Slashdot Mirror

← Back to Stories (view on slashdot.org)

Closing the PPTP Port Under Windows 2000?

Posted by Cliff on from the advice-clear/close-your-ports/none-can-say-how dept.

phnork asks: "I have asked many skilled Win2K users and networking specialists how to close Port 1723 in my Win2K system. I have searched the net unsuccessfully, browsed news groups, asked my ISP techies, and even asked my wife. But, although all agree the port normally used for PPTP (VPN) should not be open, no one has taken the time to document how nor post the solution where it can be found. In fact, I have found that most security issues that abound in the Wide World of Windows occur because those in the know, do not. Not even Microsoft! If they did, the solution would be as easy and straight forward as setting up a printer. Networks and security are still relegated to the nether worlds of the 80s where we used to have problems with every printer installation and computers were hauled to a grinding stop by the inability of the protocol lords to arrive at a consensus. But, maybe now the solution is at hand. Now that I have asked for help maybe someone will come forward with those super words, 'Try this...'." What other hard-to-close ports have you found open in your Win2k install. What did you have to do to close them?

29 of 70 comments (clear)

  1. Re:Fuckin terrorist! by LittleBigLui · · Score: 2, Funny

    No, teh H4x0r that broke into your machine through port 1723 did.

    --
    Free as in mason.
  2. RRAS? by Grizzletooth · · Score: 5, Informative

    Are you running Routing and Remote Access Services on that machine? I don't see 1723 as a default open port on my servers that don't have RRAS enabled.

  3. PPTP?!? by Anonymous Coward · · Score: 5, Funny

    Couldn't they think of a better name? That always sounded like a restroom on an Indian reservation to me...

  4. hardware firewalls / nat routers by Feztaa · · Score: 4, Informative

    Putting your win2k box behind a NAT Router or a hardware firewall of some sort will block connections to that port from the internet. While not an optimal solution, it beats having the port open to the internet! ;)

    1. Re:hardware firewalls / nat routers by storem · · Score: 4, Insightful

      I had the same problems until I installed an IPCop Firewall box. In my opinion it's always better to have a dedicated firewall machine. You never know what is open (by mistake) on your workstation and/or servers.

      my e$0.02

      --
      StarTrek.org Free Webmail
  5. Try TCPView from sysinternals by Fat+Cow · · Score: 5, Informative

    That should tell you which process is listening on that port. Then you can stop the appropriate service or kill the appropriate process.

    --
    stay frosty and alert
    1. Re:Try TCPView from sysinternals by Anonymous Coward · · Score: 3, Informative
      No need to download anything. Just run netstat -a -o to get process IDs that have listening ports. For a more fine-grained solution run the following command:
      for /f "tokens=*" %a in ('netstat -a -o') do @echo %a | findstr /i ":pptp.*listening"
    2. Re:Try TCPView from sysinternals by Chase · · Score: 4, Informative

      On Win2k?

      Here is what I got when I tried your suggestion.

      C:\>netstat -a -o

      Displays protocol statistics and current TCP/IP network connections.

      NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

      -a Displays all connections and listening ports.
      -e Displays Ethernet statistics. This may be combined with the -s
      option.
      -n Displays addresses and port numbers in numerical form.
      -p proto Shows connections for the protocol specified by proto; proto
      may be TCP or UDP. If used with the -s option to display
      per-protocol statistics, proto may be TCP, UDP, or IP.
      -r Displays the routing table.
      -s Displays per-protocol statistics. By default, statistics are
      shown for TCP, UDP and IP; the -p option may be used to specify
      a subset of the default.
      interval Redisplays selected statistics, pausing interval seconds
      between each display. Press CTRL+C to stop redisplaying
      statistics. If omitted, netstat will print the current
      configuration information once.

      I suggest downloading fport. Its very similar in function to lsof.

      --
      -==-
    3. Re:Try TCPView from sysinternals by Anonymous Coward · · Score: 3, Informative

      You're right. I was on a Windows XP box when I typed that. The -o option must be a new feature. Mods: mod my last comment down.

  6. Try this... by skinfitz · · Score: 4, Informative

    ZoneAlarm

    Alternatively you can block any port on a Windows 2000 LAN adapter by enabling TCP/IP Filtering under the TCP/IP properties for that adapter. The way it works is you enable it which will block everything, then you must enable the services you would like to use.

  7. software firewall by ajagci · · Score: 2, Informative

    Any decent software firewall will let you shut down whatever port you like. Perhaps even the built-in Microsoft firewall lets you do that now if you configure it correctly.

  8. Good luck by rixstep · · Score: 4, Funny

    Good luck, my friend. I hope someone in here has a good tip. But this biz about not even MS themselves knowing: I remember a few years back when a writer for the MSJ, aware of how hard it was to find anyone in MS who knew anything, spent a day on the campus chasing down people who might know why and how byte offset 12 in the VFAT Unicode directory entries were formatted (something like that). He gave up at 5 PM after a whole day at it - with no answer in sight.

