Slashdot Mirror


Closing the PPTP Port Under Windows 2000?

phnork asks: "I have asked many skilled Win2K users and networking specialists how to close Port 1723 in my Win2K system. I have searched the net unsuccessfully, browsed news groups, asked my ISP techies, and even asked my wife. But, although all agree the port normally used for PPTP (VPN) should not be open, no one has taken the time to document how nor post the solution where it can be found. In fact, I have found that most security issues that abound in the Wide World of Windows occur because those in the know, do not. Not even Microsoft! If they did, the solution would be as easy and straight forward as setting up a printer. Networks and security are still relegated to the nether worlds of the 80s where we used to have problems with every printer installation and computers were hauled to a grinding stop by the inability of the protocol lords to arrive at a consensus. But, maybe now the solution is at hand. Now that I have asked for help maybe someone will come forward with those super words, 'Try this...'." What other hard-to-close ports have you found open in your Win2k install. What did you have to do to close them?


  1. Re:RRAS? by Anonymous Coward · · Score: 1, Insightful
  2. Re:hardware firewalls / nat routers by storem · · Score: 4, Insightful

    I had the same problems until I installed an IPCop Firewall box. In my opinion it's always better to have a dedicated firewall machine. You never know what is open (by mistake) on your workstation and/or servers.

    my e$0.02

  3. Is this all the info you got? by shyster · · Score: 5, Insightful
    I don't know what "skilled Win2K users and networking specialists" you've been talking to, but I think some more info may be in order here.

    Though I don't have a Win2K machine handy to test right now, I don't believe it's normal for that port to be open for no reason. I can verify that neither my WinXP PC nor my Win2003 server has it open, and I don't recall it ever being opened on Win2K.

    Are you running Win2K Professional? Do you have the RRAS service running? Have you tried any diagnostic tools like TCPView to isolate the process? Up to date virus scan and adware scans? Any communication on that port? Any odd processes in TaskManager? If you shutdown background tasks, does that port remain open? Oh, and since you seem to be lacking in ability, how did you come to the conclusion that port was open?

    ...no one has taken the time to document how nor post the solution where it can be found.

    The solution is simple. Stop the process listening on that port. I don't think anyone needs to write a HOWTO on that. And seeing that I haven't heard of anyone else complaining about this (nor seen it myself), I'm inclined to believe it's something unique to your setup - not Windows.

    I have found that most security issues that abound in the Wide World of Windows occur because those in the know, do not.
    Perhaps those that think they are "in the know, do not" (like ISP techs). But those of us actually in the know do know how to track down a process holding a port open.

    I think, phnork, that you may want to hold off on your anti-MS diatribe until you find what the issue actually is. Dollars to doughnuts it's your fault, not MS.

    1. Re:Is this all the info you got? by Khazunga · · Score: 2, Insightful
      Are you running Win2K Professional? Do you have the RRAS service running? Have you tried any diagnostic tools like TCPView [sysinternals.com] to isolate the process? Up to date virus scan and adware scans? Any communication on that port? Any odd processes in TaskManager? If you shutdown background tasks, does that port remain open? Oh, and since you seem to be lacking in ability, how did you come to the conclusion that port was open?
      Doesn't anyone else find it extremely cumbersome and security error prone to allow processes to open listen ports as they wish? Isn't there an equivalent to ipfilter in the Windows kernel?
      --
      If at first you don't succeed, skydiving is not for you
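The procedure shyster describes (find the process holding the port, stop it, check RRAS) and Khazunga's question about a kernel-level filter, as an added example that is not part of the original thread. It assumes a modern Windows host (Windows 8 / Server 2012 or later, where Get-NetTCPConnection and New-NetFirewallRule exist); Windows 2000 has neither PowerShell nor netstat -o, so there TCPView is the manual equivalent of step 1. The port number, the -Fix switch and the rule name are this example's own choices.

```powershell
# Added example, not from the original thread: find the listener on a TCP port,
# map its PID to a process and to any Windows service hosted in that process,
# and optionally stop/disable that service and block the port inbound.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity modules).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$Port = 1723,   # PPTP control port, the one asked about
    [switch]$Fix         # without -Fix the script only reports
)

# 1. Who owns the listener? (TCPView on Win2K answers the same question)
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Host "Nothing is listening on TCP/$Port."
    return
}

foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    # svchost.exe hosts many services; Win32_Service maps the PID back to service names.
    # RRAS is the service named RemoteAccess, the usual owner of 1723/tcp.
    $services = Get-CimInstance Win32_Service -Filter "ProcessId = $($conn.OwningProcess)"

    [PSCustomObject]@{
        LocalAddress = $conn.LocalAddress     # 0.0.0.0 means reachable from any interface
        Port         = $conn.LocalPort
        PID          = $conn.OwningProcess
        Process      = $proc.ProcessName
        Services     = ($services.Name -join ', ')
    } | Format-List

    if ($Fix) {
        foreach ($svc in $services) {
            # Stop and disable rather than just stop, or it comes back at next boot.
            if ($PSCmdlet.ShouldProcess($svc.Name, "Stop and disable service")) {
                Stop-Service -Name $svc.Name -Force
                Set-Service  -Name $svc.Name -StartupType Disabled
            }
        }
    }
}

# 2. Belt and braces: the host firewall is the in-kernel filter Khazunga asks about.
if ($Fix -and $PSCmdlet.ShouldProcess("TCP/$Port", "Add inbound block rule")) {
    New-NetFirewallRule -DisplayName "Block inbound TCP $Port" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Block | Out-Null
}

# 3. Re-check. Confirm from another machine too (a port scan), since what matters
#    is what the network sees, not what the host thinks it has closed.
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run it without -Fix first to see which service owns the port; run with -Fix -WhatIf to preview, then -Fix to apply. If the owning process is not a service at all (an unknown executable rather than svchost/RemoteAccess), that is the point to reach for the virus and adware scans shyster mentions rather than just stopping it.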
  4. Re:Good luck by zero_offset · · Score: 5, Insightful
    That's probably the dumbest way to find an answer up there. If he truly ran around on campus all day, that explains why he didn't get anywhere. The MS campus is physically huge, there are thousands of people there, and that doesn't include their satellite offices in Bellevue and other surrounding areas. Running from building to building (which would eat up a significant portion of your day, in itself) is about the least effective way I can imagine to try to find anybody there.

    We occasionally need heavy-duty tech support (for example, a couple years ago we identified an obscure but severe bug in COM), and I can usually hook up with the right person with only two or three e-mails and a few hours of waiting. All unofficial, and all back-channel, but not terribly difficult. And most of those addresses I've culled from public articles over the years. Only a few were given to me in person as a "here's my address, keep it to yourself" kind of thing. I've found that even if you contact the wrong person up there, if the request is serious, well-written (e.g. not "d00d, cn U help me? thx"), and appears to be reasonably outside the capabilities of their usual support services, they'll go out of their way to try to put you in touch with the right person. Not only have I always reached somebody who was quite knowledgeable, but very often I reach the person who wrote (or currently maintains) the code in question.

    And frankly, I'd be surprised if a staff MSJ writer didn't have those kinds of contacts.

    --

    Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  5. Not the answer you're looking for by yuri+benjamin · · Score: 2, Insightful

    No Windows box should be directly connected to the Internet.
    I might even go so far as to say no desktop OS (Including Mdk, RH, SuSE and MacOS) should be directly connected.

    Firewalls like IPCop, Smoothwall or OpenBSD can run on very modest hardware (486, maybe 386).

    Sure it helps to close the ports on your workstations if you can, but firewall them too.

    --
    You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.