How can I lockdown my ports?

Hi all, first post, great forum you have here... I'm sure I will enjoy it.

I want to lock down my ports via firewall. I have Windows firewall and it has a bunch of pre-set rules that make me go when I look through them all.

There are SO MANY port designations, that when I try to look through all these rules, I get confused because of all the protocols I am not familiar with. And so I'm not sure whether I should allow or disallow some of the connections that are inbound and outbound.

I don't really use that many services on this PC so I'm tempted to block more than allow. My question is, where, if at all, can I find an easy way to lock down the open ports and also understand what the heck I am doing?

I occasionally run netstat -a in CMD to see all the open connections, perhaps this is the best way to start? What do you guys do to secure your ports? Have you run into problems when you did it on your own and accidentally blocked stuff you didn't want blocked?

Thanks all.....

 

Start from the beginning
https://www.wilderssecurity.com/showthread.php?t=142036

 

I assume you mean you want to close them at the OS level, so that even if say your router/FW failed for some reason, the ports would already be closed? I approach it the same way.

First off disable any services you don't absolutely need, to stop them from hanging open or listening in on any ports associated with them. A Web Scanning component on a real-time AV will listen in on ports too, which is why I'm not a fan of them. "netstat -an" is a great command to check for open ports indeed. On XP, ports 135 & 445 are two that are tricky to close completely, but you can with registry tweaks. You should be able to find out how via your trusty search engine. On newer OS's, your mission will be much harder and perhaps unobtainable. But on XP Pro SP3 I've managed to close all of mine while retaining perfect internet connectivity. When I do that netstat -an command I have a blank list staring back at me when my box is in idle. This is perhaps the best indicator of keeping a tiny attack surface. With no open ports and no apps/processes (potentially vulnerable or otherwise) listening in to piggy-back onto, a would-be exploit can't do a whole lot. Especially with your internet facing apps sandboxed as well, and hardware DEP (and perhaps more) backing it.

I believe in locking down your OS as much as possible before throwing on the security software. Make their jobs easier, even render them moot in some cases. It saves overhead and just makes me sleep better.

 

Windows Worms Doors Cleaner facilitates this simply:
http://www.softpedia.com/get/Security/Firewall/Windows-Worms-Doors-Cleaner.shtml

 

Wow, thanks!!! You have given me a lot to think about! However, I do get hung up on the services I don't need. I just worry I could disable something without really knowing what it is and then losing functionality and feeling like and then and then . Heh, it's not good, I get too frustrated at times. But you have some great advice.

 

Not sure if you found this already, but in case others have the same, for convenience, here is a link to a site often mentioned on WSF...

http://www.blackviper.com/

 

The simplest solution, though not the cheapest, is to get a router. With a hardware firewall you do not really need a software firewall for inbound. And malware can not touch it, mostly. An other alternative is to get "a better" firewall like free Private Firewall, since Win firewall, like all Microsoft apps, likes to auto allow (make choices) for a user.

Not very suitable for Windows 7/8 (bad detection), only for XP, it can cause problems, like disabling DCOM (port 135) will disable Task Scheduler service.

 

I understand that 99% feel that a router and Windows Vista/7/8 Firewall is enough on a desktop. What about for wifi on a laptop? Enable outbound protection or go with a 3rd party firewall?

 

If you have wifi, then you are behind a router, so you do not need anything else. You can use Windows Firewall Control, which will provide better control of outbound.

http://www.sphinx-soft.com/Vista/order.html or http://www.binisoft.org/wfc.php

 

i found NetDefender try that .seems easy to use and good

http://netdefender.codeplex.com/