Closing the PPTP Port Under Windows 2000?
phnork asks: "I have asked many skilled Win2K users and networking specialists how to close Port 1723 in my Win2K system. I have searched the net unsuccessfully, browsed news groups, asked my ISP techies, and even asked my wife. But, although all agree the port normally used for PPTP (VPN) should not be open, no one has taken the time to document how nor post the solution where it can be found. In fact, I have found that most security issues that abound in the Wide World of Windows occur because those in the know, do not. Not even Microsoft! If they did, the solution would be as easy and straightforward as setting up a printer. Networks and security are still relegated to the nether worlds of the 80s where we used to have problems with every printer installation and computers were hauled to a grinding stop by the inability of the protocol lords to arrive at a consensus. But, maybe now the solution is at hand. Now that I have asked for help maybe someone will come forward with those super words, 'Try this...'." What other hard-to-close ports have you found open in your Win2k install? What did you have to do to close them?
Re:Fuckin terrorist! (Score:2, Funny)
RRAS? (Score:5, Informative)
Re:RRAS? (Score:1, Insightful)
Technet - The Cable Guy - January 2003 [microsoft.com]
Virtual Private Networks for Windows 2000 [microsoft.com]
PPTP?!? (Score:5, Funny)
Re:PPTP?!? (Score:1)
hardware firewalls / nat routers (Score:5, Informative)
Re:hardware firewalls / nat routers (Score:4, Insightful)
my e$0.02
Re:hardware firewalls / nat routers (Score:1)
Re:hardware firewalls / nat routers (Score:2)
There are 3 ways to prevent this. In order of preference: turning off
Try TCPView from sysinternals (Score:5, Informative)
Re:Try TCPView from sysinternals (Score:3, Informative)
Re:Try TCPView from sysinternals (Score:4, Informative)
Here is what I got when I tried your suggestion.
C:\>netstat -a -o
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
-a Displays all connections and listening ports.
-e Displays Ethernet statistics. This may be combined with the -s
option.
-n Displays addresses and port numbers in numerical form.
-p proto Shows connections for the protocol specified by proto; proto
may be TCP or UDP. If used with the -s option to display
per-protocol statistics, proto may be TCP, UDP, or IP.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are
shown for TCP, UDP and IP; the -p option may be used to specify
a subset of the default.
interval Redisplays selected statistics, pausing interval seconds
between each display. Press CTRL+C to stop redisplaying
statistics. If omitted, netstat will print the current
configuration information once.
I suggest downloading fport. It's very similar in function to lsof.
Re:Try TCPView from sysinternals (Score:3, Informative)
Re:Try TCPView from sysinternals (Score:2)
Try this... (Score:5, Informative)
Alternatively you can block any port on a Windows 2000 LAN adapter by enabling TCP/IP Filtering under the TCP/IP properties for that adapter. The way it works is you enable it which will block everything, then you must enable the services you would like to use.
Re:Try this... (Score:1, Informative)
Better with Kerio. ZA's as leaky as a sieve.
Re:Try this... (Score:2)
Source?
Re:Try this... (Score:1)
Re:Try this... (Score:2)
Re:Try this... (Score:1)
Re:Try this... (Score:1)
software firewall (Score:3, Informative)
Good luck (Score:5, Funny)
Re:Good luck (Score:5, Insightful)
We occasionally need heavy-duty tech support (for example, a couple years ago we identified an obscure but severe bug in COM), and I can usually hook up with the right person with only two or three e-mails and a few hours of waiting. All unofficial, and all back-channel, but not terribly difficult. And most of those addresses I've culled from public articles over the years. Only a few were given to me in person as a "here's my address, keep it to yourself" kind of thing. I've found that even if you contact the wrong person up there, if the request is serious, well-written (e.g. not "d00d, cn U help me? thx"), and appears to be reasonably outside the capabilities of their usual support services, they'll go out of their way to try to put you in touch with the right person. Not only have I always reached somebody who was quite knowledgeable, but very often I reach the person who wrote (or currently maintains) the code in question.
And frankly, I'd be surprised if a staff MSJ writer didn't have those kinds of contacts.
Re:Good luck (Score:2)
It was either Richter or Oney. And I think both of them would know where to go. But even the people who work there don't have the answers. The ones that do may have quit. For years no one dared touch the Win16 GDI, USER, KRNL for precisely this reason.
Another example: what's the gibberish between the DOS and PE headers that came with MSC 12? Do you know? Can you find anyone who does?
Good luck my friend.
joke.. right? (Score:5, Informative)
Go download Active Ports [webattack.com] and see what program is actually causing that port to be open.
You can also try running this document in the reverse order to uninstall PPTP [microsoft.com]
Re:joke.. right? (Score:1)
Also this... (Score:4, Informative)
Is this all the info you got? (Score:5, Insightful)
Though I don't have a Win2K machine handy to test right now, I don't believe it's normal for that port to be open for no reason. I can verify that neither my WinXP PC nor my Win2003 server have it open, and I don't recall it ever being opened on Win2K.
Are you running Win2K Professional? Do you have the RRAS service running? Have you tried any diagnostic tools like TCPView [sysinternals.com] to isolate the process? Up to date virus scan and adware scans? Any communication on that port? Any odd processes in TaskManager? If you shut down background tasks, does that port remain open? Oh, and since you seem to be lacking in ability, how did you come to the conclusion that port was open?
The solution is simple. Stop the process listening on that port. I don't think anyone needs to write a HOWTO on that. And seeing that I haven't heard of anyone else complaining about this (nor seen it myself), I'm inclined to believe it's something unique to your setup - not Windows.
Perhaps those that think they are "in the know, do not" (like ISP techs). But those of us actually in the know do know how to track down a process holding a port open. I think, phnork, that you may want to hold off on your anti-MS diatribe until you find what the issue actually is. Dollars to doughnuts it's your fault, not MS.
Re:Is this all the info you got? (Score:3, Insightful)
Doesn't anyone else find it extremely cumbersome and security error pr
Re:Is this all the info you got? (Score:3, Informative)
Agreed. That doesn't make any sense. While I know folks can add-on tools like Zone Alarm, not having a built-in configuration for this seems strange.
Along those lines though, the per-process/app/server block of ZA and other Windows firewalls could have some uses on Linux. I guess with SE Linux, that will come alon
Re:Is this all the info you got? (Score:4, Interesting)
Yes. Win2k has port filtering but it's disabled in the default install. And it sucks at maintaining UDP state (and is not granular enough for my purposes...)
Re:Is this all the info you got? (Score:4, Informative)
My first reaction was that he has somehow managed to install RRAS. It's astonishing how many people have shit installed on their boxes without knowing how or when it was installed.
A quick nmap of a default install win2k box shows only a handful of open ports: 135, 445, 1025, 1026. Turning on netBios over IP also opens ports 137, 138, 139. Beyond that, ports only get opened up by enabling or installing other software. RRAS will open up various ports, depending on which options you configure: 1723(pptp), 1701(l2tp), 520(rip) and if you configure OSPF or RIPv2, appropriate multicast addresses will appear. Installing Access, which installs ODBC/MSSQL, opens up port 1434, which unpatched allows the slammer worm to propagate.
Every network aware product you install on 'doze may leave ports open. Any moderately experienced system admin knows this, so if the OP wasn't able to get a response, that is because he didn't truly ask anyone knowledgeable.
The OP was a troll, but this is
the AC
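As an added illustration of the triage the post above describes (example code, not from the thread): a small parser over constructed Windows `netstat -an` output that keeps only inbound listeners (TCP LISTENING and UDP sockets), drops established client connections, and labels each open port with the service the post attributes to it. The sample output and the port table are assumptions built from the numbers quoted in the thread.

```python
import re

# Port-to-service attribution as given in the thread for a Windows 2000 box.
KNOWN_PORTS = {
    135: "RPC endpoint mapper (default install)",
    445: "SMB over TCP (default install)",
    1025: "RPC dynamic port (default install)",
    1026: "RPC dynamic port (default install)",
    137: "NetBIOS name service (NetBIOS over TCP/IP)",
    138: "NetBIOS datagram (NetBIOS over TCP/IP)",
    139: "NetBIOS session (NetBIOS over TCP/IP)",
    1723: "PPTP control channel (RRAS)",
    1701: "L2TP (RRAS)",
    520: "RIP (RRAS)",
    1434: "SQL Server resolution (MSDE/ODBC), Slammer target when unpatched",
}

# Constructed sample of 'netstat -an' output; not a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3012      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:520            *:*
  UDP    192.168.1.10:137       *:*
"""

# Proto, local addr:port, foreign addr, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listening_ports(netstat_text):
    """Return sorted (proto, port) pairs that accept inbound traffic."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED/TIME_WAIT rows are not open listeners
        found.add((proto, int(port)))
    return sorted(found)

def triage(netstat_text):
    """Label each open port; unknown ports need TCPView/fport to find the owner."""
    return {(proto, port): KNOWN_PORTS.get(port, "unknown: identify the owning process")
            for proto, port in listening_ports(netstat_text)}
```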
Geeze, thanks for all the help. (Score:2)
"network aware", that's great spin on crap that phones home and listens on random ports without telling you. Great of you also to mention how this helps worms propagate.
How about giving the man the benefit of the doubt and telling him what applications might be listening to 1723? He already knows that pptp or something is listening. What he needs to know is how to turn the shit off
Nobody_can_fix_it tizzy (Score:1)
RPC Config (Score:5, Informative)
http://www.microsoft.com/windows2000/techinfo/r
Also, port 445 is open, even if you disable File and Print Sharing. To fix that hole, open up regedit and change:
HKLM\System\CurrentControlSet\Services\NetBT\Pa
I've never had a problem with PPTP or the port you mentioned, maybe try disabling Routing and Remote Access, or other services.
I have my Win2k3 box only listening on 22, OpenSSHd and scp work like a champ.
Michael Johnson took over the NetworkSimplicity OpenSSH installer, which makes it too easy not to use SSH on Windows.
http://lexa.mckenna.edu/sshwindows/
-Vlad
OT, but of interest? (Score:1, Offtopic)
Even my VMware XP inside Linux can get on (it's how I write this message at the moment) but Linux proper is blocked.
traceroute shows incredible lag, ping is slow, and DNS is slowed to a crawl. How the hell would the router do this?
The guy who installed the router (**Not me!**) doesn't have a clue how to fix it, and the router's support people haven't deigned
Re:OT, but of interest? (Score:4, Informative)
Re:OT, but of interest? (Score:1)
Re:OT, but of interest? (Score:2, Funny)
TCP/IP settings... (Score:5, Informative)
Alternately, you could write a dummy service that listens on a port, accepts connections & throws all data away, forcing attackers to time-out.
Re:TCP/IP settings... (Score:2)
Windows services (Score:5, Informative)
My guess is Routing and Remote Access, which along with the alarming Remote Registry Service, should be one of the things you turn off by default on a new install. No different from turning off all the crap that is installed on a typical default Linux installation.
Re:Windows services (Score:2)
Try disabling IPSec. Really. (Score:1, Redundant)
Help, Ask Slashdot! (Score:5, Funny)
There is no documentation anywhere about how to return the fuel tank door to the "closed" position. I even called the dealer and they just laughed and said that nothing is wrong... please help!
She knows? (Score:1, Offtopic)
I have searched the net unsuccessfully, browsed news groups, asked my ISP techies, and even asked my wife.
If this is something that she might know, I suggest you improve your communication. If it's not, why did you bother? On the off-chance that she was bored from playing Minesweeper one day, so went tooling through her firewall configuration file?
Closing Ports (Score:5, Funny)
Of course, the only way to be sure is to try and cut pay to the longshoremen. Nothing will shut down a port tighter than a longshoremen's strike.
Oh, wait. This is slashdot.ORG not slashdot.MIL.
Never mind....
defense in depth (Score:2)
My links on Windows Security Software [akerman.ca] should give you some starting points.
Also note that PPTP uses not only TCP/UDP but also GRE (protocol 47).
Don't block a port, block a protocol! (Score:2)
Let me back up and explain:
IP datagrams just specify machines. They say packets are going from one computer to another, but they don't care what kind of data is in the packet.
Inside that packet is a specific protocol number. TCP packets use protocol number 6, UDP packets use protocol number 17, and ICMP packets use protocol number 1.
Then, based on the protocol number, the computer interprets the contents of the packet.
In this case, PPTP uses TCP traffic
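A worked example of the protocol-number point above and of the GRE remark in the "defense in depth" post (added here, not code from the thread): a minimal IPv4 header parser applied to two constructed packets, a PPTP control segment on TCP/1723 and a PPTP data packet carried directly in IP protocol 47 (GRE). The function names, addresses and packet bytes are assumptions for the demonstration; the protocol numbers are the IANA-assigned ones quoted on the page.

```python
import struct

# IP protocol numbers named in the thread.
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE = 1, 6, 17, 47
PPTP_CONTROL_PORT = 1723

def build_ipv4(proto, src, dst, payload):
    """Build a minimal 20-byte IPv4 header (no options, zero checksum) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return header + payload

def parse_ipv4(packet):
    """Return (protocol, src_port, dst_port); ports are None for portless protocols."""
    ihl = (packet[0] & 0x0F) * 4      # header length in bytes
    proto = packet[9]                 # the protocol field the post describes
    payload = packet[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", payload[:4])
        return proto, sport, dport
    return proto, None, None          # ICMP, GRE, ... carry no port numbers

def port_filter_blocks(packet):
    """A port-only rule ('block TCP 1723'): it can never match GRE."""
    proto, sport, dport = parse_ipv4(packet)
    return proto == PROTO_TCP and PPTP_CONTROL_PORT in (sport, dport)

def protocol_filter_blocks(packet):
    """Block the PPTP control port AND the GRE carrier protocol (47)."""
    proto, sport, dport = parse_ipv4(packet)
    if proto == PROTO_GRE:
        return True
    return proto == PROTO_TCP and PPTP_CONTROL_PORT in (sport, dport)

# Constructed sample packets (documentation addresses, not a real capture).
SRC, DST = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])
# PPTP control: TCP header starts with source port, destination port 1723.
PPTP_CONTROL = build_ipv4(PROTO_TCP, SRC, DST,
                          struct.pack("!HH", 40000, PPTP_CONTROL_PORT) + b"\x00" * 16)
# PPTP data: enhanced GRE header (K+S flags, version 1, protocol 0x880B = PPP), no ports.
PPTP_DATA = build_ipv4(PROTO_GRE, SRC, DST, b"\x30\x01\x88\x0b" + b"\x00" * 8)
```

The port rule stops the control connection but passes every GRE data packet; only the protocol-aware rule blocks both.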
Not the answer you're looking for (Score:3, Insightful)
I might even go so far as to say no desktop OS (Including Mdk, RH, SuSE and MacOS) should be directly connected.
Firewalls like IPCop, Smoothwall or OpenBSD can run on very modest hardware (486, maybe 386).
Sure it helps to close the ports on your workstations if you can, but firewall them too.
Try disabling the Network adapter (Score:2, Interesting)
As a side benefit, your machine will use fewer resources as well.
Easy fix. (Score:2, Funny)