by Jean-Baptiste Marchand (25/03/2005)
-[ Minimizing Windows Server 2003 network services ]-
1. Introduction
This document is an evolution of the document
Minimizing Windows network services - Examples with Windows 2000 and Windows XP
published for the first time in September 2002
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
and explains how the same methodology can be applied to minimize network services
of Windows Server 2003 systems.
Windows network services are presented in details in the _Windows network
services internals_ paper, available at
http://www.hsc.fr/ressources/articles/win_net_srv/
2. Target
The hardening recommendations presented in this document will only be used for
isolated Windows Server 2003 systems (systems that are not part of an Active
Directory domain).
Depending on the target environment, only a subset of the recommendations will
be implemented.
Yet, it is possible to apply all recommendations on hardened systems (such as
servers used in DMZ).
3. Overview of default Windows Server 2003 network services
The netstat command can be used to enumerate running network services on a
default Windows Server 2003 system:
C:\>netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 680
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 508
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 992
TCP 192.70.106.144:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 508
UDP 0.0.0.0:1027 *:* 992
UDP 0.0.0.0:1029 *:* 912
UDP 0.0.0.0:4500 *:* 508
UDP 127.0.0.1:123 *:* 992
UDP 192.70.106.144:123 *:* 992
UDP 192.70.106.144:137 *:* 4
UDP 192.70.106.144:138 *:* 4
When the -o netstat option is used, the PID column contains the process
identifier of the process that bound a socket.
The tasklist command displays the translation between process identifiers and
executable names:
C:\>tasklist
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ =========== ============
System Idle Process 0 Console 0 16 K
System 4 Console 0 212 K
smss.exe 372 Console 0 456 K
csrss.exe 428 Console 0 3 656 K
winlogon.exe 452 Console 0 1 988 K
services.exe 496 Console 0 3 052 K
lsass.exe 508 Console 0 8 284 K
svchost.exe 680 Console 0 2 732 K
svchost.exe 728 Console 0 3 748 K
svchost.exe 912 Console 0 3 792 K
svchost.exe 964 Console 0 1 868 K
svchost.exe 992 Console 0 17 352 K
spoolsv.exe 1220 Console 0 4 876 K
msdtc.exe 1248 Console 0 3 944 K
svchost.exe 1340 Console 0 1 748 K
svchost.exe 1372 Console 0 1 304 K
dfssvc.exe 1568 Console 0 3 116 K
wmiprvse.exe 1932 Console 0 4 564 K
explorer.exe 1816 Console 0 17 012 K
ctfmon.exe 560 Console 0 2 304 K
msiexec.exe 204 Console 0 3 168 K
wpabaln.exe 1004 Console 0 2 460 K
cmd.exe 280 Console 0 1 468 K
wmiprvse.exe 276 Console 0 4 744 K
tasklist.exe 1268 Console 0 3 244 K
4. TCP and UDP ports used by Windows Server 2003 default network services
4.1 IPSEC Services (PolicyAgent)
The IPSEC Services service opens two UDP sockets:
- one UDP socket bound to UDP port 500 (ISAKMP support)
- one UDP socket bound to UDP port 4500 (NAT-T support)
These two UDP ports appear in netstat's output:
UDP 0.0.0.0:500 *:* 508
UDP 0.0.0.0:4500 *:* 508
^^^
508 corresponds to the PID of lsass.exe (the PolicyAgent service runs inside
the LSA process):
C:\>tasklist /svc /fi "pid eq 508"
Image Name PID Services
========================= ====== =============================================
lsass.exe 508 PolicyAgent, ProtectedStorage, SamSs
Stopping the PolicyAgent service immediately closes the two UDP sockets:
C:\>net stop policyagent
The IPSEC Services service is stopping.
The IPSEC Services service was stopped successfully.
