From: Henry Sieff (hsieff ORTHODON.COM)
Date: Fri Apr 06 2001 - 09:59:26 CDT
These files don't do any of that. NT does not use them for determining
what services are active: they are standard (ie used in the *X world)
and are used in the following ways
Hosts: maps friendly names to IP addresses (obviated by DNS, DDNS, and
WINS)
Lmhosts: like hosts, but allows some NT specific features (obviated by
WINS in a large network or DDNS in Win2K)
Networks: maps friendly names to IP Subnets
Protocol: Maps IP Protocol numbers to the friendly names they
represent (Would be used mostly if you were using this machine as a
router; should be used in the TCP/IP filtering dialog, but they don't,
because they're silly :))
resolv.conf: does your dns for old fashioned DNS clients
Services: maps TCP/UDP services to their standard port number
Now, NT doesn't use any of this for anything. It exists for the sake
of *X apps ported to NT, which would look for them (for example, if
the people who ported NMAP to NT had wanted to, they could've used the
Services file instead of their own services file.)
Even in the unix world, these files don't control what your computer
can and can't do; they mostly just make it easier to refer to hosts,
networks, IP protocol, and TCP/UDP services. It's what allows me to
type in:
Also, portscanners return open port numbers; services file allows the
portscanner to translate the port numbers to friendly names.
Anyways, just wanted to head off a possible mistake in the making;
editing these files won't do anything to disable these services.
HTH
Henry
> -----Original Message-----
> From: James Carter [mailto:jcarter GENUITY.NET]
> Sent: Thursday, April 05, 2001 1:33 PM
> To: FOCUS-MS SECURITYFOCUS.COM
> Subject: Re: Windows 2000 Server Questions
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Raphael,
>
> Yes, I apologize I forgot to say '#' or comment out the particular
> ports and services. As a rule I generally disable ALL services that I
> have no intent on using then any other ports/services that I see open
> (ie....that open behind the scenes) I will comment out '#'.
>
> Well the popular way to do this sort of thing in the win32
> world......hmmmmmmm
>
> http://www.symantec.com/product/home-is.html
>
> http://www.pgp.com/products/dtop-security/default.asp
>
> http://www.zonelabs.com/
>
> http://www.tinysoftware.com/pwall.php
>
> http://www.pandasoftware.com
>
> www.mcafee.com (doesn't seem to want to pull up right now)
>
>
> My personal favorite is PGP, because of the functionality of the
> entire suite. I also like TinySoftware's firewall. These are easier
> for users to set-up and configure and some work quite well. Plus they
> are a bit more forgiving to the novice user as well.
>
> Give it a shot, play with it.......lock down more than you need (on a
> test box) see things fail......open up what is 'necessary'.
>
> Cheers.
>
> - -----Original Message-----
> From: Focus on Microsoft Mailing List
> [mailto:FOCUS-MS SECURITYFOCUS.COM]On Behalf Of Raphael PAILLARD
> Sent: Wednesday, April 04, 2001 9:41 AM
> To: FOCUS-MS SECURITYFOCUS.COM
> Subject: Re: Windows 2000 Server Questions
>
>
> Hi,
>
> When you say edit "C:\WINNT\system32\drivers\etc\-anyfiles", for example
> "services", does it mean that it is possible to lock down a port with a
> simple "#" at the start of the line?
>
> If it's true, it's a very good way to secure an NT box! It's also a
> non-popular way in NT's world.
>
> Regards,
>
> Raphaël
> - ----- Original Message -----
> From: "James Carter" <jcarter GENUITY.NET>
> To: <FOCUS-MS SECURITYFOCUS.COM>
> Sent: Wednesday, April 04, 2001 1:53 AM
> Subject: Re: Windows 2000 Server Questions
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > This is a bit of help.
> >
> > http://windowsupdate.microsoft.com/?IE
> >
> > This site will give you most of the updates you need and keep the
> > reboots to a minimum. However the security patches are another
> > story. Microsoft is a little slow on applying them to the
> > windowsupdate
> > site.
> >
> > IE 5.5 Sp1 is recommended, and go to this site for regularly
> > updated patches as well as info.
> >
> > http://www.microsoft.com/technet/security/default.asp
> >
> > Particular note on the MIME vulnerability, and the necessity of
> > having the right version of IE installed. When you download the
> > patch it has 2 IE versions that you can select from IE 5.01 sp1 and
> > IE 5.5 sp 1 the latter of the 2 I recommend. It should be painfully
> > obvious that this means these are the versions you should be
> > running but
> > since I have seen countless e-mails and bulletins flaming Microsoft
> > for their patch not working, I thought it best to bring it up.
> >
> > Also.....to manually lock down ports on the box please do this:
> >
> > Double Click 'My Computer' click 'Tools' Click 'Folder Options'
> > click the 'View' tab, enable display compressed files and folders
> > with
> > alternate colors, display full path in address bar, display full
> > path in title bar, enable show hidden files and folders, disable
> > hide file extensions for known file types, disable hide protected
> > operating
> > system files (you're gonna need this and can disable when finished and
> > is recommended especially if you will have others messing with
> > stuff). Leave everything else like it is and click 'APPLY' then
> > click 'LIKE CURRENT FOLDER'. This will then propagate the same view
> > to any location you open up via a double click on my computer and
> > browsing down the file tree.
> >
> >
> > Now, for the meat of it. Browse down the file tree to:
> > C:\WINNT\system32\drivers\etc (this was copied and pasted because
> > of the ease of use brought upon by enabling some of the
> > aforementioned features)
> > here you will see files you will want to modify to lock down the
> > server at the port level.
> > Most specifically, 'protocol' and 'networks', these will open up
> > simply enough with 'notepad.exe'.
> >
> > This should help somewhat, good luck.
> >
> > - -----Original Message-----
> > From: Focus on Microsoft Mailing List
> > [mailto:FOCUS-MS SECURITYFOCUS.COM]On Behalf Of Kyle Buehler
> > Sent: Monday, April 02, 2001 11:09 AM
> > To: FOCUS-MS SECURITYFOCUS.COM
> > Subject: Windows 2000 Server Questions
> >
> >
> > So here's the situation. I'm the "New IT Guys". There have been 3
> > before me, and I'm working on a Windows 2000 Server that has been
> > setup via a tagteam of consultants. I'm not a Microsoftie by
> > nature, but I deal with it here and there and in Advanced Windows
> > 2000 at
> > school. *joke* None the less, I'm getting into it. Anyway, here's
> > some problems that are confusing me at the current moment ...
> >
> > 1. I did a security audit against the server using Nessus and it
> > came back with ports 34555/udp, 27444/udp, 18753/udp, and 10498/tcp
> > possibly running Trin00, Trin00, Shaft, and mstream respectively. I
> > ran a few nmap scans against it and did not find the port open.
> > netstat -an didn't yield any info either. I thought at first it was
> > just catching normal traffic, but multiple scans have come out the
> > same. Any idea what this could be? McAfee is up to date and running
> > full scans once a night, and research shows that it should catch
> > all the possible trojans.
> >
> > 2. Ports 6666 and 6667 are open also, but yield no warnings from
> > Nessus. I know we are not running an irc server, so is there any 2k
> > service that claims those ports? Again, netstat didn't show anything
> > useful.
> >
> > In my scan I found that only SP1 had been applied and the server
> > was in desperate need of netbios-ssn hotfixes since I'm not quite
> > sure whether I have a cracker on my tail or not. I downloaded the
> > required patches and applied them individually.
> >
> > 3. Is there a way to apply the patches without having to reboot
> > every time? This is a server that takes 5-10 minutes for a full
> > cycle. Once I applied the patches I ran my scans again and the
> > "problem"
> > hadn't been fixed. Am I doing something wrong just running them?
> >
> > 4. Nessus found /_vti_bin/_vti_aut/dvwssr.dll ... I read up on
> > this, except I can't find it in the directory shown, and that file
> > doesn't come up by name in a find. Does it have another alias or
> > counterpart?
> >
> > 5. The server is running Exchange, and it allows open relaying
> > which I am kind of concerned about. Currently the consultant is the
> > one working the Exchange Setup ( I plan to remedy that eventually), but
> > where can I get some info on configuring something like that. Just
> > looking at the Server Manager really looks like he got it working,
> > and didn't go any farther than that.
> >
> > Any help would be appreciated.
> >
>
>
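The point made in the reply at the top of this thread, as an added example that is not part of the original messages: a services file is only a name-to-port lookup table, so commenting out an entry removes the friendly name while the listening socket stays reachable. The sample file, the `demo-svc` entry and the function names are constructed for illustration; the listener is a loopback stand-in for a real service.

```python
import socket

# Constructed sample in the services-file format; PORT is filled in at run time.
SAMPLE = """\
# <service name>  <port number>/<protocol>  [aliases...]
ftp        21/tcp
#telnet    23/tcp          # commented out, as proposed in the thread
smtp       25/tcp   mail
demo-svc   PORT/tcp        # hypothetical service used by this demo
"""

def parse_services(text):
    """Return {(name, proto): port} for every uncommented entry."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comment, tokenize
        if len(fields) < 2 or "/" not in fields[1]:
            continue                             # blank or malformed line
        port, proto = fields[1].split("/", 1)
        if not port.isdigit():
            continue
        for name in [fields[0]] + fields[2:]:    # canonical name plus aliases
            table[(name.lower(), proto.lower())] = int(port)
    return table

def port_accepts(port, host="127.0.0.1"):
    """True if a TCP connect to host:port succeeds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(2.0)
        return s.connect_ex((host, port)) == 0

def demo():
    # Stand-in for a running service: a listener on a free loopback port.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        original = SAMPLE.replace("PORT", str(port))
        edited = original.replace("demo-svc", "#demo-svc")  # the proposed "lock down"
        return {
            "name_known_before": parse_services(original).get(("demo-svc", "tcp")) == port,
            "name_known_after": ("demo-svc", "tcp") in parse_services(edited),
            "port_open_after": port_accepts(port),  # listener is untouched
        }

if __name__ == "__main__":
    print(demo())
```

To verify what is actually listening on a host, compare `netstat -an` output against the services that are enabled, not against the contents of this file.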