    1. Re:Good luck by zero_offset · · Score: 5, Insightful
      That's probably the dumbest way to find an answer up there. If he truly ran around on campus all day, that explains why he didn't get anywhere. The MS campus is physically huge, there are thousands of people there, and that doesn't include their satellite offices in Bellview and other surrounding areas. Running from building to building (which would eat up a significant portion of your day, in itself) is about the least effective way I can imagine to try to find anybody there.

      We occasionally need heavy-duty tech support (for example, a couple years ago we identified an obscure but severe bug in COM), and I can usually hook up with the right person with only two or three e-mails and a few hours of waiting. All unofficial, and all back-channel, but not terribly difficult. And most of those addresses I've culled from public articles over the years. Only a few were given to me in person as a "here's my address, keep it to yourself" kind of thing. I've found that even if you contact the wrong person up there, if the request is serious, well-written (e.g. not "d00d, cn U help me? thx"), and appears to be reasonably outside the capabilities of their usual support services, they'll go out of their way to try to put you in touch with the right person. Not only have I always reached somebody who was quite knowledgable, but very often I reach the person who wrote (or currently maintains) the code in question.

      And frankly, I'd be surprised if a staff MSJ writer didn't have those kinds of contacts.

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  9. joke.. right? by undef24 · · Score: 5, Informative

    This is a joke right?

    Go download Active Ports and see what program is actually casuing that port to be open.

    You can also try running this document in the reverse order to uninstall PPTP :)

  10. Also this... by boobox · · Score: 4, Informative

    I use Zone Alarm and also utilize Steve Gibson's Shields Up! to check my ports.

  11. Is this all the info you got? by shyster · · Score: 5, Insightful
    I don't know what "skilled Win2K users and networking specialists" you've been talking to, but I think some more info may be in order here.

    Though I don't have a Win2K machine handy to test right now, I don't believe it's normal for that port to be open for no reason. I can verify that neither my WinXP PC and my Win2003 server have it open, and I don't recall it ever being opened on Win2K.

    Are you running Win2K Professional? Do you have the RRAS service running? Have you tried any diagnostic tools like TCPView to isolate the process? Up to date virus scan and adware scans? Any communication on that port? Any odd processes in TaskManager? If you shutdown background tasks, does that port remain open? Oh, and since you seem to be lacking in ability, how did you come to the conclusion that port was open?

    ..,no one has taken the time to document how nor post the solution where it can be found.

    The solution is simple. Stop the process listening on that port. I don't think anyone needs to write a HOWTO on that. And seeing that I haven't heard of anyone else complaining about this (nor seen it myself), I'm inlcined to believe it's something unique to your setup - not Windows.

    I have found that most security issues that abound in the Wide World of Windows occur because those in the know, do not.
    Perhaps those that think they are "in the know, do not" (like ISP techs). But those of actually in the know do know how to track down a process holding a port open.

    I think, phnork, that you may want to hold off on your anti-MS diatribe until you find what the issue actually is. Dollars to doughnuts it's your fault, not MS.

    1. Re:Is this all the info you got? by Khazunga · · Score: 2, Insightful
      Are you running Win2K Professional? Do you have the RRAS service running? Have you tried any diagnostic tools like TCPView [sysinternals.com] to isolate the process? Up to date virus scan and adware scans? Any communication on that port? Any odd processes in TaskManager? If you shutdown background tasks, does that port remain open? Oh, and since you seem to be lacking in ability, how did you come to the conclusion that port was open?
      Doesn't anyone else find it extremely cumbersome and security error prone to allow processes to open listen ports as they wish? Isn't there an equivalent to ipfilter in the Windows kernel?
      --
      If at first you don't succeed, skydiving is not for you
    2. Re:Is this all the info you got? by Spoing · · Score: 2, Informative
      1. Doesn't anyone else find it extremely cumbersome and security error prone to allow processes to open listen ports as they wish? Isn't there an equivalent to ipfilter in the Windows kernel?

      Agreed. That doesn't make any sense. While I know folks can add-on tools like Zone Alarm, not having a built-in configuration for this seems strange.

      Along those lines though, the per-process/app/server block of ZA and other Windows firewalls could have some uses on Linux. I guess with SE Linux, that will come along for-free, though I don't know that for a fact. Anyone?

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    3. Re:Is this all the info you got? by secolactico · · Score: 3, Interesting

      Isn't there an equivalent to ipfilter in the Windows kernel?

      Yes. The Win2k has port filtering but it's disabled in the default install. And it sucks at maintaining UDP state (and is not granular enough for my purposes...)

