Windows default open ports
By default, Windows opens five ports: 135, 137, 138, 139 and 445. They are there mainly for the convenience of beginners, who can use network communication and enjoy various services without making any settings. The cost is that services the user never wanted or needed get started, and once the machine is connected to the Internet they reveal local information without the user's knowledge. We should therefore understand what these ports do as well as we can, weigh the advantages and disadvantages of leaving them open, and then decide on security countermeasures accordingly.

Port 135

Of the five ports that Windows opens by default, port 135 is the most complex and the most likely to draw attacks from outside. Verifying the port's security with "IEen", a tool developed by SecurityFriday, shows clearly how dangerous leaving it open is. IEen is a tool for operating the IE browser remotely: it can not only obtain information from the IE browser of another computer but also drive that browser itself. Specifically, it can list the windows of the running IE browser, the URL and cookies of the site shown in each window, and the keywords entered on a search site. IEen uses DCOM (Distributed Component Object Model), a distributed object technology that is a standard part of Windows NT 4.0/2000/XP and can operate DCOM applications on other computers remotely. This technology uses RPC (Remote Procedure Call) to call functions on other computers, and RPC uses port 135.

RPC is the remote procedure call protocol used by the Windows operating system. It provides an inter-process communication mechanism through which a program running on one computer can execute code on a remote system. The protocol itself is derived from the OSF (Open Software Foundation) RPC protocol, with some Microsoft-specific extensions added. Because a program using RPC does not need to know the network protocol that carries the communication, RPC improves the interoperability of programs. In RPC the program making the request is the client and the program providing the service is the server. When a program communicates with RPC, it asks port 135 of the other computer which port it can communicate on, and the other computer answers with the port number that can be used.

In the unencrypted state, IEen can read data on the other computer that should be protected by SSL, and can even see the bank card password typed into an online banking site. Exposure of vulnerabilities is therefore unavoidable. An attacker who exploits such a vulnerability can run code on the affected system with local system privileges and perform any operation: install programs, view, change or delete data, or create an account with system administrator privileges. Many worms target this vulnerability. Early worms only attacked the vulnerability and crashed the remote system; the Blaster ("shock wave") worm that broke out in August last year uses the hole to spread quickly and easily take control of other people's IP addresses and registered names, so that many more individual and company systems suffered.

The best way to avoid this danger is to shut down the RPC service. A web server, mail server or DNS server that does not use DCOM-specific applications will have no problem even with port 135 closed. To stop the RPC service, open Services under Administrative Tools in the Control Panel, open the properties of Remote Procedure Call in the Services window, set the startup type to Disabled in the properties window (Figure 01), and restart the computer; RPC will no longer run. You can also open the Registry Editor and change the "Start" value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs from 0x04 to 0x02, which takes effect after the machine is restarted.

However, shutting down the RPC service has a great impact on the operation of Windows. Many Windows services depend on RPC and will not start normally once RPC is disabled. For example, a client that closes port 135 can no longer connect to Exchange Server with Outlook, because MSDTC (which manages distributed processing), MSMQ (which exchanges messages between applications) and DHCP (which dynamically assigns addresses to computers joining the network) also use this port. Windows will also start very slowly. The disadvantages of shutting down the RPC service are so large that it is generally not practical to do so.

To avoid being attacked nonetheless, a network client can prohibit remote logon to the computer. Open Control Panel, Administrative Tools, then Local Security Policy; in the Local Security Settings window select User Rights Assignment under Local Policies, and use "Deny access to this computer from the network" to specify who is denied access (Figure 02). To deny all access, specify "Everyone" (Figure 03). Within a company, if you do not want other computers to operate your own computer, you can disable DCOM: run the dcomcnfg.exe tool that comes as standard with Windows NT/2000/XP from the command prompt, select the Default Properties tab in the Distributed COM Configuration Properties window that opens, and uncheck "Enable Distributed COM on this computer". DCOM (Distributed Component Object Model) is a protocol that allows software components to communicate directly over the network.
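To see how the settings described in this section actually stand on a machine, here is an added PowerShell audit script; it is not from the original article. It lists which process or service is listening on the five default ports, reports the RPC service startup type, the machine-wide DCOM flag that dcomcnfg's checkbox writes, and who is listed under "Deny access to this computer from the network". The cmdlets and registry paths are standard Windows ones; the output format and the helper function name are my own.

```powershell
# Added example (not from the article): read-only audit of the five default ports
# and of the RPC/DCOM settings discussed above. Run as Administrator on
# Windows 8 / Server 2012 or later (Get-NetTCPConnection needs the NetTCPIP module).
$tcpPorts = 135, 139, 445     # RPC endpoint mapper, NetBIOS session, SMB/CIFS
$udpPorts = 137, 138          # NetBIOS name service, NetBIOS datagram (browser)

# Turn a PID into "process [hosted services]" so svchost listeners are meaningful.
function Get-OwnerLabel([int]$ProcId) {
    $proc = Get-Process -Id $ProcId -ErrorAction SilentlyContinue
    if (-not $proc) { return "pid $ProcId (exited)" }
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $ProcId" |
            Select-Object -ExpandProperty Name
    if ($svcs) { return "$($proc.ProcessName) [$($svcs -join ',')]" }
    return $proc.ProcessName
}

"--- listeners on the five default ports ---"
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $tcpPorts -contains $_.LocalPort } |
    ForEach-Object { "TCP {0,-4} {1,-16} {2}" -f $_.LocalPort, $_.LocalAddress, (Get-OwnerLabel $_.OwningProcess) }
Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $udpPorts -contains $_.LocalPort } |
    ForEach-Object { "UDP {0,-4} {1,-16} {2}" -f $_.LocalPort, $_.LocalAddress, (Get-OwnerLabel $_.OwningProcess) }

"--- RPC / DCOM settings ---"
# Startup type of the RPC service (what the Services snap-in / RpcSs "Start" value controls).
$rpc = Get-Service -Name RpcSs
"RpcSs: status={0} startType={1}" -f $rpc.Status, $rpc.StartType
# Machine-wide DCOM switch written by dcomcnfg's "Enable Distributed COM on this computer".
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
"EnableDCOM: {0}" -f $(if ($ole.EnableDCOM) { $ole.EnableDCOM } else { 'not set' })

"--- Deny access to this computer from the network ---"
# Export the local user-rights policy and read SeDenyNetworkLogonRight (SIDs; *S-1-1-0 = Everyone).
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$deny = Get-Content $cfg | Where-Object { $_ -like 'SeDenyNetworkLogonRight*' }
"SeDenyNetworkLogonRight: {0}" -f $(if ($deny) { ($deny -split '=', 2)[1].Trim() } else { '(nobody)' })
Remove-Item $cfg -ErrorAction SilentlyContinue
```

A listener on 135 owned by svchost hosting RpcSs with EnableDCOM absent or "Y" is the default state the article warns about; an empty SeDenyNetworkLogonRight means nobody is blocked from network logon yet.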
DCOM used to be called "network OLE" and can be carried over various networks, including Internet protocols such as HTTP. A detailed description of DCOM can be found at /com /com/tech/dcom.asp.

Ports 137 and 138

It is enough to send a single packet asking about connection status to port 137 of another Windows computer to learn its computer name and registered user name, whether it is the primary domain controller and master browser, whether it is used as a file server, and so on. This applies not only to a company's internal network but also to computers connected to the Internet: as long as you know the other party's IP address, you can send a request to port 137 of that computer and obtain a great deal of information. By capturing packets exchanged through port 137 you can also learn the startup and shutdown times of the target host, because Windows sends a specific packet through port 137 whenever it starts or shuts down. Knowing the startup time of the target host makes it easy to operate DCOM with software such as the IEen mentioned above.

Why does port 137, like port 135, leak so many packets onto the network? Port 137 is used by the computer name management function of the Windows network communication protocol NetBIOS over TCP/IP (NBT). (Computer name management is the function by which computers in a Windows network obtain the actual IP address from the name they use to identify each other, the NetBIOS name.) To obtain the IP address of a communication partner, port 137 must exchange many packets. Port 137 packets leak in two main ways. One is the management of computer names among computers in the same group by broadcast: when a computer starts up or joins the network, it asks every computer in its group whether any of them already uses the same NetBIOS name as itself, and a computer that does use that name replies with a notification packet. These exchanges take place over port 137. The other is computer name management with WINS (Windows Internet Name Service). The computer acting as the WINS server holds a lookup table of IP addresses and NetBIOS names. When a WINS client starts or joins the network it sends its NetBIOS name and IP address to the WINS server, and when it wants to communicate with another computer it sends that computer's NetBIOS name to the WINS server and asks for its IP address. This method also uses port 137.

Disclosing this information freely is like politely telling an attacker how to attack the computer; a malicious attacker can break in without even port scanning. Knowing, for instance, that the IIS service is running makes it easy to work out which services have been started on the computer. For an intruder, this is simply too convenient.

Port 138 provides the NetBIOS browsing function, in which the computer called the master browser maintains the browse list of computers connected to the network. In Windows 2000, for example, selecting "Entire Network" in "My Network Places" shows all neighbouring computers on the network. This function works differently from the computer name management of port 137 and is mainly used to display the list of computers connected to the network. When a computer starts or joins the network it broadcasts its NetBIOS name and computer information to every computer in its group over port 138, and the master browser that receives the NetBIOS name adds the computer to the browse list. When the list needs to be displayed, a list request is broadcast and the master browser that receives it sends back the browse list. When a computer shuts down it notifies the master browser so that its NetBIOS name can be removed from the list. Port 138 does not reveal as much as port 137, but its security risks cannot be ignored either.

The NetBIOS service mainly uses ports 137 and 138 to send its own information, and NetBIOS is used mainly in Windows networks. Windows 2000 and later can manage computer names without NetBIOS, so NBT can be stopped completely, but doing so reduces the convenience of the Windows network; for example, the results of searching for files on the network can no longer be displayed. Computers that form a Windows network within a company's internal network still need the NetBIOS service. To stop it, select the network connection in use from the Control Panel and open the properties of "Internet Protocol (TCP/IP)" in the properties window; click the Advanced button on the General tab and select "Disable NetBIOS over TCP/IP" on the WINS tab (Figure 04). This closes ports 137 and 138, and also port 139, discussed below. One thing to note: if the NetBEUI protocol is enabled, the NetBIOS service continues to run. NetBEUI is installed by default in Windows 95; in later versions of Windows it can be installed if desired. So besides stopping NBT, confirm whether NetBEUI is in use: with NetBEUI running, information can still be disclosed to the outside even if port 137 is closed.

Ports 139 and 445

Ports 139 and 445 are mainly used, after the IP address has been obtained through ports 137 and 138, to provide file sharing and printer sharing. Communication on ports 139 and 445 uses the SMB (Server Message Block) protocol: the partner to communicate with is located from the name list information in the DNS server, and once its IP address is obtained, the shared resource can be accessed.
Versions of Windows before Windows 2000 resolved computer names with the NetBIOS protocol, sending the NetBIOS name of the communication partner to the WINS server to obtain its IP address. CIFS, used in newer versions of Windows, resolves computer names with DNS. In SMB communication the IP address of the partner must first be obtained; a request is then sent to the partner to start communication, and if the partner permits it a session is established. The session is used to send the user name and password to the other party for authentication, and if authentication succeeds the other party's shared files can be accessed. Port 139 is used for this series of exchanges. Windows 2000 and XP additionally use port 445. Its file sharing function is the same as that of port 139, but the port uses a protocol different from SMB: the newer CIFS (Common Internet File System) protocol used in Windows 2000. CIFS and SMB resolve computer names differently: SMB uses NetBIOS and WINS, while CIFS uses DNS. Ports 139 and 445 therefore cannot be closed in a company network where the file server and print server run Windows.

By default, Windows opens TCP port 139, which provides the file service. Once the file sharing service is started the system waits for connections, and the net command can easily be used to share resources. Drive C cannot be shared without administrator permission, but if the Guest account is carelessly enabled an attacker can easily access drive C and wreck the hard disk. If a client is on a network made up only of Windows versions from 2000 onward and does not share files, these two ports can be closed, because, as mentioned above, such a network can share files using port 445 alone; and because DNS is used to resolve computer names, ports 137 and 138 can be closed as well.

At present, however, practically all network systems still include versions of Windows earlier than 2000. In many cases file sharing and printer sharing in ordinary business must communicate over SMB on port 139, so port 139 cannot be closed; in addition, ports 137 to 139 are needed for browsing. Servers open to the Internet, however, are another matter, and they must close these ports. It is very dangerous to open ports 139 and 445 on public servers. As noted at the beginning of this article, if there is a Guest account with no password set, anyone can easily steal files over the Internet, and if the account has write permission they can just as easily tamper with them. In other words, these ports must not be open on public servers. Using a file server across the Internet is tantamount to suicide, so be sure to close ports 139 and 445. The same can be said of client machines that use ADSL to access the Internet permanently. Just as for ports 138 and 139, they can disable NetBIOS over TCP/IP. Closing port 445, however, requires an additional step: use the Registry Editor to add a DWORD value named "SMBDeviceEnabled" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters, set it to 0, and restart the machine.
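As an added example that is not from the original article, the following PowerShell script applies the closing steps described above for ports 137 to 139 and 445 on a machine that does not need file or printer sharing, such as the public server or permanently connected ADSL client discussed here. It disables NetBIOS over TCP/IP on every adapter, sets the SMBDeviceEnabled value, and adds host firewall block rules as an extra safeguard; the firewall rule names and the -Apply switch are my own. SMBDeviceEnabled is the article's method for the Windows 2000/XP systems it discusses; on current Windows versions it is the firewall rule that actually closes port 445.

```powershell
# Added example (not from the article): apply the article's hardening for ports
# 137-139 and 445 on a host that does not share files or printers.
# Run as Administrator. Without -Apply the script only reports current state.
param([switch]$Apply)

# 1. Disable NetBIOS over TCP/IP on every IP-enabled adapter (closes 137, 138, 139).
#    TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
foreach ($a in $adapters) {
    "{0}: TcpipNetbiosOptions={1}" -f $a.Description, $a.TcpipNetbiosOptions
    if ($Apply -and $a.TcpipNetbiosOptions -ne 2) {
        $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = 2 }
        "  SetTcpipNetbios -> return code $($r.ReturnValue) (0 = ok, 1 = reboot required)"
    }
}

# 2. Port 445: the SMBDeviceEnabled DWORD the article describes. Takes effect after a reboot.
$nbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$cur = (Get-ItemProperty -Path $nbt -ErrorAction SilentlyContinue).SMBDeviceEnabled
"SMBDeviceEnabled: {0}" -f $(if ($null -eq $cur) { 'not set (defaults to enabled)' } else { $cur })
if ($Apply -and $cur -ne 0) {
    Set-ItemProperty -Path $nbt -Name SMBDeviceEnabled -Value 0 -Type DWord
}

# 3. Defence in depth: block inbound traffic to all five ports at the host firewall,
#    so the ports stay closed whatever services happen to be running.
$rules = @(
    @{ Name = 'Block inbound RPC/SMB (TCP 135,139,445)'; Proto = 'TCP'; Ports = 135, 139, 445 },
    @{ Name = 'Block inbound NetBIOS (UDP 137,138)';     Proto = 'UDP'; Ports = 137, 138 }
)
foreach ($rule in $rules) {
    $existing = Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue
    "Firewall rule '{0}': {1}" -f $rule.Name, $(if ($existing) { $existing.Enabled } else { 'absent' })
    if ($Apply -and -not $existing) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Action Block `
            -Protocol $rule.Proto -LocalPort $rule.Ports -Profile Any | Out-Null
    }
}
```

Do not run this with -Apply on a machine that serves or consumes Windows file and print shares; as the article says, those hosts need ports 139 and 445, and a domain-joined client also needs 445 for its domain controller.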