
Windows 2003 Domain Controller (Open Port 593)

Posted by netmon on December 18, 2006, 4:48 pm
I have just set up a new Windows 2003 domain controller and after
setting up the DC I ran a quick nmap scan of the box and have two open
ports which concern me. They are ports 593 and 1026. I did a quick
Google and port 593 (opened by svchost.exe) is related to
http-rpc-epmap and port 1026 (opened by lsass.exe) is related to
lsa-or-nterm. I do not have RPC over HTTP Proxy enabled, and just to
make sure I have double checked this by going to Add/Remove Windows
Components / Networking Services, and RPC over HTTP Proxy is not enabled.
My question is: how can I remove these, or are they necessary services
needed by the OS? I do not have an Exchange environment and IIS is not
installed.


Posted by Roger Abell [MVP] on December 19, 2006, 2:17 am
I think you may have misinterpreted the KB
http://support.microsoft.com/kb/826382
tcp 593 is not there due to use of rpc/http proxy, and the KB says how
to plug up rpc/http proxy (if it exists on a box) so that it cannot
get to DCOM via tcp 593.
Yes, this is admittedly confusing, but check the following
http://support.microsoft.com/kb/832017
which really does clarify that this port is part of the RpcSs implementation.

I would suggest, if this were not a DC, that you try disabling
DCOM on the box, but it is a DC. (start/run dcomcnfg, then
dig into the Default Properties page of Component Services\My Computer:
right-click Properties on My Computer in Component Services.)
On the other hand, the second KB ref given does list RPC Locator,
but not RPC Https locator, as a requirement for DCs.

Seeing a dynamic port (ex 1026) coming and going in association
with LsaSs is not unusual.

Did you do something such as tasklist /svc to see what is in the svchost
instance you are associating with the tcp 593 binding?


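The check Roger describes (which services live in the svchost instance that owns the tcp 593 listener) can be done in one pass by joining the output of netstat -ano with tasklist /svc on the PID column. This is an added example, not code from the thread; it assumes PowerShell 2.0 or later, and the port numbers, PIDs and service names in its built-in sample data are constructed to mirror the thread, not taken from a real host.

```powershell
# Added example: map each LISTENING TCP port to its owning process and, for
# svchost.exe, to the service group hosted inside it. Run with -Live on a
# real box; without -Live it parses constructed sample output instead.
param([switch]$Live)

if ($Live) {
    # Real tool output: netstat gives the PID per socket, tasklist /svc gives
    # the services per PID. /fo csv /nh makes tasklist easy to parse.
    $netstatLines  = netstat -ano | Where-Object { $_ -match 'LISTENING' }
    $tasklistLines = tasklist /svc /fo csv /nh
} else {
    # Constructed sample, shaped like the real output (values are made up).
    $netstatLines = @(
        '  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       1012',
        '  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       472'
    )
    $tasklistLines = @(
        '"svchost.exe","1012","RpcSs"',
        '"lsass.exe","472","kdc,Netlogon,NTDS,SamSs"'
    )
}

# Index tasklist rows by PID so each socket can be resolved to image + services.
$byPid = @{}
foreach ($row in ($tasklistLines | ConvertFrom-Csv -Header Image,PID,Services)) {
    $byPid[[int]$row.PID] = $row
}

# netstat columns: proto, local address, foreign address, state, PID.
$rows = foreach ($line in $netstatLines) {
    $f = $line.Trim() -split '\s+'
    if ($f.Count -lt 5) { continue }
    $owningPid = [int]$f[4]
    # Last ':'-separated token is the port; works for 0.0.0.0:593 and [::]:593.
    $port = [int](($f[1] -split ':')[-1])
    $image = '?'; $services = '?'
    $owner = $byPid[$owningPid]
    if ($owner) { $image = $owner.Image; $services = $owner.Services }
    New-Object PSObject -Property @{
        Port = $port; PID = $owningPid; Image = $image; Services = $services
    }
}

# A port whose Image is svchost.exe and Services is RpcSs is the endpoint
# mapper's ncacn_http listener, which KB 832017 lists as part of RpcSs.
$rows | Sort-Object Port | Format-Table Port,PID,Image,Services -AutoSize
```

Look for the tcp 593 row: if Services reads RpcSs, the listener belongs to the RPC subsystem itself rather than the RPC over HTTP Proxy component, which is the point of the two KB articles.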



Posted by netmon on December 19, 2006, 1:30 pm
You are correct with the assumption that I had misinterpreted
http://support.microsoft.com/kb/826382.
After reviewing http://support.microsoft.com/kb/832017 it looks like
there is nothing I can do about the port opening as it is needed by
the OS. I should have included in my first post that the svchost.exe
was using the RpcSs services. Thank you for the quick response and
article 832017.



Posted by netmon on December 19, 2006, 1:49 pm
edit: should have included in my first post that the svchost.exe is
using the RpcSs services on port 593 and lsass.exe is using port 1026.



Posted by Roger Abell [MVP] on December 19, 2006, 7:24 pm
Yep, that is a fairly good KB.
It is difficult to shield DCs in too much detail
(but there is another KB on it, DCs and firewalls).

Cheers,
--
ra



