Security, Security, Security
Ports are a good way in, and often remain unchecked.
- By Don Jones
- April 09, 2004
Are you tired of hearing about security, yet? It seems every new week
brings a new e-mail virus, security patch, or Windows hack—if not
all three! This week I've been helping a customer clean up their environment.
We discovered that the MyDoom virus—remember that one?—was still
up and running on a number of their machines. Fortunately, they had antivirus
software that could remove the thing. Pity, the software hadn't been updated
to prevent MyDoom in the first place, but oh, well. I mention it because
many of the MyDoom variants open backdoors on computers, allowing the
virus' author to access the computers remotely. This is done by opening
a TCP port, and it's that port that led us to discover MyDoom on those
computers in the first place.
Check Yer Ports
Ports, as you know, are the key to TCP/IP communications. All Windows
computers open a number of ports for both connectionless User Datagram
Protocol (UDP) traffic and for connection-oriented Transport Control Protocol
(TCP) traffic. IIS, for example, usually listens on TCP port 80 for incoming
HTTP traffic. It's a great idea to occasionally check your computers—especially
servers—to see what ports they're listening on. That way, you can
spot any unexpected ports and lock them down, if necessary. And the good
news is that checking ports won't cost you a dime: Just run netstat
-a from a command-line window.
Expect to see a number of ports open on the typical Windows Server 2003
or Windows XP computer. TCP port 3389 is for Remote Desktop traffic, 80
is for Web servers and 20 and 21 are for FTP servers, and so forth. Watch
primarily for ports listed as "LISTENING," since those are the
ports on which new traffic can be accepted by the computer. Expect to
see a lot of "ESTABLISHED" connections on odd-numbered ports:
Those are generally RPC traffic, which selects a port somewhat at random
to work with.
You should also expect to see a lot of port numbers, as opposed to names.
Windows knows a few number-to-name translations and will list them in
the netstat -a output, but for the most part you just get numbers. You
can translate those numbers into protocol names by using the chart at
This helpful list, maintained by the Internet Assigned Numbers Authority,
is updated very frequently. It doesn't seek to be authoritative, but rather
comprehensive. In other words, you may see multiple protocols listed for
a single port number, meaning two different application manufacturers
happened to pick that port for their product. That doesn't happen often,
since manufacturers use this list to look for port conflicts before selecting
ports for their products to use.
Tired of typing "cd" to change directories
at the command line? Install Microsoft's "Command
Window Here" power toy. You'll be able to right-click
folders in Explorer and open a command-line window in
the right folder to start with.
Ever wonder why Windows Update and Software Update
Services can't also process updates for things like
Microsoft Office? Wonder no more, because Windows
Update 5 and Software Update Services 2.0 are coming
very soon, and they'll handle a much broader range of
updates. [Also see "Software
Update Services Overhauled," at ENTmag.com.—Editor.]
Use a port scanner, such as the free one from www.insecure.org/nmap,
to remotely check the computers on your network for open ports.
for information on viruses, like MyDoom, which may open ports on your
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.