Closing the PPTP Port Under Windows 2000?
phnork asks: "I have asked many skilled Win2K users and networking specialists how to close Port 1723 in my Win2K system. I have searched the net unsuccessfully, browsed news groups, asked my ISP techies, and even asked my wife. But, although all agree the port normally used for PPTP (VPN) should not be open, no one has taken the time to document how nor post the solution where it can be found. In fact, I have found that most security issues that abound in the Wide World of Windows occur because those in the know, do not. Not even Microsoft! If they did, the solution would be as easy and straightforward as setting up a printer. Networks and security are still relegated to the nether worlds of the 80s where we used to have problems with every printer installation and computers were hauled to a grinding stop by the inability of the protocol lords to arrive at a consensus. But, maybe now the solution is at hand. Now that I have asked for help maybe someone will come forward with those super words, 'Try this...'." What other hard-to-close ports have you found open in your Win2k install? What did you have to do to close them?
No, teh H4x0r that broke into your machine through port 1723 did.
Free as in mason.
Are you running Routing and Remote Access Services on that machine? I don't see 1723 as a default open port on my servers that don't have RRAS enabled.
Couldn't they think of a better name? That always sounded like a restroom on an Indian reservation to me...
Putting your win2k box behind a NAT Router or a hardware firewall of some sort will block connections to that port from the internet. While not an optimal solution, it beats having the port open to the internet! ;)
That should tell you which process is listening on that port. Then you can stop the appropriate service or kill the appropriate process.
stay frosty and alert
ZoneAlarm
Alternatively you can block any port on a Windows 2000 LAN adapter by enabling TCP/IP Filtering under the TCP/IP properties for that adapter. The way it works is you enable it which will block everything, then you must enable the services you would like to use.
Any decent software firewall will let you shut down whatever port you like. Perhaps even the built-in Microsoft firewall lets you do that now if you configure it correctly.
Good luck, my friend. I hope someone in here has a good tip. But this biz about not even MS themselves knowing: I remember a few years back when a writer for the MSJ, aware of how hard it was to find anyone in MS who knew anything, spent a day on the campus chasing down people who might know why and how byte offset 12 in the VFAT Unicode directory entries were formatted (something like that). He gave up at 5 PM after a whole day at it - with no answer in sight.
This is a joke right?
:)
Go download Active Ports and see what program is actually causing that port to be open.
You can also try running this document in the reverse order to uninstall PPTP
I use Zone Alarm and also utilize Steve Gibson's Shields Up! to check my ports.
Though I don't have a Win2K machine handy to test right now, I don't believe it's normal for that port to be open for no reason. I can verify that neither my WinXP PC nor my Win2003 server has it open, and I don't recall it ever being opened on Win2K.
Are you running Win2K Professional? Do you have the RRAS service running? Have you tried any diagnostic tools like TCPView to isolate the process? Up to date virus scan and adware scans? Any communication on that port? Any odd processes in TaskManager? If you shutdown background tasks, does that port remain open? Oh, and since you seem to be lacking in ability, how did you come to the conclusion that port was open?
The solution is simple. Stop the process listening on that port. I don't think anyone needs to write a HOWTO on that. And seeing that I haven't heard of anyone else complaining about this (nor seen it myself), I'm inclined to believe it's something unique to your setup - not Windows.
Perhaps those that think they are "in the know, do not" (like ISP techs). But those of us actually in the know do know how to track down a process holding a port open. I think, phnork, that you may want to hold off on your anti-MS diatribe until you find what the issue actually is. Dollars to doughnuts it's your fault, not MS.
I prefer to use multiple layers on machines that matter... If security is important to you, use IP filtering, a hardware firewall, and software firewall. If you need to use PPTP, a decent hardware firewall will have a mechanism for allowing you to open the port from the inside only...
There is another subtle non-technical issue present - it's this dramatic "nobody in the whole world can fix it" tone. Closing a port is a simple task. Either your "technical" contacts are lousy, or you did not explain the problem to them correctly (or to us for that matter). Some things that would help are:
1. A Windows 2000 Pro. MCSE Certification Book
2. A shrink
3. Google
Seriously, the cert. book is an excellent resource for end users. Though it won't make you a guru, you will at least have a clue ;)
By default RPC/135 listens on 0.0.0.0, but you can change this by using MS's rpccfg.exe to listen on the loopback only.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/rpccfg-o.asp
Also, port 445 is open, even if you disable File and Print Sharing. To fix that hole, open up regedit and change:
HKLM\System\CurrentControlSet\Services\NetBT\Parameters\TransportBindName from '\Device\' to nothing. You can't use the workstation service|CIFS outbound either when you do this though, and you have to reboot for it to take should you want to switch back.
I've never had a problem with PPTP or the port you mentioned, maybe try disabling Routing and Remote Access, or other services.
I have my Win2k3 box only listening on 22, OpenSSHd and scp work like a champ.
Michael Johnson took over the NetworkSimplicity OpenSSH installer, which makes it too easy not to use SSH on Windows.
http://lexa.mckenna.edu/sshwindows/
-Vlad
My firm changed routers 2 weeks ago. With the defaults, all the other boxes (Windows) can browse, send/receive mail, etc; however my Linux box can't.
Even my VMware XP inside Linux can get on (it's how I write this message at the moment) but Linux proper is blocked.
traceroute shows incredible lag, ping is slow, and DNS is slowed to a crawl. How the hell would the router do this?
The guy who installed the router (**Not me!**) doesn't have a clue how to fix it, and the router's support people haven't deigned to reply to several e-mails. Googling for the router brand and model (among other searches) doesn't seem to help.
I have noticed that the Win mail clients sometimes will bomb the router into submission, and as a result the router will need to be reset. Increasing the router timeouts doesn't seem to help. Moreover, the router has no information in its firewall set that blocks my static IP in particular.
If someone could just point me to a resource I'd be most grateful.
========================================
Death will come, and will have your eyes
-- Pavese
Doesn't the advanced TCP/IP settings under 2K allow you to filter ports?
Alternately, you could write a dummy service that listens on a port, accepts connections & throws all data away, forcing attackers to time-out.
my sig's at the bottom of the page.
windows services
My guess is Routing and Remote Access, which along with the alarming Remote Registry Service, should be one of the things you turn off by default on a new install. No different from turning off all the crap that is installed on a typical default Linux installation.
It's 10 PM. Do you know if you're un-American?
Alright. I just checked my 'mostly default' install and it's closed. I have the IPSec service disabled, as I don't USE IPSec. Just having IPSec sitting there in the networking layer doesn't do any good unless it's configured anyway.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
I purchased some gasoline and returned to the drivers seat of my car. I looked in the side view mirror, and to my horror, the fuel tank door was still open!
There is no documentation anywhere about how to return the fuel tank door to the "closed" position. I even called the dealer and they just laughed and said that nothing is wrong... please help!
Conformity is the jailer of freedom and enemy of growth. -JFK
I have searched the net unsuccessfully, browsed news groups, asked my ISP techies, and even asked my wife.
If this is something that she might know, I suggest you improve your communication. If it's not, why did you bother? On the off-chance that she was bored from playing Minesweeper one day, so went tooling through her firewall configuration file?
--
$tar -xvf
i have an XP box and windows is listening on ... :P ... all kinda strange ports (>1024).
so what i did is listen around for a free software firewall and i ended up choosing "KERIO personal firewall".
then i did a portscan on the computer (from a different one). KERIO would pop-up and notify me of an incoming connection (because i'm port scanning). i'd have KERIO setup a rule to DENY all incoming and outgoing connection on ports i don't need or don't know what they do.
i haven't broken anything yet. it can be a bit annoying to "train" (e.g. build the rules) for the firewall.
but i found "the system" (basically the NT-system core) listening on ports (3472?), which did give me a scare.
so basically you can't close the port but you can have software intercept it before.
good luck.
p.s. ad-ware reports NO spyware (except alexa which seems to be in the registry even after clean install and no internet connection...)
PC-CILLIN (virusdef.747) reports NO viruses.
Of course, the only way to be sure is to try and cut pay to the longshoremen. Nothing will shut down a port tighter than a longshoremen's strike.
Oh, wait. This is slashdot.ORG not slashdot.MIL.
Never mind....
My links on Windows Security Software should give you some starting points.
Also note that PPTP uses not only TCP/UDP but also GRE (protocol 47).
Format c: | Insert Linux CD
Frink: Nice try floyd, but you were designed for scrubbing, and scrubbing is what you shall do.
PPTP uses the GRE protocol, protocol number 47.
Let me back up and explain:
IP datagrams just specify machines. They say packets are going from one computer to another, but they don't care what kind of data is in the packet.
Inside that packet is a specific protocol number. TCP packets use protocol number 6, UDP packets use protocol number 17, and ICMP packets use protocol number 1.
Then, based on the protocol number, the computer interprets the contents of the packet.
In this case, PPTP uses TCP traffic (I think) to set up the connection but uses GRE for the actual payload. If you block GRE then PPTP can't operate.
So find some way to make your network or your computer block protocol number 47, and you'll be good to go.
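The protocol-number dispatch the post above describes, as an added example that is not part of the original thread: a small IPv4 header parser that reads the protocol field and a filter that drops protocol 47 (GRE) so PPTP data cannot pass. All packets are constructed inline; the IP checksum is left zero because the parser does not verify it.

```python
import struct

# IANA protocol numbers named in the post above; 47 is GRE, which carries PPTP data.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}
GRE = 47

def parse_ipv4_header(packet: bytes) -> dict:
    """Pull header length, protocol and addresses out of a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, f"proto-{proto}"),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }

def filter_verdict(packet: bytes, blocked_protocols=frozenset({GRE})) -> str:
    """Return 'DROP' for blocked IP protocol numbers, else 'ACCEPT'.
    Blocking 47 alone is enough to break PPTP, even if TCP/1723 stays reachable."""
    hdr = parse_ipv4_header(packet)
    return "DROP" if hdr["protocol"] in blocked_protocols else "ACCEPT"

def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed sample packet builder (checksum left zero; fine for a parser demo)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, src_b, dst_b) + payload

# Constructed samples: TCP to the PPTP control port (1723), a GRE-carried PPP frame, and a ping.
SAMPLES = {
    "pptp-control": build_ipv4(6, "192.0.2.10", "192.0.2.20", b"\x04\xd2\x06\xbb"),  # src 1234, dst 1723
    "pptp-data": build_ipv4(GRE, "192.0.2.10", "192.0.2.20", b"\x30\x01\x88\x0b"),   # GRE v1, proto 0x880B
    "ping": build_ipv4(1, "192.0.2.10", "192.0.2.20", b"\x08\x00"),                  # ICMP echo request
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        h = parse_ipv4_header(pkt)
        print(f"{name:13s} {h['src']} -> {h['dst']} {h['protocol_name']:5s} {filter_verdict(pkt)}")
```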
No Windows box should be directly connected to the Internet.
I might even go so far as to say no desktop OS (Including Mdk, RH, SuSE and MacOS) should be directly connected.
Firewalls like IPCop, Smoothwall or OpenBSD can run on very modest hardware (486, maybe 386).
Sure it helps to close the ports on your workstations if you can, but firewall them too.
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
Go to the device manager, show hidden devices on the view menu if necessary, browse to the network adapters and disable the WAN Miniport (PPTP) and others if you like.
As a side benefit your machine will use less resources as well.
Look at the back of the PC. You'll see a fan grill next to a thick black or gray cable with a large plug. Remove said cable, and the port is secured.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
"network aware", that's great spin on crap that phones home and listens on random ports without telling you. Great of you also to mention how this helps worms propagate.
How about giving the man the benefit of the doubt and telling him what applications might be listening to 1723? He already knows that pptp or something is listening. What he needs to know is how to turn the shit off. My recommendation is, as always, to avoid M$ junk in the first place.
Friends don't help friends install M$ junk.