Security, Security, Security

Ports are a good way in, and often remain unchecked.

• By Don Jones
• April 09, 2004

Are you tired of hearing about security, yet? It seems every new week brings a new e-mail virus, security patch, or Windows hack—if not all three! This week I've been helping a customer clean up their environment. We discovered that the MyDoom virus—remember that one?—was still up and running on a number of their machines. Fortunately, they had antivirus software that could remove the thing. Pity, the software hadn't been updated to prevent MyDoom in the first place, but oh, well. I mention it because many of the MyDoom variants open backdoors on computers, allowing the virus' author to access the computers remotely. This is done by opening a TCP port, and it's that port that led us to discover MyDoom on those computers in the first place.

Check Yer Ports
Ports, as you know, are the key to TCP/IP communications. All Windows computers open a number of ports for both connectionless User Datagram Protocol (UDP) traffic and for connection-oriented Transport Control Protocol (TCP) traffic. IIS, for example, usually listens on TCP port 80 for incoming HTTP traffic. It's a great idea to occasionally check your computers—especially servers—to see what ports they're listening on. That way, you can spot any unexpected ports and lock them down, if necessary. And the good news is that checking ports won't cost you a dime: Just run netstat -a from a command-line window.

Expect to see a number of ports open on the typical Windows Server 2003 or Windows XP computer. TCP port 3389 is for Remote Desktop traffic, 80 is for Web servers and 20 and 21 are for FTP servers, and so forth. Watch primarily for ports listed as "LISTENING," since those are the ports on which new traffic can be accepted by the computer. Expect to see a lot of "ESTABLISHED" connections on odd-numbered ports: Those are generally RPC traffic, which selects a port somewhat at random to work with.

You should also expect to see a lot of port numbers, as opposed to names. Windows knows a few number-to-name translations and will list them in the netstat -a output, but for the most part you just get numbers. You can translate those numbers into protocol names by using the chart at www.iana.org/assignments/port-numbers. This helpful list, maintained by the Internet Assigned Numbers Authority, is updated very frequently. It doesn't seek to be authoritative, but rather comprehensive. In other words, you may see multiple protocols listed for a single port number, meaning two different application manufacturers happened to pick that port for their product. That doesn't happen often, since manufacturers use this list to look for port conflicts before selecting ports for their products to use.

Micro Tip Sheet Tired of typing "cd" to change directories at the command line? Install Microsoft's "Command Window Here" power toy. You'll be able to right-click folders in Explorer and open a command-line window in the right folder to start with. Ever wonder why Windows Update and Software Update Services can't also process updates for things like Microsoft Office? Wonder no more, because Windows Update 5 and Software Update Services 2.0 are coming very soon, and they'll handle a much broader range of updates. [Also see "Software Update Services Overhauled," at ENTmag.com.—Editor.]

More Resources
Use a port scanner, such as the free one from www.insecure.org/nmap, to remotely check the computers on your network for open ports.

Visit http://us.mcafee.com/virusInfo/default.asp for information on viruses, like MyDoom, which may open ports on your network.