How to disable Ports 135, 137-139, 445 (Windows XP)
EDIT: for more comprehensive methods of disabling Ports 135, 137-139 (by using Seconfig XP and WWDC methods), please read here:
http://ssj100.fullsubject.com/windows-hardening-f5/how-to-disable-ports-135-137-139-445-windows-xp-t181-15.htm#1301
The following applies to Windows XP, but may also apply to Windows 2000, Vista, and 7 (I haven’t done the necessary research to confirm this). Also, please back-up your registry etc (or keep careful record of the BEFORE and AFTER) before attempting any of the below – if something stops working or goes wrong, you can simply reverse the changes. Keep in mind that I personally have no use for these ports to be enabled, but other systems may (including yours). Also keep in mind that I like doing these things manually (and therefore avoid the use of potentially problematic third party software/programs that can do it more automatically).
I’m only going to give a brief preamble about why these ports should be disabled. Further reading can be done via Google haha.
Essentially, all these ports have been exploited by worms in the past (and are often open by default), so that’s arguably enough reason to disable them. Keep in mind that you can configure hardware and/or software firewalls to “stealth” these ports (or block all traffic across these ports), but this isn’t as secure as disabling them completely - Firewalls can be bypassed, particularly in targeted attacks. Another reason to disable these ports (particularly port 445) is to close a potential Sandboxie bypass as described here:
http://www.wilderssecurity.com/showpost.php?p=1709792&postcount=39
http://www.sandboxie.com/phpbb/viewtopic.php?p=55014#55014
In saying that, simply having a NAT Router and/or Windows Firewall will “stealth” all these ports anyway against inbound connections. However, why keep them potentially open when you have no use for them (I certainly don’t). Also, it appears the Sandboxie bypass is (also) related to outbound connections, so it's best to just disable the port(s) from even functioning in the first place.
Before proceeding, you may want to confirm that these ports are opened on your system (being listened to). To do this, type netstat -an in a command prompt window.
To disable Port 135 (step 4 is not necessary):
http://www.pimp-my-rig.com/2008/10/faq-disable-port-135-disable-dcom.html
[1] Start by launching the registry editor.
Start » Run » regedit.
[2] Navigate over to key: HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
At the right column, locate the value "EnableDCOM" and modify the value to "N"
[3] Navigate to this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RPC
Right click on & Modify the value named "DCOM Protocols". Under the key "Value Data", you will see values. These values keep port 135 open. Highlight everything listed and delete all existing data. Doing so gives "DCOM Protocols" blank data which will in turn close down port 135.
To disable Ports 137, 138, 139:
http://www.pimp-my-rig.com/2008/12/disable-port-137-138-139.html
[1] Right-click "My Network Places" and select "Properties" from the ensuing menu that opens.
[2] Executing the previous step opens a window showing the available network connections in the machine. Right-click on "Local Area Connection" and select "Properties".
[3] Scroll down to "Internet Protocol (TCP/IP)". Select it (to highlight it) and click "Properties".
[4] From the "Internet Protocol (TCP/IP) Properties" Window, click on "Advanced.." (toward the lower right). Then go to the "WINS" tab.
[5] Under "NetBIOS setting", tick "Disable NetBIOS over TCP/IP" and click OK to accept the change. Click OK to the other windows previously opened prior to this properties window.
To disable Port 445:
Add the following registry key:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Name: SMBDeviceEnabled
Type: DWORD (REG_DWORD)
Data: 0
Don’t forget to restart your computer after disabling the above ports for effect. Also, to check that those ports are disabled, you can open a command prompt and type netstat -an to confirm that your computer is no longer listening to those ports.
Last edited by ssj100 on 19/7/2010, 15:41; edited 3 times in total
_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14
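The before/after `netstat -an` check described in the post above can be scripted rather than read by eye. This is an added example, not part of the original thread: the two netstat captures are constructed samples, and the parser assumes English-language Windows output (TCP state text `LISTENING`).

```python
"""Compare two `netstat -an` captures for the ports this thread closes."""

TARGET_PORTS = {135, 137, 138, 139, 445}

# Constructed sample: default-looking XP box before any change.
BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1041      192.168.1.20:445       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Constructed sample: 135 and 445 disabled, NetBIOS step not yet applied.
AFTER = """
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

def open_target_ports(netstat_text, ports=TARGET_PORTS):
    """Return sorted (proto, port, local_host) tuples the machine is listening on."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or other text
        proto, local = fields[0], fields[1]
        # Only the LOCAL address column matters; rpartition also copes with [::]:135.
        host, _, port_text = local.rpartition(":")
        if not port_text.isdigit() or int(port_text) not in ports:
            continue
        # TCP rows carry a state; an ESTABLISHED outbound row is not a listener.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        found.add((proto, int(port_text), host))  # UDP has no state: bound = open
    return sorted(found)

def compare(before_text, after_text):
    """Summarise which target ports were closed, remain open, or newly appeared."""
    before = {(p, n) for p, n, _ in open_target_ports(before_text)}
    after = {(p, n) for p, n, _ in open_target_ports(after_text)}
    return {
        "closed": sorted(before - after),
        "still_open": sorted(before & after),
        "newly_open": sorted(after - before),
    }

if __name__ == "__main__":
    for key, value in compare(BEFORE, AFTER).items():
        print(key, value)
```

Save the real output with `netstat -an > before.txt` before the changes and `netstat -an > after.txt` after the reboot, then pass the file contents to `compare`.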

Re: How to disable Ports 135, 137-139, 445 (Windows XP)
Thanks ssj100! That was painless enough.
I made a "before" ERUNT backup, and checked netstat -an.
145 and 445 were found listening.
Ports 137-139 were not to be seen. Perhaps this could be because of services I have disabled.
Performed the tweak to disable 145 445, rebooted, re-checked netstat -an, they were no longer visible.
Made an "after" ERUNT backup, and all seems well.
noor
_________________
ShadowDefender 1.1.0.323 Sandboxie 3.49, NAT router.
Open DNS with "Malware/Botnet Protection",
MalwareDefender,Malwarebytes on demand.

noorismail- Moderator

- Posts: 193
Join date: 2010-06-23
Re: How to disable Ports 135, 137-139, 445 (Windows XP)
You mean 135, not 145 right?

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Re: How to disable Ports 135, 137-139, 445 (Windows XP)
Yes, 135.
Too much squinting at regedit.
I get a bit nervous in regedit.
noor

noorismail- Moderator

- Posts: 193
Join date: 2010-06-23
Re: How to disable Ports 135, 137-139, 445 (Windows XP)
ssj100, as I said, the port range 137-139 is not active on my machine.
However, when I checked My Network Places, I found the NetBIOS setting is default, "use NetBIOS setting from DHCP server."
Do you think I should still tick "Disable NetBIOS over TCP/IP"?
Even with the ports not active?
noor

noorismail- Moderator

- Posts: 193
Join date: 2010-06-23
Re: How to disable Ports 135, 137-139, 445 (Windows XP)
noorismail wrote:
ssj100, as I said, the port range 137-139 is not active on my machine.
However, when I checked My Network Places, I found the NetBIOS setting is default, "use NetBIOS setting from DHCP server."
Do you think I should still tick "Disable NetBIOS over TCP/IP"?
Even with the ports not active?
noor
If the ports aren't active and you know you will never activate them, then I don't think you would need to disable them. However, the question is whether you will ever (voluntarily or involuntarily) activate them. I'm not sure if a malware process could activate them spontaneously - therefore, it's clearly safer to disable them by default.

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Re: How to disable Ports 135, 137-139, 445 (Windows XP)
That makes sense to me.
I will go through the protocol to disable them.
noor

noorismail- Moderator

- Posts: 193
Join date: 2010-06-23
Re: How to disable Ports 135, 137-139, 445 (Windows XP)
noorismail wrote:
That makes sense to me.
I will go through the protocol to disable them.
noor
Sounds sensible. Disabling Ports 137-139 is very simple - as you can see, no registry tweak is needed. Therefore it's not hard to re-enable them.
By the way, I forgot to mention that you need administrator rights to do any of the above. Therefore, malware that tries to re-enable these Ports (not sure if that's possible anyway) will fail miserably if you're running as a system-wide limited user.

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Re: How to disable Ports 135, 137-139, 445 (Windows XP)
Just a note that on Windows XP, disabling Port 445 as described above will give rise to an Event Viewer error (4311):
"Initialization failed because the driver device could not be created."
To avoid this error, an alternative method of disabling Port 445 is by adding the following registry key:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Name: SMBDeviceEnabled
Type: DWORD (REG_DWORD)
Data: 0

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Re: How to disable Ports 135, 137-139, 445 (Windows XP)
noorismail wrote:
Do you think I should still tick "Disable NetBIOS over TCP/IP"?
If you aren't file sharing, then yes. I've always checked that setting without side effects.
wat0114- Advanced Member

- Posts: 131
Join date: 2010-05-11
Re: How to disable Ports 135, 137-139, 445 (Windows XP)
Instead of wasting time going through the registry, just download and run these hardening tools to close the ports. It makes the job much easier:
Seconfig XP
Windows Worms Door Cleaner
They don't add any clutter to your PC because they are not actually installed as such, you just run them.
Last edited by arran on 13/7/2010, 21:30; edited 1 time in total

arran- Member

- Posts: 41
Join date: 2010-05-09
Re: How to disable Ports 135, 137-139, 445 (Windows XP)
Yes, but it's nice to know exactly what they do. This way, you can learn a bit as you go. However, thanks for the tip arran! Please give us links?

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Re: How to disable Ports 135, 137-139, 445 (Windows XP)
Sorry, I do not have the links.
Google is your best friend.

arran- Member

- Posts: 41
Join date: 2010-05-09
Re: How to disable Ports 135, 137-139, 445 (Windows XP)
What exactly is the difference between Seconfig XP and Windows Worms Door Cleaner?
Just thought you'd like to give us links since you gave the idea mate. Anyway, here are some links:
http://www.softpedia.com/get/Security/Security-Related/Seconfig-XP.shtml
http://www.softpedia.com/get/Security/Firewall/Windows-Worms-Doors-Cleaner.shtml
By the way, does anyone here disable the "alg.exe" service to prevent their system spontaneously listening to Port 1025 (or other)? I've done so without any problem. Here's the key information about it that led me to think it's okay to disable it.
http://wiki.blackviper.com/wiki/Application_Layer_Gateway_Service#Windows_XP
Before the installation of Service Pack 2 or 3, this service was required for use with the Windows Firewall/Internet Connection Sharing (ICS) service. After the installation of Service Pack 2 or 3, it no longer is required.

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Re: How to disable Ports 135, 137-139, 445 (Windows XP)
Just an update - I've edited the original post of this thread to reflect the best method of disabling Port 445. It's incredible how many sites (via Google) give instruction on the method I originally posted. The method that is now updated is much better/cleaner and, as already mentioned, avoids a system error.
Also those 2 tools mentioned by arran seem to do similar things with regards to closing Ports 135, 137-139 and 445. However, they both appear to do them slightly differently. For example, if you close the Ports with Seconfig XP, you'll find that Windows Worms Doors Cleaner (WWDC) will show the Ports aren't completely closed. And if you close the Ports with WWDC, you'll find that Seconfig XP will show inconsistent configuration. I suppose this is why arran uses both? If so, isn't this a little bit contradictory? One "expert" releases a program to close down Ports 135, 137-139, 445. Another "expert" releases a program to do the same thing...but they (apparently) don't really do the same thing? Sounds a bit strange to me - it almost sounds like they (or at least one of them) aren't really "experts" at all or are missing something significant respectively.
I'll leave it up to the reader as to which method(s) they want to use. Unfortunately with these third party programs, they don't tell you exactly which registry settings are being changed (I've tried searching around the web with no success). However, if you do trust these third party programs (blindly), they both have the ability (apparently) to revert their changes. Again, I must emphasise that without knowing exactly which registry settings they change, there is no way to know if the changes will accurately revert. This is why I don't like using third party programs to mess with the registry "automatically".
If someone would like to analyse these programs and post exactly which registry settings are being changed, I'd be most grateful (I may try to do this myself some time).
For now, I'm sticking with the manual method as described in the original post.

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14
