Closing the PPTP Port Under Windows 2000?

phnork asks: "I have asked many skilled Win2K users and networking specialists how to close Port 1723 in my Win2K system. I have searched the net unsuccessfully, browsed news groups, asked my ISP techies, and even asked my wife. But, although all agree the port normally used for PPTP (VPN) should not be open, no one has taken the time to document how nor post the solution where it can be found. In fact, I have found that most security issues that abound in the Wide World of Windows occur because those in the know, do not. Not even Microsoft! If they did, the solution would be as easy and straight forward as setting up a printer. Networks and security are still relegated to the nether worlds of the 80s where we used to have problems with every printer installation and computers were hauled to a grinding stop by the inability of the protocol lords to arrive at a consensus. But, maybe now the solution is at hand. Now that I have asked for help maybe someone will come forward with those super words, 'Try this...'." What other hard-to-close ports have you found open in your Win2k install. What did you have to do to close them?

Re:Fuckin terrorist!

[LittleBigLui]

No, teh H4x0r that broke into your machine through port 1723 did.

RRAS?

[Grizzletooth]

Are you running Routing and Remote Access Services on that machine? I don't see 1723 as a default open port on my servers that don't have RRAS enabled.

Re:RRAS?

yeah what's the prob it's not open by default
Technet - The Cable Guy - January 2003
Virtual Private Networks for Windows 2000

PPTP?!?

Couldn't they think of a better name? That always sounded like a restroom on an Indian reservation to me...

Re:PPTP?!?

[sharkey]

It's certainly better than "You pee 'n' pee".

hardware firewalls / nat routers

[Feztaa]

Putting your win2k box behind a NAT Router or a hardware firewall of some sort will block connections to that port from the internet. While not an optimal solution, it beats having the port open to the internet! ;)

Re:hardware firewalls / nat routers

[storem]

I had the same problems until I installed an IPCop Firewall box. In my opinion it's always better to have a dedicated firewall machine. You never know what is open (by mistake) on your workstation and/or servers.

my e$0.02

Re:hardware firewalls / nat routers

[linzeal]

I have had better luck with Astaro. The built in SOCKS server and Anti-Virus email protection help lots.

Re:hardware firewalls / nat routers

[booch]

That still leaves you vulnerable to viruses that exploit holes in the service implementation on that port. Most of the (non-email) viruses I've seen recently were spread from the inside of a company. One system -- a laptop that someone had hooked up at home against company policy -- was infected, then spread to all the other internal systems. We don't have (many) firewalls segregating our internal network, so the virus was free to spread.

There are 3 ways to prevent this. In order of preference: turning off unused ports; "personal" firewalls running on every system; internal segmentation with ACLs/firewalls. Ideally, all 3. None of these seem to be common practice on Windows systems. :(

And of course, keep your patches up to date.

Try TCPView from sysinternals

[Fat+Cow]

That should tell you which process is listening on that port. Then you can stop the appropriate service or kill the appropriate process.

Re:Try TCPView from sysinternals

No need to download anything. Just run netstat -a -o to get process IDs that have listening ports. For a more fine-grained solution run the following command:

for /f "tokens=*" %a in ('netstat -a -o') do @echo %a | findstr /i ":pptp.*listening"

Re:Try TCPView from sysinternals

[Chase]

On Win2k?

Here is what I got when I tried your suggestion.

C:\>netstat -a -o

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

-a Displays all connections and listening ports.
-e Displays Ethernet statistics. This may be combined with the -s
option.
-n Displays addresses and port numbers in numerical form.
-p proto Shows connections for the protocol specified by proto; proto
may be TCP or UDP. If used with the -s option to display
per-protocol statistics, proto may be TCP, UDP, or IP.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are
shown for TCP, UDP and IP; the -p option may be used to specify
a subset of the default.
interval Redisplays selected statistics, pausing interval seconds
between each display. Press CTRL+C to stop redisplaying
statistics. If omitted, netstat will print the current
configuration information once.

I suggest downloading fport. Its very similar in function to lsof.

Re:Try TCPView from sysinternals

You're right. I was on a Windows XP box when I typed that. The -o option must be a new feature. Mods: mod my last comment down.

Re:Try TCPView from sysinternals

[ameoba]

Bah. Why mod the post down? Just force the guy to upgrade to XP; I mean, what's the point in running outdated software?

Try this...

