Let's say that I don't have a firewall, and I don't
want sasser to get me.

Is there any way to close port 445 in win xp?

--
+----------------> Jason Wade <----------------+
| (E-Mail Removed) |
| "Swen, Bagle, come, come, come." |
| "Destroying viruses, 'til there're none." |

On Wed, 05 May 2004 21:51:33 GMT, Jason Wade
<savon1414_050404+(E-Mail Removed)> wrote:

>Let's say that I don't have a firewall, and I don't
>want sasser to get me.
>
>Is there any way to close port 445 in win xp?

See the links on my network page. To make it easy, use the WWDC.EXE
utility:

http://perso.wanadoo.fr/jugesoftware...r/eng/wwdc.htm


Art
http://www.epix.net/~artnpeg

On Wed, 05 May 2004 18:12:21 -0500, null wrote:

> On Wed, 05 May 2004 21:51:33 GMT, Jason Wade
> <savon1414_050404+(E-Mail Removed)> wrote:
>
>>Let's say that I don't have a firewall, and I don't
>>want sasser to get me.
>>
>>Is there any way to close port 445 in win xp?
>
> See the links on my network page. To make it easy, use the WWDC.EXE
> utility:
>
> http://perso.wanadoo.fr/jugesoftware...r/eng/wwdc.htm
>
>
> Art
> http://www.epix.net/~artnpeg

I don't want to download any programs to close these ports.

According to that page, port 445 is used by the RPC Locator.
If I disable that service, then port 445 will close, right?

(I'm not on a winxp system right now, so I can't test it.)

--
+----------------> Jason Wade <----------------+
| (E-Mail Removed) |
| "Swen, Bagle, come, come, come." |
| "Destroying viruses, 'til there're none." |

On 05/05/2004 20:59, Jason Wade wrote:
> On Wed, 05 May 2004 18:12:21 -0500, null wrote:
>
>
>>On Wed, 05 May 2004 21:51:33 GMT, Jason Wade
>><savon1414_050404+(E-Mail Removed)> wrote:
>>
>>
>>>Let's say that I don't have a firewall, and I don't
>>>want sasser to get me.
>>>
>>>Is there any way to close port 445 in win xp?
>>
>>See the links on my network page. To make it easy, use the WWDC.EXE
>>utility:
>>
>>http://perso.wanadoo.fr/jugesoftware...r/eng/wwdc.htm
>>
>>
>>Art
>>http://www.epix.net/~artnpeg
>
>
> I don't want to download any programs to close these ports.
>
> According to that page, port 445 is used by the RPC Locator.
> If I disable that service, then port 445 will close, right?
>
> (I'm not on a winxp system right now, so I can't test it.)
>

Will PCs with WinXP (not patched with MS updates) and not firewalled but
behind a router running NAT be infected by SASSER or its varients?

Thank you for your info!!

--
**************************************************************************
Stephen Lo, Vancouver, BC., CA.

On Wed, 05 May 2004 22:59:40 -0500, Jason Wade wrote:

> [ snippedy ] port 445 is used by the RPC Locator. If I disable that
> service, then port 445 will close, right?
>
>
Google is my friend:

http://www.petri.co.il/what_is_port_445_in_w2kxp.htm

Tcp/445 is used by netbios over tcp/ip.

This is what the instructions say to disable that port:

<quote>
How to disable port 445?

You can easily disable port 445 on your computer. To do so follow these
instructions:

1.

Start Registry Editor (Regedit.exe).
2.

Locate the following key in the registry:

HKLM\System\CurrentControlSet\
Services\NetBT\Parameters

3.

In the right-hand side of the window find an option called
TransportBindName.
4.

Double click that value, and then delete the default value, thus
giving it a blank value.

4.

Close the registry editor.
5.

Reboot your computer.

After rebooting open a command prompt and in it type

netstat -an

See that your computer no longer listens to port 445.
</quote>

I'd like some winxp guru to tell me that this works and is
not harmful to the computer.

"losl(removethis)" <"losl(removethis)"@canada.com> wrote in
news:(E-Mail Removed):

> On 05/05/2004 20:59, Jason Wade wrote:
>> On Wed, 05 May 2004 18:12:21 -0500, null wrote:
>>
>>
>>>On Wed, 05 May 2004 21:51:33 GMT, Jason Wade
>>><savon1414_050404+(E-Mail Removed)> wrote:
>>>
>>>
>>>>Let's say that I don't have a firewall, and I don't
>>>>want sasser to get me.
>>>>
>>>>Is there any way to close port 445 in win xp?
>>>
>>>See the links on my network page. To make it easy, use the WWDC.EXE
>>>utility:
>>>
>>>http://perso.wanadoo.fr/jugesoftware...r/eng/wwdc.htm
>>>
>>>
>>>Art
>>>http://www.epix.net/~artnpeg
>>
>>
>> I don't want to download any programs to close these ports.
>>
>> According to that page, port 445 is used by the RPC Locator.
>> If I disable that service, then port 445 will close, right?
>>
>> (I'm not on a winxp system right now, so I can't test it.)
>>
>
> Will PCs with WinXP (not patched with MS updates) and not firewalled but
> behind a router running NAT be infected by SASSER or its varients?
>
> Thank you for your info!!
>

A machine setting behind a NAT router will have port 445 closed by default
to the public Internet. The router stops unsolicited inbound traffic to the
machines from the Internet. Port 445 is mainly used for file sharing
between NT based O/S(s) such as Win 2K, XP, and 2K3 on the LAN behind the
router.

