Re: Do I need these services listening?
From: Gerald Vogt (vogt_at_spamcop.net)
Date: 03/14/05
- Next message: William L. Sun: "Re: ZA blocking ISP pings?"
- Previous message: Connected: "Re: win98 firewall"
- In reply to: Rod: "Do I need these services listening?"
- Next in thread: William L. Sun: "Re: Do I need these services listening?"
Date: Mon, 14 Mar 2005 15:06:45 +0900
I recommend making a manual system restore point before making the changes.
Rod wrote:
> svchost (port: epmap)
Port 135
start dcomcnfg.exe (sorry, mine is in German, so I hope you still find it.)
- open branch component services (the first one in my list)
- open branch computer (the only one in the sublist)
- right-click My computer and open properties.
- select the tab General/Standard Settings/Properties(??).
- deselect the checkbox "DCOM (Distributed COM)" to deactivate DCOM.
- select the tab standard protocols
- remove all protocols listed.
- OK the window
- close the dcomcnfg window.
- reboot
- this should close port 135.
> system (port: microsoft-ds)
Port 445 (microsoft-ds)
Add a registry entry to the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
add a DWORD there named "SMBDeviceEnabled" and set the value to 0 (zero).
After a reboot this should close port 445.
> system (port: netbios-ssn)
> (n.b.: I have a small home LAN network with local file & printer
> sharing, so don't think I can
> disable Netbios without cutting off the LAN services)
That makes it a little bit more tricky. The easiest thing would be to
bind file sharing services to the IPX/SPX/NetBEUI protocol. This is
non-routable, i.e. it cannot go out onto the internet. If you have that you
can unbind it from IP and it should close the IP ports.
If you want to stick with IP then you won't be able to close the netbios
ports 137,138,139 on the serving computer. You can get them closed on
the clients, however, with the disadvantage that you lose automatic
netbios name resolution. If you access the server only by IP address it
still works. You can create your own entries in the hosts file if you
assign fixed local addresses to the computer in your network.
To do so on the client, open the properties window of the network
connection (i.e. the Local Network Connection). On the client, make sure
that "File- and printer sharing in Microsoft networks" is disabled (no
checkmark). This binding is the server side, which you won't need on the
client. You need the "Client for Microsoft Networks" though, so leave it
enabled. Next, select the "Internet Protocol (TCP/IP)" in the list
(leave it checked) and click the properties button. Go to the WINS tab
and select the radio button for "Deactivate NetBIOS over TCP/IP".
Also check all your other network connections. All dialups/DSL dialups
should have file- and printer sharing as well as the client for MS
networks always disabled. The TCP/IP WINS properties must have NetBIOS
over TCP/IP always deactivated. These settings would only be a security
risk as you would have file sharing or client traffic going over the
dialup. Depending on what kind of other network connections you have,
you could also reconfigure all the others in the same fashion. Only the
network connection that is connected to your LAN really requires the
client for MS networks.
If you reboot after these changes, ports 137, 138, 139 should be closed
and gone on the client computer. Again, name resolution does not work
anymore. You can access file shares for instance with something like
\\192.168.1.2\documents if 192.168.1.2 is the IP address of the serving
computer. With fixed IPs and a hosts table you can get name resolution.
> lsass (ports: 500, 4500)
Start "services.msc", select the service "IPSEC-Services", right-click
properties. Set the service to "Manual" and stop it. This should close
port 500 and 4500.
Gerald
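A post-reboot verification script for the changes Gerald describes, added here as an example and not part of the original thread. It assumes the registry values that dcomcnfg, the WINS tab and the registry step write (EnableDCOM under HKLM\SOFTWARE\Microsoft\Ole, SMBDeviceEnabled, NetbiosOptions per Tcpip_{GUID} interface key), that the IPsec service's short name is PolicyAgent, and PowerShell 5 or later run from an elevated prompt.

```powershell
# Verify the hardening state described in the post above. Added example,
# not from the original thread. Run elevated, after the reboot.
$ports = @(135, 445, 137, 138, 139, 500, 4500)

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent means the default, i.e. still enabled
}

function Test-HardeningState {
    $r = [ordered]@{}
    # DCOM: dcomcnfg's checkbox writes EnableDCOM = "N" (assumed key, see lead-in)
    $r['DCOM disabled'] =
        (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'EnableDCOM') -eq 'N'
    # Port 445: SMBDeviceEnabled = 0 under NetBT\Parameters (as in the post)
    $r['SMB direct hosting off'] =
        (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' 'SMBDeviceEnabled') -eq 0
    # NetBIOS over TCP/IP: the WINS tab sets NetbiosOptions = 2 per interface
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $r['NetBT disabled on every interface'] =
        @($ifaces | Where-Object { (Get-RegValue $_.PSPath 'NetbiosOptions') -ne 2 }).Count -eq 0
    # IPsec service (display name "IPSEC Services" on XP): stopped and not Automatic
    $svc = Get-Service -Name PolicyAgent -ErrorAction SilentlyContinue
    $r['IPsec service stopped, not auto'] =
        ($null -ne $svc -and $svc.Status -ne 'Running' -and $svc.StartType -ne 'Automatic')
    $r
}

function Get-OpenPorts {
    # Parse netstat so this works even where Get-NetTCPConnection is missing.
    # Matches TCP LISTENING lines and all UDP lines; returns proto/port -> PID.
    $open = @{}
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(LISTENING\s+)?(\d+)\s*$') {
            $p = [int]$Matches[2]
            if ($ports -contains $p) { $open["$($Matches[1])/$p"] = [int]$Matches[4] }
        }
    }
    $open
}

Test-HardeningState | Format-Table -AutoSize
$still = Get-OpenPorts
if ($still.Count) { 'Still open (proto/port -> PID):'; $still }
else { "None of ports $($ports -join ', ') are open." }
```

On the serving computer in Gerald's LAN scenario, 137-139 are expected to stay open; the port table tells you which process still owns any port that should have gone away.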