One vulnerable aspect of "Windows out of the box" is the UDP and TCP ports it uses to support file and print sharing, directory services and name resolution. Using these ports on any local area network for these purposes is tolerable. But for any link to the Internet, they definitely are not. One of my favorite security tools makes a compelling case for why you should never utilize either one. (See the screen text capture below, picked up verbatim from my Windows 2000 Professional laptop on my home network).
FPort v2.0 - TCP/IP Process to Port Mapper Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com Pid Process Port Proto Path 412 svchost -> 135 TCP C:WINNTsystem32svchost.exe 8 System -> 139 TCP 8 System -> 445 TCP 608 ccPxySvc -> 1025 TCP C:Program FilesNorton Internet SecurityccPxySvc.exe 832 MSTask -> 1026 TCP C:WINNTsystem32MSTask.exe 8 System -> 1027 TCP 1136 ccApp -> 1031 TCP C:Program FilesCommon FilesSymantec SharedccApp.exe 8 System -> 137 UDP 8 System -> 138 UDP 8 System -> 445 UDP 232 lsass -> 500 UDP C:WINNTsystem32lsass.exe 1032 OUTLOOK -> 1360 UDP C:Program FilesMicrosoft OfficeOfficeOUTLOOK.EXE 532 IEXPLORE -> 3549 UDP C:Program FilesInternet ExplorerIEXPLORE.EXE 1144 IEXPLORE -> 3600 UDP C:Program FilesInternet ExplorerIEXPLORE.EXE 232 lsass -> 4500 UDP C:WINNTsystem32lsass.exe
The tool in the illustration here is FPort. It's from a company named Foundstone. It's a company that includes as principals two of the folks behind the wildly successful (and entirely useful) Hacking Exposed books—namely George Kurtz and Stuart McClure. It also includes long-time PC Magazine programming editor, book author, and Windows guru Chris Prosise.
FPort lists all open TCP and UDP ports it discovers, along with the associated process ID (Pid) and process name (Process). The tool is free, easy to download, and a snap to use; in the directory where Fport.exe resides, open a command window and type Fport at the command line.
Why is this tool valuable? Because it shows all TCP and UDP ports open on the machine where it runs. This defines the set of ports you should inspect and block at the interface (or firewall) that connects your machine or network to the Internet. For the screen display shown above, you'd want to close all ports shown below 1,024 and be pretty picky about which applications (namely, the Task Scheduler, MSTask.exe; various elements of Norton Internet Security, Internet Explorer and so forth) are allowed Internet access.
By combining judicious external scans of your system(s) or network (readily available at Gibson Research or Symantec (to name just two of many such tools) with the "inside view" that FPort provides, you can easily learn what ports to check and block, as needed.
Thomas Alexander Lancaster IV is a consultant and author with over 10 years experience in the networking industry, focused on Internet infrastructure.
This was first published in December 2003