Network port basics: how to close Windows ports, and what port 135 is used for

Network ports can tell you a great deal about the applications that reach computers over the network. Knowing which applications use the network, and which ports they use, lets you write precise firewall rules and configure hosts to accept only the traffic they need. By building a profile of normal network traffic and deploying tools that recognize it, you can detect intruders more effectively, sometimes simply from the traffic they generate. Part 1 of this article, published in the previous issue of the magazine, covered the basics of TCP/IP ports as a foundation for network security. Part 2 describes network-side and host-side methods for identifying applications listening on the network, and then looks at how to evaluate the traffic passing through it.

Blocking network applications

Attack surface is the usual term for a network's exposure to attack. Many network attacks go through vulnerable applications, so the attack surface shrinks considerably when the number of active network applications is reduced. In practice this means disabling unused services, placing a firewall on a dedicated system to check that traffic is legitimate, and writing a comprehensive access control list (ACL) for the firewall at the network perimeter.

Each open network port represents an application listening on the network. The attack surface of each server connected to the network can be reduced by disabling all non-essential network services and applications. Windows Server 2003 is superior to previous versions of the operating system because it enables fewer network services by default. However, auditing is still necessary to detect newly installed applications and configuration changes that open unnecessary network ports.

Every open port is a potential way in: an attacker can exploit a vulnerability in the listening application, or simply log in to it with another user's name and password (or some other legitimate credential). Either way, an important first step in protecting your network is to disable the network applications you do not use.

Port scanning

Port scanning is the process of discovering listening applications by actively probing the network ports of a computer or other network device. Being able to read scan results, and to compare what a network scan reports with what a poll of the host itself shows, gives you a clear picture of what is exposed on your network. Knowing the network topology helps you plan which areas to scan. Remember that an attacker on the Internet gathers the same valuable data simply by scanning your external IP address range, so scan your own network regularly and close every port that is not needed.

Scanning from outside the firewall reveals every service (such as web or mail) that answers on internal servers; those servers must be protected as well. Configure a port scanner you are familiar with (for example Network Mapper, Nmap) to scan the desired set of TCP or UDP ports. TCP scans are generally more reliable than UDP scans: the TCP handshake gives a definite answer, whereas a UDP port that stays silent may be open, closed or filtered. Nmap is available for both Windows and Unix. A basic scan is simple to start, although the program offers far more advanced options. To find the open ports on the test computer, I ran the command

nmap 192.168.0.161

Screen 1 shows the result of the scan session, in this case against a Windows Server 2003 computer in its default configuration (with Remote Desktop additionally enabled, see below). The scan shows six open TCP ports.

Screen 1: Basic Nmap scan session
  • Port 135 is used by the RPC endpoint mapper, on which many Windows technologies depend: COM/DCOM applications, DFS, the event log, file replication, message queuing, Microsoft Outlook and others. It should be blocked at the network perimeter firewall, but on the host itself it is hard to close without breaking Windows functionality that depends on RPC.
  • Port 139 is used by the NetBIOS session service, which carries the Computer Browser, file sharing, Net Logon and Server services. Like port 135, it is hard to close.
  • Port 445 is used by Windows file sharing (SMB directly over TCP). To close it, disable File and Printer Sharing for Microsoft Networks on the network adapter. Closing this port does not stop the computer from connecting to remote shares; it only stops other computers from connecting to shares on this system.
  • Ports 1025 and 1026 are dynamically assigned RPC ports used by various Windows system processes and services. On Windows Server 2003 the dynamic range starts at 1025; on Windows Vista, Server 2008 and later it is 49152-65535.
  • Port 3389 is used by Remote Desktop, which is not enabled by default but was active on my test computer. To close it, open the Remote tab of the System Properties dialog and clear the Allow users to connect remotely to this computer check box.

Be sure to scan for open UDP ports too and close those you do not need. A scanner shows the ports visible from the network; similar results, with more detail about who owns each port, can be obtained with tools on the host itself.
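As an added example (not part of the original article), here is a minimal TCP connect scan in PowerShell that checks the six ports the Nmap session above reported, with a per-port timeout so that filtered ports do not stall the scan. The target address is the article's test host; any reachable host works. It covers TCP only, since a connect scan has no reliable UDP equivalent; for UDP use Nmap's -sU scan.

```powershell
# Added example, not from the original article: a TCP connect scan with a timeout.
# 192.168.0.161 is the article's test host; the default port list is the set the
# article's Nmap run found open. Only TCP is scanned.

function Test-TcpPorts {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int[]]$Ports = @(135, 139, 445, 1025, 1026, 3389),
        [int]$TimeoutMs = 500
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $state  = 'filtered'            # nothing came back within the timeout
        try {
            $ar = $client.BeginConnect($Target, $port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($ar)  # throws if the host answered with a reset
                $state = 'open'
            }
        } catch {
            $state = 'closed'            # active refusal: host is up, nothing listens
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Target = $Target; Port = $port; State = $state }
    }
}

Test-TcpPorts -Target 192.168.0.161 | Format-Table -AutoSize
```

open means the three-way handshake completed, closed means the host answered with a reset, and filtered means nothing came back within the timeout, which is what a firewall drop looks like from the outside. For a quick single-port check, Test-NetConnection -ComputerName host -Port 445 does the same without timeout control.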

Host scan

In addition to using a network port scanner, open ports on the host system can be detected using the following command (run on the host system):

netstat -an

This command exists on both Windows and UNIX. Netstat lists the computer's active sockets, including every port in the LISTENING state. On Windows XP and Windows Server 2003, add the -o option to see the owning process ID (PID) of each socket (-b additionally shows the executable name). Figure 2 shows the netstat output for the same computer that was port-scanned above. Note that some ports open during the earlier scan are no longer listening: dynamic ports come and go, so compare snapshots taken close together.
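The same inventory can be produced with the modern PowerShell cmdlets instead of reading netstat output. The following is an added example (not from the original article): it lists listening TCP ports and bound UDP endpoints with the owning process and, because many services share one svchost.exe, the services hosted in that process. It needs Windows 8 / Server 2012 or later and an elevated prompt to see the image paths of system processes.

```powershell
# Added example, not from the original article: netstat -ano plus tasklist in one
# table. Requires the NetTCPIP module (Windows 8 / Server 2012 and later).

function Get-ListeningPortInventory {
    # Map PID -> service names; several services usually share one svchost.exe
    $svcByPid = @{}
    Get-CimInstance Win32_Service | Where-Object ProcessId -gt 0 | ForEach-Object {
        $svcByPid[[int]$_.ProcessId] += @($_.Name)
    }

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto'; e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Proto'; e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

    foreach ($s in @($tcp) + @($udp)) {
        $p = Get-Process -Id $s.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto    = $s.Proto
            Address  = $s.LocalAddress
            Port     = [int]$s.LocalPort
            PID      = [int]$s.OwningProcess
            Process  = $(if ($p) { $p.ProcessName } else { '?' })
            Image    = $(if ($p) { $p.Path } else { '' })   # empty without elevation
            Services = ($svcByPid[[int]$s.OwningProcess] -join ',')
        }
    }
}

$inv = Get-ListeningPortInventory | Sort-Object Proto, Port
$inv | Format-Table Proto, Address, Port, PID, Process, Services -AutoSize

# Only what a remote scanner could reach: drop sockets bound to loopback alone
$inv | Where-Object { $_.Address -notin @('127.0.0.1', '::1') } |
    Format-Table Proto, Address, Port, Process, Image -AutoSize
```

An address of 0.0.0.0 or :: means the socket accepts connections on every interface; a socket bound to 127.0.0.1 or ::1 never shows up in a network scan, which is one reason the host-side list is longer than the scanner's.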

Firewall Log Audit

Another useful way to find applications that send or receive data is to collect and analyze more of the firewall log. Deny entries on the external (Internet-facing) interface are rarely useful because of the noise that fills the Internet (worm scans, port scanners, ping sweeps). But if you log the allowed packets on the internal interface, you see every incoming and outgoing connection that actually crosses the firewall.

To see raw traffic, install a network analyzer that captures every packet it sees on the wire. The most widely used free analyzer is Tcpdump for UNIX (the Windows port is called WinDump), which is easy to install. After installing it, run it in promiscuous mode so that it records all packets, not just those addressed to the capturing host, and connect the capture interface to a monitor port on the network switch so that it sees all traffic passing through the switch. Setting up a monitor port is discussed below. Tcpdump is very flexible: with capture filters you can record only IP addresses and ports, or everything. Dumps from large networks are hard to read without filters, but a filter that is too narrow can discard exactly the data you need.
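As an added example (not from the original article), the following PowerShell reads the Windows Firewall log and does the analysis the paragraph describes: allowed inbound connections grouped by destination port with the peers that used them, and dropped probes from outside the local range. The log lines are constructed here to mimic the pfirewall.log format; the real file is %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log once logging is turned on with Set-NetFirewallProfile -All -LogAllowed True -LogBlocked True.

```powershell
# Added example, not from the original article. The sample below is constructed to
# match the W3C layout of the Windows Firewall log; replace it with
#   Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
# on a real host (logging must be enabled first, see the lead-in).

$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-06-27 10:15:02 ALLOW TCP 192.168.0.10 192.168.0.161 49321 445 0 - 0 0 0 - - - RECEIVE
2017-06-27 10:15:03 ALLOW TCP 192.168.0.11 192.168.0.161 50112 445 0 - 0 0 0 - - - RECEIVE
2017-06-27 10:15:05 ALLOW TCP 192.168.0.10 192.168.0.161 49330 3389 0 - 0 0 0 - - - RECEIVE
2017-06-27 10:15:06 DROP TCP 203.0.113.7 192.168.0.161 40000 445 52 S 1 0 8192 - - - RECEIVE
2017-06-27 10:15:07 DROP TCP 203.0.113.7 192.168.0.161 40001 135 52 S 1 0 8192 - - - RECEIVE
2017-06-27 10:15:09 ALLOW TCP 192.168.0.161 192.168.0.1 49400 53 0 - 0 0 0 - - - SEND
'@

function ConvertFrom-FirewallLog {
    # Turns log lines into objects whose property names come from the #Fields header
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -match '^\s*(#|$)' -or -not $fields) { continue }
        $values = $line -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

$events = ConvertFrom-FirewallLog ($sampleLog -split '\r?\n')

# Allowed inbound connections per protocol/port, with the distinct peers that used them
$events | Where-Object { $_.action -eq 'ALLOW' -and $_.path -eq 'RECEIVE' } |
    Group-Object protocol, 'dst-port' | ForEach-Object {
        [pscustomobject]@{
            Service = $_.Name
            Hits    = $_.Count
            Sources = ($_.Group.'src-ip' | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize

# Dropped probes from outside the local range: the "noise" the paragraph warns about
$events | Where-Object { $_.action -eq 'DROP' -and $_.'src-ip' -notlike '192.168.*' } |
    Format-Table date, time, protocol, 'src-ip', 'dst-port' -AutoSize
```

On the constructed sample this yields two services in use from inside (TCP 445 from two hosts, TCP 3389 from one) and two dropped SYN probes from 203.0.113.7, which is the kind of split between useful ALLOW data and perimeter noise the paragraph describes.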

Combining Components

So far, we have looked at various methods and tools that can be used to detect applications using the network. It's time to combine them and show how to identify open network ports. It's amazing how chatty computers are on the network! First, it is recommended that you read the Microsoft document “Service overview and network port requirements for the Windows Server system” ( http://support.microsoft.com/default.aspx?scid=kb;en-us;832017), which lists the protocols (TCP and UDP) and port numbers used by applications and most core Windows Server services. The document describes these services and the associated network ports they use. We recommend that you download and print this helpful reference guide for Windows network administrators.

Setting up a network analyzer

It was noted earlier that one way to determine the ports applications use is to monitor the traffic between computers with a network analyzer. To see all traffic, the analyzer must be attached to a hub or to a monitor port on a switch. Every port on a hub sees the traffic of every computer attached to it, but hubs are outdated and most companies have replaced them with switches, which perform well but make analysis harder: each switch port receives only traffic addressed to the computer attached to that port (plus broadcasts and flooded frames). To analyze the whole network you must copy the traffic of every switch port of interest to the port the analyzer is connected to.

This requires configuring a monitor port (vendors also call it a SPAN or mirror port) on the switch. On a Cisco Systems Catalyst switch it is straightforward: log in to the switch, enter enable mode and then configure terminal mode, select the interface to which the copied traffic should be sent, and finally list the ports to be monitored. For example, the following commands monitor three Fast Ethernet ports and forward a copy of their traffic to port 24:

configure terminal
 interface FastEthernet0/24
  port monitor FastEthernet0/1
  port monitor FastEthernet0/2
  port monitor FastEthernet0/3
 end

In this example, an analyzer connected to port 24 sees all traffic sent and received by the computers on the first three ports. To view the resulting configuration use show running-config; to save it so that it survives a reload, enter the command

write memory

Note that on current Catalyst IOS releases the interface-level port monitor command has been replaced by the global monitor session commands, which take a source and a destination interface; the idea is the same.

Initial analysis

Let's look at an example of analyzing the data passing through a network. If you use a Linux computer for the analysis, a program such as IPTraf in its statistics mode gives a quick overview of the types and rates of packets on the network; the details of individual flows can then be examined with Tcpdump.

On 27 June 2017, the day before this was written, unknown attackers launched another large-scale attack with file-encrypting malware; experts reported dozens of large companies in Ukraine and Russia affected. The ransomware is called Petya.A (after the Petya family known since 2016; the 2017 strain is now usually called NotPetya or ExPetr). It was reported that creating a file named perfc (without extension) in C:\Windows\ makes this strain skip the machine. If the computer reboots and starts a "disk check", power it off immediately: the check is fake and the malware is encrypting the disk while it is displayed. Booting from a LiveCD or USB drive then still gives access to the files. Another protective measure is to close ports 1024-1035, 135 and 445. Two caveats: the strain also spread through the SMBv1 vulnerability fixed by the MS17-010 update, so installing that update and disabling SMBv1 matter at least as much as port rules; and on Windows Vista and later the dynamic RPC range is 49152-65535, so blocking 1024-1035 on Windows 10 does little by itself. Below we show how to create the rules, using Windows 10 as the example.

Step 1
Open Windows Firewall with Advanced Security (in Control Panel, open Windows Firewall and click the Advanced settings link).
Select Inbound Rules, then the New Rule action in the right-hand column.

Step 2
Choose the rule type Port. In the next window select TCP and enter the ports to close under Specific local ports; in our case 135, 445, 1024-1035 (without quotes).

Step 3
Select Block the connection and, in the next window, tick all three profiles: Domain, Private, Public.

Step 4
All that remains is to give the rule a name (so that it is easy to find later) and, optionally, a description.

If some programs stop working or misbehave afterwards, you have probably blocked a port they use. Note that Windows Firewall applies block rules before allow rules, so adding an allow rule for that program will not override the block; instead, narrow the block rule's scope (for example, restrict it to remote addresses outside your trusted subnet) or remove the port from it.
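The four steps above as a single PowerShell command, followed by a check of what was written and a scoped variant that exempts a trusted subnet. This is an added example, not part of the original page; run it from an elevated prompt. The rule name and the 192.168.0.0/24 trusted range are assumptions for illustration.

```powershell
# Added example, not from the original page. Rule name and trusted range are assumed.
$name  = 'Block inbound TCP 135,445,1024-1035'
$ports = @('135', '445', '1024-1035')

# Steps 1-4: inbound, TCP, the listed ports, block, all three profiles
New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort $ports -Profile Domain, Private, Public | Out-Null

# Verify: the port filter is stored separately from the rule object
Get-NetFirewallRule -DisplayName $name |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# "Exception": block rules win over allow rules, so an allow rule for a program does
# not punch through this block. Narrow the block instead, here to every IPv4 range
# except the assumed trusted subnet 192.168.0.0/24.
Set-NetFirewallRule -DisplayName $name `
    -RemoteAddress '1.0.0.0-192.167.255.255', '192.168.1.0-223.255.255.255'

# Roll back when no longer needed
# Remove-NetFirewallRule -DisplayName $name
```

The netsh equivalent of the first command is netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135,445,1024-1035 name="..."; the cmdlet form is used here because it also lets you read the rule back and adjust its scope without re-creating it.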

TCP port 135 is the RPC endpoint mapper. It is used for remote administration of services such as DHCP, DNS and WINS, and by Microsoft client-server applications such as Exchange (MAPI over RPC).

TCP port 445 is used by Windows 2000 and later for SMB directly over TCP/IP, without NetBIOS (for example by Active Directory for SYSVOL and Group Policy).

Publication

Blood, the fact that your firewall shows svchost.exe listening on a given port does not mean that the port is open to connections from outside.

It looks like your rules are written correctly and should work.

Have you tried checking with port scanners? - TsOB (Security Center) (clause 2.7)

And don't forget that you also need to check IPv6, because it is enabled on your system, and scanners usually check only IPv4 (I am talking about the centralized services).

If you do not need this protocol at all, you can disable it:

To disable IP version 6 components in Windows Vista, follow these steps:

  1. Click Start, type regedit in the Start Search box, and then select regedit.exe in the Programs list.
  2. In the User Account Control dialog box, click Continue.
  3. Locate and select the following registry subkey:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
  4. Double-click DisabledComponents to change the DisabledComponents setting.
     Note. If the DisabledComponents value is not present, create it: from the Edit menu select New, then DWORD (32-bit) Value; type DisabledComponents and press ENTER; then double-click DisabledComponents.
  5. Enter one of the following values to configure IP version 6, and then click OK:
     0 enables all IP version 6 components (the default).
     0xffffffff disables all IP version 6 components except the loopback interface; Windows Vista then also uses IP version 4 instead of IPv6 in prefix policies.
     0x20 uses IP version 4 prefix policies instead of IP version 6.
     0x10 disables native IPv6 interfaces.
     0x01 disables all IP version 6 tunnel interfaces.
     0x11 disables all IP version 6 interfaces except the loopback interface.

Notes

  • Using values other than 0x0 or 0x20 may cause the Routing and Remote Access service to fail.
  • You must restart the computer for the changes to take effect.

The information in this article applies to: Windows Vista Enterprise, Business, Home Basic, Home Premium, Ultimate and Starter (32-bit and, where offered, 64-bit editions); Windows 7 Enterprise, Home Basic, Home Premium, Professional and Ultimate; Windows Server 2008 and Windows Server 2008 R2 Standard, Enterprise and Datacenter.

Source - http://support.microsoft.com/kb/929852

After disabling it and rebooting, a number of extra lines disappear from the output of ipconfig /all and only the interfaces you know remain.

To re-enable it, simply delete the created registry value or set it back to 0, then reboot.
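An added example (not part of the thread above) that covers both points in the reply: it lists the IPv6-bound listeners a v4-only scanner misses, and it reads and decodes the DisabledComponents bitmask described in the KB text. The registry write is left commented out; note that Microsoft's current guidance in KB 929852 is 0xFF rather than 0xFFFFFFFF, because the latter adds a five-second delay at boot.

```powershell
# Added example, not from the original thread. Run elevated for the registry write.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# 1. IPv6 listeners a v4-only scan never sees (:: = every v6 address, ::1 = loopback)
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -match ':' -and $_.LocalAddress -ne '::1' } |
    Select-Object LocalAddress, LocalPort, OwningProcess | Sort-Object LocalPort

# 2. IPv6 addresses currently assigned, so you know what a remote scan should target
Get-NetIPAddress -AddressFamily IPv6 | Select-Object InterfaceAlias, IPAddress, PrefixOrigin

# 3. Decode DisabledComponents using the bit meanings from the KB text above
function Get-IPv6DisabledComponents {
    $v = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $v) { $v = 0 }                   # value absent = 0 = everything enabled
    $v = [int64]$v -band 0xFFFFFFFF                # registry DWORD reads as signed Int32
    [pscustomobject]@{
        RawValue        = ('0x{0:X8}' -f $v)
        TunnelsDisabled = [bool]($v -band 0x01)    # 6to4, ISATAP, Teredo
        NativeDisabled  = [bool]($v -band 0x10)    # IPv6 on physical adapters
        PreferIPv4      = [bool]($v -band 0x20)    # prefix policy favours IPv4
    }
}
Get-IPv6DisabledComponents

# To disable IPv6 on every non-loopback interface (reboot required):
# Set-ItemProperty -Path $key -Name DisabledComponents -Value 0xFF -Type DWord
```

Running steps 1 and 2 before and after the change shows whether anything was still reachable over IPv6; the decode function is also a quick way to audit a fleet where someone set the value by hand.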

The WannaCry virus, also known as WannaCrypt or Wanna Decryptor, hit the world in May 2017. The malware spread through local networks, infecting one computer after another, encrypting the files on disk and demanding that the user pay the extortionists $300 to $600 to unlock them. The Petya virus, which gained almost political fame in the summer of 2017, behaved in a similar way.

Both worms entered the victim's operating system through the same door: network ports 445 or 139, exploiting the SMBv1 vulnerability that Microsoft had patched in March 2017 as MS17-010. After these two large outbreaks, smaller malware families followed through the same ports. So what are these ports that everybody scans?

What are ports 445 and 139 responsible for in Windows?

These ports are used by Windows to share files and printers. Port 445 carries the Server Message Block (SMB) protocol directly over TCP, and port 139 carries the NetBIOS session service (SMB over NetBIOS). Both let Windows computers connect over the network to "shared" folders and printers on top of the basic TCP and UDP protocols.

Since Windows 2000, file and printer sharing runs primarily over port 445 with SMB directly on TCP. Earlier versions used NetBIOS over TCP/IP on ports 137 and 138 (UDP) and 139 (TCP), and later versions keep this path for compatibility.

Why are open ports dangerous?

Ports 445 and 139 are an inconspicuous but significant exposure in Windows. Leaving them reachable from untrusted networks lets viruses, trojans, worms and human attackers talk to the SMB service directly. And if your computer is on a local network, every other computer on it is at risk of infection as well.

In effect, you are offering your shares to anyone who can reach these ports. A skilled attacker can enumerate and read the shared contents and, with valid credentials or an SMB vulnerability, delete data or encrypt files. That is exactly what WannaCry and Petya did in the epidemic that swept the world in the summer of 2017.

So if you care about the security of your data, it is worth learning how to close ports 139 and 445 in Windows.

Finding out if the ports are open

In most cases port 445 is open, because File and Printer Sharing is enabled when Windows is installed. You can easily check this on your machine. Press Win+R to open the Run dialog, type cmd and press Enter to open a command prompt. At the prompt, type netstat -na and press Enter. This command lists all sockets on the machine with their state and current incoming connections.

After a moment a table of sockets appears. Look for the row whose Local Address ends in :445 (for example 0.0.0.0:445); if its State column says LISTENING, the port is open. Find port 139 in the same way and check its state.

How to close ports in Windows 10/8/7

There are three main methods to close port 445 in Windows 10, 7 or 8. They do not differ much depending on the system version and are quite simple. You can try any of them to choose from. You can also close port 139 using the same methods.

Closing ports through the firewall

The first method, which allows you to close port 445 in Windows, is the simplest and is accessible to almost any user.

  1. Go to Start > Control Panel > Windows Firewall and click the Advanced settings link.
  2. Click Inbound Rules > New Rule. In the wizard select Port > Next > TCP > Specific local ports, enter 445 in the field and click Next.
  3. Select Block the connection and click Next again. Leave all three profile boxes ticked and click Next. Enter a name and, optionally, a description for the new rule and click Finish.

Now incoming connections to port 445 are blocked. If necessary, create a similar rule for port 139.

Closing ports via the command line

The second method involves command line operations and is more suitable for advanced Windows users.

  1. Click Start and in the search bar at the bottom of the menu, type “ cmd". In the list that appears, right-click on cmd and select Run as administrator.
  2. Copy the command into the command line window netsh advfirewall set allprofile state on. Click Enter.
  3. Then copy the following command: netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445". Click Enter again.

As a result of the procedure, a Windows Firewall rule will also be created to close port 445. Some users, however, report that this method does not work on their machines: when checking, the port remains in the “LISTENING” status. In this case, you should try the third method, which is also quite simple.
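An added example, not part of the original page, showing how to verify that the rule is in force when netstat still says LISTENING: check the rule, the profile the connected network is in, then test from a second machine. The host address 192.168.0.161 and the rule name from step 3 are assumptions.

```powershell
# Added example, not from the original page. Rule name matches step 3 above; the
# host address is assumed.
$name = 'Block_TCP-445'

# 1. On the host: does the rule exist, is it enabled, and which profiles does it cover?
$rule = Get-NetFirewallRule -DisplayName $name -ErrorAction Stop
$rule | Select-Object DisplayName, Enabled, Direction, Action, Profile

# 2. Is the firewall itself on, and which profile is the connected network in?
#    A rule limited to Public does nothing on a network classified as Private.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# 3. The socket is still bound, so LISTENING here is normal and proves nothing
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 4. Run this part on a SECOND machine: a blocked port times out, so
#    TcpTestSucceeded is False. Testing from the host itself goes over loopback
#    and does not exercise the inbound rule.
Test-NetConnection -ComputerName 192.168.0.161 -Port 445 |
    Select-Object RemoteAddress, RemotePort, TcpTestSucceeded
```

If step 4 still succeeds, the usual causes are the rule being disabled, the connected network sitting in a profile the rule does not cover, or the firewall being turned off for that profile; steps 1 and 2 show which.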

Closing ports through the Windows registry

You can also stop Windows from offering port 445 at all by changing the registry. Use this method with care: the registry is the central configuration database of the system, and a careless error can have unpredictable consequences. Before editing, export the key you are about to change (File > Export in Registry Editor) so that you can restore it.

  1. Click Start, type regedit in the search box and press Enter.
  2. In the registry tree, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters.
  3. Right-click an empty area of the value list on the right and select New > DWORD (32-bit) Value. A DWORD is always 32 bits; use it on both 32-bit and 64-bit Windows.
  4. Name the new value SMBDeviceEnabled, double-click it, and make sure its Value data is 0 (set it to 0 if it reads 1). Click OK.

This method is effective if you follow the steps exactly; the change takes effect after a reboot. It applies only to port 445 (SMB directly over TCP); port 139 stays open as long as NetBIOS over TCP/IP is enabled on the adapter.

To make the protection more complete, you can also disable the Windows Server service (service name LanmanServer) after the registry change. Note that this also removes the administrative shares and breaks remote management that relies on them. To do this:

  1. Click Start and enter in the search bar "services.msc". A list of Windows system services will open.
  2. Find the Server service and double-click on it. As a rule, it is located somewhere in the middle of the list.
  3. In the window that appears, in the drop-down list Startup type select Disabled and press OK.

The first two methods (not the third) can close not only port 445 but also ports 135, 137, 138 and 139: repeat the procedure with the port number you need. Ports 137 and 138 are UDP, so select UDP rather than TCP for those rules.

If you later need to open ports, simply delete the created rule in the Windows Firewall or change the value of the parameter created in the registry from 0 to 1, and then enable the Windows Server service back by selecting from the list Startup type meaning Automatically instead of Disabled.
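The registry and service steps above, together with the rollback from the previous paragraph, as one added PowerShell script (not from the original page). Run it elevated. SMBDeviceEnabled is a REG_DWORD on both 32-bit and 64-bit Windows, and the change takes effect after a reboot or a restart of the Server service.

```powershell
# Added example, not from the original page. Run from an elevated prompt.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

function Disable-DirectSmb {
    # Step 1-4 of the registry method: stop SMB listening directly on TCP 445
    New-ItemProperty -Path $key -Name SMBDeviceEnabled -PropertyType DWord -Value 0 -Force | Out-Null
    # Services method: stop and disable "Server" (LanmanServer); -Force stops dependents
    Stop-Service LanmanServer -Force
    Set-Service LanmanServer -StartupType Disabled
}

function Enable-DirectSmb {
    # The rollback described above: value back to 1, service back to Automatic
    Set-ItemProperty -Path $key -Name SMBDeviceEnabled -Value 1
    Set-Service LanmanServer -StartupType Automatic
    Start-Service LanmanServer
}

function Get-SmbExposure {
    # What an auditor checks after the change (and again after the reboot)
    $svc = Get-Service LanmanServer
    [pscustomobject]@{
        SMBDeviceEnabled = (Get-ItemProperty -Path $key -Name SMBDeviceEnabled -ErrorAction SilentlyContinue).SMBDeviceEnabled
        ServerStartup    = $svc.StartType
        ServerStatus     = $svc.Status
        Listening445     = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
        Listening139     = [bool](Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue)
    }
}

Disable-DirectSmb
Get-SmbExposure   # after the reboot expect SMBDeviceEnabled 0, ServerStatus Stopped, Listening445 False
```

Listening139 typically stays True until NetBIOS over TCP/IP is disabled on the adapter (WINS tab of the IPv4 properties); with the Server service stopped nothing answers on it, but a scanner still sees the port open. Do not run Disable-DirectSmb on a domain controller or a file server; it removes every share, including SYSVOL and the administrative shares.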

Important! Remember that port 445 is what Windows uses to share files, folders and printers. If you close it, other users can no longer open your shared folders or print to your printers over the network.

If your computer is on a local network and you need sharing for work, do not block the ports outright. Instead, restrict the existing File and Printer Sharing rules in Windows Firewall to your local subnet (the Scope tab of the rule), keep SMBv1 disabled and keep the system patched. A third-party firewall that monitors these ports for unauthorized access is an alternative.

By following the recommendations above, you can protect yourself from invisible but serious vulnerabilities in Windows and protect your data from numerous types of malicious software that can penetrate the system through ports 139 and 445.