 0.0.0.0:1029 *:*
UDP 0.0.0.0:3456 *:*
UDP 192.70.106.143:137 *:*
UDP 192.70.106.143:138 *:*
UDP 192.70.106.143:500 *:*
On a Windows XP system, the netstat -ano command returns:
C:\WINDOWS>netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 884
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 976
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING 1160
TCP 192.70.106.143:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:135 *:* 884
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 704
UDP 0.0.0.0:1026 *:* 1112
UDP 0.0.0.0:1027 *:* 976
UDP 127.0.0.1:123 *:* 976
UDP 127.0.0.1:1900 *:* 1160
UDP 192.70.106.143:123 *:* 976
UDP 192.70.106.143:137 *:* 4
UDP 192.70.106.143:138 *:* 4
UDP 192.70.106.143:1900 *:* 1160
_Warning_:
The netstat command does not report the state of TCP and UDP ports exactly. Instead,
it reports the state of TDI transport addresses and connection endpoints, whereas
only TDI connection endpoints represent TCP or UDP sockets.
In particular, when a Windows system establishes an outgoing TCP connection
(active open), the local port used as source is reported as in the LISTENING
state.
In the following example, the local system has established a TCP connection from
source port 1367 to destination port 22 of a remote system.
The netstat command output, filtered to show only the lines containing port number
1367, is:
C:\WINDOWS>netstat -anp tcp | find ":1367"
TCP 0.0.0.0:1367 0.0.0.0:0 LISTENING
TCP 192.70.106.142:1367 192.70.106.76:22 ESTABLISHED
The second line shows the established connection, from local port 1367 to remote
port 22. However, the first line is incorrect because it reports local port 1367
in the LISTENING state, whereas no TCP server is available on this port.
Thus, for each outgoing TCP connection, an additional line appears in the
netstat output, showing a TCP port in the LISTENING state. It is important to
distinguish an open TCP port from one that netstat incorrectly reports as
LISTENING.
Note: this bug has been fixed in recent builds of Windows .NET Server, starting
with build 3606.
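The distinction made in this warning is easy to automate when comparing netstat listings before and after each hardening step. The following Python script is an added example, not part of the original document: it parses both the Windows 2000 `netstat -an` and the Windows XP `netstat -ano` layouts, marks a LISTENING entry as "suspect" when its port is in the dynamic range (1025 and above, as the text describes) and the same port also appears in a connected line (exactly the shape of the 1367 example), and computes which ports a step actually closed without counting such entries. The sample listings embedded in the script are constructed, abridged from the listings in the text.

```python
"""Parse Windows 2000/XP netstat output and separate real listening ports from
the spurious LISTENING lines netstat prints for the local side of an outgoing
TCP connection. Added example, not part of the original document; the sample
outputs below are constructed (abridged from the listings in the text)."""

from collections import namedtuple

Endpoint = namedtuple("Endpoint", "proto addr port remote state pid")

# Dynamic port range used for active opens on these systems, per the text.
DYNAMIC_PORT_START = 1025


def parse_netstat(output):
    """Parse `netstat -an` (Windows 2000) or `netstat -ano` (XP, extra PID column)."""
    endpoints = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # prompt, header or blank line
        proto, local, remote, rest = parts[0], parts[1], parts[2], parts[3:]
        state = rest.pop(0) if proto == "TCP" and rest else None  # UDP has no state
        pid = int(rest[0]) if rest else None
        addr, port = local.rsplit(":", 1)
        endpoints.append(Endpoint(proto, addr, int(port), remote, state, pid))
    return endpoints


def classify_listeners(endpoints):
    """Return (open, suspect): two sets of (proto, port).

    A TCP LISTENING entry is 'suspect' when its port is in the dynamic range and
    the same port also appears in a connected (e.g. ESTABLISHED) line: that is
    what the text's 1367 example looks like. Only the PID column (XP) or a look
    at the process itself can confirm whether a server really listens there."""
    connected = {e.port for e in endpoints
                 if e.proto == "TCP" and e.state not in (None, "LISTENING")}
    open_ports, suspect = set(), set()
    for e in endpoints:
        if e.proto == "UDP":
            open_ports.add(("UDP", e.port))
        elif e.state == "LISTENING":
            if e.port >= DYNAMIC_PORT_START and e.port in connected:
                suspect.add(("TCP", e.port))
            else:
                open_ports.add(("TCP", e.port))
    return open_ports, suspect


def closed_ports(before_output, after_output):
    """Ports reported open before a hardening step and gone afterwards,
    ignoring suspect entries so an outgoing connection is never counted."""
    before, _ = classify_listeners(parse_netstat(before_output))
    after, _ = classify_listeners(parse_netstat(after_output))
    return sorted(before - after)


# Constructed sample: Windows 2000 `netstat -an` before stopping IIS, with an
# outgoing SSH connection from port 1367 like the one in the text.
BEFORE = """\
C:\\WINNT>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1367           0.0.0.0:0              LISTENING
  TCP    192.70.106.143:1367    192.70.106.76:22       ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:3456           *:*
"""

# Constructed sample: the same system after `net stop iisadmin`, SSH session ended.
AFTER = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
"""

# Constructed sample: Windows XP `netstat -ano` lines with the PID column.
XP_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    open_ports, suspect = classify_listeners(parse_netstat(BEFORE))
    print("open:", sorted(open_ports))
    print("suspect (possibly just an outgoing connection):", sorted(suspect))
    print("closed by the step:", closed_ports(BEFORE, AFTER))
```

Paste the real netstat output into the two strings (or read it from files) to audit a system; on XP, the PID of a suspect entry tells you which process owns it, which settles the question.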
Once open ports are identified, we present recipes to get them closed, step
by step.
----[ Disabling unused services ]----
To minimize open ports, the first thing to do is to disable services. In our
examples, we will stop services (using the net stop command). However, to
prevent a service from starting at the next system restart, its startup type must
be set to either Manual or Disabled. Some services have to be explicitly
disabled; left on Manual, they will still be started on demand by the system.
On Windows 2000, the service manager allows modification of the startup type of a
service.
C:\WINDOWS>services.msc
The Startup Type (Automatic, Manual or Disabled) can be set under the General
tab of the Properties of each service.
On Windows XP, the sc command (also available in the Windows 2000 Resource
Kit) can change the startup type of a service, with a command such as:
C:\WINDOWS>sc config service_name start= disabled
(the space between start= and disabled is mandatory).
The following command
C:\WINDOWS>sc config service_name start= manual
configures the startup type of a service to manual.
--[ Windows 2000 ]--
-[ IIS 5 ]-
On Windows 2000, IIS 5 runs by default and is composed of the SMTP, HTTP and IIS
administration services. To close TCP ports 25, 80 and 443, UDP port 3456, the
port used by the IIS administration web site (4983 in our example) and two
ports higher than 1023 used by RPC services, these services must be stopped.
The quickest way to stop these services is to stop the iisadmin service (the other
services depend on it):
C:\WINNT>net stop iisadmin
The following services are dependent on the IIS Admin Service service.
Stopping the IIS Admin Service service will also stop these services.
World Wide Web Publishing Service
Simple Mail Transport Protocol (SMTP)
Do you want to continue this operation? (Y/N) [N]: y
The World Wide Web Publishing Service service is stopping.
The World Wide Web Publishing Service service was stopped successfully.
The Simple Mail Transport Protocol (SMTP) service is stopping.
The Simple Mail Transport Protocol (SMTP) service was stopped successfully.
...
The IIS Admin Service service was stopped successfully.
The output of the netstat -an command shows that the number of open ports has been
reduced:
C:\WINNT>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3372 0.0.0.0:0 LISTENING
TCP 192.70.106.143:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1029 *:*
UDP 192.70.106.143:137 *:*
UDP 192.70.106.143:138 *:*
UDP 192.70.106.143:500 *:*
Finally, the easiest way to prevent the IIS services from starting next time is to
remove the IIS components, via Add/Remove Programs in the Control Panel.
-[ IPsec ]-
UDP port 500, used by the IKE protocol (Internet Key Exchange), can be closed by
stopping the IPSEC Services service.
C:\WINNT>net stop policyagent
The IPSEC Services service is stopping.
The IPSEC Services service was stopped successfully.
UDP port 500 then disappears from the netstat -an output:
C:\WINNT>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3372 0.0.0.0:0 LISTENING
TCP 192.70.106.143:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1029 *:*
UDP 192.70.106.143:137 *:*
UDP 192.70.106.143:138 *:*
-[ Distributed Transaction Coordinator ]-
Distributed Transaction Coordinator service is enabled by default on a Windows
2000 server and opens TCP port 3372, and one TCP port higher than 1023 (1025 in
our example).
Stopping this service closes two TCP ports:
C:\WINNT>net stop msdtc
The Distributed Transaction Coordinator service is stopping.
The Distributed Transaction Coordinator service was stopped successfully.
The list of open ports is now:
C:\WINNT>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 192.70.106.143:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1029 *:*
UDP 192.70.106.143:137 *:*
UDP 192.70.106.143:138 *:*
--[ Windows XP ]--
Services that can easily be disabled are:
IPsec services (PolicyAgent)
SSDP Discovery Service (SSDPSRV)
Windows Time (W32Time)
The following commands stop these services:
C:\WINDOWS>net stop policyagent
The IPSEC Services service is stopping.
The IPSEC Services service was stopped successfully.
C:\WINDOWS>net stop ssdpsrv
The SSDP Discovery Service service is stopping.
The SSDP Discovery Service service was stopped successfully.
C:\WINDOWS>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.
The netstat -ano command shows that the number of open ports has been reduced (TCP
port 5000 and UDP ports 123, 500 and 1900 have been closed):
C:\WINDOWS>netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 884
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 976
TCP 192.70.106.143:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:135 *:* 884
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:1026 *:* 1112
UDP 0.0.0.0:1027 *:* 976
UDP 192.70.106.143:137 *:* 4
UDP 192.70.106.143:138 *:* 4
---[ NetBIOS over TCP/IP (NetBT) ]---
NetBIOS over TCP/IP is typically used on Windows systems to transport the CIFS
protocol (also known as SMB). CIFS is the protocol behind resources sharing
(typically, file and printer sharing).
NetBIOS over TCP/IP uses UDP ports 137, 138 and TCP port 139. To close
these ports, NetBIOS over TCP/IP must be disabled on each network adapter.
For each network adapter in the Network and Dial-up Connection, select
Properties and choose Properties of Internet Protocol (TCP/IP). Click on
the Advanced button, select the WINS tab and check Disable NetBIOS over TCP/IP.
This will close UDP ports 137 and 138 and TCP port 139 on the configured adapter.
The lmhosts service, used for NetBIOS name resolution, can also be stopped and
disabled:
C:\WINDOWS>net stop lmhosts
The TCP/IP NetBIOS Helper service was stopped successfully.
On Windows 2000, the list of open ports becomes:
C:\WINNT>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1029 *:*
On Windows XP:
C:\WINDOWS>netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 884
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 976
UDP 0.0.0.0:135 *:* 884
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:1026 *:* 1112
UDP 0.0.0.0:1027 *:* 976
---[ CIFS over TCP ]---
Before Windows 2000, the CIFS protocol was typically transported in NetBIOS over
TCP/IP, via TCP port 139. Starting with Windows 2000, CIFS can be transported
directly in TCP/IP, without an intermediary NetBT layer. In that case, TCP port
445 is used (see [URL no longer displayed] for more
information).
To disable listening on TCP port 445, two methods are possible:
1. disable the NetBT driver
2. add a value in the registry to disable transport of CIFS in TCP
In both cases, a reboot of the system is necessary because port 445 is opened by
the NetBT driver at system startup.
We prefer to use the second method. With the regedit tool, the following value
can be added to the registry:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Value: SmbDeviceEnabled
Type: DWORD value (REG_DWORD)
Content: 0 (to disable)
After a reboot, TCP port 445 will no longer be opened by the NetBT driver.
The following ports remain open on Windows 2000:
C:\WINNT>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:1029 *:*
Under Windows XP:
C:\WINDOWS>netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 884
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 976
UDP 0.0.0.0:135 *:* 884
UDP 0.0.0.0:1026 *:* 1112
UDP 0.0.0.0:1027 *:* 976
---[ RPC services ]---
Remaining ports are used by RPC services (Remote Procedure Call). The RPC
portmapper and the COM service control manager (COM SCM) both use port 135.
Ports immediately higher than 1023 are used by RPC services and are reachable
via RPC or DCOM (ORPC). As these ports are dynamically allocated, a port mapping
service is needed, the portmapper, to give the port on which a given RPC service
can be reached.
If you want to identify which RPC service is using which TCP or UDP port on
your own system, you can use the rpcdump tool to obtain the list of RPC services
registered in the portmapper database
([URL no longer displayed]).
-[ Windows 2000 ]-
With rpcdump, we can determine that, on our test system, UDP port 1029 is used
by RPC services started by the Messenger service. After disabling this service
(as explained in the Disabling unused services section) and rebooting the
system, this port will be closed.
Also, UDP port 135 will no longer be opened because:
- the last RPC service reachable via UDP has been disabled
- DCOM is not reachable via UDP by default, thus the COM SCM does not listen
on UDP port 135.
TCP port 1026 is used by RPC services started by the Task Scheduler service
(Schedule). It is thus possible to close this port after disabling this service
and rebooting.
Remote Access Connection Manager (RasMan) must also be disabled.
-[ Windows XP ]-
On our Windows XP system, UDP port 1027 is used by RPC services started by the
Messenger service. As in Windows 2000, this port and UDP port 135 will no longer
be opened after disabling this service and rebooting.
TCP port 1025 is used by RPC services of the Task Scheduler service. Again, as
in Windows 2000, this service must be disabled.
--[ Interfaces restriction on Windows 2000 ]--
_Warning_: the interfaces restriction technique described here currently only
works on Windows 2000 (i.e., not on Windows XP).
Until now, we have disabled services that start RPC services, in order to close
the dynamic ports they use. However, sometimes some services such as the Task
Scheduler are needed.
It is possible to restrict listening network interfaces for some RPC services,
more precisely, for those services that do not explicitly listen on all network
interfaces.
A registry value allows the system to configure the list of network interfaces
on which RPC services will listen. The value contains a list of integers that
correspond to network interfaces indexes.
Before Windows 2000, this value contained network device names, as described in
the 'Configuring the Windows XP/2000/NT Registry Port Allocations and Selective
Bindings' entry in the Microsoft Platform SDK documentation, available somewhere at
[URL no longer displayed]. Starting with Windows 2000, the system expects
network interface indexes, starting at 1.
The two following keys, Rpc and Rpc\Linkage, do not exist by default in the
registry and must be created under the following key:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
The value to add is:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpc\Linkage
Value: Bind
Type: REG_MULTI_SZ
Content: list of network interface indexes
Network interface indexes can be obtained using the rpccfg tool, available at
[URL no longer displayed].
The -l option of rpccfg gives the mapping between network adapters and
interfaces indexes:
C:\WINDOWS>rpccfg -l
Subnet Description
1 127.0.0.0 1 MS TCP Loopback interface
2 192.70.106.128 1 3Com EtherLink PCI (Microsoft's Packet Scheduler)
The interface index appears in the first column.
On our system, the first index corresponds to the loopback interface (IPv4
address 127.0.0.1). Thus, if we put "1" in the Bind value, RPC services that
don't explicitly listen on all interfaces will only listen on the IPv4 address
127.0.0.1.
Remark: note that on Windows 2000, only regedt32 can create registry values of
type REG_MULTI_SZ.
For more information, see the 'Configuring the Windows XP/2000/NT Registry Port
Allocations and Selective Bindings' entry in Microsoft Platform SDK
documentation.
-[ The case of the portmapper ]-
By default, the portmapper RPC service binds to all network interfaces.
A registry value, ListenOnInternet, controls whether the portmapper RPC service
binds to all interfaces or not. By default, this value does not exist and has
implicitly a default value of "Y":
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
Value: ListenOnInternet
Type: REG_SZ
Content: "Y" or "N"
When set to "N", TCP port 135 will only listen on interfaces specified by the
Bind value described in the previous section.
-[ Limits of the interfaces restriction technique ]-
The interfaces restriction technique has some limitations:
- it only works for RPC services that do not explicitly listen on all interfaces.
- it is a global setting, i.e. restrictions can not be implemented on a per-RPC
service basis.
- it seems to work only for TCP transport of RPC services
Tests have shown that the interfaces restriction technique works on Windows 2000
for the TCP transport of the following services:
RPC service of the Distributed Transaction Coordinator service
RPC service of the Task Scheduler service
RPC service of the inetinfo service
It does not work with the UDP transport of the following services (in fact, it
probably does not work with UDP transport at all):
RPC service of the messenger service
RPC service of the inetinfo service
-[ RPC dynamic ports range restriction ]-
By default, TCP and UDP ports for RPC services are allocated in the dynamic
ports range, which starts at 1025 (port 1024 does not seem to be used on Windows
systems). This explains why most of the RPC services launched at startup listen
on TCP and UDP ports immediately higher than 1023.
It is possible to configure a specific range for ports allocated to RPC
services. This is typically used to ease ports filtering on IP filtering
devices. It can also be used to make a clear distinction between dynamic ports
(typically used when the system is a TCP or UDP client) and ports allocated to
RPC services.
For more information, see the 'Configuring the Windows XP/2000/NT Registry Port
Allocations and Selective Bindings' entry in the Microsoft Platform SDK
documentation and the rpccfg tool, available at
[URL no longer displayed].
--[ DCOM ]--
The only remaining opened port is TCP port 135. It is opened by the Remote
Procedure Call (RpcSs) service and it is not possible to disable it because this
service contains the COM service control manager, used by local processes.
TCP port 135 remains opened because it is used to receive remote activation
requests of COM objects. A global setting exists to disable DCOM and can be set
in the registry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Value: EnableDCOM
Type: REG_SZ
Content: "Y" (to enable) or "N" (to disable)
This registry value corresponds to the 'Enable Distributed COM on this computer'
setting that appears in the dcomcnfg tool:
C:\WINDOWS>dcomcnfg
However, disabling DCOM does not close TCP port 135. To close it, one solution
is to remove IP-based RPC protocols sequences from the list that can be used by
DCOM. In our case, the sequence ncacn_ip_tcp (transport on TCP/IP) can be
removed.
The simplest solution for this is to use the dcomcnfg tool and to remove
'Connection-oriented TCP/IP' in the 'Default Protocols' tab.
Under Windows 2000, dcomcnfg directly shows the DCOM properties of the local
system, in particular, the 'Default Protocols' tab. Under Windows XP, dcomcnfg
launches an MMC console showing three nodes. The 'Default Protocols' tab appears
in the properties of the My Computer node, under the Computer node.
The list shown in the 'Default Protocols' tab is stored in the registry, under
the following value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
Value: DCOM Protocols
Type: REG_MULTI_SZ
Thus, it is also possible to directly edit the registry and remove ncacn_ip_tcp
from the DCOM Protocols value.
After a reboot, all ports should be reported as closed, except one UDP port on
Windows XP, which we study in the next section.
--[ caching DNS service (Windows XP) ]--
Starting with Windows 2000, Windows systems include a caching DNS service
(dnscache), that keeps in memory results of DNS requests.
On Windows 2000, this service sends DNS requests on UDP, using a different UDP
source port for each request. On Windows XP, the same port is always used: it is
allocated at the first DNS request and remains the same, as long as the dnscache
service is running.
On our Windows XP system, the port used by the dnscache service is UDP port
1026. If we stop the dnscache service, this port will be closed.
It is possible to disable the socket caching mechanism used by the Windows XP
dnscache service by adding a registry value under the service key:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
Value: MaxCachedSockets
Type: REG_DWORD
Content: 0
With this setting, the Windows XP dnscache service behaves as under Windows
2000, i.e., a different UDP socket is used for each DNS request.
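The registry values introduced in the CIFS over TCP, Interfaces restriction, The case of the portmapper, DCOM and caching DNS sections above can all be applied from one .reg file. The following Python script is an added example, not part of the original document: it generates such a file in regedit 5.00 format, including the hex(7) encoding that regedit requires for REG_MULTI_SZ values (the Bind list and the DCOM Protocols list), which is the part most often mistyped by hand. The Ports, PortsInternetAvailable and UseInternetPorts values it can optionally write for the RPC dynamic port range come from the Platform SDK 'Selective Bindings' entry the document cites, not from the document itself; the DCOM Protocols list in the usage example is constructed and must be replaced by the value exported from the target system, since the file overwrites it.

```python
"""Write the registry values from this document (SmbDeviceEnabled, Rpc\\Linkage
Bind, RpcSs ListenOnInternet, Ole EnableDCOM, DCOM Protocols, Dnscache
MaxCachedSockets) as a regedit 5.00 .reg file. Added example, not part of
the original document. The optional RPC port range values under
HKLM\\SOFTWARE\\Microsoft\\Rpc\\Internet come from the Platform SDK
'Selective Bindings' entry the text cites, not from the text itself."""

REG_HEADER = "Windows Registry Editor Version 5.00"
HKLM = "HKEY_LOCAL_MACHINE"
IP_SEQUENCES = ("ncacn_ip_tcp", "ncadg_ip_udp")  # IP-based RPC protocol sequences


def reg_sz(value):
    """REG_SZ literal; .reg syntax escapes backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def reg_dword(value):
    """REG_DWORD literal: 8 hex digits."""
    return f"dword:{value:08x}"


def reg_multi_sz(strings):
    """REG_MULTI_SZ literal. regedit stores it as hex(7): the UTF-16LE bytes of
    each string, each followed by a NUL, then one more NUL for the empty
    terminating string. Getting this wrong silently corrupts the value."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    data += b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def without_ip_sequences(protocols):
    """DCOM Protocols list with the IP-based sequences removed (closes TCP 135)."""
    return [p for p in protocols if p not in IP_SEQUENCES]


def minimization_reg(bind_indexes=None, dcom_protocols=None, rpc_port_range=None):
    """Return the .reg text. bind_indexes: interface indexes from `rpccfg -l`
    (Windows 2000 only); dcom_protocols: the current 'DCOM Protocols' value as
    exported from the registry; rpc_port_range: e.g. "5000-5100" (optional)."""
    sections = [
        # CIFS over TCP: stop the NetBT driver from opening TCP 445 at boot
        (rf"{HKLM}\SYSTEM\CurrentControlSet\Services\NetBT\Parameters",
         [("SmbDeviceEnabled", reg_dword(0))]),
        # DCOM: remote activation off (does not close 135 by itself)
        (rf"{HKLM}\SOFTWARE\Microsoft\Ole", [("EnableDCOM", reg_sz("N"))]),
        # Windows XP dnscache: one UDP socket per request, as on Windows 2000
        (rf"{HKLM}\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters",
         [("MaxCachedSockets", reg_dword(0))]),
    ]
    if bind_indexes is not None:
        sections += [
            # RPC services that do not bind all interfaces listen only on these
            (rf"{HKLM}\SYSTEM\CurrentControlSet\Services\Rpc\Linkage",
             [("Bind", reg_multi_sz(bind_indexes))]),
            # portmapper (TCP 135) honours the Bind list
            (rf"{HKLM}\SYSTEM\CurrentControlSet\Services\RpcSs",
             [("ListenOnInternet", reg_sz("N"))]),
        ]
    if dcom_protocols is not None:
        sections.append((rf"{HKLM}\SOFTWARE\Microsoft\Rpc",
                         [("DCOM Protocols",
                           reg_multi_sz(without_ip_sequences(dcom_protocols)))]))
    if rpc_port_range is not None:  # value names from the SDK entry, not the text
        sections.append((rf"{HKLM}\SOFTWARE\Microsoft\Rpc\Internet",
                         [("Ports", reg_multi_sz([rpc_port_range])),
                          ("PortsInternetAvailable", reg_sz("Y")),
                          ("UseInternetPorts", reg_sz("Y"))]))
    lines = [REG_HEADER, ""]
    for key, values in sections:
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"={literal}' for name, literal in values)
        lines.append("")
    return "\r\n".join(lines)


def write_reg(path, text):
    """regedit 5.00 files are Unicode: write UTF-16 with BOM and keep CRLF."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    # Constructed DCOM Protocols list; export the real one from the target first.
    print(minimization_reg(bind_indexes=["1"],
                           dcom_protocols=["ncacn_ip_tcp", "ncacn_np"]))
```

Save the output with write_reg and import it with regedit /s minimize.reg; as the text says, a reboot is needed before TCP ports 445 and 135 disappear. Leave bind_indexes unset on Windows XP, where the interface restriction does not work.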
--[ RPC services started when using the system ]--
Some RPC services can be started when starting some programs. For instance,
using the Component Services component under Windows XP seems to open two TCP
ports, used by RPC services.
Thus, it is always useful to use IP filtering in addition to the minimization
techniques presented here. For instance, you can use PktFilter
([URL no longer displayed]), which configures the IPv4
filtering driver available in Windows 2000/XP/.NET Server.
----[ Summary ]----
Minimization of network services can be realized in three steps:
- disabling of unused services
- disabling of NetBIOS over TCP/IP and CIFS over TCP
- minimization of RPC services
Services to disable are:
Windows 2000:
- IIS 5: iisadmin, w3svc, smtpsvc
- Others: messenger, msdtc, policyagent, schedule
Windows XP:
- messenger, policyagent, schedule, ssdpsrv, w32time
Disabling of NetBIOS over TCP/IP is specific to each network interface. To
globally disable CIFS over TCP (port 445), the SmbDeviceEnabled registry value
must be added and set to 0 in the registry.
Minimization of RPC services starts by disabling services that register RPC
services.
Removing the 'Connection-oriented TCP/IP' protocol sequence in the dcomcnfg
utility makes it possible to close TCP port 135.
If necessary, listening interfaces restriction can be configured for some RPC
services on Windows 2000, with the registry value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpc\Linkage\Bind.
----[ Conclusion ]----
A default installation of a Windows system has many network services. It is
possible and wise to minimize them, leaving only services that are strictly
necessary.
----[ Greetings ]----
Thanks to Jacqueline J. for proofreading this document and suggesting many
improvements.
$Id: min_srv_res_win.en.tip,v 1.10 2003/01/09 16:05:46 marchand Exp $