# Windows 7 Port 135 Listening



## Terran_Ghost (Feb 5, 2010)

Thanks for your time.

I spent about 20 minutes googling this this morning and I couldn't turn anything definitive up. I've been doing system hardening and gone so far as to run dcomcnfg and disable dcom completely (which seems foolhardy and also opened port 546 inexplicably). I just want 135 to stop listening. Microsoft's stupid default-permit paradigm is extremely frustrating. How can I get 135 to stop listening?










PS: I also have a bunch more ports on the 4xxxx range listening for no reason. Any insight into either of these matters would be greatly helpful. Thanks again!


----------



## lunarlander (Sep 22, 2007)

In dcomcnfg, under My Computer properties, go to the Default Protocols tab and remove the listed protocols (write down what you remove before removing). This removes the 135 port in XP; I haven't tried it in Win 7.


----------



## Terran_Ghost (Feb 5, 2010)

First and foremost thanks very much for the reply.

When I said I had disabled dcom I was unclear - I both unchecked the box and removed all entries in Protocols (tcp/ip was the only one).

Problem remains.


----------



## Stoner (Oct 26, 2002)

In my router, I port-forward 135 (and others) to a non-existing computer.
True, port 135 is still in a listening mode, but incoming to it would be diverted to 'nowhere'.

And I block various ports in my firewall, 135 being one of them.


----------



## dvk01 (Dec 14, 2002)

Windows' inbuilt firewall in W7 automatically blocks port 135 inbound.
You need to let outbound connections on 135 work for Windows to work properly.
If you use W7 then use Windows Firewall & it will do a good job of protecting you.


----------



## Stoner (Oct 26, 2002)

dvk01 said:


> Windows' inbuilt firewall in W7 automatically blocks port 135 inbound.
> You need to let outbound connections on 135 work for Windows to work properly.
> If you use W7 then use Windows Firewall & it will do a good job of protecting you.


Gibson has this to say about port 135:
http://www.grc.com/port_135.htm


> Port 135 is certainly not a port that needs to be, or should be, exposed to the Internet. Hacker tools such as "epdump" (Endpoint Dump) are able to immediately identify every DCOM-related server/service running on the user's hosting computer and match them up with known exploits against those services





> Although applications may be "DCOM enabled" or "DCOM aware", very few, if any, are actually dependent upon the presence of its services. Consequently, it is usually possible (and generally desirable if you're comfortable doing such things) to shut down DCOM and close port 135 without any ill effects.


I wasn't 'comfortable' shutting down DCOM but blocked access as noted.
What issues am I facing by doing this?


----------



## Terran_Ghost (Feb 5, 2010)

1) If you block the port at the gateway level local machines on the network can still access it. A concurrent local machine, as I'm sure you are aware, has a high likelihood of being infected with a virus or worm that can affect other machines on the LAN. This is not secure.

2) If you block the port at the Windows Firewall level and the firewall bears an exploit or is intermittently disabled (as happens during testing of different software not infrequently) local infected machines have direct access to a listening port known to be insecure. This problem is exacerbated in airports and other wifi hotspots.

This is how worms spread on an intranet.

A properly-built OS on an intelligent paradigm defaults all of its features to be inaccessible to any other machines for any reason until they are explicitly permitted (UNIX is an example of this paradigm, but not in all cases, this implementation, nor is it mainstream enough to be sufficiently supported in a home network environment).

Windows allows many of its features to be accessed by other machines without the administrator's knowledge or permission.

This is insecure, and I would like to shut all of those features down.

Port 135 is one of the primary issues.

This problem is exceedingly frustrating.

Please help me understand how I can do this.


----------



## Stoner (Oct 26, 2002)

Thanks for the explanation.

A learning event for me... my home internet connection sharing is on the simple side and my computers aren't set up for a local network, so it's been my assumption there was no transmission between them. If I'm incorrect, I would like to be corrected so that it is addressed.

I saw this posted at one of the links on Gibson's site and wondered if this is of interest to your situation:
http://accs-net.com/smallfish/dcom.htm



> Disabling DCOM alone may not close Port 135 as there are other apps that can force it open. Try the "Ports Finder" feature of AWSPS www.atelierweb.com/pscan/ to determine the cause (15 day fully functional free trial) or use a similar program. See Buzz Walradt's GRC FAQ Links website for other programs: web2.airmail.net/buzz/faqlinks.htm.


----------
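
The open question in the thread is which process keeps port 135 and the high-numbered ports listening. As an added example (not from any poster), this Python script joins saved `netstat -ano` and `tasklist /svc /fo csv` output and lists the TCP listeners bound to a non-loopback address together with the owning process and its services. Both sample inputs, and the function names, are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       412
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1320
  TCP    192.168.1.20:49201     203.0.113.9:443        ESTABLISHED     2260
  TCP    [::]:135               [::]:0                 LISTENING       744
"""

# Constructed sample of `tasklist /svc /fo csv` output.
TASKLIST_SAMPLE = '''"Image Name","PID","Services"
"wininit.exe","412","N/A"
"svchost.exe","744","RpcEptMapper,RpcSs"
"mDNSResponder.exe","1320","Bonjour Service"
'''

LOOPBACK = ("127.", "[::1]")
# Local address (IPv4 or bracketed IPv6), port, and PID of a LISTENING TCP row.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def owners(tasklist_csv):
    """Map PID -> (image name, services) from `tasklist /svc /fo csv` text."""
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(r["PID"]): (r["Image Name"], r["Services"]) for r in reader}

def exposed_listeners(netstat_text, tasklist_csv):
    """Return sorted (port, address, pid, image, services) for TCP listeners
    bound to a non-loopback address, i.e. reachable unless a firewall blocks them."""
    procs = owners(tasklist_csv)
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP, or a non-listening connection
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if addr.startswith(LOOPBACK):
            continue  # only reachable from the machine itself
        image, services = procs.get(pid, ("unknown", "unknown"))
        found.add((port, addr, pid, image, services))
    return sorted(found)

if __name__ == "__main__":
    for port, addr, pid, image, services in exposed_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{addr}:{port}  pid={pid}  {image}  [{services}]")
```

On a real machine, save the output of the two commands from an elevated prompt and pass the text in place of the samples.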



## jiml8 (Jul 3, 2005)

I, too, failed to shut down port 135 when I installed Windows 7 Pro in a virtual machine last spring (my one and only Win7 installation).

You *should* be able to block it using the Windows firewall, but I wouldn't trust that for a variety of reasons.

I wound up installing Online Armor and setting a rule to block all inbound connections. Since that time, I have never found a reason to shut down Online Armor for any purpose so this has worked adequately though I certainly understand your concern about making your machine vulnerable should you need to turn it off intermittently.

My solution has another component that probably you can't duplicate because I assume yours is an installation on bare hardware.

When I installed Win7 and figured out how incredibly chatty it was, and how porous it was, I rearranged my virtual networking on the host machine (Linux) to move my Windows virtual machines onto their own host-only subnet, and firewall them using iptables in Linux. Subsequently, I set up iptables rules to keep Win7 from talking to anyone I didn't want it talking to, and a simple script command in Linux can enable/disable ALL network access for that subnet. I also can allow that subnet to access the internet while blocking it from the rest of my LAN, thus addressing the possible worm transmission vectors should I need to disable security on Win7 temporarily for any reason.

My trials and tribulations setting up Win7 are in these two threads:
http://forums.techguy.org/windows-7/912477-solved-windows-7-sure-chatty.html
http://forums.techguy.org/windows-7/912485-solved-networking-win7-win2000.html

though I doubt they will help you much.


----------



## Terran_Ghost (Feb 5, 2010)

Thanks for the well-thought-out replies. I am still having this problem. Would anyone object if I repost this question in the Windows 7 Forums?


----------



## Stoner (Oct 26, 2002)

Terran_Ghost said:


> Thanks for the well-thought-out replies. I am still having this problem. Would anyone object if I repost this question in the Windows 7 Forums?


It might be better to ask a moderator to move the thread than start a duplicate.
Just hit the report button in the bottom right hand corner of one of your posts and make the request.


----------



## dvk01 (Dec 14, 2002)

Moved to Networking, which is more appropriate.


----------



## Terran_Ghost (Feb 5, 2010)

Bump for relocation to T-Junction.

Quick get the obs up.


----------

