How to shutdown open ports in XP
-
Andres
Hello everybody, I just ran the security test and it came with good results, but there are 2 potentially dangerous filtered ports... how can I CLOSE THEM ... I'm using Windows XP PRO..
Thanx, peace.
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
- RAAF453_Shep
- Regular Member
- Posts: 286
- Joined: Mon Jul 07, 2003 4:42 am
- Location: San Antonio, Tx
just did the same test, and had 3 open ports....
but when I closed them... I couldn't surf at all !
I run the Tiny Firewall .. on top of the XP... and just can't figure how to at least filter those....
I have just upgraded from W98... and never saw these bloody pop-ups asking me to pay a one time fee to stop them from spamming me with messages ! wow... I have already disabled the MSN chat ... I'll run Trill when I get to that point.... but resolving the security issues are primary .
is it because I am using the FREE version ???
Cheers !
( open ports....3 -135/-1025/-5000 )
nothing like my Virtual Spitfire Mk IXc and a few wingmen to cover my 6 !
Have a good read on the following link, I think it may have something to do with port 5000
quote "Why did this disaster happen?
(UPnP), which is installed and running in all versions of Windows XP — and may be loaded into Windows 98 and ME — essentially turns every one of those systems into a wide-open Internet server. This server listens for TCP connections on port 5000 and for UDP 'datagram' packets arriving on port 1900. This allows malicious hackers (or high-speed Internet worms) located anywhere in the world to scan for, and locate, individual Windows UPnP-equipped machines. Any vulnerabilities — known today or discovered tomorrow — can then be rapidly exploited"
http://grc.com/unpnp/unpnp.htm
There's a tool for download that will disable the Universal Plug and Play service, look around for it on that link.
Good luck.
- RAAF453_Shep
- Regular Member
- Posts: 286
- Joined: Mon Jul 07, 2003 4:42 am
- Location: San Antonio, Tx
Thanks Norm,,,, nice wheels !
got that patch, and will give the test a go again.
Folding my lil AMD's arse off !!!
I want again, to thank you all for these wonderful tips , one day , I will find my place among , all you wonderful STARS !!!
nothing like my Virtual Spitfire Mk IXc and a few wingmen to cover my 6 !
No problem, you're welcome.
From what I can tell, port 135 is used by the windows messenger service. It's NOT MSN messenger, but it's a service used to send messages between networked PC's.
You can disable this service in Control Panel>Administrator tools> Services.
There's a long list of services there, just look for the messenger service, highlight it, right click and select properties. From there you can select 'disable' or 'manual' and it won't run when you bootup any more. Programs may be able to start it if you use 'manual', but if you disable it, only you can start it up when/if you want to.
I hope this will close those ports for you.
Hmmm, I was wrong about port 135, although you still would want to disable that messenger service, as a lot of spam and popups will bug the hell out of you with it enabled.
Exchange clients such as Outlook and Outlook Express use port 135 to connect to Exchange servers. If you have remote users who VPN into your network, this port must be open on the firewall to allow them to access the Exchange server. There are numerous Q articles on this topic in the MS Knowledgebase. It is not necessary to open 135 for Outlook Web Access users, as they connect via port 80.
-
Cryogenic
Andres,
I reckon that YeOldeStonecat and Norm are there or thereabouts, particularly if you disenable MS Messenger. Also stop MS's UPnP leaky port by downloading a simple prog. from Steve Gibson at the Gibson Research Corp. which you'll find somewhere in these pages or thro' an Internet search. It's Freeware and will switch it on again like a light if/when you want to play internet based games. (No, I don't work for the company). I've seen a claim that MS have fixed this leaky door, but...
The other thing to try within XP Pro, if you are brave enough, is to hit "Start" , "Run" then type "msconfig" into the box, then when you press enter a li'l ol' Aladdin's Cave opens to show you which progs are running on your PC behind the scenes. If you go to the "Settings" tab within the page you see, you'll find a list of programmes running courtesy of Mr. Gates, some of which you may decide you don't want. Simply deselect the check boxes to stop the ones you don't want and "Apply". This is not hazardous as this will not stop Windows from starting and you can always reverse the select/de-select routine by running msconfig after starting your PC to re-instate. I suggest tho', to be on the safe side, you try dropping one item at a time and re-booting before taking further steps, also take further advice if you don't know what the listed programmes are.
Good Luck
- RAAF453_Shep
- Regular Member
- Posts: 286
- Joined: Mon Jul 07, 2003 4:42 am
- Location: San Antonio, Tx
well I tried the security test here, and it showed the 4 ports open....
then went to GRC which showed them closed... or filtered....report follows...
GRC Port Authority Report created on UTC: 2003-08-13 at 16:10:21
Results from scan of ports: 0, 21, 23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000
0 Ports Open
19 Ports Closed
6 Ports Stealth
---------------------
25 Ports Tested
NO PORTS were found to be OPEN.
Ports found to be STEALTH were: 135, 139, 445, 1025, 1026, 5000
Other than what is listed above, all ports are CLOSED.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.
which do I believe ?
the speedguide test showed 4 open... just previous to that test @ GRC....
just curious. or mildly worried, will scratch a few fleas, chew on my tail. roll in the dirt a few times, and think about it ,... lol
nothing like my Virtual Spitfire Mk IXc and a few wingmen to cover my 6 !
As you have probably read already, a closed port is not good, but it's better than opened. A closed port lets the scanner know that your machine exists, but is not readily accessible, unless he tries some evil exploit to trick the closed port into opening for him.
What ports show as closed?
What ports show as stealth?
It does not make much difference which port scan test you try, though Gibson's used a different approach than the port scan PHP script used by Speedguide. The GRC scan is a more robust application, an actual exe program on the GRC server, with different features than the SG port scanner.
I will wager that you have some Services set to start Automatically. The default XP install has 32 services running at system start up. See http://www.blkviper.com to read about XP services and follow his table of services to see how to configure your machine.
Other than that, get a cheap Cable/DSL router with NAT and all ports will be stealthed.
No one has any right to force data on you
and command you to believe it or else.
If it is not true for you, it isn't true.
LRH
Your other option to closing those ports is to use IPSec and deny traffic to the ports. However the downside to that is you have to be pretty good with the policy tool to know how to configure (it's really not too terribly hard). We are talking about Pro not Home right?
I guess the only advantage to this is the policy agent will be a lot friendlier to system resources than a third-party tool.
- RAAF453_Shep
- Regular Member
- Posts: 286
- Joined: Mon Jul 07, 2003 4:42 am
- Location: San Antonio, Tx
Yes Pro... ok now I have lost all hope.
I now have 6 opened to all ... 137,138,139 ---all TCP
1025---NFS or IIS
1026---UDP
5000------UPNP ( which I already did the patch for ! ) as well as disabled in the services config.
I didn't get that worm , but wonder what else is going on.
I have been hammered with
"Someone on address cp319275-a.ndwrt1.lb.home.nl [217.123.0.112] wants to send ICMP packet to your machine"
I saved a lot of these ...by cut n paste , to a log file , and they make no sense to me.. but they just started in the last couple of days...
I am screwed. I am gonna give it all up. let them take my OS, and do what they will... none of this is helping. Ignorance is bliss.
nothing like my Virtual Spitfire Mk IXc and a few wingmen to cover my 6 !
I now have 6 opened to all ... 137,138,139 ---all TCP
The above 3 ports are OPEN because you have TCP bound to the MS Client and File & Print Sharing. Not sure about XP, but in win2k you unbind by:
1. rt click Network icon on desktop & select Properties
2. select Local Area Connection
3. Click Advanced Menu
4. Select Advanced Settings
5. Click Bindings and Adapters Tab
6. Uncheck Internet Protocol (TCP/IP) listed under File & Print Sharing and Client for Microsoft Networks.
The way your system is set up, with those ports opened, anyone with half a brain can access your system remotely, and even if you run a software firewall, many still know how to access your system. You are living dangerously!
Port 1025:
You could have one of these Trojans: Fraggle Rock, md5 Backdoor, NetSpy, Remote Storm
Port 1026:
You have not correctly disabled the Windows Messenger Service.
Port 5000:
This port is used by the scheduler for peer-to-peer plug and play functionality for network appliances. You can get more detailed information about this program directly from Microsoft:
http://support.microsoft.com/default.as ... -US;323713
At Start\Run write msconfig and remove the entry ssdpsrv.exe on autorun. After restarting the port will be closed.
No one has any right to force data on you
and command you to believe it or else.
If it is not true for you, it isn't true.
LRH
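Added example, not from any poster in this thread: a Python parser for `netstat -ano` output that lists the listening sockets reachable from other machines and labels the ports discussed above, so the external scan results can be checked against what the machine itself reports. The sample output, addresses and PIDs are constructed; the 1026, 1900 and 5000 labels follow the posts, the rest are standard Windows assignments.

```python
# Labels for the ports this thread discusses. The 1026, 1900 and 5000 notes
# follow the posts above; the others are standard Windows assignments.
KNOWN = {
    ("TCP", 135): "RPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service (File & Print Sharing)",
    ("TCP", 139): "NetBIOS session service (File & Print Sharing)",
    ("TCP", 445): "SMB over TCP (File & Print Sharing)",
    ("UDP", 1026): "Messenger service, per the thread",
    ("UDP", 1900): "SSDP discovery (UPnP)",
    ("TCP", 5000): "UPnP (ssdpsrv.exe)",
}

# Constructed sample of `netstat -ano` output (addresses and PIDs invented).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1016
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1680
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1042      203.0.113.7:80         ESTABLISHED     1888
  UDP    0.0.0.0:1026           *:*                                    1016
  UDP    0.0.0.0:1900           *:*                                    1204
  UDP    192.168.1.10:137       *:*                                    4
"""

def listeners(netstat_text):
    """Return (proto, address, port, pid) for listening TCP and bound UDP sockets."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        # TCP rows carry a State column; only LISTENING accepts new connections.
        if parts[0] == "TCP" and (len(parts) < 5 or parts[3] != "LISTENING"):
            continue
        addr, _, port = parts[1].rpartition(":")
        found.append((parts[0], addr, int(port), int(parts[-1])))
    return found

def exposed(netstat_text):
    """Listeners that other machines can reach, sorted by port number."""
    report = []
    for proto, addr, port, pid in listeners(netstat_text):
        if addr.startswith("127."):
            continue  # loopback-only sockets never show up in an outside scan
        note = KNOWN.get((proto, port), "unknown: match the PID with tasklist /svc")
        report.append((proto, port, pid, note))
    return sorted(report, key=lambda r: (r[1], r[0]))

if __name__ == "__main__":
    for proto, port, pid, note in exposed(SAMPLE):
        print(f"{proto:3} {port:5}  pid {pid:5}  {note}")
```

After a service is disabled, rerunning this against fresh `netstat -ano` output shows whether its port has actually stopped listening, independent of what a firewall hides from an outside scanner.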
ports
I have been reading & reading & reading . . . . am I ready to ask a question . . . . Nah!! but here goes! Just recently (a day or so ago) I started having issues - I went to GRC and found that all ports are open except 3. They have a section to fix that but it does not apply to XP, only 95/98 or win/NT. I went to download the utility unpnp but it downloaded weird. The icon for the exe file had a red X over it and would not work. I run WinXP pro. ZoneAlarm Pro - BitDefender anti virus. I also thought it was zone alarm Pro slowing everything down (when I turned zone off my email worked and things picked up some) so I uninstalled and reinstalled the newest version and now I have TrueVector error messages showing up every time I open my browser saying it had to close . . . Just a wisp of help would be appreciated!! Up to the 16th of Sept I had no problems and have only had 2 viruses in the last five years and they were caught.
Butter
I think that you are on right now so I want to ask a question... I am having so many problems right now with TrueVector. I have been on the zone forum - this forum and many others. I can not completely get my brain wrapped around this issue. But no matter what I do I can't fix it. install uninstall install and so on!! started when I upgraded to zone 8. Got any ideas?? It is all over the forum boards. Oldsod said it may be my virus protection BitDefender.
wow .. man you need to enable your windows firewall.
port 135,137 (legacy RPC ports) 445 (xp / 2000 RPC ports)
You need to close those off to the WAN .. that's the number 1 way to get your computer exploited by worms.
First off get a router, that will close those ports to the wan.
I can not stress how bad it is to have those 3 ports open.
Windows firewall is plenty to close out those ports .. just make sure you don't have the exception checked allowing "file and printer sharing" (Windows RPC)
Having those ports open means that if I know your ip address I could view your hard drives files over the internet.
Close 5000 UPNP is bad.
"Someone on address cp319275-a.ndwrt1.lb.home.nl [217.123.0.112] wants to send ICMP packet to your machine" means that someone is pinging your ip address
ICMP = ping