7.2 Scan Your System for Open Ports

Each open network port on your computer is a potential security vulnerability. Fortunately, there's a way to scan your computer for open ports so you know which holes to patch. Start by opening a command prompt window ( cmd.exe ) and running utility by typing netstat /a /o . The Active Connections utility displays its information in these five columns :

Column	Description
Proto	This will be either TCP or UDP, representing the protocol being used.
Local Address	This column has two components : the computer name and either a port number or the name of a service.
Foreign Address	For active connections, you'll see the name or IP address of the remote machine, followed by the port number. For inactive connections (showing only the open ports), you'll typically see only :.
State	This shows the state of the connection (TCP ports only). For server processes, you'll usually see LISTENING here, signifying that the process has opened the port and is waiting for an incoming connection. For connections originating from your computer, such as a web browser downloading a page or an active Telnet session, you'll see ESTABLISHED here.
PID	This is the Process Identifier of the application or service that is responsible for opening the port; see the rest of this section for help with matching up the PID with an application or process.

Don't be alarmed if you see a lot of open ports. Just make sure you thoroughly track down each one, making sure it doesn't pose a security threat.

7.2.1 Matching a PID with a Program

Netstat shows the PID of running programs that have opened ports, but not the application names . To find out more, open Task Manager (launch taskmgr.exe or right-click an empty area of your taskbar and select Task Manager), and choose the Processes tab. If you don't see a column labelled PID, go to View Select Columns, turn on the PID (Process Identifier) option, and click OK. Finally, turn on the Show processes from all users option at the bottom of the Windows Task Manager window. You can then sort the listing by PID by clicking the PID column header. The program filename is shown in the Image Name column.

NOTE

You may see svchost .exe listed in the Windows Task Manager, and reported by the Active Connections utility as being responsible for one or more open ports. This program is merely used to start the services listed in the Services window ( Services.msc ).

7.2.2 Common TCP/IP Ports

When your web browser or email program connects to another computer on the Internet, it does so through a TCP/IP port. If you have a web server or FTP server running on your computer, it opens a port to which other computers can connect. Port numbers are used to distinguish one network service from another.

A firewall uses ports (listed in the following table) to form its rules about which types of network traffic to allow, and which to prohibit. And the Active Connections utility, described previously, allows you to uncover vulnerabilities in your system using ports.

NOTE

Some firewalls make a distinction between TCP (Transmission Control Protocol) and UDP ( User Datagram Protocol) ports, which is typically unecessary. In most cases, programs that use the more common TCP protocol will use the same port numbers as their counterparts that use the less-reliable UDP protocol.

Port	Description
21	FTP (File Transfer Protocol)
22	SSH (Secure Shell)
23	Telnet
25	SMTP (Simple Mail Transfer Protocol), used for sending email
43	WhoIs
53	DNS (Domain Name Server), used for looking up domain names
79	Finger
80	HTTP (Hyper Text Transfer Protocol), used by web browsers to download standard web pages
110	POP3 (Post Office Protocol, Version 3), used for retreiving email
119	NNTP (Network News Transfer Protocol), used for newsgroups
123	NTP (Network Time Protocol), used for XP's Internet Time feature
143	IMAP4 (Internet Mail Access Protocol Version 4)
220	IMAP3 (Internet Mail Access Protocol Version 3)
443	HTTPS (HTTP over TLS/SSL), used by web browsers to download secure web pages
445	File sharing for Microsoft Windows networks
563	NNTPS (Network News Transfer Protocol over SSL), used for secure newsgroups
1701	VPN (Virtual Private Networking) over L2TP
1723	VPN (Virtual Private Networking) over PPTP
3389	Remote Desktop Sharing (Microsoft Terminal Services)
580x 590x	VNC (Virtual Network Computing)
6699	Peer-to-peer file sharing, used by Napster-like programs