Okay, let's just say that you have a cable connection, and I am scanning IPs behind the ISP's router. I see your IP address, but I am not particularly interested in your machine, until I see that TCP/UDP ports 135-139 and 445 are open. That's bad juju.

Your firewall will not filter the traffic that I am about to send to your computer, because (unless you have custom rules to block/filter traffic on these ports) it assumes the traffic is legit. I send a few packets to the computer to make sure it responds (called NetBIOS enumeration) from which I can get the computer's NetBIOS hostname.

Now depending on which patches you have installed (Which brings up another point...Make sure you turn on Automatic Updates), I can make a null connection to your computer. Now at this point, my access is extremely limited, and it is read only, but I AM IN YOUR COMPUTER! To make matters worse, I have a command prompt. Now I can attempt to spawn processes through application vulnerabilities (like the one that gave a user run as system rights back a few Norton Antivirus revisions ago), and get admin rights. Now, when I disconnect, I will have to do this all over again to regain root...but I'm not done yet.

Now I can use a program like User2Sid to get the SID and hash of the user "Administrator", so I can crack the password using LC4 or L0phtCrack. If you rename the Administrator account, that's OK, because I will run Sid2User just to make sure the user name and hash I crack are for SID 500, which is ALWAYS the SID for the admin account on a Windows box.

Now that I have that information, I copy your SAM database and disconnect, crack it, and reconnect using the admin account and password. Then I create my own hidden account, possibly installing a rootkit or other trojan to use your computer as a zombie for DDOS attacks and the like.

Can you smell the bread burning?

Hell, nowadays a 13 year old script kiddie can just run a script to do almost all that in a fraction of the time it takes a real hacker. (Real hackers don't run scripts...THEY WRITE THEM!)

Basically, having those ports open on any connection that is directly connected to the internet is a BAD idea. In a corporate LAN, you should set the firewall on the internet to explicitly deny those ports, both inbound and outbound.

I'm working on a "Best Practice" firewall ruleset tutorial, and should have it published on AO in the next few days, if anyone is interested.
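As an added, defender-side example that is not part of the original post: the script below checks whether the ports the post names (TCP/UDP 135-139 and 445) are actually being reached from or towards the internet, by scanning Windows Firewall log lines (the W3C `pfirewall.log` format, whose `#Fields:` header it uses to locate columns). It reports inbound and outbound hits on those ports where the peer is outside RFC 1918 space, and separates what the firewall allowed from what it dropped, which is the quick way to confirm an explicit-deny rule for both directions is doing its job. The log lines, hosts and timestamps are constructed for the example; only the Python standard library is used.

```python
"""Added example (not from the original post): flag traffic on TCP/UDP 135-139
and 445 in Windows Firewall (pfirewall.log, W3C format) lines and report what
the firewall let through. Log lines below are constructed sample data."""
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Ports singled out in the post: MSRPC (135), NetBIOS (137-139) and SMB (445).
RISKY_PORTS = set(range(135, 140)) | {445}

# RFC 1918 space, listed explicitly. ipaddress.is_private is deliberately not
# used: it also treats the documentation ranges in the sample as non-global.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed pfirewall.log excerpt. 192.0.2.10 plays the cable-modem host;
# 203.0.113.x are "internet" peers; 192.168.1.20 is a LAN neighbour.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 10:00:01 ALLOW TCP 203.0.113.7 192.0.2.10 51234 445 52 S 123456 0 65535 - - - RECEIVE
2024-03-01 10:00:02 ALLOW UDP 203.0.113.7 192.0.2.10 137 137 78 - - - - - - - RECEIVE
2024-03-01 10:00:03 ALLOW TCP 192.0.2.10 203.0.113.9 49800 139 52 S 1 0 65535 - - - SEND
2024-03-01 10:00:04 ALLOW TCP 198.51.100.5 192.0.2.10 40000 443 52 S 1 0 65535 - - - RECEIVE
2024-03-01 10:00:05 DROP TCP 203.0.113.7 192.0.2.10 51235 135 52 S 1 0 65535 - - - RECEIVE
2024-03-01 10:00:06 ALLOW TCP 192.168.1.20 192.0.2.10 52000 445 52 S 1 0 65535 - - - RECEIVE
"""


def is_lan(addr: str) -> bool:
    """True if addr falls in RFC 1918 space."""
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_pfirewall(text: str) -> List[Dict[str, str]]:
    """Parse W3C pfirewall.log text into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Version, #Software, ...)
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # header missing or malformed row: skip rather than guess
        rows.append(dict(zip(fields, parts)))
    return rows


def find_exposed(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return entries on risky ports whose peer is outside RFC 1918.

    The peer is the source for RECEIVE rows and the destination for SEND rows,
    so both directions the post wants denied are covered."""
    findings: List[Dict[str, object]] = []
    for r in rows:
        try:
            dport = int(r["dst-port"])
        except (KeyError, ValueError):
            continue
        if dport not in RISKY_PORTS:
            continue
        inbound = r["path"] == "RECEIVE"
        peer = r["src-ip"] if inbound else r["dst-ip"]
        if is_lan(peer):
            continue  # LAN-to-LAN SMB/NetBIOS is out of scope for this check
        findings.append({
            "time": f'{r["date"]} {r["time"]}',
            "direction": "inbound" if inbound else "outbound",
            "proto": r["protocol"],
            "peer": peer,
            "port": dport,
            "allowed": r["action"] == "ALLOW",
        })
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, object]:
    """Count allowed vs dropped hits and list the peers that got through."""
    allowed = [f for f in findings if f["allowed"]]
    return {
        "allowed": len(allowed),
        "dropped": len(findings) - len(allowed),
        "peers": sorted({str(f["peer"]) for f in allowed}),
    }


if __name__ == "__main__":
    hits = find_exposed(parse_pfirewall(SAMPLE_LOG))
    for f in hits:
        verdict = "ALLOWED" if f["allowed"] else "dropped"
        print(f'{f["time"]} {f["direction"]:8} {f["proto"]}/{f["port"]} peer={f["peer"]} {verdict}')
    print(summarize(hits))
```

Any row that comes back with `allowed` set to True is a gap in exactly the deny rule the post recommends; the single `DROP` row shows what a correctly placed rule looks like in the same log. Point `parse_pfirewall` at the contents of a real `pfirewall.log` to run it against your own firewall (logging of dropped and allowed connections has to be switched on in the Windows Firewall settings first).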