unusual port 445 connections
Posted on 2004-11-11
I'm running a member server in an AD domain that functions like the domain controller for my workgroup. In other words, the workstations connect to the server for file sharing, but the server itself isn't at the top of the AD domain, just a member server in my delegated OU. Anyway, I try to restrict access to the workstations and the server as much as possible, but I'm relatively new to all of this so I have to utilize a guess-and-check method more often than not.
I've noticed that the member (win 2k3) server has connections that I thought were blocked. In the GPO for the server, I allow acces to the computer from only the computers in my OU and the DC (obviously), and I only allow logins from my OU users. That being said, I find connections with netstat -a that are connecting to port 445 from unauthorized computers. Since the computers in question aren't authorized to log in, nor to access the computer from the network, I'm wondering how TCP/IP connections can be established at all, even if they aren't showing up as attempted logins in the security log.
I also notice that another member server in the domain is able to login (according to the security log) as ANONYMOUS LOGON, even though anonymous connections are forbidden (the DC logs in that way as well, but that doesn't bother me because I can't override the DC's authority). I've never had any formal training in network administration, and while I can keep things running fine, I'm frustrated at some of the confusing hair-splitting involved here. I don't believe my server is being hacked, but I also don't know why systems other than the DC and the workstations in my OU are connecting when only the latter two were granted access.