To set the startup mode of the PolicyAgent service to manual instead of
automatic (default configuration), use the following command:
C:\>sc config policyagent start= demand
[SC] ChangeServiceConfig SUCCESS
4.2 Windows Time service (w32time)
The Windows Time service opens one UDP socket bound to UDP port 123 for each
network adapter present on the system, plus the loopback IPv4 address
(127.0.0.1):
UDP 127.0.0.1:123 *:* 992
UDP 192.70.106.144:123 *:* 992
^^^
svchost.exe 992 Console 0 17 352 K
^^^^^^^^^^^ ^^^
992 corresponds to the svchost.exe instance that hosts the w32time service.
Stopping the w32time immediately closes all sockets bound to UDP port 123:
C:\>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopping successfully.
To set the startup mode of the w32time service to manual instead of
automatic (default configuration), use the following command:
C:\>sc config w32time start= demand
[SC] ChangeServiceConfig SUCCESS
4.3 NetBIOS over TCP/IP driver (NetBT support)
By design, the NetBIOS over TCP/IP driver binds 3 sockets on the IP address of
each network adapter.
These 3 sockets correspond to the 3 NetBIOS over TCP/IP services:
- 137/UDP : NetBIOS name resolution service
- 138/UDP : NetBIOS datagram service
- 139/TCP : NetBIOS session service
In our example, 3 sockets are bound to the network adapter:
TCP 192.70.106.144:139 0.0.0.0:0 LISTENING 4
UDP 192.70.106.144:137 *:* 4
UDP 192.70.106.144:138 *:* 4
^
4 corresponds to the System process and confirms that these sockets are bound by
the NetBIOS over TCP/IP driver (netbt.sys), running in kernel-mode.
NetBIOS over TCP/IP is not needed if all systems of the environment are running
Windows 2000 or later.
Disabling NetBIOS over TCP/IP support on all network adapters (choose
Disable NetBIOS over TCP/IP in the WINS tab of the network adapter's Advanced
TCP/IP Settings window) closes sockets bound to 137/udp, 138/udp and
139/tcp.
4.4 NetBIOS over TCP/IP driver (raw SMB support)
Starting with Windows 2000, the SMB protocol (Windows protocol behind Windows
resource sharing and remote administration capabilities) can be carried directly
into TCP, using TCP port 445.
Thus, the netbt.sys driver of recent Windows systems (including Windows Server
2003) binds two sockets, one on TCP port 445 and one on UDP port 445.
The purpose of the UDP socket is, to the best of our knowledge, not documented.
These two sockets are bound to all network adapters (0.0.0.0):
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:445 *:* 4
To close these two sockets, it is possible to either:
- stop the NetBT driver
- set the SmbDeviceEnabled registry value to 0
The NetBT driver can be stopped with the following command:
C:\>net stop /y srv
The following services are dependent on the Server service.
Stopping the Server service will also stop these services.
Distributed File System
Computer Browser
The Distributed File System service was stopped successfully.
The Computer Browser service is stopping.
The Computer Browser service was stopped successfully.
The Server service is stopping.
The Server service was stopped successfully.
C:\>net stop rdr
The Workstation service is stopping.
The Workstation service was stopped successfully.
The netbt driver can then be stopped with the following command:
C:\>net stop /y netbt
The following services are dependent on the NetBios over Tcpip service.
Stopping the NetBios over Tcpip service will also stop these services.
TCP/IP NetBIOS Helper
The TCP/IP NetBIOS Helper service was stopped successfully.
The NetBios over Tcpip service was stopped successfully.