      --
      No sig
    4. Re:Is this all the info you got? by anticypher · · Score: 3, Informative

      Reply or moderate? Well, since shyster's post is already at +5, here I go...

      My first reaction was that he has somehow managed to install RRAS. Its astonishing how many people have shit installed on their boxes they don't know how or when were installed.

      A quick nmap of a default install win2k box shows only a handful of open ports: 135, 445, 1025, 1026. Turning on netBios over IP also opens ports 137, 138, 139. Beyond that, ports only get opened up by enabling or installing other software. RRAS will open up various ports, depending on which options you configure: 1723(pptp), 1701(l2tp), 520(rip) and if you configure OSPF or RIPv2, appropriate multicast addresses will appear. Installing Access, which installs ODBC/MSSQL, opens up port 1434, which unpatched allows the slammer worm to propagate.

      Every network aware product you install on 'doze may leave ports open. Any moderately experienced system admin knows this, so if the OP wasn't able to get a response, that is because he didn't truly ask anyone knowlegable.

      The OP was a troll, but this is /., where a good troll can always get a story posted.

      the AC

      --
      Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  12. RPC Config by Vlad_Drak · · Score: 5, Informative

    By default RPC/135 listens on 0.0.0.0, but you can change this by using MS's rpccfg.exe to listen on the loopback only.

    http://www.microsoft.com/windows2000/techinfo/re sk it/tools/new/rpccfg-o.asp

    Also, port 445 is open, even if you disable File and Print Sharing. To fix that hole, open up regedit and change:

    HKLM\System\CurrentControlSet\Services\NetBT\Par am eters\TransportBindName from '\Device\' to nothing. You can't use the workstation service|CIFS outbound either when you do this though, and you have to reboot for it to take should you want to switch back.

    I've never had a problem with PPTP or the port you mentioned, maybe try disabling Routing and Remote Access, or other services.

    I have my Win2k3 box only listening on 22, OpenSSHd and scp work like a champ.

    Michael Johnson took over the NetworkSimplicity OpenSSH installer, which makes it too easy not to use SSH on Windows.

    http://lexa.mckenna.edu/sshwindows/

    -Vlad

  13. TCP/IP settings... by ameoba · · Score: 4, Informative

    Doesn't the advanced TCP/IP settings under 2K allow you to filter ports?

    Alternately, you could write a dummy service that listens on a port, accepts connections & throws all data away, forcing attackers to time-out.

    --
    my sig's at the bottom of the page.
  14. Re:OT, but of interest? by Bishop · · Score: 3, Informative

    Insure that ECN is not enabled on the Linux box.

  15. Windows services by Hard_Code · · Score: 4, Informative

    windows services

    My guess is Routing and Remote Access, which along with the alarming Remote Registry Service, should be one of the things you turn off by default on a new install. No different from turning off all the crap that is installed on a typical default Linux installation.

    --

    It's 10 PM. Do you know if you're un-American?
  16. Help, Ask Slashdot! by duffbeer703 · · Score: 4, Funny

    I purchased some gasoline and returned to the drivers seat of my car. I looked in the side view mirror, and to my horror, the fuel tank door was still open!

    There is no documentation anywhere about how to return the fuel tank door to the "closed" position. I even called the dealer and they just laughed and said that nothing is wrong... please help!

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  17. Closing Ports by MountainLogic · · Score: 4, Funny
    The fastest way to shut down a port is an air strike. This only tends to work in the sort term as the government can rebuild. It may take weeks or so of steaming, but mining is a much better long term way to shut a port down. If you just want to take control of a port I'd send in a SEAL team to take out key defences then follow up with the Marines.

    Of course, the only way to be sure is to try and cut pay to the longshoremen. Nothing will shut down a port tighter than a longshoremen's strike.

    Oh, wait. This is slashdot.ORG not slashdot.MIL.

    Never mind....

  18. Not the answer you're looking for by yuri+benjamin · · Score: 2, Insightful

    No Windows box should be directly connected to the Internet.
    I might even go so far as to say no desktop OS (Including Mdk, RH, SuSE and MacOS) should be directly connected.

    Firewalls like IPCop, Smoothwall or OpenBSD can run on very modest hardware (486, maybe 386).

    Sure it helps to close the ports on your workstations if you can, but firewall them too.

    --
    You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
  19. Try disabling the Network adapter by steeph · · Score: 2, Interesting

    Go to the device manager, show hidden devices on the view menu if necessary, browse to the network adapters and disable the WAN Miniport (PPTP) and others if you like.
    As a side benefit you're machine will use less resources aswell.

  20. Easy fix. by sharkey · · Score: 2, Funny

    Look at the back of the PC. You'll see a fan grill next to a thick black or gray cable with a large plug. Remove said cable, and the port is secured.

    --

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.