Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    @noone_particular
    All these ports you mentioned can be closed with registry tweaks and setting the appropriate Windows services
    to manual or disable. No need to add additional software to accomplish this.
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    True, assuming that the user is comfortable with that and knows what services to disable. The utilities make it simpler for the average user. There's also some advantages to the utilities. They all provide an easy way to check the status of those services. The UNPNP utility also communicates with the next device, instructing it to close any ports opened by UPnP. The WWDC utility also provides a quick way to view which ports are open.
     
  3. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thank you for a most informative post noone. Ditto for post #405.
    Guides like these are really helpful.

    @KeyPer, if you have another way of doing it, well and good, but it would be helpful to put a guide in such as noone has done, for the benefit of all and the likes of people like me. :)

    Well, here's a rant. With every passing day I get more wary of cellphones. I've been trawling through Services lately because I was in a position where I needed to get some files off of a very basic Samsung cell phone which is a work one. I just plugged in its USB connection, and as I thought, nope. You have to jump through the hoops and install their STUPID software which took up a whopping 200 MB or so just to pull the files off, never mind all the other excess baggage. o_O

    I did a system backup first. After install, the amount of stuff that wanted to call home and tried to by DEFAULT was absolutely ridiculous. Just as well I was physically offline. I can't navigate to any files unless their Service is running, so I have to do the enable/disable routine. Thankfully this will only be a temporary situation, but what's wrong with these people?

    I have another device I can just hook up to my computer through the USB port, NO SOFTWARE NEEDED, and I can just navigate to any files I want and drag them over to my computer. Very simple. Apparently this used to be the case with cell phones, or some at least.
     
  4. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I will post this here as well, because I am not sure if XP Device Manager has this feature too.
    http://hardenwindows7forsecurity.com/Harden Windows 7 Home Premium 64bit - Standalone.html
    About a 1/4 of the way down, you will see a heading "Disable unused tcpip6 Devices and NETBT".
    It has some settings for shutting off NETBT that weren't mentioned above, so not sure if they apply or were overlooked.

    Also have a look at Disabling Listening Ports, might be repeating what you said though...
     
    Last edited: Apr 24, 2015
  5. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    These are registry tweaks that I've used for certain ports. After applying and disabling Windows Services
    which noone mentioned earlier one should get good results with those 3 tools.

    You can also use the command prompt for info.

    Type: netstat -ab | more <enter>
    Displays protocol statistics and current TCP/IP network connections.

    There was mention of another app that was recommended over at RyanVM.net (Windows XPSP4)
    discussion board called " Seconfig XP " that looks interesting and may be useful if one doesn't like
    editing the registry.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    Key: EnableDCOM
    REG_SZ
    Value data: N (disable DCOM)

    // the DCOMbobulator utility will set value data to Y (enable DCOM)
    or N (disable DCOM) in registry.

    Close Port 135:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc
    Key: DCOM Protocols
    Value Data: delete ncacn_ip_tcp only!

    // DCOMbobulator Remote Port 135 test
    Result: Port 135 status should show Stealth at GRC site.

    SMB over TCP/IP
    Disable direct hosting of SMB over TCP/IP (closing port 445)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    Key created: SMBDeviceEnabled
    REG_DWORD
    Value data: 0

    The UNPNP.exe (UnPlug n' Pray) utility starts Windows SSDP Discovery Service. Don't know about reg entries.
    UPDATE: Some registry key changes from UnPlug n' Pray utility.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV
    Key Name: Start
    Value data: 3 // Enables SSDP Discovery Service
    // Value data: 4 = disable the service
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost
    Key Name: Start
    Value data: 3 // enables the Universal Plug and Play Device Host
    // Value data: 4 = disable the service
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent
    Value data: 6
    // default Value data is 5
    Adds another registry subkey under HKEY_USERS
    // Set SSDP and UPnP services to disable.

    The WWDC.exe (Windows Worms Doors Cleaner) utility should give you all green checks.
    (safely disabled) // open ports window - blank
    DCOM RPC Port 135
    RPC Locator Port 445
    NetBIOS Ports 137-139
    UPNP Port 5000
    Messenger (NetBIOS/RPC ports)

    untitled.JPG
    Forgot to mention wwdc.exe utility will show Kerio Personal Firewall connections in open ports
    as screenshot indicates.


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
    Key: Start
    REG_DWORD
    Value data: 4
    // stops NetBIOS service (ports 137-139) from starting.

     
    Last edited: Apr 25, 2015
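The registry values and ports KeyPer4Life lists above can be audited in one pass. The script below is an added example, not from the thread or from any of the utilities it names; it assumes Windows with PowerShell and read access to HKLM, and it only reads, never writes. The ServiceCurrent entry is skipped because the post does not give its value name.

```powershell
# Added example: report which of the thread's "closed port" settings are not in place.
# Each check: registry path, value name, the value the thread says closes the port, and why it matters.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole'; Name = 'EnableDCOM'; Expect = 'N'; Why = 'DCOM enabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'; Name = 'SMBDeviceEnabled'; Expect = 0; Why = 'direct-hosted SMB on port 445' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SSDPSRV'; Name = 'Start'; Expect = 4; Why = 'SSDP Discovery service not disabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\upnphost'; Name = 'Start'; Expect = 4; Why = 'UPnP Device Host not disabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT'; Name = 'Start'; Expect = 4; Why = 'NetBIOS over TCP/IP (137-139) not disabled' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (SMBDeviceEnabled does not exist by default).
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null
    }
}

$findings = @()
foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    if ($actual -eq $null) {
        $findings += "MISSING  $($c.Path)\$($c.Name) (expected $($c.Expect)) - $($c.Why)"
    } elseif ("$actual" -ne "$($c.Expect)") {   # compare as strings so REG_SZ and REG_DWORD both work
        $findings += "MISMATCH $($c.Path)\$($c.Name) = $actual (expected $($c.Expect)) - $($c.Why)"
    }
}

# DCOM Protocols is a REG_MULTI_SZ; the thread says to delete only the ncacn_ip_tcp entry.
$protos = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Rpc' 'DCOM Protocols'
if ($protos -and ($protos -contains 'ncacn_ip_tcp')) {
    $findings += "MISMATCH HKLM:\SOFTWARE\Microsoft\Rpc\DCOM Protocols still lists ncacn_ip_tcp (TCP port 135)"
}

# Cross-check the registry state against what is actually listening (netstat -ano exists on XP and later).
# LISTENING rows look like: TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  904
$listening = netstat -ano | Where-Object { $_ -match 'LISTENING' } |
    ForEach-Object { ($_.Trim() -split '\s+')[1] -replace '^.*:(\d+)$', '$1' }
$watched = 135, 137, 138, 139, 445, 5000, 1900      # ports named in the thread's WWDC / UPnP discussion
foreach ($p in ($listening | Sort-Object -Unique)) {
    if ($watched -contains [int]$p) { $findings += "LISTENING TCP port $p is still open" }
}

if ($findings.Count -eq 0) { 'All checked settings match the hardened state.' } else { $findings }
```

Run it before and after applying the tweaks; an empty findings list plus a blank "open ports" window in WWDC is the state the post describes.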
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @marzametal
    Interesting guide for Win 7. It does require the user to install a lot more than I'd like, such as .NET Framework 4. From what I see there, they can't close all of the ports on Win 7. Interesting that the event log opens an unclosable port. I can't think of any reason for it beyond remote monitoring/administration, but not being able to shut it off is crazy. I'm not sure that I'd trust the Windows firewall to completely deny access to them. This clearly isn't for the user's benefit. I checked the hidden devices on the XP test unit for the items you mentioned. Those entries are not present.

    You said that you disabled 95 services on Win 7? I don't know if I should congratulate you or offer condolences for having to do that. That quantity is insane. I have to ask, how many ports are still open? What an amazing difference. On my primary unit, closing the open ports takes less than a minute.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @Reality
    Cellphones seem to want to install their own USB drivers, and a whole lot more. It would be so easy to compromise a PC with one just by plugging it in. Considering how easily they're compromised, they're an ideal malware delivery mechanism.
    A few possibilities come to mind, none of which are in the user's interest. Possibilities include everything from DRM to weaponizing the cellphone.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @KeyPer4Life
    On the XP test unit, I used Inctrl5 to log all of the changes each step and utility made to the system. It will be interesting to compare your list to the changes on my system. I'll try to get those compiled into a post as soon as I have time. IMO, the method used isn't that important. It's the results that matter.

    It would also be useful to start compiling a list of services that are unneeded, especially if we include those needed for laptops and wireless usage. I was thinking about the Privazer and Last Activity View threads and the stored data they access and reveal. It could be useful to find all of the mechanisms Windows uses to create and store this data, then determine the best ways to eliminate the problem at its source.
     
  9. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    I didn't most likely capture all the changes, but will see if I can come up with more info when setting up for testing.
    The Windows Services (not including 3rd party apps that run as a service) needed to run currently on my system
    is below a dozen, but probably could be reduced more if needed.
     
  10. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    DCOMbobulator mentions that TCP port 135, if open, could be from having the Windows Task Scheduler and
    Distributed Transaction Coordinator services running.
    Both are not running on my system. Still have a copy of "LastActivityView" and tried unsuccessfully
    to write an SRP to the specific shellbag keys which Windows writes to. Shows up in
    LastActivityView as "view folder in explorer". Can clean out pretty much everything, but it comes right back
    since I'm not getting to the source. Don't want to remove some entries though either. Any ideas?

    ShellBag AnalyZer app?
     
    Last edited: Apr 25, 2015
  11. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    @marzametal - thanks for the link. I've only had time to skim through, but lots of interesting reading there for those who want to go to/stay on 7, for better or worse.
    @KeyPer4Life - thanks.

    It would be brilliant if we could have such a breakdown on this. For Services, most of us would be familiar with Blackvipers tutorials, but I don't know whether he had/has privacy/security in mind so much as just making for a leaner system. I don't recall him specifically dealing with how Services use ports, though he does mention a bit about dependencies, which are a rabbit warren for sure. Before I knew of Privazer and Last Activity View, I didn't even know about shellbags. It really makes you wonder how many secret/hidden layers there are going on under the hood. Finding and dealing with all the mechanisms sure would be useful, but it would be a mammoth task no?

    As for wireless, for a number of reasons I don't like it. I wouldn't be averse to snuffing out anything I could disable/uninstall/physically rip out of my desktop computer. That said, inside a year ago I bought a wireless mouse. What was I thinking? :( Thankfully the thing looks like it's about to die so I've replaced it with a wired one.
     
  12. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    According to the GRC scan, whilst connected to my ISP... all ports are stealth. After connection is made to VPN, some ports are opened up. I brought this lil' tidbit up with the VPN tech staff. They told me not to worry about it since the ports are open on their side, not mine. Their data center would have to be compromised for anything to happen. (...and they don't track customer details, so it'll be a needle in a haystack to figure out which one is me since one VPN outlet can have many users connected).

    In regards to the disabled services, I have a system backup ready prior to disabling of services (just in case). I must admit, no dramas have been encountered so far. Prior to the latest news about SMB flaw, I had all green on the checkerboard (all stealth).

    Damnit! I STILL have my wireless mouse... I have been procrastinating, come on... get off my (_o_) and buy a wired one!
    In regards to services, I'd recommend setting up your system to complete status before tinkering... that way, everything you want is already installed and tweaked before you start reducing running services... the only goal I had in mind when playing around with the services and firewall rules was to minimise my outbound connection log to zero entries. (unless a rule is not matched)
     
    Last edited: Apr 25, 2015
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    On my test unit, the scheduler is running. MSDTC is set to manual, apparently its default setting. Neither appears to have any effect on port 135, at least on this unit. I haven't run any scheduled tasks through it to see if it affected the results. For the most part, I don't use a task scheduler. On the few units that I have, I use Splinterware's scheduler. Even their free version puts the Windows task scheduler to shame.
     
  14. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    Windows Services - Remote Access Auto Connection Manager and Telephony. (manual or disabled?)

    RasAuto (RAACM)
    TapiSrv (Telephony)

    Telephony Service (default startup manual)
    Dependencies: Plug and play, RPC, Fax, Remote Access Connection Manager, Remote Access Auto Connection Manager

    Remote Access Auto Connection Manager (default startup manual)
    Dependencies: Remote Access Connection Manager, Telephony, Plug and Play, RPC
     
    Last edited: Apr 25, 2015
  15. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Disable both... well, most with the word Remote in it... such as Remote Registry etc...

    I might look into this.. always looking for nifty lil' apps that put Windows to shame...
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    In addition to scheduled tasks, it can do popup reminders. It can check for the presence or absence of specific windows or processes on specified intervals and perform actions based on the results. It can send keystrokes and mouseclicks as part of the command line for scheduled tasks. That ability alone opens up all kinds of possibilities, especially with applications whose interfaces were not designed to be navigated with a keyboard.
    Do not include Remote Procedure Call in that list. This can't be disabled.
     
  17. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Touché! Thanks for bringing this up...
     
  18. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    Kerio doesn't turn off the built-in Windows firewall so I did that manually. Newer firewalls do that automatically.
    Heard mixed advice on Windows Firewall (ICS) service. Do I leave it running or turn it off? Currently it is running.
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Some very good advice & info & apps being given on how to better secure your comp. Interestingly a lot of this is what a number of us have been doing for years. But there is no harm on rehashing for the benefit of others.

    Amongst the apps I've been using for about 10 years on my XP are DCOMbob.exe, UnPnP.exe, XPdite.exe, shootthemessenger.exe, wwdc.exe, BugOff.exe, dsostop2.exe, htastop.exe, sdefend.exe, SafeXP.exe, xp-AntiSpy.exe, and Seconfig XP.

    seconfigXP.png

    stat.png

    See the Seconfig XP.txt for more info & explanations of All it can do

    Some of the options in the above apps do the same or similar things, but not all. It's worth trying to locate them & see what you can achieve!
     

    Last edited: Apr 25, 2015
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @KeyPer4Life
    On my last physical XP system, I had the firewall and ICS disabled. On the current virtual system, I haven't got that far.
     
    Last edited: Apr 26, 2015
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Haven't seen a few of those in a while. For HTAs, I use the old Script Sentry from Jason's Toolbox. It wasn't that long ago that HTAs were quite good for hijacking PCs. If I recall, HTAs used to be run as trusted by default, as was anything they downloaded. Script Sentry dealt with them by making itself the default handler for them. It would enable you to view them in Notepad before deciding if you wanted to run them. It's quite handy if you use the Windows Scripting Host but don't want it to run every script it sees. With Script Sentry, you could whitelist individual scripts. If I recall, Script Defender is quite similar.
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Another tweaking/configuring utility with a lot of options is X-Setup Pro. If I recall, version 6.6 is the last one that's free. Its only downside is that it's quite large for such a utility, over 10MB installed.
     
  23. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    When I set Windows Firewall (ICS) service to manual and reboot machine I get a popup message on
    the logon screen.
    Windows - Fatal Application Exit. Kerio Personal Firewall Driver: Unable to attach ' TCP '
    Checked Kerio firewall status and sure enough only PFWAMIN.EXE is listed. Started ICS service (automatic)
    and it solved the issue.
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There appears to be more involved here. On 2 different virtual test units, both XP-Pro-SP3, I've tried both the manual and disabled settings for the firewall/ICS service. One test unit uses a static IP. The other is DHCP assigned. So far, I can't recreate that error. Kerio is working properly on both units regardless of how that service is configured.
     
  25. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I just finished another attempt on another virtual SP3 system. Except for a few display settings, this one is default settings throughout. We need to determine what is different between your test unit and mine. Do you have updates after SP3 installed? Any other optional features or components? Wireless? It's entirely possible that this difference is due to a post SP3 update that involves the firewall or security center.
     