Because of services dependencies, if the NetBT driver is disabled, the startup
mode of the following services must be set to manual or disabled:
- Computer Browser service (Browser)
- Distributed File System service (Dfs)
- Server service (lanmanserver)
- Workstation service (lanmanworkstation)
- TCP/IP NetBIOS Helper (lmhosts)
To prevent the netbt.sys to be started at the next system startup, its startup
mode must be set to manual:
C:\>sc config netbt start= demand
[SC] ChangeServiceConfig SUCCESS
Startup modes of all services that depend on it must also be modified:
C:\>sc config lmhosts start= demand
[SC] ChangeServiceConfig SUCCESS
C:\>sc config dfs start= demand
[SC] ChangeServiceConfig SUCCESS
C:\>sc config browser start= demand
[SC] ChangeServiceConfig SUCCESS
C:\>sc config lanmanserver start= demand
[SC] ChangeServiceConfig SUCCESS
C:\>sc config lanmanworkstation start= demand
[SC] ChangeServiceConfig SUCCESS
In addition, the Remote Registry service (RemoteRegistry) can be disabled
because it is not possible to remotely access the registry when the server
service is not started:
C:\>sc config remoteregistry start= demand
[SC] ChangeServiceConfig SUCCESS
4.5 DNS Client service (Dnscache)
The Windows Server 2003 DNS Client service is a caching DNS resolver used by
applications that need a DNS resolution service.
When started, the Dnscache service binds a UDP socket to communicate with DNS
servers on UDP port 53.
The UDP socket used by the Dnscache service appears in netstat's output:
UDP 0.0.0.0:1029 *:* 912
^^^
912 corresponds to the svchost.exe instance that hosts the Dnscache service:
C:\>tasklist /svc /fi "pid eq 912"
Image Name PID Services
========================= ====== =============================================
svchost.exe 912 Dhcp, Dnscache
^^^^^^^^
Stopping the Dnscache service closes the dynamic UDP port:
C:\>net stop dnscache
The DNS Client service is stopping.
The DNS Client service was stopped successfully.
4.6 RPC services listening on TCP
Windows Server 2003 LSA runs several RPC services that can be reached via a
dynamic TCP port:
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 508
^^^
As seen earlier, 508 corresponds to the LSA process (lsass.exe):
C:\>tasklist /svc /fi "pid eq 508"
Image Name PID Services
========================= ====== =============================================
lsass.exe 508 ProtectedStorage, SamSs
The Task Scheduler service runs several RPC services and also opens a dynamic TCP
port:
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 992
Finally, the MSRPC portmapper and COM SCM, started by the RpcSs service both use
TCP port 135:
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 680
680 corresponds to the svchost.exe instance that hosts the RpcSs service:
C:\>tasklist /svc /fi "pid eq 680"
Image Name PID Services
========================= ====== =============================================
svchost.exe 680 RpcSs
^^^^^
In Windows Server 2003, the netsh rpc context can be used to specify that RPC
services listening on TCP ports (ncacn_ip_tcp protocol sequence) should only
bind to a specific network adress.
Using netsh, it is possible to restrict these three RPC services so that they
only bind to the loopback IPv4 address (127.0.0.1):
C:\>netsh -c rpc
netsh rpc>show interfaces
Subnet Interface Status Description
127.0.0.0 127.0.0.1 Enabled MS TCP Loopback interface
192.70.106.128 192.70.106.144 Disabled AMD PCNET Family PCI Ethernet Adapter
netsh rpc>show settings
Default
netsh rpc>add 127.0.0.0
netsh rpc>show settings
Add List
127.0.0.0
After a reboot, the three RPC services only bind to 127.0.0.1, as shown below:
Proto Local Address Foreign Address State PID
TCP 127.0.0.1:135 0.0.0.0:0 LISTENING 740
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING 788
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING 516
4.7 Setting a port range for dynamic ports used by RPC services
By default, dynamic (TCP or UDP) ports opened by RPC servers are allocated in
the Windows default range of dynamic ports: 1025-5000.
It is possible to use a dedicated port range for these RPC services, so that it
is is easier to identify running RPC services.
