Solved

Ports 137-139 security issue?

Posted on 2009-04-01
4
978 Views
Last Modified: 2013-12-04
One of our software vendors is installing an application on our web server and requests opening ports at our firewall (ASA) in order for the apps to run. Ports are 137-139 and 1433 bidirectional. The web server is located in the DMZ; I know those ports are considered very insecure but they did not give me any alternative. Also, the same ports need to be opened to our email server, which is in our LAN.
Now my question to all security experts: How high are the security risks?
Thanks,
0
Question by:misd19
4 Comments
 
LVL 14

Expert Comment

by:theras2000
ID: 24040320
Here's an article from Shields Up http://www.grc.com/port_137.htm
I don't know about what can be exploited through the port, so I guess I'm not answering your question, but it sounds bad.

I guess you want to know if it's absolutely necessary, and if so, then perhaps you could add some TCP/IP filtering to make sure you're only accepting traffic from their IP range.
For the email server, it would be a lot safer if you had a Front-End mail server in the DMZ, and open the ports into that, rather than into your internal LAN.
0
 
LVL 23

Expert Comment

by:Mohamed Osama
ID: 24042649
The risk here is basically information disclosure. An attacker may be able to establish a NetBIOS NULL session and enumerate lots of information from the server's registry, including user names, share names, etc.
If your server is a Windows 2003 machine, please try the below:
Administrative Tools --> Local Security Policy --> Local Policies --> Security Options. Enable those two policies:
Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Default)
Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled

This can also be done through the registry keys below:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=1 (This disallows enumeration of shares)
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=1 (Default, not allowing enumeration of user accounts)

Hope this helps.


0
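An added example, not part of the comment above: a PowerShell audit of the two LSA registry values it names, reporting whether each is set to at least the value the comment gives. The function names `Get-LsaAnonymousValues` and `Test-AnonymousRestriction` are hypothetical, and the sample values are constructed.

```powershell
# Added example: audit the two LSA values named in the comment above.
$LsaPath  = 'HKLM:\System\CurrentControlSet\Control\Lsa'
# Minimum values, taken from the comment (1 = anonymous enumeration restricted).
$Expected = @{ RestrictAnonymous = 1; RestrictAnonymousSAM = 1 }

# Hypothetical helper: read the live values; a value that is not set comes back as $null.
function Get-LsaAnonymousValues {
    $props  = Get-ItemProperty -Path $LsaPath -ErrorAction Stop
    $values = @{}
    foreach ($name in $Expected.Keys) { $values[$name] = $props.$name }
    return $values
}

# Hypothetical helper: compare a set of values against the expected minimums.
function Test-AnonymousRestriction {
    param([hashtable]$Actual)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $value = $Actual[$name]
        if ($null -eq $value) { $status = 'Missing' }
        elseif ([int]$value -ge $Expected[$name]) { $status = 'OK' }
        else { $status = 'Weak' }
        New-Object PSObject -Property @{
            Name = $name; Value = $value; Minimum = $Expected[$name]; Status = $status
        }
    }
}

# Constructed sample: SAM enumeration restricted, share enumeration still open.
$sample = @{ RestrictAnonymous = 0; RestrictAnonymousSAM = 1 }
Test-AnonymousRestriction -Actual $sample |
    Format-Table Name, Value, Minimum, Status -AutoSize

# On a Windows host, audit the real registry as well.
if (Test-Path $LsaPath) {
    Test-AnonymousRestriction -Actual (Get-LsaAnonymousValues) |
        Format-Table Name, Value, Minimum, Status -AutoSize
}
```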
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 24046256
If you do need to allow this access, make sure your firewall only allows one IP (or a few), do not open the ports to the internet at large...
If they cannot give you a fixed IP, you need a new vendor.
Vendor_IP 1.2.3.4 any port -> Your_IP 4.5.6.7 port 139

More preferable is a VPN connection. I suspect they have experience with one or both of these scenarios, so ask them how they communicate to their other customers. It's not a question you should have had to ask; they, the vendor, should have informed you of a secure method of connecting, everyone knows what these ports are for. Frankly it doesn't matter what port they asked you to open, it's the method of connection. If they mentioned VPN, good for them; if not, shame on them. If they told you to open port x, y and z, but failed to give you their own IP address or address space, then they messed up (possibly forgot to tell you?) or they don't care about security at all.
I hope they aren't providing security services ;)
-rich
0
 
LVL 4

Accepted Solution

by:
TurboBorland earned 500 total points
ID: 24154141
If you are using Vista, I wouldn't be worried about it as it automatically requires authentication before use.

Null sessions are very old and hardly work anymore due to the havoc they caused in the past. Vista and beyond will not allow a default setup to have a null session created.

Even if you are to exploit this due to null session on old Windows operating systems, you are in a DMZ.  Only old worms will attempt to exploit this vulnerability.  All of which will be stopped by your malware signature database, if you use any malware detection tools.
0

Question has a verified solution.
