I don't think it's so much of a problem of programs opening listen sockets as it is a problem of admins not properly controlling their networks and a certain software company pushing insecure features like printing over the internet that refuse to work from behind a firewall and have no direct proxy support.
This is the exact reason why any arguments to management to block NETBIOS have failed. The reasons it is rejected are always the same:
a) We're not responsible for our users getting infected through their own ignorance
b) Some of our users refuse to use VPN or lack the knowledge to effectively use it and want to use NETBIOS services over the Internet
There are two different things that you are grouping together, when in fact they are separate. As an ISP, you have two networks. The first one of them is your internal network on which you may have MSSQL server or any other servers used by your company. The second network is the network to which you connect your customers. These two networks have two distinctly different security policies. I will venture as far as to say that you probably are filtering what comes in and what comes out of your internal network. On the other hand, you are providing IP transit to the customers. Filtering random ports on the second network baffles me. Why would you do it? Don't you bill people for the traffic that they receive/get? Obviously, should your customer be attacked, you want to participate in coordination of the response; however, it is the job of your customer to decide if they want to filter some ports from their network or if they want to contract you to do that for them.

Alex