So if you have placed a machine into the DMZ of the router with file
sharing active on the machine and not firewalled or you have opened port
445 to the public Internet by doing port forwarding or triggering to map
port 445 to an IP/machine, then that's trouble. Otherwise, I think you're
pretty safe behind the router.

However, you should apply all MS Critical Security patches to the machine
ASAP.

Duane

On Thu, 06 May 2004 03:59:40 GMT, Jason Wade
<savon1414_050404+(E-Mail Removed)> wrote:

>On Wed, 05 May 2004 18:12:21 -0500, null wrote:
>
>> On Wed, 05 May 2004 21:51:33 GMT, Jason Wade
>> <savon1414_050404+(E-Mail Removed)> wrote:
>>
>>>Let's say that I don't have a firewall, and I don't
>>>want sasser to get me.
>>>
>>>Is there any way to close port 445 in win xp?
>>
>> See the links on my network page. To make it easy, use the WWDC.EXE
>> utility:

>I don't want to download any programs to close these ports.
>
>According to that page, port 445 is used by the RPC Locator.
>If I disable that service, then port 445 will close, right?

Yes. And Marchand details how to shut down many other services and
close other ports as well:

http://www.hsc.fr/ressources/breves/...win.en.html.en

Since I don't use 2K/XP I can't test any of this. I'm interested in
hearing how 2K/XP users make out using WWDC.EXE. Why not do it the
easy way if it works?


Art
http://www.epix.net/~artnpeg

On Thu, 06 May 2004 11:57:07 GMT, (E-Mail Removed) wrote:

>>According to that page, port 445 is used by the RPC Locator.
>>If I disable that service, then port 445 will close, right?
>
>Yes. And Marchand details how to shut down many other services and
>close other ports as well:
>
>http://www.hsc.fr/ressources/breves/...win.en.html.en
>
>Since I don't use 2K/XP I can't test any of this. I'm interested in
>hearing how 2K/XP users make out using WWDC.EXE. Why not do it the
>easy way if it works?

BTW, I just saw on alt.comp,freeware that some guy hosed his Win 2K
system using the WWDC.EXE utility. Seems most users of Win 2K/XP are
stuck with having to use a firewall. I've heard that manually shutting
down services can lead to deep doodoo as well if you're not an expert.


Art
http://www.epix.net/~artnpeg

On Thu, 06 May 2004 12:06:55 -0500, TJ Campana [MSFT] wrote:

> So basically you want to disable RPC on you PC? Why?

To protect against current and future rpc exploits.

> There are many
> items that use RPC, like Outlook when connecting to and Exchange Server,
> Netlogon, AD Replication and management, etc. In short, stopping RPC is
> a bad idea and you actually will not be able to do it on 2000 or XP from
> the Services Manager.
>
> RPC can use the End Point Mapper Port 135, or Named Pipes Ports 139 or
> 445 so if your intention is to block RPC then you will have to block all
> those ports.

But viruses are sometimes very specific. For example, sasser only
goes in through 445.

>
> I would suggest that you use other methods to secure your environment
> other than disabling important services that many applications rely on.
> Enable a firewall on the network to protect you from outside
> penetration.

done

> Patch all systems with the latest Critical Updates using
> Windows Update or Microsoft Software Update Service (both FREE),

done

> and if
> computer to computer security is important enable IPSec traffic
> filtering between you systems.
>
> How to Block Specific Network Protocols and Ports by Using IPSec
> http://support.microsoft.com/?id=813878
>
> T.J. Campana [MSFT]
> Microsoft EPS Security

Just in case I did the patch wrong, and the fw goes down
I want the system to be safe. Somebody here said, "paranoia comes
from experience and is not necessarily a bad thing."

I see that several services use port 445 in winxp: rpc locator,
netbios over tcp/ip, and others.

What if I disable the rpc locator in the services manager and
disable netbios over tcp/ip for the internet connection?

Port 445 would still be open, but maybe the exploit that
sasser uses would be closed.

IOW, I'm asking what subservice of port 445 does sasser exploit
that I can safely disable?

--
+----------------> Jason Wade <----------------+
| (E-Mail Removed) |
| "Swen, Bagle, come, come, come." |
| "Destroying viruses, 'til there're none." |

<snip>

> Just in case I did the patch wrong, and the fw goes down
> I want the system to be safe. Somebody here said, "paranoia comes
> from experience and is not necessarily a bad thing."
>
> I see that several services use port 445 in winxp: rpc locator,
> netbios over tcp/ip, and others.
>
> What if I disable the rpc locator in the services manager and
> disable netbios over tcp/ip for the internet connection?
>
> Port 445 would still be open, but maybe the exploit that
> sasser uses would be closed.
>
> IOW, I'm asking what subservice of port 445 does sasser exploit
> that I can safely disable?
>
> --
> +----------------> Jason Wade <----------------+
> | (E-Mail Removed) |
> | "Swen, Bagle, come, come, come." |
> | "Destroying viruses, 'til there're none." |
>

No don't disable that service I'm no expert but from what I've read the
serve us rather important.




http://www.blackviper.com/WinXP/service411.htm#Remote_Procedure_Call_(RPC)

http://www.blackviper.com/WIN2K/win2kservice411.htm#Remote_Procedure_Call_(RPC)