From: Jean-Baptiste.Marchand at hsc.fr (Jean-Baptiste Marchand)
Subject: Why does a home computer user need DCOM?

* *Hobbit* <hobbit@...an.org> [10/09/03 - 13:31]:

> Once again, I wouldn't mind a way to turn off *ALL* the RPC stuff,
> including the RPC service itself, without paying the price of having
> almost everything I do afterward just sit there and stupidly wait for it
> to respond.  A box with it disabled *will* run, just barely, it'll just
> be sluggish as hell.

It is not really possible to disable the rpcss service (a.k.a. _Remote
Procedure Call (RPC)_), probably because a Windows NT system heavily uses
Local Procedure Calls (ncalrpc transport), which happen to be handled by
the rpcss service. 

To close port 135 (tcp and udp), used among other things by the MSRPC
endpoint mapper, you have to minimize Windows services, i.e. stop all
services that register RPC services. 

> Or at the very least a way to run it so it doesn't listen on a socket
> bound to *.  How 'bout localhost-only, or the equivalent of unix-domain
> pipes, or *something* to keep it insulated from the network??  

It is possible to bind RPC services to a specific network interface, for
example the loopback interface (127.0.0.1). This technique works on
Windows 2000 but not for all RPC services (however, it works for port
135). 

For more information, see the _RPC Services_ section of our _Minimizing
Windows network services_ paper:

http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html


> How 'bout the same for SMB/tcp 445?

Port 445 is opened by the NetBT driver (thus in kernel-mode) and is
always bound to 0.0.0.0 because it was designed as a global device:

http://www.hsc.fr/ressources/presentations/sambaxp2003/slide4.html

If you don't need SMB/CIFS at all, the easiest way to close port 445
(tcp and udp) is to disable the NetBT driver. You can also set the
SmbDeviceEnabled registry value to 0. This is also described in our
minimization paper (_CIFS over TCP_ section).


PS: thanks for netcat and your _CIFS: Common Insecurities Fail Scrutiny_
paper!

Jean-Baptiste Marchand
-- 
Jean-Baptiste.Marchand@....fr
HSC - http://www.hsc.fr/
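
An added example, not part of the original message: a small Python check that reads Windows `netstat -an` output and reports whether ports 135 and 445 are still bound to a network-reachable address after the changes described above. The function names and the sample output are constructed for illustration.

```python
import ipaddress

WATCHED_PORTS = {135, 445}  # endpoint mapper and CIFS over TCP, per the message

# Constructed sample in Windows `netstat -an` layout (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:135          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        192.0.2.20:445         ESTABLISHED
  UDP    127.0.0.1:135          *:*
  UDP    0.0.0.0:445            *:*
"""


def parse_listeners(netstat_text):
    """Yield (proto, address, port) for TCP listeners and bound UDP sockets."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        # UDP rows have no State column; TCP rows count only when LISTENING.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        host, _, port = local.rpartition(":")
        if port.isdigit():
            yield proto, host.strip("[]"), int(port)


def classify(host):
    """Return 'loopback', 'wildcard' or 'specific' for a bind address."""
    addr = ipaddress.ip_address(host.split("%")[0])  # drop any IPv6 zone id
    if addr.is_loopback:
        return "loopback"
    return "wildcard" if addr.is_unspecified else "specific"


def exposed(netstat_text, ports=WATCHED_PORTS):
    """List watched-port sockets that are reachable from the network."""
    return [(proto, host, port)
            for proto, host, port in parse_listeners(netstat_text)
            if port in ports and classify(host) != "loopback"]


if __name__ == "__main__":
    for proto, host, port in exposed(SAMPLE):
        print(f"{proto} {port} still reachable via {host}")
```

In the constructed sample, port 135 is bound to the loopback interface and is not reported, while port 445 is still bound to 0.0.0.0 and is.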

