[NCSA-discuss] a shameful problem

Matt Pusateri mpusateri at wickedtrails.com
Fri Jun 23 08:54:13 EDT 2006


Jason,

netstat -ab will show active processes and the programs/DLLs
associated with them.  It will also give you the PID, as will the -o
switch.  You can then look in Task Manager (you'll have to click on
View and add the column for the PID).  You can then search (Ctrl-F) the
registry for the DLL or EXE to find out what service is starting it
up.  You'll probably get multiple entries; keep hitting F3 to find
next.  You can look at the Display Name parameter and match that up to
what services are set to start up or are running.  You'll probably end up
with a bunch of SVCHOST entries.

I normally open up services and sort by started and startup type. Then
you can go through each service and see if it's needed.  I don't think
sysinternals.com has anything that will tell you PID to Service, but
again you can probably search the registry.


Matt P.
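The netstat / Task Manager / registry chase above can be done in one pass on current Windows (8 / Server 2012 and later). The script below is an added example, not code from either poster: it joins each bound TCP/UDP socket to its PID and image name via Get-NetTCPConnection, Get-NetUDPEndpoint and Win32_Service, lists the service names hosted inside each svchost, and flags sockets that are not bound to loopback, since those are the ones that matter once the box sits on a public IP.

```powershell
# Added example (not from the original thread). Requires Windows 8 /
# Server 2012+ for Get-NetTCPConnection and Get-NetUDPEndpoint; run elevated
# so OwningProcess is populated for every socket.

# Map PID -> services living in that process (one svchost hosts several).
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$tcp = Get-NetTCPConnection -State Listen |
    Select-Object @{n = 'Proto'; e = { 'TCP' }}, LocalAddress, LocalPort, OwningProcess
$udp = Get-NetUDPEndpoint |
    Select-Object @{n = 'Proto'; e = { 'UDP' }}, LocalAddress, LocalPort, OwningProcess

$rows = @($tcp) + @($udp) | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $svcs = $svcByPid["$($_.OwningProcess)"]
    [pscustomobject]@{
        Proto    = $_.Proto
        Local    = "$($_.LocalAddress):$($_.LocalPort)"
        PID      = $_.OwningProcess
        Process  = if ($proc) { $proc.ProcessName } else { '?' }
        Services = if ($svcs) { @($svcs.Name) -join ', ' } else { '' }
        # Anything not on 127.0.0.1 / ::1 is reachable from outside the host.
        Exposed  = $_.LocalAddress -notin @('127.0.0.1', '::1')
    }
}

# Exposed sockets first: this is the list to reconcile against the ports
# you actually intend to serve (here: TCP 80/443 and 1494).
$rows | Sort-Object @{e = 'Exposed'; Descending = $true}, Proto, Local |
    Format-Table -AutoSize
```

Each row with Exposed = True and a Services column you do not recognise is a candidate for Set-Service -StartupType Disabled (after checking what depends on it), or for an inbound Windows Firewall rule if the service has to stay.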



On Thu, June 22, 2006 11:50 pm, Jason Tower wrote:
> ok, i'm ashamed and embarrassed to admit it, but i have one windows
> server that i have to administer.  it's a citrix server running under
> vmware, and here's the catch: i need to run it with a public ip
> address - no external firewall, no nat.
>
> now, on a real server (read: *nix) i simply turn off all services that
> i don't want, verify with 'netstat -an' that only the ports i want
> listening are actually open, and away i go.  on this godforsaken
> windows box running 'netstat -an' yields the following (note that it
> is currently behind a nat device, hence the 10.1.1.11 ip):
>
> Active Connections
>
>    Proto  Local Address          Foreign Address        State
>    TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
>    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
>    TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
>    TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
>    TCP    0.0.0.0:1036           0.0.0.0:0              LISTENING
>    TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING
>    TCP    0.0.0.0:1043           0.0.0.0:0              LISTENING
>    TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
>    TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING
>    TCP    0.0.0.0:2512           0.0.0.0:0              LISTENING
>    TCP    0.0.0.0:2513           0.0.0.0:0              LISTENING
>    TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
>    TCP    0.0.0.0:27000          0.0.0.0:0              LISTENING
>    TCP    10.1.1.11:139          0.0.0.0:0              LISTENING
>    TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING
>    TCP    127.0.0.1:8009         0.0.0.0:0              LISTENING
>    UDP    0.0.0.0:445            *:*
>    UDP    0.0.0.0:500            *:*
>    UDP    0.0.0.0:1037           *:*
>    UDP    0.0.0.0:1041           *:*
>    UDP    0.0.0.0:1276           *:*
>    UDP    0.0.0.0:1434           *:*
>    UDP    0.0.0.0:1604           *:*
>    UDP    0.0.0.0:3701           *:*
>    UDP    0.0.0.0:3771           *:*
>    UDP    0.0.0.0:3820           *:*
>    UDP    0.0.0.0:4057           *:*
>    UDP    0.0.0.0:4094           *:*
>    UDP    0.0.0.0:4309           *:*
>    UDP    0.0.0.0:4500           *:*
>    UDP    0.0.0.0:4561           *:*
>    UDP    0.0.0.0:4615           *:*
>    UDP    10.1.1.11:123          *:*
>    UDP    10.1.1.11:137          *:*
>    UDP    10.1.1.11:138          *:*
>    UDP    127.0.0.1:123          *:*
>    UDP    127.0.0.1:3768         *:*
>    UDP    127.0.0.1:3817         *:*
>    UDP    127.0.0.1:4054         *:*
>    UDP    127.0.0.1:4091         *:*
>    UDP    127.0.0.1:4186         *:*
>    UDP    127.0.0.1:4306         *:*
>    UDP    127.0.0.1:4487         *:*
>    UDP    127.0.0.1:4558         *:*
>    UDP    127.0.0.1:4612         *:*
>    UDP    127.0.0.1:4651         *:*
>
> holy smegging crap, this is what redmond considers "secure"?  the only
> external ports i want open are tcp 80/443 for the citrix web
> interface, and tcp 1494 for citrix itself.  presumably i can ignore
> the ports bound to 127.0.0.1, but i don't have a clue about all the
> others, or how to disable them.  if anyone can help me prepare this
> box for public ip duty, lunch (including beer) is on me.
>
> jason