Solved

mountd daemon is running over a non-reserved port on a Windows server

Posted on 2007-04-02
Last Modified: 2013-12-04
I have several Windows 2000 and 2003 servers running Microsoft Windows Services for Unix 3.5 to share out a mount point for several Sun servers. Everything works just fine, but... a recent ISS Internet Security Scan showed these servers as having the following vulnerability:
MountdReserved: NFS mount daemon operating on an non-reserved port
The mountd daemon is running over a non-reserved port. This daemon is probably vulnerable to port hijacking and should be moved to a reserved port.

Does anyone know if this is a configurable parameter?
Question by: jehrbear

Accepted Solution by: Phil_Agcaoili (earned 500 total points)
ID: 18953343
Network ports and protocols that are used by services in Windows Services for UNIX 3.5: http://support.microsoft.com/kb/891759

[quote]
nfsd      2049      TCP, UDP      Server for NFS      By default, this service is enabled.
Additionally, Windows Services for UNIX 3.5 can use other ports. For example, the following table lists the Network File System (NFS)-related services that register with the Open Network Computing (ONC) Remote Procedure Call (RPC) service:
Service name      Description
mapsvc            User Name Mapping service
mountd            NFS mount daemon
nlockmgr          NFS lock manager
status            Network status monitor
The four services that are listed in the table listen for both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic and do not use designated ports. Instead, the services use a port that is available at that particular time and register the port with the Portmapper service. For example, when you run the rpcinfo -p command, you receive the following output:

program  version  protocol   port
----------------------------------------------
100000       2      udp      111    portmapper
100000       2      tcp      111    portmapper
351455       1      tcp      844    mapsvc
351455       1      udp      845    mapsvc
351455       2      tcp      846    mapsvc
351455       2      udp      847    mapsvc
100005       1      udp     1048    mountd
100005       2      udp     1048    mountd
100005       3      udp     1048    mountd
100005       1      tcp     1048    mountd
100005       2      tcp     1048    mountd
100005       3      tcp     1048    mountd
100021       1      udp     1047    nlockmgr
100021       2      udp     1047    nlockmgr
100021       3      udp     1047    nlockmgr
100021       4      udp     1047    nlockmgr
100021       1      tcp     1047    nlockmgr
100021       2      tcp     1047    nlockmgr
100021       3      tcp     1047    nlockmgr
100021       4      tcp     1047    nlockmgr
100024       1      udp     1039    status
100024       1      tcp     1039    status
100003       2      udp     2049    nfs
100003       3      udp     2049    nfs
100003       2      tcp     2049    nfs
100003       3      tcp     2049    nfs

In this example, only the Portmapper service and the NFS service use standard ports.

Additional notes:
• Custom Interix applications and third-party Interix applications may bind to additional ports.
• If you add a "camp-" prefix to the name of the service in the /etc/inetd.conf file, Interix determines the port that the service uses. However, Interix does not start the service when a request is made. By adding the prefix, you disable the service, and you restrict other applications from using that port.

Note Do not include the quotation marks in the prefix.
For additional information about the network ports and protocols that are used by the Microsoft Windows server system, click the following article number to view the article in the Microsoft Knowledge Base:
832017 (http://support.microsoft.com/kb/832017/) Port requirements for the Microsoft Windows server system
For additional information about the ports that must be open for a Windows Services for UNIX product to work with Microsoft Windows XP Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base:
883105 (http://support.microsoft.com/kb/883105/) Description of the ports that have to be open for a Windows Services for UNIX product to work correctly
[/quote]

You could change the ports in the /etc/inetd.conf file, but you'll have to change these on all of your Sun servers [PITA] and it's not worth it.

Description of the ports that have to be open for a Windows Services for UNIX product to work correctly: http://support.microsoft.com/kb/883105/
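The ISS finding in the question is exactly what the quoted rpcinfo listing shows: mountd (and nlockmgr and status) registered with the Portmapper on ports above 1023. The script below is an added example, not code from the thread or from the Microsoft KB article. It parses rpcinfo -p output and flags every RPC registration on a non-reserved port (traditional Unix treats 0-1023 as reserved/privileged), except where that port is the service's own assigned port; the small STANDARD_PORTS map (portmapper 111, nfs 2049) is an assumption made for this example, and the sample input is the listing quoted above, embedded so the script runs offline.

```python
# Added example: flag ONC RPC services that registered on a non-reserved
# port, the condition behind the ISS "MountdReserved" finding. This is not
# code from the thread or from the Microsoft KB article.

RESERVED_PORT_MAX = 1023  # Unix convention: ports 0-1023 require root to bind

# Services whose assigned port is itself above 1023; registering on that port
# is expected, not a finding. Assumption made for this example.
STANDARD_PORTS = {"portmapper": 111, "nfs": 2049}

# Sample input: the rpcinfo -p listing quoted from the KB article above,
# reproduced here (constructed sample) so the script runs offline.
SAMPLE_RPCINFO = """\
program  version  protocol   port
----------------------------------------------
100000       2      udp      111    portmapper
100000       2      tcp      111    portmapper
351455       1      tcp      844    mapsvc
351455       1      udp      845    mapsvc
351455       2      tcp      846    mapsvc
351455       2      udp      847    mapsvc
100005       1      udp     1048    mountd
100005       2      udp     1048    mountd
100005       3      udp     1048    mountd
100005       1      tcp     1048    mountd
100005       2      tcp     1048    mountd
100005       3      tcp     1048    mountd
100021       1      udp     1047    nlockmgr
100021       2      udp     1047    nlockmgr
100021       3      udp     1047    nlockmgr
100021       4      udp     1047    nlockmgr
100021       1      tcp     1047    nlockmgr
100021       2      tcp     1047    nlockmgr
100021       3      tcp     1047    nlockmgr
100021       4      tcp     1047    nlockmgr
100024       1      udp     1039    status
100024       1      tcp     1039    status
100003       2      udp     2049    nfs
100003       3      udp     2049    nfs
100003       2      tcp     2049    nfs
100003       3      tcp     2049    nfs
"""


def parse_rpcinfo(text):
    """Return one dict per registration line; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # A registration line has exactly five fields and starts with the program number.
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        program, version, proto, port, service = parts
        entries.append({
            "program": int(program),
            "version": int(version),
            "proto": proto,
            "port": int(port),
            "service": service,
        })
    return entries


def non_reserved_registrations(entries):
    """Map service -> set of (proto, port) for ports > 1023 that are not the service's standard port."""
    flagged = {}
    for e in entries:
        if e["port"] <= RESERVED_PORT_MAX:
            continue
        if STANDARD_PORTS.get(e["service"]) == e["port"]:
            continue
        flagged.setdefault(e["service"], set()).add((e["proto"], e["port"]))
    return flagged


def report(text):
    """One human-readable line per flagged service, sorted by service name."""
    flagged = non_reserved_registrations(parse_rpcinfo(text))
    lines = []
    for service in sorted(flagged):
        ports = ", ".join(f"{proto}/{port}" for proto, port in sorted(flagged[service]))
        lines.append(f"{service}: non-reserved port(s) {ports}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RPCINFO):
        print(line)
```

Run against the quoted listing it reports mountd, nlockmgr and status; mapsvc (844-847) is below 1024 and nfs sits on its assigned port 2049, so neither is flagged, which matches the KB's remark that only the Portmapper and NFS services use standard ports. Because these services pick whatever port is free at start-up, a scanner result like the one in the question should be re-checked against a fresh rpcinfo -p rather than assumed stable across reboots.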

Author Comment by: jehrbear
ID: 18966150
Awesome. Thank you!!!