By: Arthur R. Kopp, Revision 1.0, 6-25-2005
Disabling unnecessary or unwanted services, a process sometimes called "hardening", is highly desirable for security purposes. Some users may wish to harden their system in order to avoid the need for a firewall. In other cases, a user may wish to perform a temporary hardening in order to safely access the internet for the first time after installing Windows; updates, patches, and security software can then be downloaded. This article describes a hardening method for Windows 2000 which doesn't require downloading anything from the internet.
The ports I found on a new install that required closing include the NetBIOS (file and printer sharing) group, ports 137, 138 and 139, with the associated (on this system) port 445. Also, DCOM port 135 must be closed.
The instructions here are aimed at power users who aren't afraid to alter the registry, and who know enough to back it up before making changes. The changes made are reversible, of course. If at a later time you wish to enable file and printer sharing with other computers on your local network, there is a free utility named wwdc.exe (Windows Worms Doors Cleaner) available which will do much of the reversal automatically:
http://www.firewallleaktester.com/wwdc.htm
The NetBios group of ports
------------------------------------
From the desktop, select Start - Settings - Network and Dial-up Connections. Depending on how many network adapters you have installed, there may be several Local Area Connection items. Start with your primary hardware adapter. In my case it's an Ethernet adapter as shown below:

Double click on this item and select Properties. Uninstall everything except Internet Protocol (TCP/IP); on a default install that means removing Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks, the two components that use the NetBIOS ports.
Select the Sharing tab and uncheck "Enable Internet connection sharing for this connection". Click "OK".
Right click on the Local Area Connection item again and select "Properties". Select Internet Protocol (TCP/IP) and click "Properties" again.
Then select "Advanced". Click on the WINS tab. Select "Disable NetBIOS over TCP/IP".

Click "OK". There is no need to reboot at this point. Just hit Cancel if prompted.
Check your other adapters (Local Area Connections) to make sure their settings are identical to the new settings of this first adapter.
Port 445
-----------
Port 445 is SMB hosted directly on TCP, without NetBIOS, so disabling NetBIOS over TCP/IP alone does not close it. The binding is controlled by the NetBT driver's TransportBindName value.
From the desktop select Start - Run and type regedit
Find the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBt\Parameters
Double click on the item TransportBindName. Make a note of the existing Value Data string (the default is \Device\) for possible future reversal purposes, then remove it, leaving the value blank.

Exit the registry editor.
Port 135
-----------
From the desktop, select Start - Run
Type: c:\winnt\System32\Dcomcnfg.exe (c:\winnt is the default Windows 2000 system folder)
Select the "Default Properties" tab
Uncheck "Enable Distributed COM on this computer"
Select the "Default Protocols" tab
Remove any protocols listed, leaving the list blank.

Start the registry editor again and find the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
With Rpc highlighted, click on Edit at the upper left of the screen. Click on New and then select Key. You will see a key added under Rpc. Rename the key Internet (see screenshot below).
With that new key highlighted (as below), select Edit again. Click on New and then String Value. Enter the name UseInternetPorts. Then double-click on the newly created item UseInternetPorts and enter N for the Value data. It should appear as in this screenshot:

Note that reversal can be done simply by deleting the Internet key you added.
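The two registry edits described above (blanking TransportBindName for port 445 and adding Rpc\Internet\UseInternetPorts for port 135), together with their reversal, written out as .reg files. This is an added example, not part of the original article; the file names are my own. The dcomcnfg steps (unchecking Enable Distributed COM and clearing Default Protocols) are GUI changes in the article and are not reproduced here, so they still have to be done by hand. The \Device\ data in the revert file is the Windows 2000 default for TransportBindName.

```reg
Windows Registry Editor Version 5.00
; ==== file 1: harden-ports.reg (everything up to the next header line) ====
; Merge with:  regedit /s harden-ports.reg   (then reboot, as the article says)

; Port 445: NetBT binds SMB directly to TCP through TransportBindName.
; Blanking the value stops the 445 listener; the default data is "\Device\".
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"=""

; Port 135: the article's new Internet key under Rpc, UseInternetPorts = N.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet]
"UseInternetPorts"="N"


Windows Registry Editor Version 5.00
; ==== file 2: unharden-ports.reg (reverses both changes) ====

; Restore the default binding. Backslashes are doubled in .reg syntax,
; so "\\Device\\" here writes the string \Device\ into the registry.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"="\\Device\\"

; A leading minus deletes the whole key, which is the reversal the article describes.
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet]
```

Before merging the first file, export the key you are about to change so you have your own backup, for example `regedit /e netbt-backup.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"`; merging the backup later restores exactly what was there. Both files only take effect after a reboot.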
You are done. Exit the registry editor and reboot.
To check your work, open a command prompt (CMD.EXE) and type netstat -an immediately after booting up.
I've found that when working with a new install of Windows (no updates or patches), the result is empty. No ports appear at all. After updating to IE 6 I find a TCP port numbered just over 1024 LISTENING. Sometimes UDP port 68 will appear as well. These ports are not open. Immediately after hardening, it is ok to go ahead and install SP4 and all the critical security patches.
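The netstat -an check above, and the repeat of it recommended in the Warning section, is easy to get wrong by eye once a few entries appear. The script below is an added example (not code from the original article) that parses the text of netstat -an as Windows 2000/XP prints it, keeps only the sockets that accept unsolicited traffic (TCP entries in LISTENING state plus every bound UDP socket; an ESTABLISHED entry is just a connection you opened), and reports which of the article's ports are still open and which other listeners turned up. The two sample outputs are constructed, not captured from a real machine. Run it as `python netstat_audit.py ports.txt` on a saved `netstat -an > ports.txt`, which is the practical route on a Windows 2000 box with no modern Python; on a current Windows system it runs netstat itself.

```python
"""Audit `netstat -an` output against the ports this article closes."""
import re
import subprocess
import sys

# The ports the article closes, and the service behind each.
MUST_BE_CLOSED = {
    135: "RPC endpoint mapper (DCOM)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (file and printer sharing)",
    445: "SMB over TCP (direct hosting)",
}
# Listeners the article names as harmless or explains how to remove.
KNOWN_OTHER = {
    68: "DHCP client (UDP); bound, but reported closed by outside scanners",
    3372: "MS DTC (msdtc.exe); disable the Distributed Transaction Coordinator service",
}

# Matches "  TCP  0.0.0.0:135  0.0.0.0:0  LISTENING" and "  UDP  0.0.0.0:137  *:*"
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return [(proto, local_addr, port, state)] for each socket line.
    state is e.g. 'LISTENING' or 'ESTABLISHED' for TCP and '' for UDP."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, _foreign, state = m.groups()
            sockets.append((proto, addr, int(port), state or ""))
    return sockets


def exposed(sockets):
    """Sockets that will accept packets from the network: TCP listeners
    and all UDP bindings, as a sorted list of (proto, port)."""
    return sorted({(proto, port) for proto, _addr, port, state in sockets
                   if proto == "UDP" or state == "LISTENING"})


def audit(text):
    """Split the exposed sockets into (still_open, other_listeners)."""
    found = exposed(parse_netstat(text))
    still_open = [s for s in found if s[1] in MUST_BE_CLOSED]
    others = [s for s in found if s[1] not in MUST_BE_CLOSED]
    return still_open, others


def report(text):
    """One human-readable line per finding (returned, not only printed)."""
    still_open, others = audit(text)
    lines = []
    for proto, port in still_open:
        lines.append("FAIL %s %d still open: %s" % (proto, port, MUST_BE_CLOSED[port]))
    for proto, port in others:
        why = KNOWN_OTHER.get(port, "unexpected; identify the service and disable it")
        lines.append("NOTE %s %d listening: %s" % (proto, port, why))
    return lines or ["OK   no exposed sockets"]


# Constructed sample output (not captured from a real machine): a fresh
# install before hardening, and the same box after hardening and patching.
SAMPLE_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1040       64.233.160.1:80        ESTABLISHED
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
  UDP    0.0.0.0:445            *:*
"""
SAMPLE_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:68             *:*
"""


def main(argv):
    if len(argv) > 1:                       # saved output: netstat -an > ports.txt
        with open(argv[1]) as f:
            text = f.read()
    elif sys.platform == "win32":           # live check on a current Windows system
        text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    else:                                   # elsewhere, demonstrate on the sample
        text = SAMPLE_BEFORE
    for line in report(text):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Anything reported as FAIL means one of the steps above did not take (or was undone by something you installed); a NOTE for an unfamiliar port is the cue to find the owning service, as the Appendix does for 3372.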
You can verify that all ports are closed by going on the internet, and using web sites which offer port scanning services. Here are a few links:
http://scan.sygatetech.com/
http://www.pcflank.com/
https://www.grc.com/x/ne.dll?bh0bkyd2
Don't be concerned with the firewall promotional propaganda you'll find. As long as all ports test as closed, you are ok; bear in mind that these services probe a limited set of ports from the outside, so keep the netstat -an check as the complete picture of what is listening. I've been connected to the internet for typically twelve hours per day via DSL service for years with no firewall or router and never experienced any problems.
Warning!
Prevention of viruses and other malicious code involves far more than just hardening internet ports. Be aware that if you allow malicious code to run on your computer, it can do practically anything, including modifying the registry and settings. In addition to backing up all your data, it's wise to do periodic checks. In the context of this article, one simple check is the netstat -an test to make sure nothing you've installed has modified the work you have done here. Make sure to do this check after a Windows Update, or after installing any new Windows services. Please see the Appendix for an example of closing port 3372 if necessary. And avoid installing IIS. The second Reference URL below, an article by Marchand, will give you clues on disabling other services and closing other ports.
References:
http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm
http://www.hsc.fr./ressources/breves/min_srv_res_win.en.html
http://www.nacs.uci.edu/windows/DefaultPortsforWindows2000.html
Appendix:
The procedure below, a particular example of closing port 3372, also serves to illustrate how to disable unwanted services in general.
Let's say that the netstat -an result shows TCP port 3372 LISTENING. This more than likely indicates that, for whatever reason, the Microsoft Distributed Transaction Coordinator (MSDTC) has been activated and msdtc.exe is running. To close the port, do the following:
Start - Settings - Control Panel -Administrative Tools
Select Services
Find Distributed Transaction Coordinator and right click on it. Select Properties
Under the General tab find Startup Type
Set to Disabled. Click OK and reboot.
It's a good idea to disable services you're not using in order to further harden the OS and lighten the load on available resources. For example, if you don't use Fax, disable it. Similarly, Telnet can be disabled. Broadband (non-dial-up) users can safely disable Telephony. If your computer has no printer installed, the Print Spooler can be disabled. If you prefer to do Windows updates periodically when you do maintenance and backups, there's no reason to have Automatic Updates enabled. I don't use Task Scheduler, and I disable it as well.
There are several other items that I've disabled, such as TCP/IP NetBIOS Helper Services, Net Meeting Remote Desktop Sharing, Remote Access Auto Connection Manager, Remote Access Connection Manager, and Remote Registry Service.
Windows ME and XP have a convenient startup control program called MSCONFIG. I recommend downloading the XP version: http://www.perfectdrivers.com/howto/msconfig.html
It works fine on Win 2K, and it makes the disabling of unwanted startup items very convenient. Use its Selective Startup mode. The program can be placed in any folder.
Note: Revision 1 consists of the addition of the last three paragraphs in the Appendix.