[skinfitz]

ZoneAlarm

Alternatively you can block any port on a Windows 2000 LAN adapter by enabling TCP/IP Filtering under the TCP/IP properties for that adapter. The way it works is you enable it which will block everything, then you must enable the services you would like to use.

Re:Try this...

ZoneAlarm

Better with Kerio. ZA's as leaky as a sieve.

Re:Try this...

[tengwar]

Quoth the AC: Better with Kerio. ZA's as leaky as a sieve.

Source?

Re:Try this...

[stanmann]

Download it... :) I'm pretty sure since it's a fork from tiny Personal firewall it is open.

Re:Try this...

[tengwar]

I use ZA - it does function as a firewall, which is not exactly surprising.

Re:Try this...

[stanmann]

OH, I thought you wanted the source for Kerio aka TPF(Tiny Personal Firewall)? Which are free.. unlike ZA..

Re:Try this...

[stanmann]

MY claim??

software firewall

[ajagci]

Any decent software firewall will let you shut down whatever port you like. Perhaps even the built-in Microsoft firewall lets you do that now if you configure it correctly.

Good luck

[rixstep]

Good luck, my friend. I hope someone in here has a good tip. But this biz about not even MS themselves knowing: I remember a few years back when a writer for the MSJ, aware of how hard it was to find anyone in MS who knew anything, spent a day on the campus chasing down people who might know why and how byte offset 12 in the VFAT Unicode directory entries were formatted (something like that). He gave up at 5 PM after a whole day at it - with no answer in sight.

Re:Good luck

[zero_offset]

That's probably the dumbest way to find an answer up there. If he truly ran around on campus all day, that explains why he didn't get anywhere. The MS campus is physically huge, there are thousands of people there, and that doesn't include their satellite offices in Bellview and other surrounding areas. Running from building to building (which would eat up a significant portion of your day, in itself) is about the least effective way I can imagine to try to find anybody there.

We occasionally need heavy-duty tech support (for example, a couple years ago we identified an obscure but severe bug in COM), and I can usually hook up with the right person with only two or three e-mails and a few hours of waiting. All unofficial, and all back-channel, but not terribly difficult. And most of those addresses I've culled from public articles over the years. Only a few were given to me in person as a "here's my address, keep it to yourself" kind of thing. I've found that even if you contact the wrong person up there, if the request is serious, well-written (e.g. not "d00d, cn U help me? thx"), and appears to be reasonably outside the capabilities of their usual support services, they'll go out of their way to try to put you in touch with the right person. Not only have I always reached somebody who was quite knowledgable, but very often I reach the person who wrote (or currently maintains) the code in question.

And frankly, I'd be surprised if a staff MSJ writer didn't have those kinds of contacts.

Re:Good luck

[rixstep]

Whatever!

It was either Richter or Oney. And I think both of them would know where to go. But even the people who work there don't have the answers. The ones that do may have quit. For years there was no one dared touch the Win16 GDI, USER, KRNL for precisely this reason.

Another example: what's the gibberish between the DOS and PE headers that came with MSC 12? Do you know? Can you find anyone who does?

Good luck my friend.

joke.. right?

[undef24]

This is a joke right?

Go download Active Ports and see what program is actually casuing that port to be open.

You can also try running this document in the reverse order to uninstall PPTP :)

Re:joke.. right?

[crmurphey]

Active ports doesn't tell you _which_ service has the port open, but rather that services.exe, etc. process has the port open.

Also this...

[boobox]

I use Zone Alarm and also utilize Steve Gibson's Shields Up! to check my ports.

Is this all the info you got?

[shyster]

I don't know what "skilled Win2K users and networking specialists" you've been talking to, but I think some more info may be in order here.

Though I don't have a Win2K machine handy to test right now, I don't believe it's normal for that port to be open for no reason. I can verify that neither my WinXP PC and my Win2003 server have it open, and I don't recall it ever being opened on Win2K.

Are you running Win2K Professional? Do you have the RRAS service running? Have you tried any diagnostic tools like TCPView to isolate the process? Up to date virus scan and adware scans? Any communication on that port? Any odd processes in TaskManager? If you shutdown background tasks, does that port remain open? Oh, and since you seem to be lacking in ability, how did you come to the conclusion that port was open?

..,no one has taken the time to document how nor post the solution where it can be found.

The solution is simple. Stop the process listening on that port. I don't think anyone needs to write a HOWTO on that. And seeing that I haven't heard of anyone else complaining about this (nor seen it myself), I'm inlcined to believe it's something unique to your setup - not Windows.

