Checking port 139 on a domain controller #29

Closed
SP3269 opened this issue Sep 9, 2019 · 4 comments
Labels
enhancement New feature or request

Comments


SP3269 commented Sep 9, 2019

Per the documentation, one of the tests is checking port 139 on a domain controller. That's the NetBIOS session port. NetBIOS over TCP/IP is severely outdated, and the presence of the open port indicates a likely misconfiguration.

Proposing to remove the check for this port from a positive test. Consider converting it to a negative/misconfiguration indicator. I can prepare a PR if needed.

PrzemyslawKlys (Member) commented

I'm more than happy to get a PR from you and other people. In this case, the test responsible for that is here:

$Ports = [ordered] @{
    Enable = $true
    Source = [ordered] @{
        Name = 'AD TCP Ports are open' # UDP Testing is unreliable for now
        Data = {
            # Port 389, 636, 3268, 3269 are tested as LDAP Ports with proper LDAP
            $TcpPorts = @(53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 9389)
            # $TcpPorts = @(25, 53, 88, 464, 5722, 9389)
            Test-ComputerPort -ComputerName $DomainController -PortTCP $TcpPorts -WarningAction SilentlyContinue
            <#
                ComputerName Port Protocol Status Summary             Response
                ------------ ---- -------- ------ -------             --------
                AD1            53 TCP        True TCP 53 Successful
                AD1          3389 TCP        True TCP 3389 Successful
                AD7            53 TCP       False TCP 53 Failed
                AD7          3389 TCP       False TCP 3389 Failed
            #>

            # UDP Testing is unreliable
            <# Potential ports to test
                'WinRm'                        = @{ 'TCP' = 5985 }
                'Smb'                          = @{ 'TCP' = 445; 'UDP' = 445 }
                'Dns'                          = @{ 'TCP' = 53; 'UDP' = 53 }
                'ActiveDirectoryGeneral'       = @{ 'TCP' = 25, 88, 389, 464, 636, 5722, 9389; 'UDP' = 88, 123, 389, 464 }
                'ActiveDirectoryGlobalCatalog' = @{ 'TCP' = 3268, 3269 }
                'NetBios'                      = @{ 'TCP' = 135, 137, 138, 139; 'UDP' = 137, 138, 139 }

                Test-ComputerPort -ComputerName $DomainController -PortTCP 25, 88, 389, 464, 636, 5722, 9389 -PortUDP 88, 123, 389, 464
            #>
        }
    }
    Tests  = [ordered] @{
        Ping = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            #Data = $Script:SBDomainControllersPort53Test
            Parameters = @{
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
            }
        }
    }
}

Not sure how confident you feel on Testimo ground so far, so let me try to explain how one would fix this, so maybe in the future you could help out with some of the stuff. With the proposed approach, one needs to leave the source as is, since we do want to test for 139 still, but we need to introduce testing for each port separately, since we expect a different value per port. In this case, we will need to introduce the WhereObject parameter and duplicate ports.

$Ports = [ordered] @{
    Enable = $true
    Source = [ordered] @{
        Name = 'TCP Ports are open/closed as required' # UDP Testing is unreliable for now
        Data = {
            # Port 389, 636, 3268, 3269 are tested as LDAP Ports with proper LDAP
            $TcpPorts = @(53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 9389)
            # $TcpPorts = @(25, 53, 88, 464, 5722, 9389)
            Test-ComputerPort -ComputerName $DomainController -PortTCP $TcpPorts -WarningAction SilentlyContinue
            <#
                ComputerName Port Protocol Status Summary             Response
                ------------ ---- -------- ------ -------             --------
                AD1            53 TCP        True TCP 53 Successful
                AD1          3389 TCP        True TCP 3389 Successful
                AD7            53 TCP       False TCP 53 Failed
                AD7          3389 TCP       False TCP 3389 Failed
            #>

            # UDP Testing is unreliable
            <# Potential ports to test
                'WinRm'                        = @{ 'TCP' = 5985 }
                'Smb'                          = @{ 'TCP' = 445; 'UDP' = 445 }
                'Dns'                          = @{ 'TCP' = 53; 'UDP' = 53 }
                'ActiveDirectoryGeneral'       = @{ 'TCP' = 25, 88, 389, 464, 636, 5722, 9389; 'UDP' = 88, 123, 389, 464 }
                'ActiveDirectoryGlobalCatalog' = @{ 'TCP' = 3268, 3269 }
                'NetBios'                      = @{ 'TCP' = 135, 137, 138, 139; 'UDP' = 137, 138, 139 }

                Test-ComputerPort -ComputerName $DomainController -PortTCP 25, 88, 389, 464, 636, 5722, 9389 -PortUDP 88, 123, 389, 464
            #>
        }
    }
    Tests  = [ordered] @{
        Port53 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '53' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
            }
        }
        Port88 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '88' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
            }
        }
        Port135 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '135' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
            }
        }
        Port139 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '139' }
                Property              = 'Status'
                ExpectedValue         = $false
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
            }
        }
        Port445 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '445' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
            }
        }
        Port464 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '464' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
            }
        }
        Port636 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '636' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
            }
        }

        Port3268 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '3268' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
            }
        }
        Port3269 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '3269' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
            }
        }
        Port9389 = [ordered] @{
            Enable     = $true
            Name       = 'Port is OPEN'
            Parameters = @{
                WhereObject           = { $_.Port -eq '9389' }
                Property              = 'Status'
                ExpectedValue         = $true
                OperationType         = 'eq'
                PropertyExtendedValue = 'Summary'
            }
        }
    }
}

As you can see, I had to create each test separately and use WhereObject to filter it out.

I'm thinking now that each Source should have additional section:

        Details = [ordered] @{
            Area             = ''
            Explanation      = ''
            Recommendation   = ''
            RiskLevel        = 10
            RecommendedLinks = @(

            )
        }

And each Test should have:

Details = @{
    Explanation = ''
    Recommendation = ''
    RecommendedLinks = ''
}

and then for each test it would show up in the HTML output. What do you think? Would you be able to provide explanations/resources for some tests, with information on how one would fix this?
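
The per-port pattern from the comment above, generated from one expectation table instead of hand-copied blocks, so the test name always agrees with the expected state. This is an added example, not code from Testimo or its author: `$PortExpectations`, `$Rows` and the evaluation loop are assumptions for illustration, and only the hashtable keys are taken from the snippet above.

```powershell
# Added example (not Testimo code): one test entry per port, built from a table.
# Keys are strings so the ordered dictionary is never indexed by position.
$PortExpectations = [ordered] @{
    '53'   = $true; '88'   = $true; '135'  = $true
    '139'  = $false   # NetBIOS session service: expected CLOSED
    '445'  = $true; '464'  = $true; '636'  = $true
    '3268' = $true; '3269' = $true; '9389' = $true
}

$Tests = [ordered] @{}
foreach ($entry in $PortExpectations.GetEnumerator()) {
    $state = if ($entry.Value) { 'OPEN' } else { 'CLOSED' }
    $Tests["Port$($entry.Key)"] = [ordered] @{
        Enable     = $true
        Name       = "Port $($entry.Key) is $state"
        Parameters = @{
            # Build the filter as text so each test keeps its own port number.
            WhereObject           = [scriptblock]::Create("`$_.Port -eq '$($entry.Key)'")
            Property              = 'Status'
            ExpectedValue         = $entry.Value
            OperationType         = 'eq'
            PropertyExtendedValue = 'Summary'
        }
    }
}

# Constructed sample rows in the shape of the Test-ComputerPort output quoted above.
$Rows = @(
    [pscustomobject] @{ ComputerName = 'AD1'; Port = 53;  Status = $true;  Summary = 'TCP 53 Successful' }
    [pscustomobject] @{ ComputerName = 'AD1'; Port = 139; Status = $true;  Summary = 'TCP 139 Successful' }
    [pscustomobject] @{ ComputerName = 'AD7'; Port = 53;  Status = $false; Summary = 'TCP 53 Failed' }
    [pscustomobject] @{ ComputerName = 'AD7'; Port = 139; Status = $false; Summary = 'TCP 139 Failed' }
)

# Hypothetical evaluator: filter rows with WhereObject, compare Property to ExpectedValue.
$Results = foreach ($name in $Tests.Keys) {
    $p = $Tests[$name].Parameters
    foreach ($row in ($Rows | Where-Object -FilterScript $p.WhereObject)) {
        [pscustomobject] @{
            Computer = $row.ComputerName
            Test     = $Tests[$name].Name
            Passed   = ($row.($p.Property) -eq $p.ExpectedValue)
            Detail   = $row.($p.PropertyExtendedValue)
        }
    }
}
$Results | Format-Table -AutoSize
```

With the sample rows, AD1 fails "Port 139 is CLOSED" because the port answers, and AD7 fails "Port 53 is OPEN" because DNS does not.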

PrzemyslawKlys added a commit that referenced this issue Sep 9, 2019
PrzemyslawKlys (Member) commented

Also, do you think there should be another test to check whether it's disabled in the registry: https://www.reddit.com/r/sysadmin/comments/bc1ial/best_practice_to_totally_disable_netbios_over/

PrzemyslawKlys added the enhancement label Sep 9, 2019
PrzemyslawKlys added a commit that referenced this issue Sep 9, 2019
PrzemyslawKlys (Member) commented

Ok, I've actually added another test for this. It now checks that the NetbiosOverTCPIP setting is disabled and requires the port to be closed.
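
One way to express the combined check described above (setting disabled and port closed) is sketched below. It is an added example, not the test that was committed to Testimo: the function names are hypothetical, the registry location is the standard per-interface `NetbiosOptions` value under the NetBT service, and treating the DHCP-controlled default (0) as a failure is an assumption of this sketch.

```powershell
# Added example (not Testimo code). NetbiosOptions per interface:
#   0 = default (follows the DHCP option), 1 = enabled, 2 = disabled.
function Get-NetbiosOverTcpipState {
    # Reads the local registry; run it on the domain controller itself.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_*'
    Get-ItemProperty -Path $path -Name NetbiosOptions -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject] @{ Interface = $_.PSChildName; NetbiosOptions = $_.NetbiosOptions }
        }
}

function Test-NetbiosHardening {
    param(
        [Parameter(Mandatory)] [object[]] $Interface,
        [Parameter(Mandatory)] [bool] $Port139Open
    )
    $meaning = @{ 0 = 'Default (follows DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }
    foreach ($i in $Interface) {
        [pscustomobject] @{
            Check  = "NetBIOS over TCP/IP on $($i.Interface)"
            Value  = $meaning[[int] $i.NetbiosOptions]
            # Assumption: only an explicit 'Disabled' passes; 0 can still be
            # switched on by a DHCP option, so it is reported as a finding.
            Passed = ($i.NetbiosOptions -eq 2)
        }
    }
    [pscustomobject] @{
        Check  = 'TCP 139 is closed'
        Value  = if ($Port139Open) { 'Open' } else { 'Closed' }
        Passed = -not $Port139Open
    }
}

# Constructed sample input (placeholder interface names) so the logic runs anywhere.
$SampleInterfaces = @(
    [pscustomobject] @{ Interface = 'Tcpip_{CONSTRUCTED-GUID-1}'; NetbiosOptions = 2 }
    [pscustomobject] @{ Interface = 'Tcpip_{CONSTRUCTED-GUID-2}'; NetbiosOptions = 0 }
)
Test-NetbiosHardening -Interface $SampleInterfaces -Port139Open $true | Format-Table -AutoSize

# On a live Windows host, feed it real data instead:
# $open = (Test-NetConnection -ComputerName localhost -Port 139).TcpTestSucceeded
# Test-NetbiosHardening -Interface (Get-NetbiosOverTcpipState) -Port139Open $open
```

Checking both the setting and the port catches the case where one interface is still at the default while another is hardened, which a port probe against a single address can miss.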

PrzemyslawKlys added a commit that referenced this issue Sep 10, 2019
PrzemyslawKlys (Member) commented

Closing as solved. If you feel the fixes didn't address it, let me know, please.
