Solved

Ports 137-139 security issue?

Posted on 2009-04-01
4
941 Views
Last Modified: 2013-12-04
One of our software vendors is installing an application on our web server and requests opening ports at our firewall (ASA) in order for the apps to run. Ports are 137-139 and 1433 bidirectional. Web server is located in dmz; I know those ports are considered as very unsecure but they did not give me any alternative. Also, the same ports needs to be opened to our email server which is in our LAN.
Now my question to all security experts: How high is the security risks?
thanks,
0
Comment
Question by:misd19
4 Comments
 
LVL 14

Expert Comment

by:theras2000
ID: 24040320
Here's an article from Shields Up http://www.grc.com/port_137.htm
I don't know about what can be exploited through the port, so I guess I'm not answering your question, but it sounds bad.

I guess you want to know if it's absolutely necessary, and if so, then perhaps you could add some TCP/IP filtering to make sure you're only accepting traffic from their IP range.
For the email server, it would be a lot safer if you had a Front-End mail srever in the DMZ, and open the ports into that, rather than into your internal LAN.
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24042649
The risk here is basically information disclosure, an attacker may be able to establish a Netbios  NULL session & enumerate lots of information from the server's registry including user names , share names ,etc.. 
if your server is a Windows 2003 machine , please try the below
Administrative Tools --> Local Security Policy --> Local Policies --> Security Options. enable those two policies
Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Default)
Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled


This can also be  done using  through the below registry keys:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=1 (This disallows enumeration of shares)
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=1 (Default, not allowing enumeration of user accounts)


hope this helps.


0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 24046256
If you do need to allow this access, make sure your firewall only allows one IP (or a few), do not open the ports to the internet at large...
If they cannot give you a fixed IP, you need a new vendor.
Vendor_IP 1.2.3.4 any port -> Your_IP 4.5.6.7 port 139

More preferable is a VPN connection, I suspect they have experience with one or both of these scenerios, so ask them how they communicate to their other customers. It's not a question you should of had to ask, they, the vendor should of informed you of a secure method of connecting, everyone knows what these ports are for. Frankly it doesn't matter what port they asked you to open, its the method of connection, if they mentioned VPN, good for them, if not shame on them. If they told you to open port xyand z, but failed to give you their own IP address or address space, then they messed up (possibly forgot to tell you?) or they don't care about security at all.
I hope they aren't providing security services ;)
-rich
0
 
LVL 4

Accepted Solution

by:
TurboBorland earned 500 total points
ID: 24154141
If you are using Vista, I wouldn't be worried about it as it automatically requires authentication before use.

Null sessions are very old and hardly working anymore due to the havoc it had caused in the past.  Vista and beyond will not allow a default setup to have a null session created.

Even if you are to exploit this due to null session on old Windows operating systems, you are in a DMZ.  Only old worms will attempt to exploit this vulnerability.  All of which will be stopped by your malware signature database, if you use any malware detection tools.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now