@noone_particular All these ports you mentioned can be closed with registry tweaks and setting the appropriate Windows services to manual or disable. No need to add additional software to accomplish this.
True, assuming that the user is comfortable with that and knows what services to disable. The utilities make it simpler for the average user. There are also some advantages to the utilities. They all provide an easy way to check the status of those services. The UNPNP utility also communicates with the next device, instructing it to close any ports opened by UPnP. The WWDC utility also provides a quick way to view which ports are open.
Thank you for a most informative post noone. Ditto for post #405. Guides like these are really helpful. @KeyPer, if you have another way of doing it, well and good, but it would be helpful to put a guide in such as noone has done, for the benefit of all and the likes of people like me. Well, here's a rant. With every passing day I get more wary of cellphones. I've been trawling through Services lately because I was in a position where I needed to get some files off of a very basic Samsung cell phone which is a work one. I just plugged in its USB connection, and as I thought, nope. You have to jump through the hoops and install their STUPID software which took up a whopping 200 MB or so just to pull the files off, never mind all the other excess baggage. I did a system backup first. After install, the amount of stuff that wanted to call home and tried to by DEFAULT was absolutely ridiculous. Just as well I was physically offline. I can't navigate to any files unless their Service is running, so I have to do the enable/disable routine. Thankfully this will only be a temporary situation but what's wrong with these people? I have another device I can just hook up to my computer through the USB port, NO SOFTWARE NEEDED, and I can just navigate to any files I want and drag them over to my computer. Very simple. Apparently this used to be the case with cell phones, or some at least.
I will post this here as well, because I am not sure if XP Device Manager has this feature too. http://hardenwindows7forsecurity.com/Harden Windows 7 Home Premium 64bit - Standalone.html About a 1/4 of the way down, you will see a heading "Disable unused tcpip6 Devices and NETBT". It has some settings for shutting off NETBT that weren't mentioned above, so not sure if they apply or were overlooked. Also have a look at Disabling Listening Ports, might be repeating what you said though...
These are registry tweaks that I've used for certain ports. After applying them and disabling the Windows Services which noone mentioned earlier, one should get good results with those 3 tools. You can use the command prompt also for info. Type:

netstat -ab | more <enter>

Displays protocol statistics and current TCP/IP network connections. There was mention of another app that was recommended over at the RyanVM.net (Windows XP SP4) discussion board called "Seconfig XP" that looks interesting and may be useful if one doesn't like editing the registry.

Disable DCOM:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Value: EnableDCOM (REG_SZ)
Value data: N (disable DCOM) // the DCOMbobulator utility will set value data to Y (enable DCOM) or N (disable DCOM) in the registry.

Close Port 135:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
Value: DCOM Protocols
Value data: delete ncacn_ip_tcp only! // DCOMbobulator Remote Port 135 test
Result: Port 135 status should show Stealth at the GRC site.

SMB over TCP/IP
Disable direct hosting of SMB over TCP/IP (closing port 445):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Value created: SMBDeviceEnabled (REG_DWORD)
Value data: 0

The UNPNP.exe (UnPlug n' Pray) utility starts the Windows SSDP Discovery Service. Don't know about reg entries.

UPDATE: Some registry key changes from the UnPlug n' Pray utility.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV
Value: Start
Value data: 3 // enables SSDP Discovery Service // Value data: 4 = disable the service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost
Value: Start
Value data: 3 // enables the Universal Plug and Play Device Host // Value data: 4 = disable the service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent
Value data: 6 // default Value data is 5
Adds another registry subkey under HKEY_USERS // Set SSDP and UPnP services to disable.

The WWDC.exe (Windows Worms Doors Cleaner) utility should give you all green checks (safely disabled) // open ports window - blank
DCOM RPC Port 135
RPC Locator Port 445
NetBIOS Ports 137-139
UPNP Port 5000
Messenger (NetBIOS/RPC ports)

Forgot to mention the wwdc.exe utility will show Kerio Personal Firewall connections in open ports as the screenshot indicates.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
Value: Start (REG_DWORD)
Value data: 4 // stops the NetBIOS service (ports 137-139) from starting.
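The registry settings listed in the post above, collected into one audit script. This is an added example and not code from the original post or from any of the utilities it mentions; it assumes PowerShell 2.0 or later on XP SP3 (or any later Windows) run from an administrative prompt, and that you have taken a backup or restore point first. Without -Apply it only reports; with -Apply it writes the values the post describes. The netstat parsing at the end is the check a practitioner wants after the reboot: which of the ports WWDC lists are still listening, and which process owns them.

```powershell
# Added example, not from the original post. Audit (default) or apply (-Apply)
# the registry tweaks quoted in the thread, then list listening TCP ports.
# Service Start= changes only take effect after a reboot.
param([switch]$Apply)

$Tweaks = @(
    @{ Path='HKLM:\SOFTWARE\Microsoft\Ole';                             Name='EnableDCOM';       Data='N'; Type='String'; Note='disable DCOM' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'; Name='SMBDeviceEnabled'; Data=0;   Type='DWord';  Note='SMB direct hosting, TCP 445' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\NetBT';            Name='Start';            Data=4;   Type='DWord';  Note='NetBIOS over TCP/IP, 137-139' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\SSDPSRV';          Name='Start';            Data=4;   Type='DWord';  Note='SSDP Discovery (UPnP)' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\upnphost';         Name='Start';            Data=4;   Type='DWord';  Note='UPnP Device Host' }
)

foreach ($t in $Tweaks) {
    $current = $null
    if (Test-Path $t.Path) {
        $current = (Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
    }
    # Compare as strings so REG_SZ 'N' and REG_DWORD 4 are handled the same way.
    $ok = ($current -ne $null) -and ("$current" -eq "$($t.Data)")
    "{0,-4} {1}\{2} = {3}  ({4})" -f ($(if ($ok) { 'OK' } else { 'FIX' }), $t.Path, $t.Name, $current, $t.Note)
    if ($Apply -and -not $ok) {
        if (-not (Test-Path $t.Path)) { New-Item -Path $t.Path -Force | Out-Null }
        Set-ItemProperty -Path $t.Path -Name $t.Name -Value $t.Data -Type $t.Type
    }
}

# "DCOM Protocols" is a REG_MULTI_SZ; the post says remove ncacn_ip_tcp only,
# so filter that one entry out and write the rest back unchanged.
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc'
$protos = (Get-ItemProperty -Path $rpc -Name 'DCOM Protocols' -ErrorAction SilentlyContinue).'DCOM Protocols'
if ($protos -and ($protos -contains 'ncacn_ip_tcp')) {
    "FIX  $rpc\DCOM Protocols still lists ncacn_ip_tcp (TCP 135)"
    if ($Apply) {
        $kept = @($protos | Where-Object { $_ -ne 'ncacn_ip_tcp' })
        Set-ItemProperty -Path $rpc -Name 'DCOM Protocols' -Value $kept -Type MultiString
    }
} else {
    "OK   $rpc\DCOM Protocols has no ncacn_ip_tcp"
}

# Verification: parse netstat -ano (available on XP; Get-NetTCPConnection is not)
# and map each LISTENING TCP port to its owning process.
$listening = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
        $port = [int]$matches[1]; $procId = [int]$matches[2]
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Port = $port; PID = $procId
            Process = $(if ($proc) { $proc.Name } else { '?' })
        }
    }
} | Sort-Object Port -Unique
$listening | Format-Table Port, PID, Process -AutoSize

# The ports WWDC reports on, per the post.
$watch = 135, 137, 138, 139, 445, 5000
$still = @($listening | Where-Object { $watch -contains $_.Port })
if ($still.Count) {
    "Still listening (reboot pending, or another service owns it): " + (($still | ForEach-Object { $_.Port }) -join ', ')
} else {
    "None of $($watch -join ', ') are listening."
}
```

Run it once without -Apply to see the FIX lines, apply, reboot, and run it again; a port that is still listed afterwards is owned by the process shown in the table, which is the service to look at next rather than another registry value.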
@marzametal Interesting guide for Win 7. It does require the user to install a lot more than I'd like, such as .NET Framework 4. From what I see there, they can't close all of the ports on Win 7. Interesting that the event log opens an unclosable port. I can't think of any reason for it beyond remote monitoring/administration, but not being able to shut it off is crazy. I'm not sure that I'd trust the Windows firewall to completely deny access to them. This clearly isn't for the user's benefit. I checked the hidden devices on the XP test unit for the items you mentioned. Those entries are not present. You said that you disabled 95 services on Win 7? I don't know if I should congratulate you or offer condolences for having to do that. That quantity is insane. I have to ask, how many ports are still open? What an amazing difference. On my primary unit, closing the open ports takes less than a minute.
@Reality Cellphones seem to want to install their own USB drivers, and a whole lot more. It would be so easy to compromise a PC with one just by plugging it in. Considering how easily they're compromised, they're an ideal malware delivery mechanism. A few possibilities come to mind, none of which are in the user's interest. Possibilities include everything from DRM to weaponizing the cellphone.
@Compu KTed On the XP test unit, I used Inctrl5 to log all of the changes each step and utility made to the system. It will be interesting to compare your list to the changes on my system. I'll try to get those compiled into a post as soon as I have time. IMO, the method used isn't that important. It's the results that matter. It would also be useful to start compiling a list of services that are unneeded, especially if we include those needed for laptops and wireless usage. I was thinking about the Privazer and Last Activity View threads and the stored data they access and reveal. It could be useful to find all of the mechanisms Windows uses to create and store this data, then determine the best ways to eliminate the problem at its source.
I most likely didn't capture all the changes, but will see if I can come up with more info when setting up for testing. The Windows Services (not including 3rd party apps that run as a service) needed to run currently on my system number below a dozen, but probably could be reduced more if needed.
From DCOMbobulator it mentions TCP port 135, if open, could be from having the Windows Task Scheduler and Distributed Transaction Coordinator services running. Both are not running on my system. Still have a copy of "LastActivityView" and tried unsuccessfully to write an SRP to the specific shellbag keys which Windows writes to. Shows up in LastActivityView as "view folder in explorer". Can clean out pretty much everything, but it comes right back since I'm not getting to the source. Don't want to remove some entries though either. Any ideas? ShellBag AnalyZer app?
@marzametal - thanks for the link. I've only had time to skim through, but lots of interesting reading there for those who want to go to/stay on 7, for better or worse. @Compu KTed - thanks. It would be brilliant if we could have such a breakdown on this. For Services, most of us would be familiar with Black Viper's tutorials, but I don't know whether he had/has privacy/security in mind so much as just making for a leaner system. I don't recall him specifically dealing with how Services use ports, though he does mention a bit about dependencies, which are a rabbit warren for sure. Before I knew of Privazer and Last Activity View, I didn't even know about shellbags. It really makes you wonder how many secret/hidden layers there are going on under the hood. Finding and dealing with all the mechanisms sure would be useful, but it would be a mammoth task, no? As for wireless, for a number of reasons I don't like it. I wouldn't be averse to snuffing out anything I could disable/uninstall/physically rip out of my desktop computer. That said, inside a year ago I bought a wireless mouse. What was I thinking? Thankfully the thing looks like it's about to die so I've replaced it with a wired one.
According to the GRC scan, whilst connected to my ISP... all ports are stealth. After connection is made to VPN, some ports are opened up. I brought this lil' tidbit up with the VPN tech staff. They told me not to worry about it since the ports are open on their side, not mine. Their data center would have to be compromised for anything to happen. (...and they don't track customer details, so it'll be a needle in a haystack to figure out which one is me since one VPN outlet can have many users connected). In regards to the disabled services, I have a system backup ready prior to disabling of services (just in case). I must admit, no dramas have been encountered so far. Prior to the latest news about SMB flaw, I had all green on the checkerboard (all stealth). Damnit! I STILL have my wireless mouse... I have been procrastinating, come on... get off my (_o_) and buy a wired one! In regards to services, I'd recommend setting up your system to complete status before tinkering... that way, everything you want is already installed and tweaked before you start reducing running services... the only goal I had in mind when playing around with the services and firewall rules was to minimise my outbound connection log to zero entries. (unless a rule is not matched)
On my test unit, the scheduler is running. MSDTC is set to manual, apparently its default setting. Neither appears to have any effect on port 135, at least on this unit. I haven't run any scheduled tasks through it to see if it affected the results. For the most part, I don't use a task scheduler. On the few units that I have, I use Splinterware's scheduler. Even their free version puts the Windows task scheduler to shame.
Windows Services - Remote Access Auto Connection Manager and Telephony (manual or disabled?)
RasAuto (RAACM), TapiSrv (Telephony)

Telephony Service (default startup: manual)
Dependencies: Plug and Play, RPC, Fax, Remote Access Connection Manager, Remote Access Auto Connection Manager

Remote Access Auto Connection Manager (default startup: manual)
Dependencies: Remote Access Connection Manager, Telephony, Plug and Play, RPC
Disable both... well, most with the word Remote in it... such as Remote Registry etc... I might look into this.. always looking for nifty lil' apps that put Windows to shame...
In addition to scheduled tasks, it can do popup reminders. It can check for the presence or absence of specific windows or processes on specified intervals and perform actions based on the results. It can send keystrokes and mouse clicks as part of the command line for scheduled tasks. That ability alone opens up all kinds of possibilities, especially with applications whose interfaces were not designed to be navigated with a keyboard. Do not include Remote Procedure Call in that list. This can't be disabled.
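The dependency lists posted for Telephony and Remote Access Auto Connection Manager mix two directions: what a service pulls in, and what would break if it were stopped. The script below, an added example that is not from any post in this thread, separates the two for a list of candidate services and refuses to touch Remote Procedure Call, which the reply above notes cannot be disabled. It assumes PowerShell 2.0 or later (XP SP3 onwards) from an administrative prompt; the candidate names and the extra entries on the keep list beyond RpcSs are my own assumptions and can be trimmed.

```powershell
# Added example, not from the original posts. Show each candidate service's
# dependencies in both directions and only disable it (with -Apply) when no
# running service still needs it. RpcSs is never touched.
param(
    [string[]]$Candidates = @('RasAuto', 'TapiSrv', 'RemoteRegistry', 'SSDPSRV', 'upnphost'),
    [switch]$Apply
)

# RpcSs is the one the thread calls out; the rest are conservative additions
# (assumption) because disabling them breaks the service control manager,
# device enumeration or logging respectively.
$NeverDisable = @('RpcSs', 'DcomLaunch', 'PlugPlay', 'EventLog')

# Get-Service on PowerShell 2.0 has no StartType property; WMI does.
function Get-StartMode([string]$Name) {
    $w = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if ($w) { $w.StartMode } else { $null }
}

foreach ($name in $Candidates) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { "SKIP  $name  (not installed)"; continue }
    if ($NeverDisable -contains $svc.Name) { "KEEP  $($svc.Name)  (on the never-disable list)"; continue }

    # ServicesDependedOn: what this service needs to start.
    # DependentServices:  what breaks if this service goes away.
    $needs   = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })
    $needed  = @($svc.DependentServices  | ForEach-Object { $_.Name })
    $running = @($svc.DependentServices  | Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name })

    "{0,-15} {1,-8} start={2,-9} needs=[{3}] needed-by=[{4}]" -f `
        $svc.Name, $svc.Status, (Get-StartMode $svc.Name), ($needs -join ','), ($needed -join ',')

    if ($running.Count) {
        "      not disabling: still needed by running service(s) $($running -join ', ')"
        continue
    }
    if ($Apply) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType Disabled
        "      disabled"
    }
}
```

The needed-by column is the one to read before changing anything: a service with an empty needed-by list can go to Manual or Disabled safely, while one that still shows a running dependent is the dependency chain to walk first.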
Kerio doesn't turn off the built-in Windows firewall so I did that manually. Newer firewalls do that automatically. Heard mixed advice on Windows Firewall (ICS) service. Do I leave it running or turn it off? Currently it is running.
Some very good advice, info and apps being given on how to better secure your comp. Interestingly a lot of this is what a number of us have been doing for years. But there is no harm in rehashing for the benefit of others. Amongst the apps I've been using for about 10 years on my XP are DCOMbob.exe, UnPnP.exe, XPdite.exe, shootthemessenger.exe, wwdc.exe, BugOff.exe, dsostop2.exe, htastop.exe, sdefend.exe, SafeXP.exe, xp-AntiSpy.exe, and Seconfig XP. See the Seconfig XP.txt for more info and explanations of all it can do. Some of the options in the above apps do the same or similar things, but not all. It's worth trying to locate them and see what you can achieve!
@Compu KTed On my last physical XP system, I had the firewall and ICS disabled. On the current virtual system, I haven't got that far.
Haven't seen a few of those in a while. For HTAs, I use the old Script Sentry from Jason's Toolbox. It wasn't that long ago that HTAs were quite good for hijacking PCs. If I recall, HTAs used to be run as trusted by default, as was anything they downloaded. Script Sentry dealt with them by making itself the default handler for them. It would enable you to view them in Notepad before deciding if you wanted to run them. It's quite handy if you use the Windows Scripting Host but don't want it to run every script it sees. With Script Sentry, you could whitelist individual scripts. If I recall, Script Defender is quite similar.
Another tweaking/configuring utility with a lot of options is X-Setup Pro. If I recall, version 6.6 is the last one that's free. Its only downside is that it's quite large for such a utility, over 10MB installed.
When I set Windows Firewall (ICS) service to manual and reboot machine I get a popup message on the logon screen. Windows - Fatal Application Exit. Kerio Personal Firewall Driver: Unable to attach ' TCP ' Checked Kerio firewall status and sure enough only PFWAMIN.EXE is listed. Started ICS service (automatic) and it solved the issue.
There appears to be more involved here. On 2 different virtual test units, both XP-Pro-SP3, I've tried both the manual and disabled settings for the firewall/ICS service. One test unit uses a static IP. The other is DHCP assigned. So far, I can't recreate that error. Kerio is working properly on both units regardless of how that service is configured.
I just finished another attempt on another virtual SP3 system. Except for a few display settings, this one is default settings throughout. We need to determine what is different between your test unit and mine. Do you have updates after SP3 installed? Any other optional features or components? Wireless? It's entirely possible that this difference is due to a post SP3 update that involves the firewall or security center.