How to disable Ports 135, 137-139, 445 (Windows XP)

SSJ did you end up using MD to see what registry keys they change?

with regards to Seconfig XP and WWDC using different methods and how experts can't work out why they use different methods. the answer to this is Simple. the fact is that with the registry there is different possible methods to achieve the same goal, and the makers of Seconfig XP and WWDC have just simply chosen what method they should use.

arran wrote:SSJ did you end up using MD to see what registry keys they change?

with regards to Seconfig XP and WWDC using different methods and how experts can't work out why they use different methods. the answer to this is Simple. the fact is that with the registry there is different possible methods to achieve the same goal, and the makers of Seconfig XP and WWDC have just simply chosen what method they should use.

arran, please read my previous post - it pretty much has all the answers there. And yes, I did use MD to see what registry keys change.

And no, Seconfig XP and WWDC use different methods (in some ways completely differently) - read the conclusion above. Parts of their methods over-lap, but not all. What does this mean? Well, I suppose you could argue that the "experts" had differing opinions on whether to disable the related Services and Settings (for each Port) more comprehensively or not. Because of this, it is justifiable to use both Seconfig XP and WWDC on the same machine.

I think the best thing to do IS HAVE ALL YOUR PORTS BLOCKED!

I have all mine set to STEALTH and my firewall has 'SMART FILTERING' meaning nothing is allowed in UNLESS I INITIATE IT.. (All unsolicited inbound traffic is blocked (Cant get any better than that i dont think ))

Dude111 wrote:I think the best thing to do IS HAVE ALL YOUR PORTS BLOCKED!

I have all mine set to STEALTH and my firewall has 'SMART FILTERING' meaning nothing is allowed in UNLESS I INITIATE IT.. (All unsolicited inbound traffic is blocked (Cant get any better than that i dont think ))

Actually, yes you can get better than that - completely disabling the Ports is safer than hiding them. And this is what this thread is about - how to disable the Ports, rather than how to hide (stealth) them. Most people have these Ports stealthed anyway, since they are behind a NAT Router and/or a software Firewall (even Windows XP's Firewall is enough).

Of course, disabling all your Ports means you can't do anything internet related. That's why you can just disable the "high risk" Ports, while keeping all others stealthed.

Also, disabling Ports is more secure because even if your Firewall gets bypassed by malware, those Ports still can't be used to hack/infect your system (since they are disabled).

Sorry for the misunderstanding my friend

What misunderstanding mate. We're all learning.

ssj100 wrote:

Dude111 wrote:I think the best thing to do IS HAVE ALL YOUR PORTS BLOCKED!

I have all mine set to STEALTH and my firewall has 'SMART FILTERING' meaning nothing is allowed in UNLESS I INITIATE IT.. (All unsolicited inbound traffic is blocked (Cant get any better than that i dont think ))

Actually, yes you can get better than that - completely disabling the Ports is safer than hiding them. And this is what this thread is about - how to disable the Ports, rather than how to hide (stealth) them. Most people have these Ports stealthed anyway, since they are behind a NAT Router and/or a software Firewall (even Windows XP's Firewall is enough).

Of course, disabling all your Ports means you can't do anything internet related. That's why you can just disable the "high risk" Ports, while keeping all others stealthed.

Also, disabling Ports is more secure because even if your Firewall gets bypassed by malware, those Ports still can't be used to hack/infect your system (since they are disabled).

Actually SSj I'm not to sure on this one yet I think with the tools and registry changes we have talked about here only disable and prevent the services from opening the ports, the ports are only closed not actually permanently disabled meaning that another program can open them.

with regards to the sandboxie problem with malware being able to bypass sandboxie and connect out thru port 445 my question is can malware open the port 445 as well as connect out or does the port already need to be open for the malware to connect out, Personally I don't believe so I think the port would have to be already open for the malware to by pass sandboxie and connect out.

arran wrote:Actually SSj I'm not to sure on this one yet I think with the tools and registry changes we have talked about here only disable and prevent the services from opening the ports, the ports are only closed not actually permanently disabled meaning that another program can open them.

Yes, I'm not certain on this either actually. Might have to do some further research on it.

arran wrote:with regards to the sandboxie problem with malware being able to bypass sandboxie and connect out thru port 445 my question is can malware open the port 445 as well as connect out or does the port already need to be open for the malware to connect out, Personally I don't believe so I think the port would have to be already open for the malware to by pass sandboxie and connect out.

For the Sandboxie bypass, I'm fairly sure it requires the use of a specific process called Sever Message Block (SMB):
http://en.wikipedia.org/wiki/Server_Message_Block

By default, SMB listens on Port 445. This is how Sandboxie can presumably be bypassed. It's not so much closing Port 445 (or making sure nothing can open it), but it's more about disabling SMB. Seconfig XP and WWDC (both) disable SMB nicely.

arran wrote:Actually SSj I'm not to sure on this one yet I think with the tools and registry changes we have talked about here only disable and prevent the services from opening the ports, the ports are only closed not actually permanently disabled meaning that another program can open them.

