Solved

Ports 137-139 security issue?

Posted on 2009-04-01
Last Modified: 2013-12-04
One of our software vendors is installing an application on our web server and requests opening ports at our firewall (ASA) in order for the apps to run. Ports are 137-139 and 1433, bidirectional. The web server is located in the DMZ; I know those ports are considered very insecure, but they did not give me any alternative. Also, the same ports need to be opened to our email server, which is in our LAN.
Now my question to all security experts: how high are the security risks?
Thanks,
Question by:misd19
4 Comments

Expert Comment

by:theras2000
ID: 24040320
Here's an article from Shields Up http://www.grc.com/port_137.htm
I don't know about what can be exploited through the port, so I guess I'm not answering your question, but it sounds bad.

I guess you want to know if it's absolutely necessary, and if so, then perhaps you could add some TCP/IP filtering to make sure you're only accepting traffic from their IP range.
For the email server, it would be a lot safer if you had a front-end mail server in the DMZ and opened the ports into that, rather than into your internal LAN.

Expert Comment

by:Admin3k
ID: 24042649
The risk here is basically information disclosure: an attacker may be able to establish a NetBIOS NULL session and enumerate lots of information from the server's registry, including user names, share names, etc.
If your server is a Windows 2003 machine, please try the below:
Administrative Tools --> Local Security Policy --> Local Policies --> Security Options. Enable these two policies:
Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Default)
Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled


This can also be done through the registry keys below:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=1 (This disallows enumeration of shares)
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=1 (Default, not allowing enumeration of user accounts)


hope this helps.


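An added check (not part of the thread or of any Microsoft tooling) that verifies the two Lsa values Admin3k lists from a saved `reg query` dump, so a Windows 2003 host can be audited offline from text collected by an administrator. The dump below is constructed in the layout `reg query` prints and is not from a real server; the "what a setting of 1 restricts" descriptions are taken from Admin3k's comment.

```python
"""Audit RestrictAnonymous / RestrictAnonymousSAM from 'reg query' output.

Added example for this thread; the sample dump is constructed, not captured
from a real machine. Run: reg query HKLM\\System\\CurrentControlSet\\Control\\Lsa
on the server, save the output, and feed it to check_anonymous_restrictions().
"""
import re

LSA_KEY = r"HKLM\System\CurrentControlSet\Control\Lsa"

# Value name -> what the thread says a setting of 1 prevents.
EXPECTED = {
    "RestrictAnonymous": "anonymous enumeration of shares",
    "RestrictAnonymousSAM": "anonymous enumeration of SAM user accounts",
}

# reg query prints each value as: <indent><name>    <REG_TYPE>    <data>
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>\S+)\s*$")


def parse_reg_query(text: str) -> dict:
    """Return {value_name: int} for every REG_DWORD line in reg query output.

    Lines without leading whitespace (the key path itself) and non-DWORD
    values are ignored; DWORD data is printed as hex such as 0x1.
    """
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m and m["type"] == "REG_DWORD":
            values[m["name"]] = int(m["data"], 16)
    return values


def check_anonymous_restrictions(text: str) -> dict:
    """Map each expected value to 'ok' (1 or higher), 'weak' (0) or 'missing'.

    A missing value is reported rather than assumed to be at its default,
    because the default differs between Windows versions.
    """
    values = parse_reg_query(text)
    report = {}
    for name in EXPECTED:
        if name not in values:
            report[name] = "missing"
        elif values[name] >= 1:
            report[name] = "ok"
        else:
            report[name] = "weak"
    return report


# Constructed sample: RestrictAnonymous left at 0, RestrictAnonymousSAM set to 1.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x0
    RestrictAnonymousSAM    REG_DWORD    0x1
    LmCompatibilityLevel    REG_DWORD    0x2
"""

if __name__ == "__main__":
    print(f"Checking {LSA_KEY}")
    for name, status in check_anonymous_restrictions(SAMPLE_DUMP).items():
        print(f"  {name:<22} {status:<8} ({EXPECTED[name]})")
```

On the sample dump the script reports `RestrictAnonymous` as weak and `RestrictAnonymousSAM` as ok, which is exactly the state Admin3k's first policy change is meant to fix.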

Expert Comment

by:Rich Rumble
ID: 24046256
If you do need to allow this access, make sure your firewall only allows one IP (or a few), do not open the ports to the internet at large...
If they cannot give you a fixed IP, you need a new vendor.
Vendor_IP 1.2.3.4 any port -> Your_IP 4.5.6.7 port 139

More preferable is a VPN connection. I suspect they have experience with one or both of these scenarios, so ask them how they communicate with their other customers. It's not a question you should have had to ask; they, the vendor, should have informed you of a secure method of connecting, as everyone knows what these ports are for. Frankly it doesn't matter what port they asked you to open, it's the method of connection: if they mentioned VPN, good for them; if not, shame on them. If they told you to open ports x, y and z but failed to give you their own IP address or address space, then they messed up (possibly forgot to tell you?) or they don't care about security at all.
I hope they aren't providing security services ;)
-rich
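An added audit script (not from the thread, and not a Cisco tool) that applies Rich Rumble's advice to an ASA access list: it parses `access-list ... extended` lines and flags any `permit` rule that exposes 137-139 or 1433, rating each by how wide the source is. "any" as the source is the case he warns against; a single vendor host, as in his `1.2.3.4 -> 4.5.6.7 port 139` example, is the acceptable shape. The rules below are constructed for the example and reuse his placeholder addresses; the only real details relied on are the ASA extended access-list syntax and ASA's names for the NetBIOS ports.

```python
"""Audit Cisco ASA style access-list lines for exposure of 137-139 and 1433.

Added example for this thread. SAMPLE_ACL is constructed, not from a real
firewall; paste 'show running-config access-list' output into audit() instead.
"""
import ipaddress
import re

# Ports the thread is about.
RISKY_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 1433: "ms-sql"}

# Names ASA accepts in place of numbers for the ports relevant here.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139, "www": 80}

# access-list <name> extended permit|deny tcp|udp|ip <src> <dst> [eq P | range A B]
# where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
RULE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|ip)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+(?P<ports>eq\s+\S+|range\s+\S+\s+\S+))?\s*$"
)


def parse_address(spec: str) -> ipaddress.IPv4Network:
    """Turn an ASA address spec into a network: any -> 0.0.0.0/0, host -> /32."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, mask = parts                       # dotted-quad netmask form
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def port_number(token: str):
    """Resolve a numeric or named port; None for a name this script does not know."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def exposed_risky_ports(spec) -> set:
    """Which RISKY_PORTS a rule's port clause lets through.

    No port clause (e.g. 'permit ip ...') means every port, so all of them.
    """
    if spec is None:
        return set(RISKY_PORTS)
    parts = spec.split()
    if parts[0] == "eq":
        p = port_number(parts[1])
        return {p} if p in RISKY_PORTS else set()
    lo, hi = port_number(parts[1]), port_number(parts[2])
    if lo is None or hi is None:
        return set()
    return {p for p in RISKY_PORTS if lo <= p <= hi}


def audit(acl_text: str) -> list:
    """Return one finding per permit rule that exposes a risky port."""
    findings = []
    for lineno, raw in enumerate(acl_text.splitlines(), 1):
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m or m["action"] != "permit":
            continue
        exposed = exposed_risky_ports(m["ports"])
        if not exposed:
            continue
        src = parse_address(m["src"])
        if src.prefixlen == 0:
            rating = "HIGH"      # open to the internet at large
        elif src.prefixlen < 24:
            rating = "MEDIUM"    # a large block, far wider than one vendor
        else:
            rating = "LOW"       # a single host or small range, as advised
        findings.append({"line": lineno, "rule": line, "source": str(src),
                         "ports": sorted(exposed), "rating": rating})
    return findings


# Constructed rules: two wide-open NetBIOS rules, a /8 for SQL, the vendor-host
# form from the comment above, an unrelated web rule and the closing deny.
SAMPLE_ACL = """\
access-list outside_in extended permit tcp any host 4.5.6.7 range 137 139
access-list outside_in extended permit udp any host 4.5.6.7 eq netbios-ns
access-list outside_in extended permit tcp 10.0.0.0 255.0.0.0 host 4.5.6.7 eq 1433
access-list outside_in extended permit tcp host 1.2.3.4 host 4.5.6.7 eq 1433
access-list outside_in extended permit tcp any host 4.5.6.7 eq www
access-list outside_in extended deny ip any any
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_ACL):
        print(f"{f['rating']:<6} line {f['line']}: ports {f['ports']} from {f['source']}")
```

Running it on the sample flags the two `any` rules as HIGH, the /8 as MEDIUM and the single vendor host as LOW; the `www` rule and the final deny produce no finding. A rule with no port clause at all (`permit ip any host ...`) is treated as exposing every risky port, since that is what it does.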

Accepted Solution

by: TurboBorland (earned 500 total points)
ID: 24154141
If you are using Vista, I wouldn't be worried about it as it automatically requires authentication before use.

Null sessions are very old and hardly working anymore due to the havoc it had caused in the past.  Vista and beyond will not allow a default setup to have a null session created.

Even if you are to exploit this due to null session on old Windows operating systems, you are in a DMZ.  Only old worms will attempt to exploit this vulnerability.  All of which will be stopped by your malware signature database, if you use any malware detection tools.