I have found that most security issues that abound in the Wide World of Windows occur because those in the know, do not.

Perhaps those that think they are "in the know, do not" (like ISP techs). But those of actually in the know do know how to track down a process holding a port open.

I think, phnork, that you may want to hold off on your anti-MS diatribe until you find what the issue actually is. Dollars to doughnuts it's your fault, not MS.

Re:Is this all the info you got?

[Khazunga]

Are you running Win2K Professional? Do you have the RRAS service running? Have you tried any diagnostic tools like TCPView [sysinternals.com] to isolate the process? Up to date virus scan and adware scans? Any communication on that port? Any odd processes in TaskManager? If you shutdown background tasks, does that port remain open? Oh, and since you seem to be lacking in ability, how did you come to the conclusion that port was open?

Doesn't anyone else find it extremely cumbersome and security error prone to allow processes to open listen ports as they wish? Isn't there an equivalent to ipfilter in the Windows kernel?

Re:Is this all the info you got?

[Spoing]

1. Doesn't anyone else find it extremely cumbersome and security error prone to allow processes to open listen ports as they wish? Isn't there an equivalent to ipfilter in the Windows kernel?

Agreed. That doesn't make any sense. While I know folks can add-on tools like Zone Alarm, not having a built-in configuration for this seems strange.

Along those lines though, the per-process/app/server block of ZA and other Windows firewalls could have some uses on Linux. I guess with SE Linux, that will come along for-free, though I don't know that for a fact. Anyone?

Re:Is this all the info you got?

[secolactico]

Isn't there an equivalent to ipfilter in the Windows kernel?

Yes. The Win2k has port filtering but it's disabled in the default install. And it sucks at maintaining UDP state (and is not granular enough for my purposes...)

Re:Is this all the info you got?

[anticypher]

Reply or moderate? Well, since shyster's post is already at +5, here I go...

My first reaction was that he has somehow managed to install RRAS. Its astonishing how many people have shit installed on their boxes they don't know how or when were installed.

A quick nmap of a default install win2k box shows only a handful of open ports: 135, 445, 1025, 1026. Turning on netBios over IP also opens ports 137, 138, 139. Beyond that, ports only get opened up by enabling or installing other software. RRAS will open up various ports, depending on which options you configure: 1723(pptp), 1701(l2tp), 520(rip) and if you configure OSPF or RIPv2, appropriate multicast addresses will appear. Installing Access, which installs ODBC/MSSQL, opens up port 1434, which unpatched allows the slammer worm to propagate.

Every network aware product you install on 'doze may leave ports open. Any moderately experienced system admin knows this, so if the OP wasn't able to get a response, that is because he didn't truly ask anyone knowlegable.

The OP was a troll, but this is /., where a good troll can always get a story posted.

the AC

Nobody_can_fix_it tizzy

[jcasey]

I prefer to use multiple layers on machines that matter... If security is important to you, use IP filtering, a hardware firewall, and software firewall. If you need to use PPTP, a decent hardware firewall will have a mechanism for allowing you to open the port from the inside only... There is another subtle non-technical issue present - its this dramatic "nobody in the whole world can fit it" tone. Closing a port is a simple task. Either your "technical" contacts are lousy, or you did not explain the problem to them correctly (or to us for that matter) Some things that would help are: 1. A Windows 2000 Pro. MCSE Certification Book 2. A shrink 3. Google Seriously, the cert. book is an excellent resource for end users. Though it won't make you a guru, you will at least have a clue ;)

RPC Config

[Vlad_Drak]

By default RPC/135 listens on 0.0.0.0, but you can change this by using MS's rpccfg.exe to listen on the loopback only.

http://www.microsoft.com/windows2000/techinfo/re sk it/tools/new/rpccfg-o.asp

Also, port 445 is open, even if you disable File and Print Sharing. To fix that hole, open up regedit and change:

HKLM\System\CurrentControlSet\Services\NetBT\Par am eters\TransportBindName from '\Device\' to nothing. You can't use the workstation service|CIFS outbound either when you do this though, and you have to reboot for it to take should you want to switch back.

I've never had a problem with PPTP or the port you mentioned, maybe try disabling Routing and Remote Access, or other services.

I have my Win2k3 box only listening on 22, OpenSSHd and scp work like a champ.

Michael Johnson took over the NetworkSimplicity OpenSSH installer, which makes it too easy not to use SSH on Windows.

http://lexa.mckenna.edu/sshwindows/

-Vlad

TCP/IP settings...

