Comcast blocking ports 135, 137, 138, 139 and 445


Robert F. O'Connor

My broadband access provider, Comcast, is blocking ports
135, 137, 138, 139 and 445 for all users. There has been
no official announcement of this policy, but callers to
Comcast support are being told that these ports will be
blocked indefinitely and they claim that this was based
on Microsoft's specific recommendation. They seem to be
referring to Microsoft's call for all users to block
unused ports with personal firewall software.

The problem raised is that this interferes with normal
use of Microsoft server-based domain networking. In
particular accessing shared files from MS-based servers
and direct Outlook access to Exchange servers is now
impossible.

Ideally, Comcast will change their policy when they get a
call from Bill G., but in the meantime, are there
workarounds for this? My particular need is to get at
files on machines in my company's server domain, but I
know that there are Exchange users who do not want to
have to use web-based access to get their e-mail.

-Robert F. O'Connor
 

Chuck

> My broadband access provider, Comcast, is blocking ports
> 135, 137, 138, 139 and 445 for all users. There has been
> no official announcement of this policy, but callers to
> Comcast support are being told that these ports will be
> blocked indefinitely and they claim that this was based
> on Microsoft's specific recommendation. They seem to be
> referring to Microsoft's call for all users to block
> unused ports with personal firewall software.
>
> The problem raised is that this interferes with normal
> use of Microsoft server-based domain networking. In
> particular accessing shared files from MS-based servers
> and direct Outlook access to Exchange servers is now
> impossible.
>
> Ideally, Comcast will change their policy when they get a
> call from Bill G., but in the meantime, are there
> workarounds for this? My particular need is to get at
> files on machines in my company's server domain, but I
> know that there are Exchange users who do not want to
> have to use web-based access to get their e-mail.
>
> -Robert F. O'Connor

VPN. If your company is allowing file sharing or Exchange access thru
the internet, then they're a disaster waiting to happen. Better ask
them to put a VPN in stat.


Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
 

Robert F. O'Connor

Getting a Win2000 VPN working is another question we are
pursuing. Since these shares are not visible to anyone
without a valid domain account and then only two accounts
have permission to access those shares, we're not
inordinately worried about unauthorized access. Either
Windows 2000 domains are secure or they are not.

In the interim what I am looking for (I suppose) is a way
to modify file sharing to use a non-standard port (both
on the Win2000 servers and the WinXPPro clients). Is this
possible (registry?) or is a VPN the only answer?

And when the heck is Bill G. going to give Comcast a call
and read them the riot act? Eventually Comcast will
provide no port access and then charge us all extra for
their special security service: no access, no viruses!

-Robert F. O'Connor
 

Chuck

> Getting a Win2000 VPN working is another question we are
> pursuing. Since these shares are not visible to anyone
> without a valid domain account and then only two accounts
> have permission to access those shares, we're not
> inordinately worried about unauthorized access. Either
> Windows 2000 domains are secure or they are not.

I hope for your sake that your VPN is working soon. The shares may
not be visible (to a normal Windoze browser**), but I'd bet that your
firewall or servers respond to port connect queries. ("Port Closed"
is a response - and a red flag to hackers).

Win2K domains are secure - if not connected to the internet. If you
(with valid domain permissions) can access those shares thru the
internet, then they're being advertised to somebody on the internet.

If your corporate firewall is set to Ignore (GRC "stealth" response)
requests against those ports (NOT Deny aka "Port Closed") that don't
pass an ip address filter, you might be safe. But if the firewall
returns a "Port Closed", or if the firewall doesn't filter at all by
ip, those shares are out there for all to see. Domain authentication
or not.

> In the interim what I am looking for (I suppose) is a way
> to modify file sharing to use a non-standard port (both
> on the Win2000 servers and the WinXPPro clients). Is this
> possible (registry?) or is a VPN the only answer?

Possible? Yes. If you modify your server and client programs to use
different ports. Practical? Not unless you can modify all your
servers and clients, reliably and simultaneously. Best concentrate on
VPN.

That is a "security by obscurity" solution anyway. SBO works only
temporarily.

> And when the heck is Bill G. going to give Comcast a call
> and read them the riot act? Eventually Comcast will
> provide no port access and then charge us all extra for
> their special security service: no access, no viruses!

You'd best find a new ISP first. Voting with your $$$ is the only way
to make Comcrap listen. BG doesn't care.

NOTE:
** "browser" NOT referring to the internet http thing, but to the
Windoze system component which detects and displays advertised file
shares.

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
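Chuck's distinction above between an explicit "Port Closed" reply and the "stealth"/Ignore response is something you can check for yourself, from outside, against a server you administer. The script below is an added example and is not part of the original thread; the target host and the port list are assumptions. It attempts one TCP connect per port and labels the outcome as open (a service answered), closed (the host or firewall sent a reset, so it is visible), unreachable (a router or firewall answered with ICMP on the host's behalf) or filtered (no reply within the timeout, which is what a firewall set to Ignore produces, and also what an ISP block such as the one described at the top of the thread looks like from the customer side). Run from home against your own file server it answers Robert's question of whether the path is blocked; run from the internet against the corporate firewall it shows whether the firewall is leaking "Port Closed".

```python
"""Classify how a host answers TCP connects on the NetBIOS/SMB ports
named in the thread (135, 137, 138, 139, 445).

Added example; not code from the original newsgroup thread. The host you
probe and the port list are assumptions: point it only at machines you
administer, e.g. your own file server as seen from outside the office.
"""
import errno
import socket
import sys

# Ports the thread says Comcast blocks. 137/138 are UDP in normal NetBIOS
# use, so a TCP probe on them only shows what the path in front of the host
# does with the packet, not whether the name/datagram service is reachable.
SMB_PORTS = (135, 137, 138, 139, 445)

OPEN = "open"                              # a service answered: RPC/SMB is exposed
CLOSED = "closed (RST seen)"               # explicit "Port Closed" reply: host is visible
UNREACHABLE = "unreachable (ICMP reply)"   # a router/firewall answered for the host
FILTERED = "filtered (no reply)"           # "stealth"/Ignore response, or an upstream block


def classify(outcome):
    """Map one connect() outcome to a label.

    `outcome` is None when connect() succeeded, otherwise the OSError it raised.
    """
    if outcome is None:
        return OPEN
    if isinstance(outcome, (socket.timeout, TimeoutError)):
        return FILTERED
    if isinstance(outcome, ConnectionRefusedError):
        return CLOSED
    if getattr(outcome, "errno", None) in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return UNREACHABLE
    return "error: %s" % outcome


def check_port(host, port, timeout=3.0):
    """Attempt a single TCP connect and return the label for its outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        outcome = None
    except OSError as exc:  # refused, timed out and unreachable are all OSErrors
        outcome = exc
    finally:
        sock.close()
    return classify(outcome)


def audit(host, ports=SMB_PORTS, timeout=3.0):
    """Probe each port once and return {port: label}."""
    return {port: check_port(host, port, timeout) for port in ports}


def loopback_demo():
    """Show OPEN and CLOSED without touching any remote host.

    Listens on an ephemeral loopback port, probes it, closes the listener and
    probes again. FILTERED cannot be produced locally: the loopback stack
    always answers, which is exactly what a "stealth" firewall does not do.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = check_port("127.0.0.1", port)
    listener.close()
    after_close = check_port("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    # No argument: run the loopback demonstration. With a host: audit it.
    if len(sys.argv) < 2:
        print("loopback demo:", loopback_demo())
    else:
        for port, label in sorted(audit(sys.argv[1]).items()):
            print("%5d  %s" % (port, label))
```

The label worth acting on is "closed": it means the firewall is answering on the SMB ports at all, so an IP-address filter in front of them (or, as the thread keeps saying, a VPN with the ports shut to everyone else) is still missing. A full set of "filtered" results from a Comcast line tells you nothing about the server, only that the ISP dropped the packets before they got there.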
 

Michael Johnston [MSFT]

Blocking these ports is absolutely the right thing to do! You should not expose your network in such a manner. Use a VPN
instead!

Thank you,
Mike Johnston
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the
terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from
which they originated.
 

Speeder

> Blocking these ports is absolutely the right thing to do! You should not expose your network in such a manner. Use a VPN
> instead!
>
> Thank you,
> Mike Johnston
> Microsoft Network Support

Agreed that blocking these ports is the right thing to do. But the
responsibility for blocking these ports should rest with the user, not with
Comcast. It smacks of Big Brother watching out for us. There may be valid
reasons for having these ports open for testing etc.

An analogy would be that we all know that not speeding is not the right
thing to do. But it is up to the driver not to speed. Using Comcast's
logic, it would be alright for the Government to physically restrict your
speed. I think you would not be happy to let the Government restrict your
driving experience.
 

Jeff Cochran

> Agreed that blocking these ports is the right thing to do. But the
> responsibility for blocking these ports should rest with the user, not with
> Comcast. It smacks of Big Brother watching out for us. There may be valid
> reasons for having these ports open for testing etc.
> An analogy would be that we all know that not speeding is not the right
> thing to do. But it is up to the driver not to speed. Using Comcast's
> logic, it would be alright for the Government to physically restrict your
> speed. I think you would not be happy to let the Government restrict your
> driving experience.

Nope. There are several worms that propagate when these ports are
open. You may be responsible enough to close the ports, but others
aren't. Comcast has blocked those ports to slow or prevent attacks
originating from compromised systems. And those attacks can degrade
or block your network access, so you should be happy they're being
blocked.

If you need those ports open, then switch to a provider or a service
plan that allows you to control all the ports. And by the way, the
government does restrict your right to speed. It's called a law.

Jeff
 

Chuck

> Agreed that blocking these ports is the right thing to do. But the
> responsibility for blocking these ports should rest with the user, not with
> Comcast. It smacks of Big Brother watching out for us. There may be valid
> reasons for having these ports open for testing etc.

There is one and only one way for our concern to be made to Comcrap in
a way that they will listen. Comcrap's customers must vote with their
$$$ and find another ISP. Realistically, though, I wouldn't expect
that to happen.



Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
 

Guest

Where might I find a good walkthrough for setting that
up? Website? Book? Or where in these groups should I ask--
ras_routing? My home machine is not in the domain (though
that is a possibility) and I only need the VPN to get to
the machines in our domain, not the Internet generally.
Among the questions I have are: do I need to set up
RADIUS? If I hand out IPs, do they have to be real IPs in
the range of the machines I want to reach or can they be
192.168 etc. IPs.

Thanks,

-Robert F. O'Connor
-----Original Message-----
> Blocking these ports is absolutely the right thing to
> do! You should not expose your network in such a
> manner. Use a VPN
> instead!
>
> Thank you,
> Mike Johnston
> Microsoft Network Support
> confers no rights. Use of included script samples are
> subject to the
> terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> Note: For the benefit of the community-at-large, all
> responses to this message are best directed to the
> newsgroup/thread from
 
