Click here to get back home

Windows 2003: Netstat results mention microsoft-ds
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Windows 2003: Netstat results mention microsoft-ds J.S. 12-04-2006
Posted by J.S. on December 4, 2006, 1:40 am
Please log in for more thread options
 Folks,

My netstat results show a connection from microsoft-ds to a port on my
server and another from that port to microsoft-ds. The microsoft site
doesn't seem to have much information about it.

Does this have any security implications?

Also, while looking for information on port 1383 I saw that the
description mentioned GW Hannaway Network License Manager. Is it ok to
have this port open on a windows 2003 server?

Thanks,
J.S.

Posted by Miha Pihler [MVP] on December 4, 2006, 4:14 am
Please log in for more thread options
 Hi,

What information are you looking for? Microsoft-DS TCP port is TCP port 445.
This port is also commonly referred to as SMB or CIFS.

About 1383 port. Since Windows will often dynamically assign ports to
different services it is hard to tell what actually runs behind this port
(which service). Once way to find out is to run following command...

netstat -nb | more

It will display something like this...

TCP 10.10.190.74:1956 10.10.2.46:3389 ESTABLISHED 2072
[mstsc.exe]

This means that mstsc program is connecting from IP address 10.10.190.74 to
10.10.2.46 on TCP port 3389...

After you know which service is running on this port, you can decide if you
need it or if it can be shut down and disabled.

--
Mike
Microsoft MVP - Windows Security

> Folks,
>
> My netstat results show a connection from microsoft-ds to a port on my
> server and another from that port to microsoft-ds. The microsoft site
> doesn't seem to have much information about it.
>
> Does this have any security implications?
>
> Also, while looking for information on port 1383 I saw that the
> description mentioned GW Hannaway Network License Manager. Is it ok to
> have this port open on a windows 2003 server?
>
> Thanks,
> J.S.



Posted by J.S. on December 4, 2006, 5:27 am
Please log in for more thread options
Hi Mike,

Thanks for your response. I was just trying to figure out whether
something I saw in the netstat results was a likely security concern.

When I use only netstat the first two lines shows this:

Proto        Local Address                Foreign Address                State
TCP        myserver:microsoft-ds        myserver:1383                Established
TCP        myserver:1383                myserver:microsoft-ds        Established


When I did netstat -nb | more, as you suggested I got this:
Proto        Local Address                Foreign Address        State                PID                
TCP 127.0.0.1:445 127.0.0.1:1383         ESTABLISHED         4
[System]

TCP 127.0.0.1:1383 127.0.0.1:445        ESTABLISHED         4
[System]


I am not sure why my localhost is connecting to itself. Could it be
because I am running a DNS server? (I know my questions must seem very
silly to those who actually know about this stuff).

Could you recommend any specific resources to learn more about Windows
2003 server security?

Thanks,
J.S.

Miha Pihler [MVP] wrote:
> Hi,
>
> What information are you looking for? Microsoft-DS TCP port is TCP port 445.
> This port is also commonly referred to as SMB or CIFS.
>
> About 1383 port. Since Windows will often dynamically assign ports to
> different services it is hard to tell what actually runs behind this port
> (which service). Once way to find out is to run following command...
>
> netstat -nb | more
>
> It will display something like this...
>
> TCP 10.10.190.74:1956 10.10.2.46:3389 ESTABLISHED 2072
> [mstsc.exe]
>
> This means that mstsc program is connecting from IP address 10.10.190.74 to
> 10.10.2.46 on TCP port 3389...
>
> After you know which service is running on this port, you can decide if you
> need it or if it can be shut down and disabled.
>

Posted by Miha Pihler [MVP] on December 4, 2006, 3:05 pm
Please log in for more thread options
Hi,

Here are some good articles and white papers on security...

http://www.microsoft.com/security/default.mspx

Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017&Product=winsvr2003

Threats and Countermeasures
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch00.mspx

Windows Server 2003 Security Guide
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

--
Mike
Microsoft MVP - Windows Security

> Hi Mike,
>
> Thanks for your response. I was just trying to figure out whether
> something I saw in the netstat results was a likely security concern.
>
> When I use only netstat the first two lines shows this:
>
> Proto Local Address Foreign Address State
> TCP myserver:microsoft-ds myserver:1383 Established
> TCP myserver:1383 myserver:microsoft-ds Established
>
>
> When I did netstat -nb | more, as you suggested I got this:
> Proto Local Address Foreign Address State PID TCP 127.0.0.1:445
> 127.0.0.1:1383 ESTABLISHED 4
> [System]
>
> TCP 127.0.0.1:1383 127.0.0.1:445 ESTABLISHED 4
> [System]
>
>
> I am not sure why my localhost is connecting to itself. Could it be
> because I am running a DNS server? (I know my questions must seem very
> silly to those who actually know about this stuff).
>
> Could you recommend any specific resources to learn more about Windows
> 2003 server security?
>
> Thanks,
> J.S.
>
> Miha Pihler [MVP] wrote:
>> Hi,
>>
>> What information are you looking for? Microsoft-DS TCP port is TCP port
>> 445. This port is also commonly referred to as SMB or CIFS.
>>
>> About 1383 port. Since Windows will often dynamically assign ports to
>> different services it is hard to tell what actually runs behind this port
>> (which service). Once way to find out is to run following command...
>>
>> netstat -nb | more
>>
>> It will display something like this...
>>
>> TCP 10.10.190.74:1956 10.10.2.46:3389 ESTABLISHED
>> 2072
>> [mstsc.exe]
>>
>> This means that mstsc program is connecting from IP address 10.10.190.74
>> to 10.10.2.46 on TCP port 3389...
>>
>> After you know which service is running on this port, you can decide if
>> you need it or if it can be shut down and disabled.
>>



Posted by J.S. on December 4, 2006, 3:13 pm
Please log in for more thread options
Thanks, Mike. I appreciate the links.

J.S.


Miha Pihler [MVP] wrote:
> Hi,
>
> Here are some good articles and white papers on security...
>
> http://www.microsoft.com/security/default.mspx
>
> Service overview and network port requirements for the Windows Server system
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017&Product=winsvr2003
>
> Threats and Countermeasures
>
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch00.mspx
>
> Windows Server 2003 Security Guide
>
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
>

Similar ThreadsPosted
W2K netstat detects port 1433 is listenning but fport does NOT..., can't start mission critical sql server !!! October 14, 2005, 1:20 pm
Windows 2000 Domain, Windows 2003 Enterprise CA July 15, 2005, 2:07 pm
Windows 2008 CA can't issue to Windows 2003 server June 25, 2008, 11:53 am
Windows server 2003 and Windows SBS Cost ? August 25, 2005, 11:19 pm
Applying Windows 2003 policies to Windows XP June 24, 2008, 2:34 pm
Is it possible to use the Windows 2003 user names instead of pre-Windows 2000 user names in Windows Authentication? September 5, 2006, 9:27 am
Windows 2003 PKI August 23, 2005, 9:51 am
WMI and Windows 2003 SP1 June 28, 2006, 10:14 am
Windows 2003 August 30, 2007, 6:41 pm
Windows 2003 SP1 Question. May 31, 2005, 9:44 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap