Tech Tip: This is how you disable DCOM & close down port 135

Marbles

Is port 135 flapping in the wind?

Possibly a security risk if your firewall is not blocking this port.
Even if your firewall is blocking this port, just the thought of this port
being left open by the Microsoft operating system annoys you and you would
like port 135 closed once and for all.

Check to see which ports are currently open. This is best done when you first
boot into Windows and have not connected to the net.

1) Open command prompt - Start > Run > cmd

2) Type in the following command:

netstat -an

-a this switch lists all listening ports
-n lists all addresses & ports in numerical order

You will see port 135 listening.

Note: Before making any registry changes or continuing with this procedure,
create a system restore point, back up your computer & export each registry
path before modifying any registry entries.


....This is how you disable DCOM & close port 135

Disable DCOM

1) Start Registry Editor - Start > Run > regedt32

2) Navigate to the following registry key

- HKEY_LOCAL_MACHINE \ Software \ Microsoft \ OLE

3) On the right side, select the item named EnableDCOM and modify
the value to N


This next step will close port 135

4) Open Registry Editor & navigate to this registry key

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Rpc

5) Right-click on & modify the value named DCOM Protocols

6) Under the Value Data, you will see values like
DCOM Protocols

Value Data:

ncacn_ip_tcp REG_SZ rpcrt4.dll
ncacn_nb_tcp REG_SZ rpcrt4.dll
ncacn_np REG_SZ rpcrt4.dll
ncacn_ip_udp REG_SZ rpcrt4.dll
ncacn_http REG_SZ rpcrt4.dll

Any value attached to DCOM Protocols is what keeps port 135 / epmap
(endpoint mapper) open.

7) Under Value Data highlight everything listed and DELETE all by using your
Delete key or your Backspace key.

DCOM Protocols

Value Data:



Click OK

All there should be is DCOM Protocols with no values.

8) Done with Registry Editor... exit or close Registry Editor

9) Open Control Panel > Administrative Tools > double-click Services

Disable the following services, since DCOM has also been disabled:


- COM+ Event System
- COM+ System Application
- System Event Notification

10) Finally, restart the computer...

For verification, when your computer has restarted open the command prompt.

Type netstat -an and for certain you will see port 135 closed.

Then you can celebrate... yippee!, dance around the room, scream out your
window... and say bye bye port 135!

Hope this has helped you in finally closing the pesky port 135.

Have a Good One
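The procedure above, as an added PowerShell example that is not part of the original post: it records what netstat shows before the change, exports both registry keys so the edit can be reverted with reg import, then applies the EnableDCOM, "DCOM Protocols" and service changes. Assumptions: it runs from an elevated prompt on the Windows XP era system the thread discusses, and the backup folder C:\HardenBackup and the function names are arbitrary. One caveat the post does not mention: on Windows Vista and later, WMI, Windows Update and most remote-management tooling depend on DCOM and the RPC endpoint mapper, so there this edit will break things, and blocking inbound TCP 135 at the firewall (which the replies in this thread recommend) is the supported control. Note also that netstat's -n switch prints addresses and ports numerically instead of resolving names; it does not sort them. Run the script with -WhatIf first to see what it would change without touching anything.

```powershell
# Added example, not from the original post. Applies the DCOM / port 135 change
# described above with the backups it asks for. Assumptions: elevated prompt,
# Windows XP era host, $BackupDir is an arbitrary folder. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BackupDir = 'C:\HardenBackup'
)

$OleKey   = 'HKLM:\SOFTWARE\Microsoft\OLE'
$RpcKey   = 'HKLM:\SOFTWARE\Microsoft\Rpc'
# Short names of the three services the post disables:
# COM+ Event System, COM+ System Application, System Event Notification.
$Services = 'EventSystem', 'COMSysApp', 'SENS'

# Refuse to run without admin rights instead of failing half way through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

function Get-ListeningTcpPort {
    # Parse "netstat -an" (present on every Windows version) for TCP listeners
    # on the requested ports. Matches both "0.0.0.0:135" and "[::]:135".
    param([int[]]$Port)
    netstat -an | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$Matches[1] }
    } | Where-Object { $Port -contains $_ } | Sort-Object -Unique
}

function Backup-RegistryKey {
    # reg.exe export wants the native HKLM\... path, not the HKLM:\ drive path.
    param([string]$Path, [string]$Label)
    $native = $Path -replace '^HKLM:\\', 'HKLM\'
    $file   = Join-Path $BackupDir ('{0}-{1:yyyyMMdd-HHmmss}.reg' -f $Label, (Get-Date))
    reg.exe export $native $file /y | Out-Null
    return $file   # revert later with: reg.exe import <file>
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step 2 of the post: what is listening before anything is touched.
$before = Get-ListeningTcpPort -Port 135
"Before the change, TCP 135 listening: $([bool]($before -contains 135))"

# The post's note: export each registry path before modifying it.
Backup-RegistryKey -Path $OleKey -Label 'OLE'
Backup-RegistryKey -Path $RpcKey -Label 'Rpc'

# Step 3: EnableDCOM is a REG_SZ holding Y or N.
if ($PSCmdlet.ShouldProcess($OleKey, 'Set EnableDCOM = N')) {
    Set-ItemProperty -Path $OleKey -Name 'EnableDCOM' -Value 'N' -Type String
}

# Steps 5-7: empty the REG_MULTI_SZ "DCOM Protocols" list (ncacn_ip_tcp, ...)
# so the endpoint mapper has no transport left to bind.
if ($PSCmdlet.ShouldProcess($RpcKey, 'Clear "DCOM Protocols"')) {
    Set-ItemProperty -Path $RpcKey -Name 'DCOM Protocols' -Value ([string[]]@()) -Type MultiString
}

# Step 9: disable the three COM+ related services.
foreach ($svc in $Services) {
    if ($PSCmdlet.ShouldProcess($svc, 'Set startup type to Disabled')) {
        Set-Service -Name $svc -StartupType Disabled
    }
}

'Reboot, then verify with:  Get-ListeningTcpPort -Port 135   (an empty result means closed)'
```

Keep the .reg files it writes: importing them and setting the three services back to their previous startup type is the whole rollback, which is more than a system restore point gives you on a server.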
 
Allan

Marbles said:
Is port 135 flapping in the wind?

Possibly a security risk if your firewall is not blocking this port.
Even if your firewall is blocking this port, just the thought of this port
being left open by the Microsoft operating system annoys you and you would
like port 135 closed once and for all.

< snip >
Thank you, but I thought the Windows XP SP2 firewall was already blocking
incoming connections; have you tried any security tests before making this
change? In other words, what does it buy you in terms of security? Have you
run "tcpdump" or another sniffer program to see what it was doing prior to
making this change?
 
David H. Lipman

From: "Marbles" <[email protected]>

| Is port 135 flapping in the wind ?
|
| Possibly being a security risk if your firewall is not blocking this port.
| Even if your firewall is blocking this port. Just the thought of this port
| being left open by the Microsoft operating system annoys you and you would
| like that port 135 closed once and for all
|
| Check to see what ports are currently open. This is best done when you first
| boot in to windows and have not connected to the net
|

< snip >

I use a Linksys BEFSR81 Cable/DSL Router which uses NAT translation and I specifically block
TCP/UDP ports 135 ~ 139 and 445 on the Router. Most, if not all, Cable/DSL Routers have
simplistic FireWall constructs. Therefore I have no problems and I need no modifications on
my LAN side nodes. :)
 
Marbles

Thank you for your replies. This post was meant for people who are interested
in closing that port. On numerous posting sites people have asked how to
close this port.

Just in case someone spots the post and is interested in doing so, the
solution is described.

Yes, I use a hardware-based firewall and it blocks ports. To tighten
security further I chose to close this port completely.

A router is a good first measure for security. Yes, in theory, a router, if
configured correctly, could be almost invulnerable. The key word is ALMOST.

So the question comes down to...

Do you rely on and hope that your router or firewall will be 100% reliable,
100% of the time?

Personally I think going the extra step for the long term is a proactive one,
in the manner of preventing it before it does or possibly could happen.

There have been some programs that will silently disable some parts of a
firewall. If a firewall is vulnerable, the same goes for a router.

Here's an article on port 135 - http://www.grc.com/port_135.htm - while you're
there, test your first 1056 ports by using Shields Up.

Thanks for your 2 nanobytes of feedback

Cheers
 
David H. Lipman

From: "Marbles" <[email protected]>

| Thank you for your replies. This post was meant for people who are interested
| in closing that port. On numerous posting sites people have asked how to
| close this port.
|
< snip >
|
| Here's an article on port 135 - http://www.grc.com/port_135.htm - while you're
| there, test your first 1056 ports by using Shields Up.
|
| Thanks for your 2 nanobytes of feedback
|
| Cheers

My last feedback -- don't rely on information on GRC, the scare monger.
Gibson made his money selling a program to change the interleave of MFM/RLL drives when
there were free alternatives.
Gibson is not an authoritative source for INFOSEC related information.

And yes, my BEFSRxx, with ports specifically being blocked, is 100% reliable.
 
Allan

David H. Lipman said:
My last feedback -- don't rely on information on GRC, the scare monger.

< snip >

And yes, my BEFSRxx, with ports specifically being blocked, is 100%
reliable.
Dave, I don't know if you are aware of the tweak to disable NetBIOS without
editing the Registry:
http://security.symantec.com/sscv6/...ie&venid=sym&plfid=23&pkj=VRZCCSCEFRQBCBZLSRZ
I checked my services and I already had the COM+ Sys App service disabled; I
believe most users with standalone PCs can safely disable this service.
(That is, even without disabling DCOM as per the OP's instructions).
Even after you disable NetBIOS as per the instructions on the Symantec
website, you cannot disable the NetBIOS service; it is still needed for
connectivity for some reason. You would still need to block ports 135-138 in
your router after making this tweak.
 
Marbles

Hello Fellas

GRC is a beginning source of security. Yes, there are many sources of info on
the net that can give you detailed info on security, starting at the Microsoft
web site. Lots of resources on making adjustments to your OS.

Does your router have the ability to detect programs that access the net and
also prevent programs' access as well?

....If not, or if so:

A simplified scenario for your router

In XP svchost by default accesses the net. The DHCP service is just one service
that is launched through the svchost process. Firewalls recognize this to be
a legit process and no blocking is performed unless you specifically block
svchost.

Whatever service is using svchost as a launch point will already have
access: a legit process, or a naughty program that incorporates its process
into part of svchost.

Then if a nasty service somehow got on your operating system, launching
itself through svchost, your router has just been compromised by this rogue
svchost service.

Router 99.98%... why, you ask?? 100% perfection to infinity is where we all
fall short, including technology.

Allan has the correct approach in how to constructively learn and make
adjustments to propel his learning process further.


An interesting discussion; have a good weekend, fellas!
 
Bruce Chambers

Marbles said:
Hello Fellas

GRC is a beginning source of security. .....Snipped


Actually, Gibson is considered by many to be a very poor source for
computer security advice. Gibson has been fooling a lot of people for
several years, now, so don't feel too bad about having believed him. He
mixes just enough facts in with his hysteria and hyperbole to be
plausible. Despicably, Gibson is assuming a presumably morally superior
pose as a White Knight out to rescue the poor, defenseless computer
user, all the while offering solutions that do no good whatsoever.


--

Bruce Chambers

Help us help you:
http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
 
David H. Lipman

From: "Marbles" <[email protected]>

| Hello Fellas
|
| GRC is a beginning source of security. Yes, there are many sources of info on
| the net that can give you detailed info on security, starting at the Microsoft
| web site. Lots of resources on making adjustments to your OS.
|
< snip >
|
| Then if a nasty service somehow got on your operating system, launching
| itself through svchost, your router has just been compromised by this rogue
| svchost service.
|
| Router 99.98%... why, you ask?? 100% perfection to infinity is where we all
| fall short, including technology.
|
< snip >

The problem with that scenario: you are already infected. I am more interested in keeping
hackers and I-worms (and some exploitation Trojans) from getting in.

Safe Hex is the *best* protection, backed up by anti-virus software.

The Router can't be "compromised". It can not be accessed from the WAN side and it runs
from ROM.

I don't believe in "tweaking" the OS. I believe in border protection and won't use
software-based FireWall applications.

Tweaking the OS can have negative side effects, as in breaking various OS communication
constructs.

Yes... This is a good discussion. :)
 
Marbles

Not necessarily that a computer has to be infected. All it takes is an
exploitation of the svchost process.

Routers are vulnerable. Proof: Cisco, one of the largest networking
suppliers, had a router compromised. If Cisco had an exploitation of a
router, then certainly Linksys, D-Link or any other router is vulnerable... it's
a thing called time & exploitation. Or a matter of time before some brainiac
discovers another exploitation of a router.

*******************************************************
The following link is presented for the purpose of evidence that routers can
be compromised. This information's intent is for evidence and not for the purpose
of leading others to do such acts of a malicious nature**

********************************************************
Cisco Router Exploitation

********** http://antionline.com/showthread.php?t=197482 **********

*********************************************************

Yes, I concur on your findings that shutting down services can negate the
function of the OS. Just be very careful about what you turn off. Never turn off
the Remote Procedure Call (RPC) service. It's the backbone for all the services.

*** Yes... This is a good discussion. :)**** Bingo, that's the ticket!***
 
David H. Lipman

From: "Marbles" <[email protected]>

| Not necessarily that a computer has to be infected. All it takes is an
| exploitation of the svchost process.
|
| Routers are vulnerable. Proof: Cisco, one of the largest networking
| suppliers, had a router compromised. If Cisco had an exploitation of a
| router, then certainly Linksys, D-Link or any other router is vulnerable... it's
| a thing called time & exploitation. Or a matter of time before some brainiac
| discovers another exploitation of a router.
|
< snip >

There are vulnerabilities in Routers.

Wireless Routers have the most propensity for vulnerability exploitation.
However, I steer away from wireless completely and only use/set wired Routers.

Here is a note on a BEFSR41 vulnerability that has long since been fixed.
http://seclists.org/isn/2002/Nov/0007.html

Note that this vulnerability stems from the LAN side, not the WAN side.

Which also proves that mitigation of vulnerability exploitation extends to hardware
appliances as well as the OS and all installed OS software and utilities.

As for true exploitation of a Router, it would have to come from the WAN side. If the Router
is locked down (such as disabling ICMP replies, disabling remote admin, disabling remote
update, etc.) then there is no access point to the Router from the WAN side and it would not
be a target.
 
Marbles

"I steer away from wireless completely and only use/set wired Routers"
....nice approach to stay clear of wireless.

"vulnerability stems from the LAN side" .... Yes, it's a good thing there was
a fix; excellent point about how hardware is vulnerable.

Yes, good measure on configuring your router's firmware... ICMP, admin, etc. By
doing so your router should be quite stealthy.

Here's a layered view of how a security filter configuration could propagate:

First layer of security ---- Router
Second layer of security --- Firewall & antivirus
Third layer of security ---- IPsec configuration
Fourth layer of security --- Group Policy permissions
Fifth layer of security ---- WinXP: some services that are not crucial or
needed can be turned off. Before doing so, know what the dependencies are and
what effect turning them off has on the OS, if any.
Sixth layer of security ---- TCP registry tweaks, starting with
( http://support.microsoft.com/kb/314053/ )

Could be layered in many ways
 
Allan

Allan said:
< snip >
Even after you disable NetBIOS as per the instructions on the Symantec
website, you cannot disable the NetBIOS service; it is still needed for
connectivity for some reason. You would still need to block ports 135-138
in your router after making this tweak.
To be more precise, you cannot disable the "TCP/IP NetBios Helper" service.
 
Marbles

Allan

Good article you posted from Symantec describing the simple method of
disabling NetBIOS.

"you cannot disable the NetBios service; it is still needed for connectivity
for some reason." - One reason for not entirely disabling NetBIOS is because
the DHCP service depends on NetBIOS to function. You would run into problems
renewing your IP address.

If you had a static IP issued to you by your ISP, then by manually entering
IP, subnet mask, gateway, DNS servers (primary and secondary) into the TCP/IP
properties you could entirely disable NetBIOS... that's if you're not file
sharing with other computers in your LAN or using UNC / named pipes to access
computers by their name.

IF you have a static IP and no need for sharing, the method for entirely
disabling NetBIOS would be as follows:

*******Create a System Restore Point before any configuration changes*********

Open your LAN connection, click Properties, uninstall the file and printer
sharing client

then click TCP/IP Properties

1) Enter static IP, subnet mask, gateway, DNS primary & secondary into the
TCP/IP property page from the LAN connection.

2) Start > Control Panel > double-click the System icon... this will open System
Properties... then click the Hardware tab and select Device Manager

3) In Device Manager, go to the View pull-down menu and select Show Hidden
Devices

4) Expand the Non-Plug and Play Drivers tree

5) Double-click NetBios over Tcpip

6) Click the Driver tab at the top of the properties page

7) Change Startup Type from System to Disabled, then click OK

8) Right-click on NetBios over Tcpip and select Disable

9) Since you have entered a static IP and all other server info, you can go
to Services and disable the DHCP Client service

10) Restart computer

This method should close 137-139

If you use this method it does work. End result WILL close & disable NetBIOS
ports. That's if you are interested in total closure of those ports.
 
Marbles

Additional Port Strengthening

*********Instructions On How To Close Port 445 *************

SMB (Server Message Block) - http://en.wikipedia.org/wiki/Server_Message_Block

1) Open Registry Editor

2) Navigate to this key
HKEY_LOCAL_MACHINE \ SYSTEM\ CurrentControlSet \ Services \ NetBT \ Parameters

3) Select & modify the entry named TransportBindName

4) The default entry will be \Device\ ---- delete that entry so you are
left with only TransportBindName with no value

5) Restart computer

6) Verify:
- open command prompt
- netstat -an

You should see port 445 is now closed

From the methods shown, by closing the ports at the operating system level,
in theory you could leave those ports open on your firewall and there would
be no response from these ports that were disabled by tweaking services and
the registry, because the mechanism that controls those ports has been turned
off / shut down / locked down and/or disabled.

Though to be on the safe side, keep those ports blocked at the firewall layer
as well. So now you have a dual layer of security protecting those ports. :)
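The two procedures above (the NetBIOS shutdown for 137-139 and the TransportBindName change for 445), together with the adapter-level "Disable NetBIOS over TCP/IP" tweak Allan linked earlier, as one added PowerShell example that is not from any of the posts. Assumptions: an elevated prompt, the static IP from step 1 already configured, an arbitrary backup folder, and that the per-interface NetbiosOptions registry value (2 = disable NetBIOS over TCP/IP, the setting the adapter's WINS tab exposes) is the registry side of the Symantec tweak. The posts' own warning stands: this removes file and printer sharing and NetBIOS name resolution, so it is a home-box change, not a workstation one, and on later Windows versions disabling the NetBT driver outright has wider effects than it had on XP.

```powershell
# Added example, not from the original posts. Closes NetBIOS (137-139) and SMB
# direct hosting (445) from PowerShell instead of Device Manager and regedit.
# Assumptions: elevated prompt, static IP already set, $BackupDir is arbitrary.
[CmdletBinding(SupportsShouldProcess = $true)]
param([string]$BackupDir = 'C:\HardenBackup')

$NetBT       = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT'
$NetBTParams = "$NetBT\Parameters"
$Interfaces  = "$NetBTParams\Interfaces"

function Get-NetBiosListener {
    # Anything bound to the NetBIOS/SMB ports, TCP or UDP, taken from "netstat -an".
    # Returns strings such as "UDP/137" or "TCP/445"; an empty result means closed.
    netstat -an | ForEach-Object {
        if ($_ -match '^\s*(TCP|UDP)\s+\S+:(13[789]|445)\s') { "$($Matches[1])/$($Matches[2])" }
    } | Sort-Object -Unique
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
# One export covers every value touched below; revert with: reg.exe import <file>
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NetBT' (Join-Path $BackupDir 'NetBT.reg') /y | Out-Null

'Before: ' + ((Get-NetBiosListener) -join ', ')

# 1. Per-adapter "Disable NetBIOS over TCP/IP" (the Symantec tweak, done in the
#    registry): NetbiosOptions 0 = use DHCP setting, 1 = enable, 2 = disable.
Get-ChildItem $Interfaces | ForEach-Object {
    if ($PSCmdlet.ShouldProcess($_.PSChildName, 'NetbiosOptions = 2')) {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
    }
}

# 2. Device Manager step 7: stop the NetBT driver loading at all (Start 4 = Disabled).
if ($PSCmdlet.ShouldProcess('NetBT driver', 'Start = 4 (Disabled)')) {
    Set-ItemProperty -Path $NetBT -Name 'Start' -Value 4 -Type DWord
}

# 3. Port 445: TransportBindName defaults to "\Device\"; an empty value stops SMB
#    binding directly to TCP/IP.
if ($PSCmdlet.ShouldProcess($NetBTParams, 'TransportBindName = ""')) {
    Set-ItemProperty -Path $NetBTParams -Name 'TransportBindName' -Value '' -Type String
}

# 4. Step 9 of the NetBIOS post: with a static IP in place the DHCP Client
#    service can be disabled too. Skip this if the adapter still uses DHCP.
if ($PSCmdlet.ShouldProcess('Dhcp', 'Set startup type to Disabled')) {
    Set-Service -Name 'Dhcp' -StartupType Disabled
}

'Reboot, then run Get-NetBiosListener again; an empty result means 137-139 and 445 are closed.'
```

Running only step 1 (NetbiosOptions = 2 on every interface) is the milder version of the same change: it closes 137-139 while leaving the NetBT driver, DHCP and port 445 alone, which is usually enough on a machine that still needs file sharing.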
 
Anteaus

Yes, there are a large number of potential exploit vectors of this kind. Only
thing is, if you close them all, you end up with a deaf, dumb and blind box
that does very little that's useful, apart from maybe play Solitaire.

It would really be preferable if the buffer-overrun exploits which are at
the root of the problem could be dealt with. But, I guess that ain't gonna
happen anytime soon, as it would require a change to a programming language
with better inbuilt bounds checking.

I think it's also a fair bet that Linux, mostly coded in the same
language, has the same issues; it's just that no one has gone looking for
overrun exploits with the same level of effort.

I don't recall 95/98 having many of these issues; plus, on that platform the
only open ports were, in general, those which were actually required by
server processes. Perhaps XP took the wrong roadmap; would it have been
easier to fix the stability bugs of 9x than to fix the security bugs of NT?
 
Marbles

Nicely worded, Anteaus

I will have to disagree on what you wrote referring to the end result being
a useless box that will only be able to play cards... solitaire... LoL.

For example, my PC has only 1 listening service port running, and that 1
service is not any of the default listening ports. Hmm...

So... what functionality does my computer have then? .... plenty... not only
play solitaire... surf the net... e-mail... play multiplayer games like
Fear... and all sorts of FPS games... hmm, so far lots of functionality.

Importantly, doing something like this in a workstation work environment
might not be desirable.

It is up to the individual home user to learn what the risks are of leaving
services on the default settings. Also learn how their OS functions.

Turning Off Services - http://engr.smu.edu/~kaytaz/xpservices.html


Time to play solitaire... LoL... That's a classic!
 
