yes: good idea ;) I have to correct myself though: these setting expose netbios services (137, 138, 139), NOT 135. Sorry for the confusion here. I'm not aware that there are infection mechanisms making use of netbios. You should also disable netbios in the tcp/ip settings. Read the article I posted the link of. Have there been error messages in the eventlog stating that the firewall service was unable to bind to certain ports? Regarding the turning off of firewall clients, as I already said: this has nothing to do with the protection of your network. Having said that I wonder how the virus got in. Let me sleep over it ;) Mark -----Original Message----- From: Simon Weaver [mailto:Simon.Weaver@xxxxxxxx] Posted At: Wednesday, August 20, 2003 12:34 AM Posted To: www.isaserver.org Conversation: [isalist] RE: Is TCP 135 clamped down? Subject: [isalist] FW: RE: Is TCP 135 clamped down? http://www.ISAserver.org Mark Just discovered on the External Interfacr "Client For MS Networks was ticked" as well as "File / Printer Sharing". I have now unticked this! Any comments? Simon Weaver Technical Consultant MCSE+Internet / MCSE Windows 2000 Integrated Solutions Corp. Ltd http://www.iscl.net <http://www.iscl.net/> -----Original Message----- From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx] Sent: 19 August 2003 21:18 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Is TCP 135 clamped down? http://www.ISAserver.org Hi Simon, sorry I don't quite understand your question, but it's late already. If you plug an infected sytsem into the network and nothing is patched you'll end up having blaster on all your machines (including SBS/ISA). Having the MS network client bound to the external interface exposes tcp 135 to the internet. Anyone correct me if that's wrong, that's what I recall. This could be another way for the virus to get in. The virus gets into a system via port 135. As long as a system's not patched, it is vulnerable to the exploit. It doesn't matter if it's a server or workstation. Once infected, the machine will try to establish the virus on all machines on the same subnet. I can't think of any other ways the virus could have got into the network. Well that's not exactly true, my mail scanner isolated an email with msblast.exe attached, but this was on purpose :) The virus itself does not contain a mass email element. Hope I could help. Mark ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: isaserver@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')