Microsoft Windows XP Home Edition - Zenk - Security - Repository
Microsoft Windows XP Home Edition - Zenk - Security - Repository
Microsoft Windows XP Home Edition - Zenk - Security - Repository
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Microsoft</strong> <strong>Windows</strong> <strong>XP</strong> <strong>Home</strong> <strong>Edition</strong><br />
<strong>Security</strong> Implementation<br />
Version 1.4b Option 1<br />
You need to periodically check your active ports. You can use multiple tools to<br />
investigate ports. First tool you want to use is the Task Manger. You can open<br />
this tool by pressing CTRL+SHIFT+ESC. You should click on the Processes<br />
Tab. You want to make sure that the Show Processes from all users box is<br />
selected. You have the option to sort this window by any column that you wish.<br />
You need to click on the column header of the column that you want to sort by.<br />
In <strong>XP</strong> you need to add the PID column. The PID is the Process ID of the process<br />
that is running. From the View option in the Menu Bar use the Select Columns<br />
option. This will open another window that you can select which columns you<br />
want to add. Select PID and click OK. If you find a process that you don’t<br />
recognize you can run the Tasklist command at the command line. Once you are<br />
Key<br />
at a<br />
fingerprint<br />
command<br />
=<br />
prompt<br />
AF19 FA27<br />
type<br />
2F94<br />
tasklist<br />
998D<br />
/svc.<br />
FDB5<br />
This<br />
DE3D<br />
will<br />
F8B5<br />
list the<br />
06E4<br />
names<br />
A169<br />
of<br />
4E46<br />
all the<br />
windows services that are running along with the PID and image listing of the<br />
service. Another command that you can use to help investigate is the netstat<br />
command. From the command line, type netstat -an. This will list display the<br />
current protocol statistics and current connections. There are five columns in this<br />
output. The first column is the Protocol (TCP or UDP), then Local Address,<br />
Foreign Address, State, and PID. Your computer has three different local<br />
addresses (0.0.0.0, 127.0.0.1, and 10.0.0.3). After each IP address is the port<br />
number that the address is connected to or listening on. A Local Address output<br />
sample is 0.0.0.0:135. The IP address is 0.0.0.0 and the Port number is 135.<br />
Below is a sample line from the netstat command.<br />
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 944<br />
TCP is the protocol for this output. The Local Address is 0.0.0.0 (your IP) and<br />
the port number is 135. The Foreign Address is 0.0.0.0 (your IP) and the port<br />
number is 0. This service is currently in a LISTENING state. This means that<br />
the port is open and waiting for another computer to connect to it. Another state<br />
that a port can be in is ESTABLISHED, meaning that the port is currently talking<br />
to another computer. The PID of this service is 944.<br />
Now that we have most of the information necessary to investigate the service,<br />
we need to check with the IANA port list to see what service or application uses<br />
port number 135. Next you want to check the Task Manager to see what service<br />
has the PID of 944. If the service is listed as svchost.exe you can use the<br />
tasklist command next to get a name of the service. You now can determine<br />
whether you should leave this port open or close it.<br />
© SANS Institute 2003, Author retains full rights<br />
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46<br />
Page 44 of 53<br />
© SANS Institute 2003, As part of the Information <strong>Security</strong> Reading Room. Author retains full rights.