RE: FW: RE: Is TCP 135 clamped down?

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 19 Aug 2003 16:06:50 -0700

It's coming in mail as well...
Your clients can bring it from home.
It didn't pass through ISA if you have packet filtering turned on and you
didn't create a packet filter allowing TCP-135.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 19, 2003 15:16
Subject: [isalist] RE: FW: RE: Is TCP 135 clamped down?


http://www.ISAserver.org


yes: good idea ;)  I have to correct myself though: these settings expose
netbios services (137, 138, 139), NOT 135. Sorry for the confusion here.
I'm not aware that there are infection mechanisms making use of netbios.


You should also disable netbios in the tcp/ip settings. Read the article
I posted the link of. Have there been error messages in the eventlog
stating that the firewall service was unable to bind to certain ports?

Regarding the turning off of firewall clients, as I already said: this
has nothing to do with the protection of your network. Having said that
I wonder how the virus got in. Let me sleep over it ;)

Mark


-----Original Message-----
From: Simon Weaver [mailto:Simon.Weaver@xxxxxxxx]
Posted At: Wednesday, August 20, 2003 12:34 AM
Posted To: www.isaserver.org
Conversation: [isalist] RE: Is TCP 135 clamped down?
Subject: [isalist] FW: RE: Is TCP 135 clamped down?




Mark
Just discovered on the External Interface "Client For MS
Networks" was ticked as well as "File / Printer Sharing". I have now
unticked this!

Any comments?

Simon Weaver
Technical Consultant
MCSE+Internet / MCSE Windows 2000
Integrated Solutions Corp. Ltd
http://www.iscl.net <http://www.iscl.net/>

-----Original Message-----
From: Mark Hippenstiel
[mailto:M.Hippenstiel@xxxxxxxxxxxx]
Sent: 19 August 2003 21:18
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Is TCP 135 clamped down?




Hi Simon,

sorry I don't quite understand your question, but it's
late already. If you plug an infected system into the network and
nothing is patched you'll end up having blaster on all your machines
(including SBS/ISA).

Having the MS network client bound to the external
interface exposes tcp 135 to the internet. Anyone correct me if that's
wrong, that's what I recall. This could be another way for the virus to
get in.

The virus gets into a system via port 135. As long as a
system's not patched, it is vulnerable to the exploit. It doesn't matter
if it's a server or workstation. Once infected, the machine will try to
establish the virus on all machines on the same subnet.

I can't think of any other ways the virus could have got
into the network. Well that's not exactly true, my mail scanner isolated
an email with msblast.exe attached, but this was on purpose :) The virus
itself does not contain a mass email element.

Hope I could help.
Mark


------------------------------------------------------
List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion
List as: isaserver@xxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
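
Added example, not part of any message in this thread: one way to check the exposure discussed above is to parse `netstat -an` output from the ISA machine and list which of the ports named in the thread (TCP 135 and NetBIOS 137, 138, 139) are listening on the external interface address or on the 0.0.0.0 wildcard. The sample output and all addresses are constructed; the function name is hypothetical, and only IPv4 rows are considered.

```python
# Added example: constructed netstat output, not taken from the systems in this thread.
WATCHED = {("TCP", 135), ("UDP", 137), ("UDP", 138), ("TCP", 139)}

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:8080          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.7:80        ESTABLISHED
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
  UDP    10.0.0.1:137           *:*
"""


def exposed_listeners(netstat_text, external_ip):
    """Return sorted (proto, port, local_ip) for watched ports bound where
    traffic arriving at external_ip can reach them."""
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only LISTENING sockets accept connections.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        ip, _, port = local.rpartition(":")
        if not port.isdigit() or (proto, int(port)) not in WATCHED:
            continue
        # A wildcard bind (0.0.0.0) listens on every interface, external included.
        if ip in (external_ip, "0.0.0.0"):
            findings.add((proto, int(port), ip))
    return sorted(findings)


if __name__ == "__main__":
    # 192.0.2.10 stands in for the external interface address (assumption).
    for proto, port, ip in exposed_listeners(SAMPLE_NETSTAT, "192.0.2.10"):
        print(f"{proto} {port} is listening on {ip}")
```

A listener reported here is bound to the external interface; whether traffic actually reaches it still depends on packet filtering being enabled and on no packet filter allowing that port.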


