TCP port 135

**WayuU** · March 7th, 2004, 01:09 PM

Posted: Sun Mar 07, 2004 12:21 pm
Post subject: TCP port 135

I wonder if anyone here can tell me what else I need to do to close TCP
port 135 on XP Pro.

Task Scheduler is disabled (which closes 1025 completely).
DCOM ha been shut down to through Dcomcnfg.exe. Even checked in registry key
"EnableDCOM" and it's set to "N" now. So it's off.
Now, I've read that all that is left is to shut down is MSDTC. A bit
confused on how. Disabled it through Dcomcnfg.exe and the "Distributed
Transaction Service" is shut down (Can just as well be shut down through
Services MMC straight off, same thing). Reboot, and TCP port 135 is STILL
open when I scan for it with nmap from another computer.

I was on my way on renaming msdtc.exe file in both system32 and dllcache but
I'm a bit afraid to do that and test. Just might not get system running
again though it should be no problem.

Anyone knows what I'm missing to get TCP port 135 closed?

MsMittens has posted this link to closing the port:
http://www.security-forums.com/forum...pic.php?t=3300

But is there no other way, as aked in my above question?
(Don't like the idea of hexediting the dll)

***Relyt*** · March 7th, 2004, 01:40 PM

Good Day,

Did a quick search on www.google.com and there's tons of info about securing your 135. Here's a little program from grc.com that's only 29kb, that should do the trick.

"Microsoft's DCOM security patch leaves
DCOM running, open, and waiting for
the next malicious exploit."

"Our 29 kbyte "DCOMbobulator" allows any Windows user
to quickly check their system's DCOM vulnerability, then
simply shut down the unnecessary DCOM security risk. "

http://grc.com/dcom/

edit: Interesting for sure, I'll look some more. In the mean time a good packet dropping firewall should keep people from exploiting it. Seems you have been working on this for awhile: http://www.webservertalk.com/message103786-2.html ....

**WayuU** · March 7th, 2004, 01:57 PM

Thx for trying to help.

But no, there is actually no info at all by searching Google on the net. I've been searching all over for around 10 hours.
Bobulator does not close TCP port 135. Bobulator does exactly what I wrote I've done manually, that is just disable DCOM. Steve Gibson states himself that disabling DCOM, TaskScheduler and MSDTC will close down TCP port 135, which is what I've been trying, but when I close down all three my TCP port 135 stil remains open. Most info on the net is just 100 times copy of DCOM disabling info.

Thx tho

PS. No apps to fix system configurations. Hands on manual step by step procedure is what I need. Don't trust apps. Tho Steve's little Bobulator actually doesn't modify system or reg, unless you run the patcher.

***Relyt*** · March 7th, 2004, 02:53 PM

Here ya go Mate,

A step by step provided by a chap named Rodney from another forum:

http://www.security-forums.com/forum...8005&view=next

well i tried many ways to close it and last i got it.

1) run regedit.exe

2) goto HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
save ImagePath data.

3) restart the computer. it may take longer time to start, and it may give you some errors, & also it may change windows xp taskbar but this will return to normal after returning the ImagePath data (click the file you have exported) or you can pasting the data you saved.

4) you need hex editor to open this file
c:\windows\system32\rpcss.dll in hex,binary
find this number 1.3.5 in hex 31 00 33 00 35 in the file(this is the port number)

5) change this to 0.0.0 in hex 30 00 30 00 30 (port 0 does not exist)

6)run regedit.exe and goto HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs and
returning the ImagePath data (you can just click the file you have exported) or you can pasting the data you saved.

7)restart the computer

8)run netstat -a in cmd to check the port

RODNEY

**WayuU** · March 7th, 2004, 03:04 PM

hehe Relyt.
Read my last 4 lines in my main post

but thx again tho

***Relyt*** · March 7th, 2004, 04:09 PM

Krud guess I better learn to read. But since you don't what to use a hexedit procedure, I don't know if there is anyother way.

Edit: Keyword by HTR is "completely" , rats I didn't consider that...lol

***HTRegz*** · March 7th, 2004, 10:00 PM

Hey Hey,

So you want to do it without hexeditting eh... How about a lot of registry editting?

Source: DSLReports.com

Re: How do I..
Basically you can close the port but if you do
you are shutting a lot of functionality off...

Its also not an easy task to do....
I wrote up a breakdown on how to harden your system in kerio security forum once...

But only I just mentioned this since its a difficult process...I will include a similar breakdown here:

A secure system is one that doesn't advertise shares using netbios and closes ports 135-139 and port 445.
However you can skip Section 1, to try and avoid losing some functionality.

Section 1: Turning off Netbios

(Warning this will disable your ability to share anything.)
(If you truly need to share files,
consider running a ftp server such as raiden.)

Summary: Basically Disable all netbios drivers,
reboot, your ports should be closed.

How to do it:

1. First go into your services and turn off netbios helper. 2. Then go to my computer\hardware\Device Manager,
click on view, show hidden devices,
look for non-plug and play drivers,
then look for netbios, disable it..
3. Reboot, if no errors occurs..your set.
4. Go to a dos prompt, and double check,
to see if port 135 is closed.
Type: netstat -an.
5. If not go to Section 2.

(You should see ports 135-139 are missing and port 445,
is closed as well.)

Section 2: The hard way of closing port 135, you

1. Open regedt32
2. Export below keys into a backup reg file.
3. Change items below in registry.

Basically find:
HKLM\Software\Microsoft\OLE
Look for: EnableDCOM
Look for: EnableRemoteConnect
Change value from: Y to N
(If not present then add it.)
(Reg_SZ)

Then go to:
HKLM\Software\Microsoft\RPC\ClientProtocols
Look for: ncacn_ip_tcp
Look for: ncagd_ip_udp
Remove Them.
(Reg_SZ)

HKLM\Software\Microsoft\RPC\DCom Protocols
Look for: ncacn_ip_tcp
Remove It.
(Reg_Multi_SZ)

Section 3: Closing Port 445.

HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Look for: SMBDeviceEnabled
Change it to: 00000000
(If not present then add it.)

(To simplify some of it, copy below to a text file name it Dcom-Smboff.reg. Double click on file and it should make changes automatically remember this will not remove any of the ncacn reg entries those have to be done by hand.)

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"EnableRemoteConnect"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"SMBDeviceEnabled"=dword:00000000

If you perform all these steps this should turn off port 135 and 445, and stop remote users from running any programs.

Reply to this message if you have questions.

Hardened.

I haven't tried this, but the logic seems sound. You really do lose a LOT of functionality though. Say goodbye to file/print sharing. Good luck with your efforts.

Peace,
HT

PS: That took less than 3 minutes of searching on google using this search. It's the second result.

**WayuU** · March 7th, 2004, 10:21 PM

HTRegz:

Thx. Just great. Gonna test it and return with result tomorrow.

That "Completely" in your search was a word I never used. Closed is closed. Whats the diff between a closed door and completely closed door? ;P

Half of that editing I already did, so wasn't that far from the total

Thread: TCP port 135

Thread Tools

Display

TCP port 135

Posting Permissions