information for security audit.

During a recent security audit we were asked whether we had blocked off any of the following services / firewall

check server message block (smb) netbios, tftp, rpc, rlogin, rsh, rexec?

I don't even recognise some of these, so can anyone advise how we would go about checking?

We have a pretty default installation of Windows 2012 R2 running Hyper-V which runs 2 virtual servers, one being our main file server / DC and the other an additional file server. In addition we have Exchange Server 2010 running on a single Windows 2012 STD server.

If anyone could offer any advice on these services etc, I would be much obliged.

Many thanks.
nigelbeatson Asked:
Russ Suter Commented:
It's probably easier to just check your firewall to see what services you've explicitly allowed/forwarded. If your firewall's default posture is to deny incoming traffic (which it should be) then unless you've explicitly allowed the connection it will be blocked.

The services you mentioned do have default ports that they typically communicate on, for example TFTP usually communicates over port 69, but pretty much any service can be configured to listen on other ports instead.
btan (Exec Consultant) Commented:
- msrpc, netbios-ssn and microsoft-ds - Ports 137, 138 and 139 are for NetBIOS, and are not required for the functionality of MSRPC (remote procedure calls). Actually these are legacy; you can acquire name resolution through other means (DNS), assuming the remote service itself is not dependent on NetBIOS.

- Adding on, Port 139 is also known technically as ‘NBT over IP’, and Port 445 is ‘SMB over IP’. SMB stands for ‘Server Message Blocks’. Server Message Block in modern language is also known as Common Internet File System.

- rsh stands for remote shell and allows you to execute non-interactive programs on another system.
- rexec stands for remote exec and like rsh, allows you to execute non-interactive programs on another system.  

The difference between rsh and rexec is that rexec requires you to specify a valid password for the other system and rsh does not. rexec uses TCP port 512.

- rcp stands for remote copy and allows you to transfer files to and from another system over the network.  So unlike FTP, it is totally non-interactive and does not require you to log in or specify a password for the other system.  

The rlogin, rsh and rexec commands / services are present in Windows 2003 but no longer in Windows 2008 and above.

In any case, if any of those services or ports are found, close them if you are not using them; they are not really necessary. They just open up an avenue on an identified target device for further recon for vulnerabilities etc.

Tools commonly used include nmap or Nessus.
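One way to run the check asked about in the question on each Windows Server 2012 / 2012 R2 host, as an added example that is not part of the original thread: it lists which of the audited service ports are actually listening and which enabled inbound Allow rules in Windows Firewall cover them. Ports 135, 513 and 514 are the usual defaults rather than values from the answers, `Test-PortMatch` is a hypothetical helper name, and only the local Windows Firewall is inspected, not a perimeter firewall.

```powershell
# Added example. Ports 69, 137-139, 445 and 512 come from the answers above;
# 135 (RPC endpoint mapper), 513 (rlogin) and 514 (rsh) are the usual defaults.
$audit = @(
    [pscustomobject]@{ Service = 'TFTP';        Protocol = 'UDP'; Port = 69  }
    [pscustomobject]@{ Service = 'RPC (epmap)'; Protocol = 'TCP'; Port = 135 }
    [pscustomobject]@{ Service = 'NetBIOS-NS';  Protocol = 'UDP'; Port = 137 }
    [pscustomobject]@{ Service = 'NetBIOS-DGM'; Protocol = 'UDP'; Port = 138 }
    [pscustomobject]@{ Service = 'NetBIOS-SSN'; Protocol = 'TCP'; Port = 139 }
    [pscustomobject]@{ Service = 'SMB';         Protocol = 'TCP'; Port = 445 }
    [pscustomobject]@{ Service = 'rexec';       Protocol = 'TCP'; Port = 512 }
    [pscustomobject]@{ Service = 'rlogin';      Protocol = 'TCP'; Port = 513 }
    [pscustomobject]@{ Service = 'rsh';         Protocol = 'TCP'; Port = 514 }
)

# Hypothetical helper: does a firewall LocalPort spec ('Any', '445', '500-520') cover $Port?
function Test-PortMatch([string[]]$Spec, [int]$Port) {
    foreach ($s in $Spec) {
        if ($s -eq 'Any' -or $s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# Sockets actually listening on this host
$listening = @(Get-NetTCPConnection -State Listen | Select-Object @{n='Protocol';e={'TCP'}}, LocalPort, OwningProcess) +
             @(Get-NetUDPEndpoint | Select-Object @{n='Protocol';e={'UDP'}}, LocalPort, OwningProcess)

# Enabled inbound Allow rules in Windows Firewall, with their port filters
$allow = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $f = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Name = $_.DisplayName; Protocol = $f.Protocol; LocalPort = @($f.LocalPort) }
}

# One row per audited service: is it listening, which process owns it, which rules allow it
$audit | ForEach-Object {
    $item  = $_
    $hits  = @($listening | Where-Object { $_.Protocol -eq $item.Protocol -and $_.LocalPort -eq $item.Port })
    $rules = @($allow | Where-Object { ($_.Protocol -in 'Any', $item.Protocol) -and (Test-PortMatch $_.LocalPort $item.Port) })
    [pscustomobject]@{
        Service    = $item.Service
        Port       = "$($item.Protocol)/$($item.Port)"
        Listening  = $hits.Count -gt 0
        Process    = ($hits | ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } | Sort-Object -Unique) -join ','
        AllowRules = ($rules.Name | Sort-Object -Unique) -join '; '
    }
} | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session. Rules that match through an 'Any' port are often restricted to a single program, so review each rule listed under AllowRules before treating the port as open.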
nigelbeatson (Author) Commented:
Very helpful, many thanks to all.