How can I lock down my ports?

Discussion in 'other firewalls' started by vei9, Mar 10, 2013.

Thread Status:
Not open for further replies.
  1. vei9

    vei9 Registered Member

    Joined:
    Mar 10, 2013
    Posts:
    22
    Location:
    usa
    Hi all, first post, great forum you have here... I'm sure I will enjoy it.

    I want to lock down my ports via firewall. I have Windows firewall and it has a bunch of pre-set rules that make me go :eek: when I look through them all.

    There are SO MANY port designations, that when I try to look through all these rules, I get confused because of all the protocols I am not familiar with. And so I'm not sure whether I should allow or disallow some of the connections that are inbound and outbound.

    I don't really use that many services on this PC so I'm tempted to block more than allow. My question is, where, if at all, can I find an easy way to lock down the open ports and also understand what the heck I am doing?

    I occasionally run netstat -a in CMD to see all the open connections, perhaps this is the best way to start? What do you guys do to secure your ports? Have you run into problems when you did it on your own and accidentally blocked stuff you didn't want blocked?

    Thanks all.....:D
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I assume you mean you want to close them at the OS level, so that even if say your router/FW failed for some reason, the ports would already be closed? I approach it the same way.

    First off disable any services you don't absolutely need, to stop them from hanging open or listening in on any ports associated with them. A Web Scanning component on a real-time AV will listen in on ports too, which is why I'm not a fan of them. "netstat -an" is a great command to check for open ports indeed. On XP, ports 135 & 445 are two that are tricky to close completely, but you can with registry tweaks. You should be able to find out how via your trusty search engine. On newer OSes, your mission will be much harder and perhaps unobtainable. But on XP Pro SP3 I've managed to close all of mine while retaining perfect internet connectivity. When I do that netstat -an command I have a blank list staring back at me when my box is in idle. This is perhaps the best indicator of keeping a tiny attack surface. With no open ports and no apps/processes (potentially vulnerable or otherwise) listening in to piggy-back onto, a would-be exploit can't do a whole lot. Especially with your internet facing apps sandboxed as well, and hardware DEP (and perhaps more) backing it.

    I believe in locking down your OS as much as possible before throwing on the security software. Make their jobs easier, even render them moot in some cases. It saves overhead and just makes me sleep better.
     
  4. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
  5. vei9

    vei9 Registered Member

    Joined:
    Mar 10, 2013
    Posts:
    22
    Location:
    usa
    Wow, thanks!!! You have given me a lot to think about! :thumb: However, I do get hung up on the services I don't need. I just worry I could disable something without really knowing what it is and then losing functionality and feeling like o_O and then o_O and then :mad: . Heh, it's not good, I get too frustrated at times. But you have some great advice.
     
  6. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    Not sure if you found this already, but in case others have the same, for convenience, here is a link to a site often mentioned on WSF...

    http://www.blackviper.com/
     
  7. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    The simplest solution, though not the cheapest, is to get a router. With a hardware firewall you do not really need a software firewall for inbound. And malware cannot touch it, mostly. Another alternative is to get "a better" firewall like free Private Firewall, since Win firewall, like all Microsoft apps, likes to auto allow (make choices) for a user.
    Not very suitable for Windows 7/8 (bad detection), only for XP, it can cause problems, like disabling DCOM (port 135) will disable Task Scheduler service.
     
  8. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    I understand that 99% feel that a router and Windows Vista/7/8 Firewall is enough on a desktop. What about for wifi on a laptop? Enable outbound protection or go with a 3rd party firewall?
     
  9. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
  10. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    253
    Location:
    router