HSC
Network Security Consulting Agency Since 1989 - Specialized in Unix, Windows, TCP/IP and Internet
Minimizing Windows Server 2003 network services

by Jean-Baptiste Marchand (25/03/2005)



	     -[ Minimizing Windows Server 2003 network services ]-


1. Introduction

This document is an evolution of the document

 Minimizing Windows network services - Examples with Windows 2000 and Windows XP

published for the first time in September 2002

 http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html

and explains how the same methodology can be applied to minimize network services
of Windows Server 2003 systems.

Windows network services are presented in detail in the _Windows network
services internals_ paper, available at

 http://www.hsc.fr/ressources/articles/win_net_srv/


2. Target

The hardening recommendations presented in this document will only be used for
isolated Windows Server 2003 systems (systems that are not part of an Active
Directory domain).

Depending on the target environment, only a subset of the recommendations will
be implemented.

Yet, it is possible to apply all recommendations on hardened systems (such as
servers used in DMZ).


3. Overview of default Windows Server 2003 network services

The netstat command can be used to enumerate running network services on a
default Windows Server 2003 system:

C:\>netstat -ano 

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       680
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       508
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       992
  TCP    192.70.106.144:139     0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    508
  UDP    0.0.0.0:1027           *:*                                    992
  UDP    0.0.0.0:1029           *:*                                    912
  UDP    0.0.0.0:4500           *:*                                    508
  UDP    127.0.0.1:123          *:*                                    992
  UDP    192.70.106.144:123     *:*                                    992
  UDP    192.70.106.144:137     *:*                                    4
  UDP    192.70.106.144:138     *:*                                    4


When the -o netstat option is used, the PID column contains the process
identifier of the process that bound a socket.

The tasklist command displays the translation between process identifiers and
executable names:

C:\>tasklist

Image Name                   PID Session Name        Session#    Mem Usage
========================= ====== ================ =========== ============
System Idle Process            0 Console                    0         16 K
System                         4 Console                    0        212 K
smss.exe                     372 Console                    0        456 K
csrss.exe                    428 Console                    0      3 656 K
winlogon.exe                 452 Console                    0      1 988 K
services.exe                 496 Console                    0      3 052 K
lsass.exe                    508 Console                    0      8 284 K
svchost.exe                  680 Console                    0      2 732 K
svchost.exe                  728 Console                    0      3 748 K
svchost.exe                  912 Console                    0      3 792 K
svchost.exe                  964 Console                    0      1 868 K
svchost.exe                  992 Console                    0     17 352 K
spoolsv.exe                 1220 Console                    0      4 876 K
msdtc.exe                   1248 Console                    0      3 944 K
svchost.exe                 1340 Console                    0      1 748 K
svchost.exe                 1372 Console                    0      1 304 K
dfssvc.exe                  1568 Console                    0      3 116 K
wmiprvse.exe                1932 Console                    0      4 564 K
explorer.exe                1816 Console                    0     17 012 K
ctfmon.exe                   560 Console                    0      2 304 K
msiexec.exe                  204 Console                    0      3 168 K
wpabaln.exe                 1004 Console                    0      2 460 K
cmd.exe                      280 Console                    0      1 468 K
wmiprvse.exe                 276 Console                    0      4 744 K
tasklist.exe                1268 Console                    0      3 244 K
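
The cross-reference between netstat -ano and tasklist /svc that this document
performs by hand can be scripted, so that the two outputs captured on the server
are audited offline. The following Python script is an added example and is not
part of the HSC document. Its netstat sample reproduces the listing above; its
tasklist /svc sample is constructed (the document only shows per-PID tasklist
/svc output for PIDs 508, 912 and 680, so the rows for PID 4 and PID 992 are
assumptions). It reports every socket that is not bound to the loopback address,
which is the state the minimization works towards.

```python
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto ip port pid")
Process = namedtuple("Process", "image services")

# Constructed sample: the netstat -ano listing of the default system shown
# above, embedded as a string so that the script runs offline.
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       680
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       508
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       992
  TCP    192.70.106.144:139     0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    508
  UDP    0.0.0.0:1027           *:*                                    992
  UDP    0.0.0.0:1029           *:*                                    912
  UDP    0.0.0.0:4500           *:*                                    508
  UDP    127.0.0.1:123          *:*                                    992
  UDP    192.70.106.144:123     *:*                                    992
  UDP    192.70.106.144:137     *:*                                    4
  UDP    192.70.106.144:138     *:*                                    4
"""

# Constructed sample of tasklist /svc output for the PIDs above. Only the
# rows for PIDs 508, 912 and 680 are taken from the document; the rows for
# PID 4 and PID 992 (svchost.exe hosting Schedule and W32Time) are assumed.
TASKLIST_SVC = """
Image Name                   PID Services
========================= ====== =============================================
System                         4 N/A
lsass.exe                    508 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  680 RpcSs
svchost.exe                  912 Dhcp, Dnscache
svchost.exe                  992 Schedule, W32Time
"""

# One socket per line: protocol, local ip:port, foreign address, optional
# state (TCP only) and the PID printed by the -o option.
_SOCKET_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+LISTENING)?\s+(\d+)\s*$")
# One process per line: image name, PID, comma-separated service list or N/A.
_PROCESS_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.+?)\s*$")


def parse_netstat_ano(text):
    """Return every listening TCP socket and bound UDP socket as a Socket."""
    sockets = []
    for line in text.splitlines():
        m = _SOCKET_RE.match(line)
        if m:
            proto, ip, port, pid = m.groups()
            sockets.append(Socket(proto, ip, int(port), int(pid)))
    return sockets


def parse_tasklist_svc(text):
    """Map each PID to the image name and the services it hosts."""
    procs = {}
    for line in text.splitlines():
        if line.startswith(("Image Name", "=")):
            continue
        m = _PROCESS_RE.match(line)
        if m:
            image, pid, svcs = m.groups()
            services = () if svcs == "N/A" else tuple(x.strip() for x in svcs.split(","))
            procs[int(pid)] = Process(image, services)
    return procs


def correlate(sockets, procs):
    """Pair every socket with its owning process, as the document does by hand."""
    unknown = Process("<unknown>", ())
    return [(s, procs.get(s.pid, unknown)) for s in sockets]


def exposed_sockets(rows, allowed=frozenset()):
    """Sockets reachable from the network.

    A socket is exposed unless it is bound to 127.x.x.x (0.0.0.0 covers every
    adapter) or its (proto, port) pair is on the allowed list for this role.
    """
    return [(s, p) for s, p in rows
            if not s.ip.startswith("127.") and (s.proto, s.port) not in allowed]


def report(rows):
    """Render rows as text lines: protocol, address, PID, image and services."""
    return [f"{s.proto:<4} {s.ip}:{s.port:<6} pid {s.pid:<5} {p.image:<12} "
            f"{', '.join(p.services) or '-'}" for s, p in rows]


if __name__ == "__main__":
    rows = correlate(parse_netstat_ano(NETSTAT_ANO), parse_tasklist_svc(TASKLIST_SVC))
    print("\n".join(report(exposed_sockets(rows))))
```

Substitute the two captures saved from the host for the embedded samples. A
socket bound to 0.0.0.0 is reported as exposed because it is bound on every
adapter; the allowed parameter takes the (protocol, port) pairs expected for
the server's role, so that the script reports only drift from the intended
baseline.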



4. TCP and UDP ports used by Windows Server 2003 default network services 

4.1 IPSEC Services (PolicyAgent)

The IPSEC Services service opens two UDP sockets:

 - one UDP socket bound to UDP port 500 (ISAKMP support)
 - one UDP socket bound to UDP port 4500 (NAT-T support)

These two UDP ports appear in netstat's output:

  UDP    0.0.0.0:500            *:*                                    508
  UDP    0.0.0.0:4500           *:*                                    508
                                                                       ^^^

508 corresponds to the PID of lsass.exe (the PolicyAgent service runs inside
the LSA process): 

C:\>tasklist /svc /fi "pid eq 508"

Image Name                   PID Services                                     
========================= ====== =============================================
lsass.exe                    508 PolicyAgent, ProtectedStorage, SamSs                      

Stopping the PolicyAgent service immediately closes the two UDP sockets:

C:\>net stop policyagent
The IPSEC Services service is stopping.
The IPSEC Services service was stopped successfully.


To set the startup mode of the PolicyAgent service to manual instead of
automatic (default configuration), use the following command:

C:\>sc config policyagent start= demand
[SC] ChangeServiceConfig SUCCESS


4.2 Windows Time service (w32time)


The Windows Time service opens one UDP socket bound to UDP port 123 for each
network adapter present on the system, plus the loopback IPv4 address
(127.0.0.1):

  UDP    127.0.0.1:123          *:*                                    992
  UDP    192.70.106.144:123     *:*                                    992
                                                                       ^^^

svchost.exe                  992 Console                    0     17 352 K
^^^^^^^^^^^                  ^^^

992 corresponds to the svchost.exe instance that hosts the w32time service.

Stopping the w32time service immediately closes all sockets bound to UDP port 123:

C:\>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

To set the startup mode of the w32time service to manual instead of
automatic (default configuration), use the following command:

C:\>sc config w32time start= demand
[SC] ChangeServiceConfig SUCCESS


4.3 NetBIOS over TCP/IP driver (NetBT support)

By design, the NetBIOS over TCP/IP driver binds 3 sockets on the IP address of
each network adapter.

These 3 sockets correspond to the 3 NetBIOS over TCP/IP services:
 - 137/UDP : NetBIOS name resolution service
 - 138/UDP : NetBIOS datagram service
 - 139/TCP : NetBIOS session service

In our example, 3 sockets are bound to the network adapter:

  TCP    192.70.106.144:139     0.0.0.0:0              LISTENING       4
  UDP    192.70.106.144:137     *:*                                    4
  UDP    192.70.106.144:138     *:*                                    4
                                                                       ^

4 corresponds to the System process and confirms that these sockets are bound by
the NetBIOS over TCP/IP driver (netbt.sys), running in kernel-mode.

NetBIOS over TCP/IP is not needed if all systems of the environment are running
Windows 2000 or later.

Disabling NetBIOS over TCP/IP support on all network adapters (choose
Disable NetBIOS over TCP/IP in the WINS tab of the network adapter's Advanced
TCP/IP Settings window) closes sockets bound to 137/udp, 138/udp and
139/tcp.


4.4 NetBIOS over TCP/IP driver (raw SMB support)

Starting with Windows 2000, the SMB protocol (Windows protocol behind Windows
resource sharing and remote administration capabilities) can be carried directly
into TCP, using TCP port 445.

Thus, the netbt.sys driver of recent Windows systems (including Windows Server
2003) binds two sockets, one on TCP port 445 and one on UDP port 445.

The purpose of the UDP socket is, to the best of our knowledge, not documented.

These two sockets are bound to all network adapters (0.0.0.0):

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4


To close these two sockets, it is possible to either:
 - stop the NetBT driver
 - set the SmbDeviceEnabled registry value to 0

Before the NetBT driver can be stopped, the Server (srv) and Workstation (rdr)
services, which depend on it, must be stopped with the following commands:

C:\>net stop /y srv 

The following services are dependent on the Server service.
Stopping the Server service will also stop these services.

   Distributed File System
   Computer Browser

The Distributed File System service was stopped successfully.

The Computer Browser service is stopping.
The Computer Browser service was stopped successfully.

The Server service is stopping.
The Server service was stopped successfully.

C:\>net stop rdr

The Workstation service is stopping.
The Workstation service was stopped successfully.

The netbt driver can then be stopped with the following command:

C:\>net stop /y netbt

The following services are dependent on the NetBios over Tcpip service.
Stopping the NetBios over Tcpip service will also stop these services.

   TCP/IP NetBIOS Helper

The TCP/IP NetBIOS Helper service was stopped successfully.


The NetBios over Tcpip service was stopped successfully.


Because of service dependencies, if the NetBT driver is disabled, the startup
mode of the following services must be set to manual or disabled:
 - Computer Browser service (Browser)
 - Distributed File System service (Dfs)
 - Server service (lanmanserver)
 - Workstation service (lanmanworkstation)
 - TCP/IP NetBIOS Helper (lmhosts)

To prevent netbt.sys from being started at the next system startup, its startup
mode must be set to manual:

C:\>sc config netbt start= demand
[SC] ChangeServiceConfig SUCCESS


Startup modes of all services that depend on it must also be modified:

C:\>sc config lmhosts start= demand
[SC] ChangeServiceConfig SUCCESS

C:\>sc config dfs start= demand
[SC] ChangeServiceConfig SUCCESS

C:\>sc config browser start= demand
[SC] ChangeServiceConfig SUCCESS

C:\>sc config lanmanserver start= demand
[SC] ChangeServiceConfig SUCCESS

C:\>sc config lanmanworkstation start= demand
[SC] ChangeServiceConfig SUCCESS

In addition, the Remote Registry service (RemoteRegistry) can be disabled,
because it is not possible to remotely access the registry when the Server
service is not started:

C:\>sc config remoteregistry start= demand
[SC] ChangeServiceConfig SUCCESS


4.5 DNS Client service (Dnscache)

The Windows Server 2003 DNS Client service is a caching DNS resolver used by
applications that need a DNS resolution service.

When started, the Dnscache service binds a UDP socket to communicate with DNS
servers on UDP port 53.

The UDP socket used by the Dnscache service appears in netstat's output:

  UDP    0.0.0.0:1029           *:*                                    912
                                                                       ^^^

912 corresponds to the svchost.exe instance that hosts the Dnscache service:

C:\>tasklist /svc /fi "pid eq 912"

Image Name                   PID Services                                     
========================= ====== =============================================
svchost.exe                  912 Dhcp, Dnscache                               
                                       ^^^^^^^^

Stopping the Dnscache service closes the dynamic UDP port:

C:\>net stop dnscache
The DNS Client service is stopping.
The DNS Client service was stopped successfully.


4.6 RPC services listening on TCP

The Windows Server 2003 LSA process (lsass.exe) runs several RPC services that
can be reached via a dynamic TCP port:

  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       508
                                                                       ^^^

As seen earlier, 508 corresponds to the LSA process (lsass.exe):

C:\>tasklist /svc /fi "pid eq 508"

Image Name                   PID Services                                     
========================= ====== =============================================
lsass.exe                    508 ProtectedStorage, SamSs                      


The Task Scheduler service runs several RPC services and also opens a dynamic TCP
port:

  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       992

Finally, the MSRPC portmapper and the COM SCM, both started by the RpcSs
service, use TCP port 135:

  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       680

680 corresponds to the svchost.exe instance that hosts the RpcSs service:

C:\>tasklist /svc /fi "pid eq 680"

Image Name                   PID Services                                     
========================= ====== =============================================
svchost.exe                  680 RpcSs                                        
                                 ^^^^^


In Windows Server 2003, the netsh rpc context can be used to specify that RPC
services listening on TCP ports (ncacn_ip_tcp protocol sequence) should only
bind to a specific network address.

Using netsh, it is possible to restrict these three RPC services so that they
only bind to the loopback IPv4 address (127.0.0.1):


C:\>netsh -c rpc

netsh rpc>show interfaces

Subnet          Interface       Status    Description

127.0.0.0       127.0.0.1       Enabled   MS TCP Loopback interface

192.70.106.128  192.70.106.144  Disabled  AMD PCNET Family PCI Ethernet Adapter

netsh rpc>show settings
Default

netsh rpc>add 127.0.0.0

netsh rpc>show settings 
Add List
127.0.0.0


After a reboot, the three RPC services only bind to 127.0.0.1, as shown below:

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:135          0.0.0.0:0              LISTENING       740
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       788
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       516


4.7 Setting a port range for dynamic ports used by RPC services 

By default, dynamic (TCP or UDP) ports opened by RPC servers are allocated in
the Windows default range of dynamic ports: 1025-5000.

It is possible to use a dedicated port range for these RPC services, so that it
is easier to identify running RPC services.

The rpccfg tool, part of the Windows Server 2003 Resource Kit tools, can be used
to set up a port range (5050-5070 in the following example):

C:\>rpccfg /pe 5050-5070
The following ports/port range will be used for Internet ports
        5050-5070

Default port allocation is from Intranet ports 

C:\>rpccfg /d 0
The following ports/port range will be used for Internet ports
        5050-5070

Default port allocation is from Internet ports 


Finally, the complete configuration of the RPC runtime can be displayed with the
/q option of rpccfg:


C:\>rpccfg /q
Admit List
      Subnet             Description
1    127.0.0.0       1  MS TCP Loopback interface


The following ports/port ranges will be used for Internet ports
        5050-5070

Default port allocation is from Internet ports


After a reboot, the three remaining RPC services only bind to 127.0.0.1 and the
two RPC services that previously used dynamic ports from the default range
(1025-5000) now use the first two ports from the range for Internet ports (5050
and 5051):

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:135          0.0.0.0:0              LISTENING       752
  TCP    127.0.0.1:5050         0.0.0.0:0              LISTENING       844
  TCP    127.0.0.1:5051         0.0.0.0:0              LISTENING       516


5. Windows Server 2003 SP1

In Windows Server 2003 SP1, a new netstat option, -b, can be used to directly
display the Windows service or process that opens each socket.

The output of the netstat -anb command on a default Windows Server 2003 SP1
system is shown below:

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1244
  RpcSs
  [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]

  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       856
  [lsass.exe]

  TCP    192.70.106.144:139     0.0.0.0:0              LISTENING       4
  [System]

  UDP    0.0.0.0:4500           *:*                                    856
  [lsass.exe]

  UDP    0.0.0.0:500            *:*                                    856
  [lsass.exe]

  UDP    0.0.0.0:445            *:*                                    4
  [System]

  UDP    0.0.0.0:1026           *:*                                    1296
  Dnscache
  [svchost.exe]

  UDP    127.0.0.1:123          *:*                                    1344
  W32Time
  [svchost.exe]

  UDP    192.70.106.144:137     *:*                                    4
  [System]

  UDP    192.70.106.144:123     *:*                                    1344
  W32Time
  [svchost.exe]

  UDP    192.70.106.144:138     *:*                                    4
  [System]
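
The netstat -anb format places the owning service (for services hosted in
svchost.exe) and the image name on the lines that follow each socket, so it
needs a small stateful parser rather than the line-by-line one that suffices
for netstat -ano. The Python function below is an added example and not code
from the HSC document; its sample input reproduces the SP1 listing above. The
tcp_ports helper makes the observation about the Task Scheduler port checkable:
the listening TCP ports of the SP1 capture no longer include a second dynamic
port.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto ip port pid service image")

# Constructed sample: the netstat -anb listing of a default Windows Server
# 2003 SP1 system shown above, embedded so that the parser runs offline.
NETSTAT_ANB = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1244
  RpcSs
  [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]

  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       856
  [lsass.exe]

  TCP    192.70.106.144:139     0.0.0.0:0              LISTENING       4
  [System]

  UDP    0.0.0.0:4500           *:*                                    856
  [lsass.exe]

  UDP    0.0.0.0:500            *:*                                    856
  [lsass.exe]

  UDP    0.0.0.0:445            *:*                                    4
  [System]

  UDP    0.0.0.0:1026           *:*                                    1296
  Dnscache
  [svchost.exe]

  UDP    127.0.0.1:123          *:*                                    1344
  W32Time
  [svchost.exe]

  UDP    192.70.106.144:137     *:*                                    4
  [System]

  UDP    192.70.106.144:123     *:*                                    1344
  W32Time
  [svchost.exe]

  UDP    192.70.106.144:138     *:*                                    4
  [System]
"""

_SOCKET_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+LISTENING)?\s+(\d+)\s*$")
_IMAGE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat_anb(text):
    """Parse netstat -anb output into Listener records.

    A record is a socket line, then an optional indented line naming the
    service (present only for services hosted in svchost.exe) and finally the
    image name in square brackets. A socket whose image line is missing is
    kept with image None rather than dropped.
    """
    listeners = []
    current, service = None, None
    for line in text.splitlines():
        m = _SOCKET_RE.match(line)
        if m:
            if current:  # previous record had no [image] line
                listeners.append(Listener(*current, service, None))
            proto, ip, port, pid = m.groups()
            current, service = (proto, ip, int(port), int(pid)), None
            continue
        m = _IMAGE_RE.match(line)
        if m and current:
            listeners.append(Listener(*current, service, m.group(1)))
            current = None
            continue
        if current and line.strip():
            service = line.strip()  # service name between socket and [image]
    if current:
        listeners.append(Listener(*current, service, None))
    return listeners


def tcp_ports(listeners):
    """Sorted list of listening TCP ports."""
    return sorted(l.port for l in listeners if l.proto == "TCP")


def owner(listeners, proto, port):
    """(service, image) of the first socket bound to proto/port, or None."""
    for l in listeners:
        if l.proto == proto and l.port == port:
            return (l.service, l.image)
    return None


if __name__ == "__main__":
    for l in parse_netstat_anb(NETSTAT_ANB):
        print(f"{l.proto:<4} {l.ip}:{l.port:<6} pid {l.pid:<5} "
              f"{(l.image or '?'):<12} {l.service or '-'}")
```

On a real capture, any text netstat prints between a socket line and its
image line (for example a message that ownership could not be obtained) ends
up in the service field, where it is visible rather than silently lost.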


It seems that in Windows Server 2003 SP1, the Task Scheduler service no longer
opens a TCP port for its RPC services. 

Thus, compared to a default Windows Server 2003 system, there is one less
listening TCP socket on a default Windows Server 2003 SP1 system.

Otherwise, the opened sockets are the same as those found on a default Windows
Server 2003 system, and the same methodology can be used.

6. Conclusion

Depending on the role and the environment, only a subset or all Windows Server
2003 network services will be minimized.

An isolated Windows Server 2003 system can be configured so that no listening
TCP port appears when it is scanned remotely with a network scanner.

However, when dealing with network services minimization, the most important
thing is not necessarily to close all ports, but rather to determine which
network communications are needed, analyze the risks associated with the
network services and decide which network services are needed, must be
hardened, filtered or disabled.


7. List of TCP and UDP ports used by Windows Server 2003 network services

TCP:
 135/tcp: Remote Procedure Call (RPC) service (RpcSs)
 139/tcp: NetBIOS over TCP/IP driver (netbt.sys)
 445/tcp: NetBIOS over TCP/IP driver (netbt.sys)
 One dynamic TCP port (LSA RPC services): lsass.exe
 One dynamic TCP port (RPC services): Task Scheduler service (schedule)
  -> not in Windows Server 2003 SP1
 
UDP:
 123/udp: Windows Time service (w32time)
 137/udp, 138/udp: NetBIOS over TCP/IP driver (netbt.sys)
 445/udp: NetBIOS over TCP/IP driver (netbt.sys)
 500/udp, 4500/udp: IPSEC Services service (PolicyAgent)
 One dynamic UDP port: DNS Client service (Dnscache)


For further information, see the list of network ports used by Windows systems
in Microsoft Knowledge Base article 832017:

http://support.microsoft.com/?id=832017

Because the RpcSs service cannot be disabled and the lsass.exe process cannot
be stopped, a Windows Server 2003 system will, at a minimum, always have two
listening TCP sockets; they can be bound only to 127.0.0.1 if the RPC subsystem
has been explicitly configured with netsh, as shown earlier:

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:135          0.0.0.0:0              LISTENING       740
  TCP    127.0.0.1:5050         0.0.0.0:0              LISTENING       788

$Id: min_w2k3_net_srv.tip,v 1.10 2005/04/07 08:16:18 marchand Exp $



Last modified on 7 April 2005 at 11:40:49 CET - webmaster@hsc.fr
© 1989-2013 Hervé Schauer Consultants