W2K and Port135

Hello guys; hope everyone is doing fine... Best wishes to all - may 2003 bring peace and (at least)some happiness to all this board's admins, members and visitors...

A friend of mine has just bought a computer running on Windows 2000. W2K looks great, and I decided to take a tour on pcflank's testing site to see if the Norton PF on the machine was performing well.

I ran the quick test which showed port135 to be open. I then checked the pcflank's ports database to get some details, and this port seems to be used by 'DCE Locator / Sun RPC Portmapper".

I don't have any idea what it may be, perhaps some W2K feature which can be deactivated - if so how should I go about it ? Or is it a defect in the Norton firewall's defence system ? I know NPF may not be as excellent as KPF or LnS or Outpost or Sygate, but I don't have the heart to leave my pal's Registry messed up after deinstallation if I can somehow solve this Port135 problem in some other way...

Can anyone help ?

Rgds, Crockett

 

I have never been able to kill port 135 on Win2k and keep my computer alive.
I make it a standard practice to block local ports 135-139, TCP and UDP in and out period.
You can search for DCOM, and port 135, on google and M$ and get all kinds of information, that has never helped me a bit.

 

Hi Root, thanks

Well, I guess I'll have to switch firewalls on the machine after all, since I ain't even sure blocking specific ports can be manually done on Norton PF... Stopped using it a long time ago.

See you later, and hope everything's fine with you.

Take care,

Crockett

 

Hi Crockett

Blocking specific ports/services can be done quite easily with NPF and port 135 inbound is usually blocked by default. Make sure your friend has security set to high. Then go in to the system wide portion of the rule set and check for a rule that will block inbound traffic to service/port 135. If there is not one there, you can easily create it. If you need spefic help with this feel free to ask and let me know which version of NIS/NPF your friend is running.

Regards,
CrazyM

 

Hello CrazyM; sorry for being late...

Thanks for the tip. I'll try to do as you suggested. Can't remember what the exact version is, I think it's NIS 2002 but I'll have to check it out.

I remember ATGuard's rules could be accessed and updated manually - I guess it still can be done on the Norton/Symantec versions and that it may be what you're referring to...

I'll come back and report on this as soon as I can.

Rgds, Crockett

 

Hello again

CrazyM, I installed on my own pc a 2001 version of Norton Internet Security Family Edition to see how I could add/create firewall rules individually... I couldn't find the place to start...

How should I go about it ?

Thanks,

Crockett

 

Hi Crockett

With NIS2001, which I believe is v2.x, you should find your rules under advanced settings - firewall tab (unlike later versions which have the rules split into different sections). That is where you can manually add and/or customize existing rules.

For some suggestions/ideas on customizing rules to get you started...

Customizing Rules

System Wide
Global Permit/Block
Application
Final Block

For specific help I would suggest posting in the Other Firewalls Forum and we can take it from there.

Regards,
CrazyM

 

Hi CrazyM;

I finally managed to edit and create new firewall rules on NIS which, I must say, seems to run pretty well on my pal's win2k-equipped pc.

Thanks for your precious help...

Rgds, Crockett

 

Hi Crockett

Glad to hear all is going well with NIS. Here are some very useful utilities you might want to look at.

AtGuardNISrules

Log Viewer

Regards,
CrazyM

 

I managed to kill port 135 on win2k. But it broke my computer badly (broke copy and paste functions in IE for example), took me awhile to recover even with various emergency boot disks.

Altough it is cool to do a netstat -an and see no listening ports, I woudnt recommend it..

 

Hi JayK

What do you mean by 'killing port 135' ? Which operation did you submit the OS to ?

Do you mean you firewall-blocked the port just as Root suggested ? I hallucinate you probably didn't use a firewall since your signature-quotation suggests you don't use any ?! ("I need no stinking firewalls")

Regards, Crockett

 

Basically on WIn2k if you can close the RPC service, you will find that Win2k will not be listening on TCP 135. See

http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html.fr
.if you want to try, but it was far too advanced for me (which isnt saying much since I'm a beginner). I managed to do it, but with adverse effects as noted before.

Still it was good to close all the other ports like TCP 445 which is yet another Win2k speciality similar to the netbios port. Ironically, I found that I don't need TCP 445 for file sharing.

>Do you mean you firewall-blocked the port just as Root suggested ?

Nope. I managed to closed the port. Firewalls are well and good, but if the firewall fails for some reason, you are vulnerable. Much better to make sure no application is listening on the port...

Of course that doesnt nothing for spyware calling out, but you can't have anything.

>I hallucinate you probably didn't use a firewall since your signature-quotation suggests you don't use any ?! ("I need no stinking firewalls")

Actually I use a firewall on my own computer (which is inside a small LAN) and have a very complicated firewall rule set with about 400 filters, about 350+ are for outbound known spyware ips http://www.geocities.com/yosponge/ to go with it.

However, the computer running NAT is running with close to zero memory resident programs including NO firewalls,antivirus,anti-trojan,spyware guard etc mainly because other users would shut down whatever I ran because they felt it "slowed" then down. So I had to improvise.

Win2k's ipsec packet filtering function works almost (but not quite) as well as a normal personal firewall. And it's almost 100% transparent and many users generally have no clue that it is working or how to shut it down. Also serves as a nice second firewall [Defence in depth right?] that is only closed if windows is closed

http://www.analogx.com/contents/articles/ipsec.htm

Still it sucks that the most vulnerable computer on the network is the least protected....

 

Hi JayK;

Thanks for the specifics... Very interesting!

Rgds, Crockett

 

>Thanks for the specifics... Very interesting!

Actually I lied. No point telling the whole world, how secure (or not) you are right?