06-19-2008 11:01 PM - edited 03-11-2019 06:02 AM
For a long time now I've been trying to get a handle on what is really required for MS hosts to talk to other MS hosts, but googled doco is scant.
The MS site does not seem to acknowledge the existence of UDP or TCP (surprised: Not me!)
Also in the predefined services of the ASA there is nothing for 135 (both TCP and UDP, I believe) ... this is pretty weird as it is the MS end point mapper and therefore very common.
Any info or links to definitive stuff would be useful.
BTW: I am, of course, not letting this MS chatter move over OUTSIDE interfaces .. we have many internal FWs and pvt links into customers where some of this dodgy MS stuff is required in order to support the customers.
Thanks in advance,
Mike
06-20-2008 03:35 AM
Actually most organizations which are conscious about security don't even allow file sharing directly between hosts. A file-sharing server is set up for this (do a google search for Microsoft DFS). Users are given access to this (with personal folders for each). This makes access control relatively easy. This also reduces the damage caused by worms and other malware.
Regards
Farrukh
06-22-2008 04:47 PM
Thanks Farrukh,
I'm well aware of the dangers of the basic Microsoft ports; unfortunately there are a number of apps used by our organization that require some or all of the NetBIOS gunk - the HP-OVO suite and Radia most specifically.
I'm just finding it really difficult, even with the help of everyone's friend Google, to determine whether these ports are UDP or TCP. Microsoft documentation seems to not realize there is a difference; and HP doco does not seem to provide any information at all.
Also I'm still looking for an index of the predefined ports in the ASA OS. I can't understand why there would be several predefined NetBIOS ports but 135 (seemingly UDP & TCP) - the vital MS end-point mapper - is not defined. Nor the newer SMB TCP&UDP-445 port.
So my query is not only about these 'common' (but ill-defined) MS ports, but what is in the list and why are there glaring omissions?
Regards,
Mike
06-22-2008 05:09 PM
Hi again,
Just had a look at DFS .. we already use it across our multiple sites but these are 'internal' and connected by pvt WAN.
Despite my last post and references to other apps using the annoying NetBIOS stuff, there is still a need for file sharing across FW boundaries - internal & various levels of DMZ (most of these not accessible to the 'outside' but rather cordoned off areas of server groups).
But even using DFS there is a need for ports opened on a FW - possibly both directions for DFS. Do you know what these are?
Mike
06-22-2008 10:16 PM
Please check the ports listed under DFS on this link:
http://support.microsoft.com/kb/832017#
Distributed File System
The Distributed File System (DFS) integrates disparate file shares that are located across a local area network (LAN) or wide area network (WAN) into a single logical namespace. The DFS service is required for Active Directory domain controllers to advertise the SYSVOL shared folder.
System service name: Dfs
Application protocol                   Protocol   Ports
NetBIOS Datagram Service               UDP        138
NetBIOS Session Service                TCP        139
LDAP Server                            TCP        389
LDAP Server                            UDP        389
SMB                                    TCP        445 ****
RPC                                    TCP        135 ****
Randomly allocated high TCP ports      TCP        random port number between 1024 - 65535*

* For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.
Regards
Farrukh
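As an added illustration (not from this thread, the KB article, or Cisco's documentation), here is how the DFS ports from the table above could be written on an ASA using numeric ports, which sidesteps the question of which services are predefined. The object-group names, the client/server addresses and the interface name "dmz" are assumptions.

```text
! Hypothetical ASA config: DFS ports from KB 832017, numeric so no predefined names are needed
object-group network DFS-CLIENTS
 network-object 10.2.0.0 255.255.0.0
object-group network DFS-SERVERS
 network-object host 10.1.1.10
!
! TCP ports from the DFS table (RPC endpoint mapper 135, NetBIOS session 139, LDAP 389, SMB 445)
object-group service DFS-TCP tcp
 port-object eq 135
 port-object eq 139
 port-object eq 389
 port-object eq 445
!
! UDP ports from the DFS table (NetBIOS datagram 138, LDAP 389)
object-group service DFS-UDP udp
 port-object eq 138
 port-object eq 389
!
! Only DFS clients may reach DFS servers, and only on the listed ports
access-list DMZ-IN extended permit tcp object-group DFS-CLIENTS object-group DFS-SERVERS object-group DFS-TCP
access-list DMZ-IN extended permit udp object-group DFS-CLIENTS object-group DFS-SERVERS object-group DFS-UDP
!
! RPC's "randomly allocated high TCP ports": the KB's "Remote Procedure Calls and DCOM"
! section describes restricting this range on the Windows side; narrow this rule to
! whatever range you configure there rather than leaving the full 1024-65535 open.
access-list DMZ-IN extended permit tcp object-group DFS-CLIENTS object-group DFS-SERVERS range 1024 65535
!
! Everything else is dropped by the implicit deny at the end of the list
access-group DMZ-IN in interface dmz
```

Recent ASA releases also have DCERPC inspection (inspect dcerpc in a policy-map), which tracks the endpoint-mapper exchange on 135 and opens only the negotiated high port, so check whether your version supports it before permitting the whole range.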
06-23-2008 12:16 AM
Thanks Farrukh, useful link.
See my attachment if you want a handy Excel spreadsheet of same (but without the useful tips your link provides).
Still got all the MS gunk though; looks like we'll never escape it.
And still no reason why Cisco have not predefined TCP-135, the most used MS port (they have Sun's version). Oh well, chalk it down as an oversight.
Also no listing/index of ASA predefined ports that I can find. I'll just have to hold my mouse cursor over each item and wait for the pop-up. Or hope they call the port the same thing as everyone else.
Regards,
Mike
06-23-2008 12:55 AM
Yup we used this document to make security policies for our customers.
Don't focus too much on the pre-defined ports of the ASA/PIX, it seems this is an issue they don't focus much on.
Please rate helpful posts. Regards
Farrukh