Just spent about 10-15 minutes on Google, and I still can't find a solid and comprehensive clarification about this. I can't remember where I read it, but I'm fairly sure I read somewhere (from a reliable source) that "disabling" a Port is more secure than blocking traffic across it with a Firewall.

It does appear that by disabling eg. SMB, no traffic can cross Port 445. I don't think a random program can use Port 445 and call out through it (if SMB is disabled).

Here is one more ports closing program:
http://www.zebulon.fr/files/ZebProtect_en.exe

An explanation:
http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=fr&tl=en&u=http%3A%2F%2Fwww.zebulon.fr%2Fdossiers%2F40-zebprotect.html

PS: Nice forum , I really like it.

ssj100 wrote:Just spent about 10-15 minutes on Google, and I still can't find a solid and comprehensive clarification about this. I can't remember where I read it, but I'm fairly sure I read somewhere (from a reliable source) that "disabling" a Port is more secure than blocking traffic across it with a Firewall.

There is, of course, only one good way to block ports: removing the programs/services that keep them open. On the Internet there are many resources that instruct you to disable, but to my mind, removing is better, because anything that has been disabled can be enabled again if the circumstances are right. Additionally it is wise to have a firewall that blocks anything by default without giving the limited user the choice to take decisions. For this purpose, I use the in-built Vista firewall with Advanced security as described by Stem here. Pretty much blocks anything that hasn't been allowed. I was kind of surprised that I was able to pass all of Matousec's leaktests, although I had to resort to a little trick. For example: although I NEVER use it, IE is set as my default browser, but it can't get out because there are no rules. The in-built firewall just plainly blocks it without giving any alerts at all.

Paul

Yes, I'd have to agree that removing the programs/services that potentially opens the ports is the best way to close them for good.

However, when running as a Limited User, it's very unlikely that a program/service would be maliciously used to re-enable a port without some sort of zero-day privilege escalation and remote code execution exploit. And if you have good protection measures in place (eg. Sandboxie), even if you were unlucky enough to come across such a combination of exploits, you would still be safe.

This is a good thread, and is visible to non-members of this forum as it comes up on a search. However it lacks a vital step. I've just done a fresh install of XP Home and followed this. Works well - cports.exe shows no open ports till you connect to the internet, then svchost opens 137 -139 in despite!

Solution: in advanced network properties disable netbios over tcp/ip (and untick enable LMHOSTs lookup for good measure.)

Thanks guys.

Philipitous wrote:This is a good thread, and is visible to non-members of this forum as it comes up on a search. However it lacks a vital step. I've just done a fresh install of XP Home and followed this. Works well - cports.exe shows no open ports till you connect to the internet, then svchost opens 137 -139 in despite!

Solution: in advanced network properties disable netbios over tcp/ip (and untick enable LMHOSTs lookup for good measure.)

Thanks guys.

That's odd, all those ports don't appear open for me even with LMHOSTs enabled. Is your computer part of a network?

ssj100 wrote:That's odd, all those ports don't appear open for me even with LMHOSTs enabled.  Is your computer part of a network?

Not networked. Standalone with Speedtouch 330 usb modem.

I agree, LMHOSTs lookup enabled/disabled doesn't appear to make a difference.

But netbios over tcp/ip is ticked enabled by default.

Disabling netbios over tcp/ip is actually stated in the first post of this thread (under "To disable Ports 137, 138, 139"):
http://ssj100.fullsubject.com/t181-how-to-disable-ports-135-137-139-445-windows-xp#1210
Note that I quoted this site as my reference:
http://www.pimp-my-rig.com/2008/12/disable-port-137-138-139.html

I'm pretty sure Seconfig XP and/or WWDC also do that, as instructed in one of the posts in this thread (under "Ports 137-139"):
http://ssj100.fullsubject.com/t181p15-how-to-disable-ports-135-137-139-445-windows-xp#1301

Anyway, glad this thread was useful for you!

arran wrote:If you had running malware on your system its not just ports 135, 137-139
that malware can open, malware can open any port on your system so you would have to disable every single port.

The reason why we should close these ports is not to prevent outgoing connections but to prevent incoming malware like worms, a classic example is the old sasser worm coming in on port 445. And anyway if you are sitting behind a Router which denies all Unrequested packets from your pc then you are safe

So then why the emphasis on closing Ports 135, 137-139 and 445?
What makes them special or worrisome?

Because they have been exploited frequently in the past.

ssj100 wrote:Because they have been exploited frequently in the past.

arran wrote:... its not just ports 135, 137-139
that malware can open, malware can open any port on your system so you would have to disable every single port.

Are these ports, the bad guys favorite ports for a particular type
of malware?

Could be.

sanbox man wrote:
Are these ports, the bad guys favorite ports for a particular type
of malware?

The blaster worm of many years ago is a prime example of malware that exploited these ports on Win XP.

https://support.microsoft.com/en-ca/kb/826955