One vulnerable aspect of "Windows out of the box" is the set of UDP and TCP ports it opens to support file and print sharing, directory services and name resolution (the NetBIOS over TCP/IP, SMB and RPC services). Using these ports on a local area network for those purposes is tolerable. Exposing them on any link to the Internet definitely is not. One of my favorite security tools makes a compelling case for why those ports should never be reachable from the Internet. (See the screen text capture below, picked up verbatim from my Windows 2000 Professional laptop on my home network.)
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto  Path
412   svchost        ->  135   TCP    C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
608   ccPxySvc       ->  1025  TCP    C:\Program Files\Norton Internet Security\ccPxySvc.exe
832   MSTask         ->  1026  TCP    C:\WINNT\system32\MSTask.exe
8     System         ->  1027  TCP
1136  ccApp          ->  1031  TCP    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
8     System         ->  137   UDP
8     System         ->  138   UDP
8     System         ->  445   UDP
232   lsass          ->  500   UDP    C:\WINNT\system32\lsass.exe
1032  OUTLOOK        ->  1360  UDP    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
532   IEXPLORE       ->  3549  UDP    C:\Program Files\Internet Explorer\IEXPLORE.EXE
1144  IEXPLORE       ->  3600  UDP    C:\Program Files\Internet Explorer\IEXPLORE.EXE
232   lsass          ->  4500  UDP    C:\WINNT\system32\lsass.exe
The tool shown above is FPort, from Foundstone, a company whose principals include two of the folks behind the wildly successful (and entirely useful) Hacking Exposed books, George Kurtz and Stuart McClure, as well as long-time PC Magazine programming editor, book author, and Windows guru Chris Prosise.
FPort lists every TCP and UDP port the host has open, along with the process ID (Pid), the process name (Process) and, where it can read it, the full path of the executable that owns the socket (Path). The tool is free, easy to download, and a snap to use: in the directory where Fport.exe resides, open a command window and type Fport at the command line.
Why is this tool valuable? Because it shows every TCP and UDP port open on the machine where it runs, and that set is exactly what you should inspect and block at the interface (or firewall) that connects your machine or network to the Internet. For the display above, you'd want to close everything below 1,024: the RPC endpoint mapper on 135/TCP, the NetBIOS name, datagram and session services on 137/UDP, 138/UDP and 139/TCP, SMB over TCP on 445 (both protocols), and the IKE port 500/UDP owned by lsass, which belongs with its companion 4500/UDP and is only worth keeping if you actually run IPsec across that link. Above 1,024 you'd want to be pretty picky about which applications (the Task Scheduler, MSTask.exe; the various elements of Norton Internet Security; Internet Explorer and so forth) are allowed Internet access. Bear in mind that the high UDP ports bound by Outlook and Internet Explorer are client-side sockets in use at that moment; they come and go, which is one reason to filter by application rather than by port number above 1,024. And because this is a laptop, the same filtering needs to live on the machine itself for the days it is plugged into a network with no perimeter firewall in front of it.
By combining judicious external scans of your system(s) or network (readily available from Gibson Research or Symantec, to name just two of many such services) with the "inside view" that FPort provides, you can easily learn what ports to check and block, as needed.
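FPort itself dates from 2000, so here is the same inside view on a current Windows host, as an added example that is not code from the original article or from Foundstone. It assumes Windows 8 / Server 2012 or later (where the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets exist) and an elevated PowerShell session so that the image paths of SYSTEM-owned sockets are readable; the port lists, the function names and the firewall rule names are my own choices for the illustration.

```powershell
# Added example, not from the original article or from Foundstone. Reproduces
# FPort's Pid/Process/Port/Proto/Path view with the NetTCPIP cmdlets and then
# flags the "Windows out of the box" ports the article says must never face the
# Internet. Run elevated, or the Path column is empty for SYSTEM-owned sockets.

# Ports the article calls out (RPC endpoint mapper, NetBIOS, SMB). IKE/IPsec on
# 500 and 4500 UDP are lsass sockets; they are listed for review rather than
# blocked outright, because a machine that uses an IPsec VPN needs them.
$blockTcp  = 135, 139, 445
$blockUdp  = 137, 138, 445
$reviewUdp = 500, 4500

function Get-PortMap {
    # One record per bound socket, in FPort's column order.
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

    foreach ($sock in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $sock.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '?' }
        $path = if ($proc -and $proc.Path) { $proc.Path } else { '' }
        [pscustomobject]@{
            Pid     = $sock.OwningProcess
            Process = $name
            Port    = $sock.LocalPort
            Proto   = $sock.Proto
            Address = $sock.LocalAddress   # 0.0.0.0 or :: means every interface
            Path    = $path
        }
    }
}

function Find-ExposedPorts {
    param([Parameter(Mandatory)] $PortMap)
    # Sockets that match the article's "block everything below 1,024" advice.
    $PortMap | Where-Object {
        ($_.Proto -eq 'TCP' -and $_.Port -in $blockTcp) -or
        ($_.Proto -eq 'UDP' -and $_.Port -in $blockUdp)
    }
}

$map = Get-PortMap | Sort-Object Proto, Port, Pid
$map | Format-Table Pid, Process, Port, Proto, Address, Path -AutoSize

$exposed = Find-ExposedPorts -PortMap $map
if ($exposed) {
    Write-Host "`nBound to Internet-unsafe ports (block these at the perimeter):"
    $exposed | Format-Table Pid, Process, Port, Proto, Address -AutoSize
}
$ike = $map | Where-Object { $_.Proto -eq 'UDP' -and $_.Port -in $reviewUdp }
if ($ike) {
    Write-Host "`nIKE/IPsec sockets (keep only if you use IPsec across this link):"
    $ike | Format-Table Pid, Process, Port, Proto, Address -AutoSize
}

# Host-side belt and braces for a laptop that leaves the home network: block the
# same ports inbound on the Public firewall profile. Off by default; set
# $ApplyRules = $true to create the rules (rule names are this example's own).
$ApplyRules = $false
if ($ApplyRules) {
    New-NetFirewallRule -DisplayName 'Block NetBIOS/SMB/RPC inbound TCP (public)' `
        -Direction Inbound -Protocol TCP -LocalPort $blockTcp -Action Block -Profile Public
    New-NetFirewallRule -DisplayName 'Block NetBIOS/SMB inbound UDP (public)' `
        -Direction Inbound -Protocol UDP -LocalPort $blockUdp -Action Block -Profile Public
}
```

The Address column is the check FPort could not give you: a socket bound to 0.0.0.0 or :: answers on every interface, including the Internet-facing one, while one bound to 127.0.0.1 is reachable only locally and need not appear on the perimeter block list.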
Thomas Alexander Lancaster IV is a consultant and author with over 10 years experience in the networking industry, focused on Internet infrastructure.