The rpccfg tool, part of Windows Server 2003 Resource Kit tools, can be used to
setup a port range (5050-5070 in the following example):
C:\>rpccfg /pe 5050-5070
The following ports/port range will be used for Internet ports
5050-5070
Default port allocation is from Intranet ports
C:\>rpccfg /d 0
The following ports/port range will be used for Internet ports
5050-5070
Default port allocation is from Internet ports
Finally, the complete configuration of the RPC runtime can be displayed with the
/q option of rpccfg:
C:\>rpccfg /q
Admit List
Subnet Description
1 127.0.0.0 1 MS TCP Loopback interface
The following ports/port ranges will be used for Internet ports
5050-5070
Default port allocation is from Internet ports
After a reboot, the three remaining RPC services only bind to 127.0.0.1 and the
two RPC services that previously used dynamic ports from the default range
(1025-5000) now use the first two ports from the range for Internet ports (5050
and 5051):
Proto Local Address Foreign Address State PID
TCP 127.0.0.1:135 0.0.0.0:0 LISTENING 752
TCP 127.0.0.1:5050 0.0.0.0:0 LISTENING 844
TCP 127.0.0.1:5051 0.0.0.0:0 LISTENING 516
5. Windows Server 2003 SP1
In Windows Server 2003 SP1, a new netstat option, -b, can be used to directly
display the Windows service or process that open sockets.
The output of the netstat -anb command on a default Windows Server 2003 SP1
system is shown below:
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1244
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
[System]
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 856
[lsass.exe]
TCP 192.70.106.144:139 0.0.0.0:0 LISTENING 4
[System]
UDP 0.0.0.0:4500 *:* 856
[lsass.exe]
UDP 0.0.0.0:500 *:* 856
[lsass.exe]
UDP 0.0.0.0:445 *:* 4
[System]
UDP 0.0.0.0:1026 *:* 1296
Dnscache
[svchost.exe]
UDP 127.0.0.1:123 *:* 1344
W32Time
[svchost.exe]
UDP 192.70.106.144:137 *:* 4
[System]
UDP 192.70.106.144:123 *:* 1344
W32Time
[svchost.exe]
UDP 192.70.106.144:138 *:* 4
[System]
It seems that in Windows Server 2003 SP1, the Task Scheduler service no longer
opens a TCP port for its RPC services.
Thus, compared to a default Windows Server 2003 system, there is one less
listening TCP socket on a default Windows Server 2003 SP1 system.
Otherwise, opened sockets are the same as the one found on a default Windows
Server 2003 system and the same methodology can be used.
6. Conclusion
Depending on the role and the environment, only a subset or all Windows Server
2003 network services will be minimized.
An isolated Windows Server 2003 system can be configured so that no listening
TCP port appear when scanned remotely with a network scanner.
However, when dealing with network services minimization, the most important
thing is not necessarily to close all ports but instead to determine which
network communications are needed, analyze the risks associated to the network
services and decide which network services are needed, must be hardened,
filtered or disabled.
7. List of TCP and UDP ports used by Windows Server 2003 network services
TCP:
135/tcp: Remote Procedure Call (RPC) service (RpcSs)
139/tcp: NetBIOS over TCP/IP driver (netbt.sys)
445/tcp: NetBIOS over TCP/IP driver (netbt.sys)
One dynamic TCP port (LSA RPC services): lsass.exe
One dynamic TCP port (RPC services): Task Scheduler service (schedule)
-> not in Windows Server 2003 SP1
UDP:
123/udp: Windows Time service (w32time)
137/udp, 138/udp: NetBIOS over TCP/IP driver (netbt.sys)
445/udp: NetBIOS over TCP/IP driver (netbt.sys)
500/udp, 4500/udp: IPSEC Services service (PolicyAgent)
One dynamic UDP port: DNS Client service (Dnscache)
For further information, see the list of network ports used by Windows systems
found in the #832017 Microsoft knowledge base article:
http://support.microsoft.com/?id=832017
Because the RpcSs service can not be disabled nor the lsass.exe process stopped,
a Windows Server 2003 system will, at a minimum, always have two listening TCP
sockets, that can be bound only to 127.0.0.1 if the rpc subsystem has been
configured explictly with netsh, as shown earlier:
Proto Local Address Foreign Address State PID
TCP 127.0.0.1:135 0.0.0.0:0 LISTENING 740
TCP 127.0.0.1:5050 0.0.0.0:0 LISTENING 788
$Id: min_w2k3_net_srv.tip,v 1.10 2005/04/07 08:16:18 marchand Exp $
Friday, October 3, 2008
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment