Ports 137-139 security issue?

Posted on 2009-04-01
Last Modified: 2013-12-04
One of our software vendors is installing an application on our web server and requests opening ports at our firewall (ASA) in order for the apps to run. Ports are 137-139 and 1433, bidirectional. The web server is located in the DMZ; I know those ports are considered very insecure, but they did not give me any alternative. Also, the same ports need to be opened to our email server, which is in our LAN.
Now my question to all security experts: How high are the security risks?
thanks,
Question by:misd19
4 Comments
 

Expert Comment

by:theras2000
ID: 24040320
Here's an article from Shields Up http://www.grc.com/port_137.htm
I don't know about what can be exploited through the port, so I guess I'm not answering your question, but it sounds bad.

I guess you want to know if it's absolutely necessary, and if so, then perhaps you could add some TCP/IP filtering to make sure you're only accepting traffic from their IP range.
For the email server, it would be a lot safer if you had a front-end mail server in the DMZ and opened the ports into that, rather than into your internal LAN.
 

Expert Comment

by:Admin3k
ID: 24042649
The risk here is basically information disclosure: an attacker may be able to establish a NetBIOS NULL session and enumerate lots of information from the server's registry, including user names, share names, etc.
If your server is a Windows 2003 machine, please try the below:
Administrative Tools --> Local Security Policy --> Local Policies --> Security Options. Enable those two policies:
Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Default)
Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled

This can also be done through the registry keys below:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=1 (This disallows enumeration of shares)
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=1 (Default, not allowing enumeration of user accounts)

Hope this helps.

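As an added example (not code from Admin3k's post or from anyone in this thread), the PowerShell script below audits the two LSA registry values he lists on the local server and, when run with a `-Remediate` switch (a name chosen for this script, not a Windows option), sets both to 1. It assumes PowerShell 3 or later on the server and an elevated prompt; on a Windows 2003 box without PowerShell, use the Local Security Policy steps above instead.

```powershell
# Added example, not code from the thread. Audits RestrictAnonymous and
# RestrictAnonymousSAM on the local machine; -Remediate (assumed switch name)
# sets them to 1. Run from an elevated PowerShell 3+ prompt.
[CmdletBinding()]
param([switch]$Remediate)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if (-not (Test-Path $lsaKey)) { throw "LSA key not found: $lsaKey" }

# Registry value name, the Security Options policy it backs, and the value we require.
$checks = @(
    [pscustomobject]@{
        Name   = 'RestrictAnonymousSAM'; Want = 1
        Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts'
    },
    [pscustomobject]@{
        Name   = 'RestrictAnonymous'; Want = 1
        Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
    }
)

$report = foreach ($c in $checks) {
    $props   = Get-ItemProperty -Path $lsaKey -Name $c.Name -ErrorAction SilentlyContinue
    $current = if ($props) { $props.($c.Name) } else { $null }

    # An absent value means the OS default applies. Require it to be set explicitly
    # so the hardening is visible to whoever audits this server later.
    $compliant = ($null -ne $current -and $current -eq $c.Want)

    if (-not $compliant -and $Remediate) {
        Set-ItemProperty -Path $lsaKey -Name $c.Name -Value $c.Want -Type DWord
        $current   = (Get-ItemProperty -Path $lsaKey -Name $c.Name).($c.Name)
        $compliant = ($current -eq $c.Want)
    }

    [pscustomobject]@{
        Value     = $c.Name
        Policy    = $c.Policy
        Current   = if ($null -eq $current) { 'not set (OS default)' } else { $current }
        Compliant = $compliant
    }
}

$report | Format-Table Value, Current, Compliant -AutoSize

# Non-zero exit so a scheduled audit run can flag a drifted server.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it once without arguments to see the current state and again with `-Remediate` to enforce it. To confirm from another machine that anonymous enumeration is really blocked, the classic null-session check is `net use \\SERVER\IPC$ "" /user:""` followed by `net view \\SERVER`; with the policies enabled, the `net view` should fail with access denied instead of listing shares.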
 

Expert Comment

by:Rich Rumble
ID: 24046256
If you do need to allow this access, make sure your firewall only allows one IP (or a few); do not open the ports to the internet at large...
If they cannot give you a fixed IP, you need a new vendor.
Vendor_IP 1.2.3.4 any port -> Your_IP 4.5.6.7 port 139

More preferable is a VPN connection. I suspect they have experience with one or both of these scenarios, so ask them how they communicate with their other customers. It's not a question you should have had to ask; they, the vendor, should have informed you of a secure method of connecting. Everyone knows what these ports are for. Frankly, it doesn't matter what port they asked you to open, it's the method of connection: if they mentioned VPN, good for them; if not, shame on them. If they told you to open ports x, y and z, but failed to give you their own IP address or address space, then they messed up (possibly forgot to tell you?) or they don't care about security at all.
I hope they aren't providing security services ;)
-rich
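As an added example (not part of Rich Rumble's post or the thread), here is that rule written as ASA access-list configuration, using his placeholder addresses: vendor host 1.2.3.4 and DMZ web server 4.5.6.7. The interface name `outside`, the ACL name `outside_in` and the object-group names are assumptions. NetBIOS name and datagram services run on UDP 137 and 138, the NetBIOS session service on TCP 139 and SQL Server on TCP 1433, so the rule is split by protocol rather than opening 137-139 on both:

```text
object-group service VENDOR_APP_TCP tcp
 description NetBIOS session and SQL Server, vendor application only
 port-object eq 139
 port-object eq 1433
object-group service VENDOR_APP_UDP udp
 description NetBIOS name and datagram services, vendor application only
 port-object eq 137
 port-object eq 138

access-list outside_in remark Vendor app: single vendor host to the DMZ web server only
access-list outside_in extended permit tcp host 1.2.3.4 host 4.5.6.7 object-group VENDOR_APP_TCP
access-list outside_in extended permit udp host 1.2.3.4 host 4.5.6.7 object-group VENDOR_APP_UDP
access-list outside_in remark Explicitly deny and log the same ports from anyone else
access-list outside_in extended deny tcp any host 4.5.6.7 object-group VENDOR_APP_TCP log
access-list outside_in extended deny udp any host 4.5.6.7 object-group VENDOR_APP_UDP log
access-group outside_in in interface outside
```

`show access-list outside_in` shows per-line hit counts, and `packet-tracer input outside tcp 198.51.100.9 40000 4.5.6.7 139` (any source other than the vendor host) should end in a drop. The `log` keyword on the deny lines turns probes from other addresses into syslog messages you can watch. The "bidirectional" part of the request and the LAN email server get no rule here on purpose: a return path from the DMZ server to the vendor, if genuinely required, should be its own rule scoped the same way, and the mail server is better reached through a DMZ front end, as theras2000 suggests, than from the DMZ host directly.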
 

Accepted Solution

by:TurboBorland
ID: 24154141
If you are using Vista, I wouldn't be worried about it, as it automatically requires authentication before use.

Null sessions are very old and hardly work anymore due to the havoc they caused in the past. Vista and beyond will not allow a default setup to have a null session created.

Even if you are able to exploit this due to null sessions on old Windows operating systems, you are in a DMZ. Only old worms will attempt to exploit this vulnerability, all of which will be stopped by your malware signature database, if you use any malware detection tools.
