Port Authority Edition – Internet Vulnerability Profiling
by Steve Gibson,  Gibson Research Corporation.





Goto Port 1001
Probe Port 1002
Enter Port: 0-65535
Goto Port 1005



Port Authority Database

Port 1002

Name: 
ms-ils

Purpose: 
Microsoft Internet Locator Service

Description: 
Internet Locator Service (ILS) directory servers open and listen on port 1002 for incoming client queries. ILS is a Microsoft NetMeeting service that is now preferred (by Microsoft) over the Internet standard LDAP service which operates through port 389.

Related Ports: 
389, 1720




Background and Additional Information:

Despite the fact that ILS is a Microsoft NetMeeting teleconferencing directory service, this port appears to be open (for unknown reasons) whenever Microsoft's Internet Connection Sharing (ICS) system is in use. And despite the service's definition, it does not appear to be directly related to the operation or activity of Microsoft's NetMeeting.

Additionally, unlike all other known open ports in Windows, this port does not appear in "netstat" command listings. It's hidden. For this to be true, Windows sockets, and the standard Windows TCP/IP protocol stack, are not being used to open and receive connections through this port. We wonder why, and what's going on.

This port's apparent association with Microsoft's ICS (Internet connection sharing) was discovered empirically by noticing that only people who were using ICS had this port open, and that everyone who was using ICS (and necessarily NetMeeting), without any additional external protection, had this port open and exposed to the Internet. Subsequent research uncovered several references to this port:

  http://www.securityfocus.com/infocus/1620

  http://www.freesoft.org/software/NetMeeting/netmeetserver.html

We anticipate (and hope) that the attention which will probably be brought to this port by its wide exposure in our 1056-port "All Service Ports" scan, may help to shed some light on Microsoft's silent use of this open port. As more is learned, this page will be updated with any news.

In the meantime, it might be expedient to see whether you can coax your personal firewall into blocking this port from outside contact. We don't know what it's for, or from whom it might be silently accepting outside connections. (Users behind a NAT router will probably not be using ICS, but if so the router's NAT will automatically protect any non-DMZ machines.) On the other hand, users who are using ICS, and will consequently discover that this port is open, are probably not hidden safely behind a NAT router.

Given Microsoft's long history and continuing practice of producing insecure and remotely exploitable Internet services, there's no way this port is safe to leave open and unattended. Get it closed!

The entire contents of this page is copyright © 2008 by Gibson Research Corporation.


Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page