Jetico with NTWrapper: is it secure during boot/close down??

Discussion in 'other firewalls' started by SamSpade, Nov 26, 2006.

Thread Status:
Not open for further replies.
  1. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Okay SamSpade, just ignore my advice :D

    Unfortunately, each computer is configured differently, so disabling certain services can be detrimental to your setup. For example, disabling everything to do with NetBIOS will make you unable to share files and printers. However, it will also drastically increase your security if your firewall ever goes down, since these are some of the most exploited ports (137, 138, 139, 445, etc.).

    So, in order to see what ports are open on your computer and give you some advice in shutting them down to ensure maximum protection for yourself during startup, shutdown, and in the case your firewall ever is disabled, follow these steps:

    1) Get TCPView from Here

    2) Extract the zip file, then navigate to the folder

    3) Run Tcpview.exe

    4) Maximize the window and take a screen shot of it (like the one I attached)

    5) Post the screen shot here in this thread then we can take a look at it and see what processes can be disabled safely on your computer without hampering your internet connection and needs


    From the screenshot, if you look at the rows that have "LISTENING" next to them, that means that they are waiting to receive incoming TCP connections. This is what causes a port to be "open". The two processes I have listening are sshd.exe (OpenSSH, which I use to remotely access my PC, transfer files securely, etc.) and named.exe (my personal DNS server, which is TreeWalk DNS, very fast and updates very quickly). I have managed to disable all of the other processes, so if I were to uninstall this software, nothing would listen at all. That is the goal for you: to have no unneeded things up and running. If they are needed, then limit the access to the ports using a firewall and specific rules.

    Hope that helps

    Cheers.

    Alphalutra1
     

    Attached: post.JPG
    Last edited by a moderator: Nov 30, 2006
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Kerio 2.1.5 does protect my system when I have not logged in or my PC is somehow rebooted to that login state without my actions being needed.
    It does not protect while the firewall service is not loaded, so there is a really short time while booting or shutting down, but I am not really worrying about that.

    Below is a screen capture of a time period after reboot and before login in. Some system block rules shown, as well as Cyberhawk "calling" homebase, lol.
     


  3. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Sorry I missed your nudge, Alpha; I wasn't sure what I'm looking for -- well, now I have a better idea from your post today.

    OK, had some trouble trying to use the "image" function as opposed to using the "attachment" function (hey, it only took me a *little* while to figure it out....)

    Anyway, you now see what I'm running in a typical situation. How can I tailor down these processes to what I only need to be running?

    I see only a few processes which are listening -- the Skypes don't bother me; should they ?? -- the Dkservice.exe doesn't bother me (Diskeeper, no problem [?]), alg.exe is a normal MS function, right? That leaves us only the last two "System 4" functions, neither of which is checkable via TCPView; blocked for some reason.



    Attached: scrnshot.jpg
     
    Last edited: Nov 29, 2006
  4. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Just so you can help someone else do this and understand what I am asking you to do, I will try to explain it in detail.

    *****WARNING****** Some of these steps could break your internet connection, so go through them one by one in order to see what the problem is then undo what you last did
    ***END OF WARNING**********

    First note, in order to disable services, click Start->then run
    Type in "services.msc" without the quotes, then double click on the name of the service you want to configure, then set its startup type.


    1) If you look at the first item in the image, you see alg.exe. This is the Application Layer Gateway service (you could figure that out by googling alg.exe). It is needed for Windows Firewall and Windows Internet Connection Sharing. If you don't use these, then you can most likely disable the service.

    2) The next one is Dkservice.exe, which is from Diskeeper and is in charge of keeping schedules and other things relating to it. I am not sure whether or not it is required, so if you want to mess around, you can try disabling it and seeing whether anything detrimental occurs.

    3) The next two are lsass.exe listening on port 500 (isakmp) and 4500, which can be disabled by disabling IPSEC (I have IPsec on manual, so you can put it on that to be on the safe side).

    4) Next is svchost.exe listening on epmap (port 135). This is a tricky one to disable. First, get DCOMbobulator, run it and disable DCOM. Then disable Distributed Transaction Coordinator and Task Scheduler.

    5) Disable Windows Time in order to get rid of svchost.exe listening on port ntp (123)

    6) Now let's disable NetBIOS which can be done by following ALL of the instructions Here.

    7) Now, reboot your computer

    8) Run tcpview.exe again, take another screenshot, and let's see what else we can do to help you.

    Cheers,

    Alphalutra1
     
  5. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    OK, here's what's left after doing *some* of your suggestions. I'm leaving Diskeeper as I don't see any harm in it. So that only leaves one "System 4" TCP entry that I'm not sure what it is, but ... well, it won't close even if I try.

    I did disable Distributed Transaction Coordinator and Task Scheduler.


     

    Attached: post.JPG
    Last edited by a moderator: Nov 30, 2006
  6. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Well, did you follow all of the instructions at this website for disabling port 445? That includes editing the registry, since it is the only way to stop it from binding on that port and listening on it. Try to do that again, since it will stop svchost from listening on microsoft-ds.

    Also, disable the Universal Plug and Play Device Host because I think that is what is listening on port 1900

    Disable windows time if you want to get rid of the ntp listening for udp packets

    I also still have no clue why Dkservice needs to listen and accept incoming TCP connections, but be sure to block it receiving any incoming connections with whatever firewall you use.

    Try to follow these things in order to lock your PC down some more, then take a screenshot and I can see if anything else is listening that can be disabled or prevented from listening.

    edit--------------
    I forgot to add: run Shoot The Messenger just in case, to disable another UDP listening socket.

    Cheers,

    Alphalutra1
     
    Last edited: Nov 29, 2006
  7. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    I did follow those instructions for disabling port 445 (w/ regedit) -- but why is that so important ?

    UP&Pray was already disabled, so I don't know what's happening on port 1900 with that svchost.exe running there; ditto for the other instances of svchost (4 more) which are running. Oh, wait, I see now that they are the Windows Time and something else... hey! Maybe I'm larnin' something here!

    I need Windows Time for my clock (nothing like accuracy !).

    Dkservice is sending feedback on my defrag ops, phoning home to the company, but I'm not sure why (for "statistical reasons", they say).

    Here you go: latest scrnsht.JPG
     
    Last edited by a moderator: Nov 30, 2006
  8. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Looking better SamSpade :D

    The reason the disabling-445 instructions were so important was that svchost.exe was still listening on that port in the post before the last one, but a reboot or something after following the website's instructions disabled it, so that's good.

    Just a few more things to tweak and then you should be set.

    Disable SSDP Discovery Service in order to stop svchost.exe from opening a udp socket on port 1900.

    Don't really know what is creating the socket at 1030 o_O Maybe someone else can chime in on this one.

    If you want to post another screenshot, you can, but everything is looking good on your side. You now won't have anything listening except skype, Dkservice, and a few udp sockets created by svchost.exe

    Hope that helps

    Cheers,

    Alphalutra1
     
  9. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    I may be Watson and it may be elementary as dirt, but why is it so important to shut down SSDP Discovery Service?? What if it's needed in the future ?? For that matter, why close down port 445 ?? I mean, wasn't there a *good* reason for having it open to begin with ?? (Try not to roll your eyes or snicker too loudly. I confess my neoism to this realm. ;) )

     
    Last edited by a moderator: Nov 30, 2006
  10. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: ;) :D

    (I tried to have more rolling eyes, but I just found out that there is an 18 image limit, I originally had 100 :D )

    Port 445 and the process that listens on it is one of the most commonly exploited things on a windows system. Many worm attacks target it and it is a really bad infection vector. It has been patched several times, but new exploits continually crop up. Just type "port 445" into google (or scroogle if you are like me) and look at some of the results that come up. Many of them deal with reporting exploits that occur on that port.

    As for SSDP Discovery Service, here is a long post dealing with how it is unnecessary while providing another attack vector and method of being infected/exploited. This also has more information on it.

    By making no unnecessary things listen, you are essentially hardening your PC and making it almost impossible for someone to remotely enter your system, since there is no way for them to gain access to it. For example, if you have no ports open whatsoever, then a firewall isn't really necessary, since no malicious attempts will be acknowledged. Some people have actually done this here at Wilders (I think Rmus has, in addition to Kerodo) with no ill effects. However, I still believe a firewall is an essential part of security, but having no services listening means that if it fails, nothing horribly wrong can happen. Also, it means that you are protected on shutdown and power up ;)

    Cheers,

    Alphalutra1
     
    Last edited by a moderator: Nov 30, 2006
  11. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    ROTFL the eyes, Alpha !! :D

    Your concluding points make it clearer. But what's to prevent a bad vector from using *any* port, not just the ones you've mentioned above, which are only a very few? There are some 65000 ports available for intrusion, as I understand. Is it because 445 is particularly vulnerable due to its being left open by the makers of commonly used operating system software o_O I mean, isn't this what Steve Gibson's crusade is all about: close down dangerously exploitable vulnerabilities ?!

    Best,

    Sam


     
    Last edited by a moderator: Nov 30, 2006
  12. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415

    Update: today port 1030 is *not* active, but a new port, 1170, is (was). (According to http://www.auditmypc.com/port/udp-port-1030.asp 1030 is a UDP port -- less of a vulnerability ??), but now port 1170 has opened for business (?) under our old friend, svchost.exe. auditmypc.com says generically this port *has* been exploited by malware (virus/trojan) in the past. Says also that the port is used for "streaming audio server".... Whoops !! Now 1170 is gone and instead port 1498 is open to svchost. Hm-m?

    I've been running NOD32, AVG-antispy, A-Squared free and SpySweeper full over the past several days with no signs of trouble.

    Sam


     
  13. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    It is probably some service that runs under the name of svchost.exe that is opening up the connections. If you get Process Explorer, then double click on a svchost.exe, then click on the TCP/IP tab, it might tell you which svchost.exe is doing the socket creation. After figuring out which svchost.exe is doing it, click the Services tab and see what services are running under that svchost. One or more of those may be the source of the port problem, so research a little about each service, then try disabling the non-critical ones to see if you can stop it.

    Cheers,

    Alphalutra1
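    The step Alphalutra1 describes in posts 1 and 13 (find what is LISTENING, then work out which service inside a shared svchost.exe owns the socket) can also be done from the command line with two stock XP commands, `netstat -ano` and `tasklist /svc /fo csv`. The script below is an added example, not code from the thread or from TCPView/Process Explorer: it joins the two outputs and flags the ports the thread calls out. Both sample outputs are constructed to look like XP output; paste the real command output into the two strings to use it.

```python
"""Attribute listening sockets to the process and the service that opened them.

Added example (not code from the thread, TCPView or Process Explorer). It joins
`netstat -ano` (socket plus owning PID) with `tasklist /svc /fo csv` (PID plus
the services hosted in that process), which answers "which svchost.exe opened
udp 1900?" without a GUI. Both samples below are constructed XP-style output.
"""
import csv
import io
import re

# Ports the thread singles out as the most commonly exploited on Windows.
WORM_PORTS = {135, 137, 138, 139, 445}

# Constructed sample of `netstat -ano` on an unhardened box.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1232
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1052       64.233.167.99:80       ESTABLISHED     2288
  UDP    0.0.0.0:123            *:*                                    1136
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    732
  UDP    127.0.0.1:1900         *:*                                    1232
"""

# Constructed sample of `tasklist /svc /fo csv` taken at the same moment.
TASKLIST_SAMPLE = """\
"Image Name","PID","Services"
"System Idle Process","0","N/A"
"System","4","N/A"
"lsass.exe","732","PolicyAgent,ProtectedStorage,SamSs"
"svchost.exe","1040","RpcSs"
"svchost.exe","1136","AudioSrv,Browser,CryptSvc,Dhcp,Schedule,W32Time"
"svchost.exe","1232","SSDPSRV,WebClient"
"firefox.exe","2288","N/A"
"""

# proto, local addr, local port, foreign addr, optional TCP state, PID
SOCKET_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def listening_sockets(netstat_text):
    """Sockets that accept unsolicited input: TCP in LISTENING, and any bound UDP."""
    found = []
    for line in netstat_text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, addr, port, _foreign, state, pid = m.groups()
            if proto == "UDP" or state == "LISTENING":
                found.append((proto, addr, int(port), int(pid)))
    return found


def process_services(tasklist_csv):
    """Map PID -> (image name, [service short names hosted in that process])."""
    procs = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        services = row["Services"]
        names = [] if services == "N/A" else services.split(",")
        procs[int(row["PID"])] = (row["Image Name"], names)
    return procs


def attribute(netstat_text, tasklist_csv):
    """Join the two views; one dict per listening socket, with hardening flags."""
    procs = process_services(tasklist_csv)
    rows = []
    for proto, addr, port, pid in listening_sockets(netstat_text):
        image, services = procs.get(pid, ("<unknown>", []))
        flags = []
        if port in WORM_PORTS:
            flags.append("worm port")
        if not (addr.startswith("127.") or addr == "::1"):
            flags.append("network-reachable")   # not bound to loopback only
        if len(services) > 1:
            flags.append("shared svchost: disable candidates one at a time")
        rows.append({"proto": proto, "addr": addr, "port": port, "pid": pid,
                     "image": image, "services": services, "flags": flags})
    return rows


def exposed_worm_ports(rows):
    """Worm ports still bound on a non-loopback address, i.e. what a scan sees."""
    return sorted({r["port"] for r in rows
                   if "worm port" in r["flags"] and "network-reachable" in r["flags"]})


if __name__ == "__main__":
    rows = attribute(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in rows:
        owner = ", ".join(r["services"]) or "-"
        print(f"{r['proto']} {r['addr']}:{r['port']} pid {r['pid']} "
              f"{r['image']} [{owner}] {'; '.join(r['flags'])}")
    print("worm ports reachable from the network:", exposed_worm_ports(rows))
```

    In the constructed sample the udp 123 socket lands on a svchost.exe that also hosts Browser, Schedule and W32Time, which is exactly the case post 4 warns about: the script can only name the candidates, and the one that owns the socket is found by disabling them one at a time and re-running the commands. Ephemeral ports such as 1030 that move between reboots are handled the same way, by looking at the PID rather than the port number.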
     
  14. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    These are mainly listening for some things to do with my wireless connections, for "sound", whatever that means.

    Btw, I notice you are using CHX-I as a firewall -- how does it compare with a standard firewall, like Jetico, for example. Now that I've had a taste of bare-bones firewalls, like Jetico, I don't really care for COMODO so much; feels so fluffy and vague; so I've switched back to Jetico v. 1, as v. 2 was just impossible to run on my machine, even with all my anti-spywares turned off.

    How would CHX-I compare with Jetico ?? It looks very minute in detail, down to the last dot and hash.

    Regards,

    Sam


     
    Last edited by a moderator: Nov 30, 2006
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have edited a number of posts. There is no need, when answering the last post made in a thread to "quote" that full post in reply, so I have removed such quotes.

    From the point of concern of svchost, there are a number of services that will make svchost open and/or listen on a port. Some are not so obvious as others, one being "Computer Browser" (service name: Browser; svchost.exe -k netsvcs).
    I will have time this weekend to compile and post a list of these services.
     
  16. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Good news, Stem. I look forward. Thanks.


    Sam


     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Sam,

    "Alphalutra1" has given good examples of services that are not really needed and can give possible access to malware/attack (thank you Alphalutra1 for doing this).
    I have been short of time over the last few months (due to personal reasons), but I will now be able to give more attention, and more time to helping here.

    I will, as requested, show my services settings, to show how I can have all ports closed (with ref to possible problems due to this). I will compile this for the weekend.
     
  18. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Thanks Stem, looking forward to it.

    Sam


     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi SamSpade,
    These are the services I personally disable within XP. Do be aware that these settings work perfectly well on my setup, but not all systems are the same. So use this info at your own risk.

    First of all I disable "netBIOS over TCP/IP" in the advanced TCP/IP settings.

    Disabled services on my setup.

    Application Layer Gateway (ALG) alg.exe
    [Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall]
    If you are using Windows firewall or ICS (Internet connection Sharing), then you should leave this enabled.

    Automatic Updates (wuauserv) svchost.exe -k netsvcs
    [Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.]
    If you use Automatic updates, then either leave this enabled, or as I do, enable when needed.

    Background Intelligent Transfer Service (BITS) svchost.exe -k netsvcs
    [Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.]
    Used for file transfer for windows updates, I disable this, and then enable when needed for windows automatic updates

    Computer Browser (Browser) svchost.exe -k netsvcs
    [Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.]
    If you are on a LAN you may want to leave this enabled. Certainly not needed for a standalone system.

    Distributed Transaction Coordinator (MSDTC) msdtc.exe
    [Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. ]
    I have not seen this used on an home PC system, and personally have this disabled. Maybe needed by some?

    DNS Client (Dnscache) svchost.exe -k NetworkService
    [Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.]

    Indexing Service (CiSvc) cisvc.exe
    [Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.]
    This service will normally start while the system is idle; it will then start to index files, and due to this most AVs will then start to check the files being accessed by this service, giving, for what appears to most users to be no reason at all, a lot of disk activity. I disable this service simply because it bugs me.

    IPSEC Services (PolicyAgent) lsass.exe
    [Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.]
    Operations for a host authentication device used with data transfer and encryption on a domain. I personally have not seen this service active, and although I have not seen a need for it, it may possibly be needed.

    Messenger (Messenger) svchost.exe -k netsvcs
    [Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.]

    Network Location Awareness (Nla) svchost.exe -k netsvcs
    [Collects and stores network configuration and location information, and notifies applications when this information changes.]
    A part of the Internet Connection Sharing (ICS) component.

    Net Logon (Netlogon) lsass.exe
    [Supports pass-through authentication of account logon events for computers in a domain.]
    Domain Authentication, used when you log into the Domain. No domain? No Net Logon needed

    NetMeeting Remote Desktop Sharing (mnmsrvc) mnmsrvc.exe
    [Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.]
    I do not use "NetMeeting", and don't know anyone who does. Please let me know if you do.

    Remote Desktop Help Session Manager (RDSessMgr) sessmgr.exe
    [Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.]
    If you're a Remote Desktop user, keep this enabled.

    Remote Registry (RemoteRegistry) svchost.exe -k LocalService
    [Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.]
    I prefer not to allow someone to have the ability to edit my registry remotely.

    Secondary Logon (seclogon) svchost.exe -k netsvcs
    [Enables starting processes under alternate credentials. If this service is stopped, this type of ]
    When Microsoft says 'Alternate Credentials' they are talking about the [Run As...] command which appears on the context menu, allowing a Limited User to run an executable as a higher level user. (personal choice for me to disable this. Some may find this service very useful)

    Server (lanmanserver) svchost.exe -k netsvcs
    [Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.]
    Provides basic file and print services on the LAN. Possibly needed by some.

    Task Scheduler (Schedule) svchost.exe -k netsvcs
    [Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.]
    Now some may use this service for updates / setting times for defrags etc., so beware of the possible outcome of disabling this service. For me it's just another Windows service that listens on a port.

    SSDP Discovery Service (SSDPSRV) svchost.exe -k LocalService
    [Enables discovery of UPnP devices on your home network.]
    Do remember, a UPnP device is external (not inside the computer case) and a part of the local network. If you are connected directly to the internet you should disable this. If you are on a LAN, then only use this if you are sure you need it.

    Telnet (TlntSvr) tlntsvr.exe
    [Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.]
    I know this service is set to "disabled" in SP2, but wanted to mention this for anyone using XP without SP2 (I know there are still a few), this remote login 'feature' can be a major security hole.

    Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) svchost.exe -k netsvcs
    [Provides network address translation, addressing, name resolution and/or intrusion prevention services ]
    If you use windows firewall and/or ICS, then of course you will need this.

    Windows Time (W32Time) svchost.exe -k netsvcs
    [Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.]
    I disable this just to stop svchost from continually sending/receiving datagrams.

    To finish on my setup, I run WWDC to close ports (some services I do not disable, I simply close off the ports with WWDC).

    But warnings for the use of this:

    DCOM RPC (port 135). If you disable this then the "Scheduler" will fail to start. (So please take note of my warning shown for disabling the "Task Scheduler" service.)
    RPC Locator (port 445). This is a service I normally always disable, but I have been warned that this can, in some cases, cause loss of internet connection (as I have been informed that some ISPs use this).
    NetBIOS (ports 137-139). Now I already have this disabled (as mentioned at the beginning of my post), but be aware that if you disable this from within WWDC, it can (I have found) cut off DHCP, so I personally always leave this "as is", as I do (at times) use DHCP for some testing.
    UPNP (port 5000) This should already show as closed (If you have disabled the SSDP service)
    Messenger (NetBIOS/RPC ports) do you use the "Messenger service", if not then disable.

    Do remember, that any settings you change with WWDC can be changed back by running the program again.

    Just a pic to show WWDC with my settings:-
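    Post 4 walks through disabling services one at a time, and the list above is what Stem keeps off; on XP the result of either is recorded in the registry as each service's Start value, so it can be audited rather than eyeballed in services.msc. The script below is an added example, not code from the thread or from WWDC: it parses `reg query` output for the Services hive, reports which services in the list above are still enabled, checks the two NetBT switches the thread relies on (NetBIOS over TCP/IP per interface, and SMB on port 445 via the registry edit post 6 refers to) and notes the Task Scheduler/port 135 conflict from this post. The value names NetbiosOptions and SMBDeviceEnabled are the standard XP ones and are not quoted anywhere in the thread; the registry text is constructed.

```python
"""Audit XP service start types and NetBT switches against the list above.

Added example (not code from the thread or from WWDC). Parses `reg query`
output for the Services hive, reports listed services that are not Disabled,
and checks NetBIOS over TCP/IP per interface and SMB on 445. The value names
Start, NetbiosOptions and SMBDeviceEnabled are the standard XP ones and are
not quoted in the thread. The registry text below is constructed.
"""
import re

START = {2: "Automatic", 3: "Manual", 4: "Disabled"}  # Services\<svc>\Start

# Baseline from the post: service short name -> what disabling it costs.
BASELINE = {
    "ALG": "keep if Windows Firewall or ICS is used",
    "wuauserv": "Automatic Updates; enable when updating",
    "BITS": "Windows Update transfers; enable when updating",
    "Browser": "LAN browse list; not needed on a standalone PC",
    "MSDTC": "rarely used on a home PC",
    "Dnscache": "DNS client cache",
    "CiSvc": "indexing; disk churn only",
    "PolicyAgent": "IPsec/IKE; lsass on udp 500 and 4500",
    "Messenger": "net send; keep off",
    "Nla": "part of ICS",
    "Netlogon": "domain logon only",
    "mnmsrvc": "NetMeeting remote desktop sharing",
    "RDSessMgr": "Remote Assistance",
    "RemoteRegistry": "remote registry edits",
    "seclogon": "Run As; personal choice",
    "lanmanserver": "file and print sharing",
    "Schedule": "Task Scheduler; listens on a port and fails if DCOM/RPC 135 is closed",
    "SSDPSRV": "UPnP discovery on udp 1900",
    "TlntSvr": "Telnet; already Disabled on SP2",
    "SharedAccess": "keep if Windows Firewall or ICS is used",
    "W32Time": "NTP datagrams on udp 123",
}

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\(\S+)\s*$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$")

# Constructed: output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v Start`
# followed by `reg query HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters /s`.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG
    Start    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV
    Start    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    SMBDeviceEnabled    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-2222-3333-4444-555555555555}
    NetbiosOptions    REG_DWORD    0x0
"""


def parse_reg_query(text):
    """{subkey under Services: {value name: int}} from `reg query ... /s` text."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def _lower(keys):
    return {k.lower(): v for k, v in keys.items()}  # registry names are case-insensitive


def audit_services(keys):
    """Baseline services present but not Disabled: (name, start type, note)."""
    lower, findings = _lower(keys), []
    for svc, note in BASELINE.items():
        values = lower.get(svc.lower())
        if values is not None and values.get("Start") != 4:
            start = values.get("Start")
            findings.append((svc, START.get(start, f"Start={start}"), note))
    return findings


def audit_netbt(keys):
    """SMB direct hosting on 445, and NetBIOS over TCP/IP on each interface."""
    lower, issues = _lower(keys), []
    # A missing value means the default, which is "enabled" for both switches.
    if lower.get(r"netbt\parameters", {}).get("SMBDeviceEnabled", 1) != 0:
        issues.append("SMBDeviceEnabled is not 0: System still binds tcp/udp 445")
    for key, values in keys.items():
        if key.lower().startswith(r"netbt\parameters\interfaces\tcpip_") and values.get("NetbiosOptions", 0) != 2:
            issues.append(key.rsplit("\\", 1)[-1] + ": NetBIOS over TCP/IP (137-139) still enabled")
    return issues


if __name__ == "__main__":
    keys = parse_reg_query(REG_SAMPLE)
    for svc, start, note in audit_services(keys):
        print(f"{svc:<15} {start:<10} {note}")
    for issue in audit_netbt(keys):
        print("WARNING:", issue)
```

    The notes carry the caveats from the list rather than a verdict: ALG and SharedAccess are reported as enabled in the constructed sample, and whether that is a finding depends on whether Windows Firewall or ICS is in use, exactly as the post says. Services absent from the export (TlntSvr on SP2, for instance) are skipped rather than reported.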
     

  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Stem: do you use Harden-It?
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    lucas1985,
    No, my main setup is based on my last post.
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks
    Why do you not use it?
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The Gateway/filters/firewalls I use give the control I need on TCP/IP filtering.
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    So, is Harden-It useless with Jetico?
    Which filters and gateways do you use? I´m starting to experiment with UTM Linux distros such as IPCop/Endian
    Thanks again :thumb:
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Certainly not. The TCP/IP stack has always been a target for DoS attacks. I know a lot of users believe a DoS attack is always based on bandwidth being taken (I personally class these as flood attacks). A DoS attack can be simply a malformed packet or a series of defragmented packets that cannot be handled correctly. Such firewalls as Jetico do give more user control over the filtering of such packets (but not all users can create a ruleset to filter these correctly), but a lot of firewalls now include the filtering of such packets (these would be classed as "attack detection" (or similar)).
    There is a current advantage in using gateways or an OS based on Linux, as these have still not really been attacked. Yes, I know there are many users who say that Linux (or the like) cannot be compromised as such, but I would tend to disagree, as from my standpoint on this it is simply a case that it is easier for malware/virus writers to keep their sights on Windows.
    I could put forward: if all users moved to linux, would this OS still be as secure in 3 months as it is now?
     