[ameoba]

Doesn't the advanced TCP/IP settings under 2K allow you to filter ports?

Alternately, you could write a dummy service that listens on a port, accepts connections & throws all data away, forcing attackers to time-out.

Re:TCP/IP settings...

[rekkanoryo]

Yes, it can. It's just buried deeper than most people care to look. Unfortunately it's only an accept or drop setting; you can't configure stateful filtering.

Re:OT, but of interest?

[Bishop]

Insure that ECN is not enabled on the Linux box.

Re:OT, but of interest?

[twilight30]

Bishop, you may have just saved my life. Thank you for pointing this out (haven't looked at ECN since early on in 2.4 release days) but I will check it immediately.

Re:OT, but of interest?

[twilight30]

Thanks Bishop. It worked. Amazing how the simplest things can evade me sometimes ;)

Windows services

[Hard_Code]

windows services

My guess is Routing and Remote Access, which along with the alarming Remote Registry Service, should be one of the things you turn off by default on a new install. No different from turning off all the crap that is installed on a typical default Linux installation.

Re:Windows services

[Khazunga]

No different from turning off all the crap that is installed on a typical default Linux installation.

Small correction needed: No respectable distro nowadays will install any network service, except for the ocasional sshd.

Help, Ask Slashdot!

[duffbeer703]

I purchased some gasoline and returned to the drivers seat of my car. I looked in the side view mirror, and to my horror, the fuel tank door was still open!

There is no documentation anywhere about how to return the fuel tank door to the "closed" position. I even called the dealer and they just laughed and said that nothing is wrong... please help!

Closing Ports

[MountainLogic]

The fastest way to shut down a port is an air strike. This only tends to work in the sort term as the government can rebuild. It may take weeks or so of steaming, but mining is a much better long term way to shut a port down. If you just want to take control of a port I'd send in a SEAL team to take out key defences then follow up with the Marines.

Of course, the only way to be sure is to try and cut pay to the longshoremen. Nothing will shut down a port tighter than a longshoremen's strike.

Oh, wait. This is slashdot.ORG not slashdot.MIL.

Never mind....

defense in depth

[rakerman]

1. disable the service 2. you may also want to add a software firewall, or enable the built-in firewalling, or both 3. you may also want to add a hardware firewall

My links on Windows Security Software should give you some starting points.

Also note that PPTP uses not only TCP/UDP but also GRE (protocol 47).

Don't block a port, block a protocol!

[Michael+Spencer+Jr.]

PPTP uses the GRE protocol, protocol number 47.

Let me back up and explain:

IP datagrams just specify machines. They say packets are going from one computer to another, but they don't care what kind of data is in the packet.

Inside that packet is a specific protocol number. TCP packets use protocol number 6, UDP packets use protocol number 17, and ICMP packets use protocol number 1.

Then, based on the protocol number, the computer interprets the contents of the packet.

In this case, PPTP uses TCP traffic (I think) to set up the connection but uses GRE for the actual payload. If you block GRE then PPTP can't operate.

So find some way to make your network or your computer block protocol number 47, and you'll be good to go.

Not the answer you're looking for

[yuri+benjamin]

No Windows box should be directly connected to the Internet.
I might even go so far as to say no desktop OS (Including Mdk, RH, SuSE and MacOS) should be directly connected.

Firewalls like IPCop, Smoothwall or OpenBSD can run on very modest hardware (486, maybe 386).

Sure it helps to close the ports on your workstations if you can, but firewall them too.

Try disabling the Network adapter

[steeph]

Go to the device manager, show hidden devices on the view menu if necessary, browse to the network adapters and disable the WAN Miniport (PPTP) and others if you like.
As a side benefit you're machine will use less resources aswell.

Easy fix.

[sharkey]

Look at the back of the PC. You'll see a fan grill next to a thick black or gray cable with a large plug. Remove said cable, and the port is secured.

Geeze, thanks for all the help.

[twitter]

Every network aware product you install on 'doze may leave ports open. Any moderately experienced system admin knows this...

"network aware", that's great spin on crap that phones home and listens on random ports without telling you. Great of you also to mention how this helps worms propagate.

How about giving the man the benifit of the doubt and telling him what applications might be listening to 1723? He already knows that pptp or something is litening. What he needs to know is how to turn the shit off. My recomendation is, as always, to avoid M$ junk in the first place.