misd19
Ports 137-139 security issue?
One of our software vendors is installing an application on our web server and requests opening ports at our firewall (ASA) in order for the apps to run. Ports are 137-139 and 1433, bidirectional. The web server is located in the DMZ; I know those ports are considered very insecure, but they did not give me any alternative. Also, the same ports need to be opened to our email server, which is in our LAN.
Now my question to all security experts: how high are the security risks?
thanks,
The risk here is basically information disclosure: an attacker may be able to establish a NetBIOS null session and enumerate lots of information from the server's registry, including user names, share names, etc.
If your server is a Windows 2003 machine, please try the below:
Administrative Tools --> Local Security Policy --> Local Policies --> Security Options. Enable these two policies:
Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Default)
Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
This can also be done through the registry keys below:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=1 (This disallows enumeration of shares)
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=1 (Default, not allowing enumeration of user accounts)
Hope this helps.
If you do need to allow this access, make sure your firewall only allows one IP (or a few); do not open the ports to the internet at large...
If they cannot give you a fixed IP, you need a new vendor.
Vendor_IP 1.2.3.4 any port -> Your_IP 4.5.6.7 port 139
More preferable is a VPN connection. I suspect they have experience with one or both of these scenarios, so ask them how they communicate with their other customers. It's not a question you should have had to ask; they, the vendor, should have informed you of a secure method of connecting. Everyone knows what these ports are for. Frankly it doesn't matter what port they asked you to open, it's the method of connection: if they mentioned VPN, good for them; if not, shame on them. If they told you to open ports x, y and z, but failed to give you their own IP address or address space, then they messed up (possibly forgot to tell you?) or they don't care about security at all.
I hope they aren't providing security services ;)
-rich
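rich's one-line rule above, written out as Cisco ASA access-list syntax with the too-broad version beside the scoped one. This is an added example, not part of the original thread: the addresses 1.2.3.4 and 4.5.6.7 are rich's placeholders, and the ACL names OUTSIDE_IN, OUTSIDE_IN_TOO_BROAD and DMZ_OUT and the interface names outside and dmz are assumptions.

```cisco
! --- Too broad: what "open 137-139 and 1433 bidirectional" becomes if taken literally.
! Any host on the internet can reach NetBIOS and SQL Server on the DMZ web server.
access-list OUTSIDE_IN_TOO_BROAD extended permit tcp any host 4.5.6.7 range 137 139
access-list OUTSIDE_IN_TOO_BROAD extended permit udp any host 4.5.6.7 range 137 139
access-list OUTSIDE_IN_TOO_BROAD extended permit tcp any host 4.5.6.7 eq 1433

! --- Scoped: the same services, reachable only from the vendor's fixed address.
! 137 (netbios-ns) and 138 (netbios-dgm) are UDP; 139 (netbios-ssn) and 1433 (MS SQL) are TCP.
! ACL and interface names are assumed for this example.
access-list OUTSIDE_IN remark Vendor 1.2.3.4 to DMZ web server 4.5.6.7 - NetBIOS and SQL only
access-list OUTSIDE_IN extended permit udp host 1.2.3.4 host 4.5.6.7 range 137 138
access-list OUTSIDE_IN extended permit tcp host 1.2.3.4 host 4.5.6.7 eq 139
access-list OUTSIDE_IN extended permit tcp host 1.2.3.4 host 4.5.6.7 eq 1433
! Log everything else that hits the outside interface (the implicit deny is silent).
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! --- "Bidirectional" on a stateful firewall only matters if the DMZ host also
! initiates connections to the vendor; replies to permitted inbound sessions are
! allowed automatically. If it does, permit just the ports it actually initiates.
! Caution: once an ACL is bound to the dmz interface, everything it does not
! permit is denied, so the web server's other outbound rules must be added too.
access-list DMZ_OUT remark DMZ web server 4.5.6.7 to vendor 1.2.3.4 - SQL only
access-list DMZ_OUT extended permit tcp host 4.5.6.7 host 1.2.3.4 eq 1433
access-group DMZ_OUT in interface dmz
```

The difference between the two ACLs is only the source: `any` exposes the NetBIOS and SQL Server listeners to every address on the internet, while `host 1.2.3.4` limits them to the vendor. If the vendor gives an address range rather than a single host, replace `host 1.2.3.4` with the network and mask they supply; if they cannot give either, this rule cannot be written safely, which is rich's point. The `deny ip any any log` line does not change what is blocked, it only makes the blocked attempts visible in the ASA logs.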
ASKER CERTIFIED SOLUTION
I don't know about what can be exploited through the port, so I guess I'm not answering your question, but it sounds bad.
I guess you want to know if it's absolutely necessary, and if so, then perhaps you could add some TCP/IP filtering to make sure you're only accepting traffic from their IP range.
For the email server, it would be a lot safer if you had a Front-End mail server in the DMZ, and open the ports into that, rather than into your internal LAN.