Slashdot Mirror
Closing the PPTP Port Under Windows 2000?
phnork asks: "I have asked many skilled Win2K users and networking specialists how to close Port 1723 in my Win2K system. I have searched the net unsuccessfully, browsed news groups, asked my ISP techies, and even asked my wife. But, although all agree the port normally used for PPTP (VPN) should not be open, no one has taken the time to document how nor post the solution where it can be found. In fact, I have found that most security issues that abound in the Wide World of Windows occur because those in the know, do not. Not even Microsoft! If they did, the solution would be as easy and straight forward as setting up a printer. Networks and security are still relegated to the nether worlds of the 80s where we used to have problems with every printer installation and computers were hauled to a grinding stop by the inability of the protocol lords to arrive at a consensus. But, maybe now the solution is at hand. Now that I have asked for help maybe someone will come forward with those super words, 'Try this...'." What other hard-to-close ports have you found open in your Win2k install. What did you have to do to close them?
Are you running Routing and Remote Access Services on that machine? I don't see 1723 as a default open port on my servers that don't have RRAS enabled.
Putting your win2k box behind a NAT Router or a hardware firewall of some sort will block connections to that port from the internet. While not an optimal solution, it beats having the port open to the internet! ;)
That should tell you which process is listening on that port. Then you can stop the appropriate service or kill the appropriate process.
stay frosty and alert
ZoneAlarm
Alternatively you can block any port on a Windows 2000 LAN adapter by enabling TCP/IP Filtering under the TCP/IP properties for that adapter. The way it works is you enable it which will block everything, then you must enable the services you would like to use.
Any decent software firewall will let you shut down whatever port you like. Perhaps even the built-in Microsoft firewall lets you do that now if you configure it correctly.
This is a joke right?
:)
Go download Active Ports and see what program is actually casuing that port to be open.
You can also try running this document in the reverse order to uninstall PPTP
I use Zone Alarm and also utilize Steve Gibson's Shields Up! to check my ports.
By default RPC/135 listens on 0.0.0.0, but you can change this by using MS's rpccfg.exe to listen on the loopback only.
e sk it/tools/new/rpccfg-o.asp
r am eters\TransportBindName from '\Device\' to nothing. You can't use the workstation service|CIFS outbound either when you do this though, and you have to reboot for it to take should you want to switch back.
http://www.microsoft.com/windows2000/techinfo/r
Also, port 445 is open, even if you disable File and Print Sharing. To fix that hole, open up regedit and change:
HKLM\System\CurrentControlSet\Services\NetBT\Pa
I've never had a problem with PPTP or the port you mentioned, maybe try disabling Routing and Remote Access, or other services.
I have my Win2k3 box only listening on 22, OpenSSHd and scp work like a champ.
Michael Johnson took over the NetworkSimplicity OpenSSH installer, which makes it too easy not to use SSH on Windows.
http://lexa.mckenna.edu/sshwindows/
-Vlad
Doesn't the advanced TCP/IP settings under 2K allow you to filter ports?
Alternately, you could write a dummy service that listens on a port, accepts connections & throws all data away, forcing attackers to time-out.
my sig's at the bottom of the page.
Insure that ECN is not enabled on the Linux box.
windows services
My guess is Routing and Remote Access, which along with the alarming Remote Registry Service, should be one of the things you turn off by default on a new install. No different from turning off all the crap that is installed on a typical default Linux installation.
It's 10 PM. Do you know if you're un-American?
Agreed. That doesn't make any sense. While I know folks can add-on tools like Zone Alarm, not having a built-in configuration for this seems strange.
Along those lines though, the per-process/app/server block of ZA and other Windows firewalls could have some uses on Linux. I guess with SE Linux, that will come along for-free, though I don't know that for a fact. Anyone?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Reply or moderate? Well, since shyster's post is already at +5, here I go...
/., where a good troll can always get a story posted.
My first reaction was that he has somehow managed to install RRAS. Its astonishing how many people have shit installed on their boxes they don't know how or when were installed.
A quick nmap of a default install win2k box shows only a handful of open ports: 135, 445, 1025, 1026. Turning on netBios over IP also opens ports 137, 138, 139. Beyond that, ports only get opened up by enabling or installing other software. RRAS will open up various ports, depending on which options you configure: 1723(pptp), 1701(l2tp), 520(rip) and if you configure OSPF or RIPv2, appropriate multicast addresses will appear. Installing Access, which installs ODBC/MSSQL, opens up port 1434, which unpatched allows the slammer worm to propagate.
Every network aware product you install on 'doze may leave ports open. Any moderately experienced system admin knows this, so if the OP wasn't able to get a response, that is because he didn't truly ask anyone knowlegable.
The OP was a troll, but this is
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on