Windows XP Community - XPHeads



Tech Tip: This is how You Disable Dcom & close Down Port 135

microsoft.public.windowsxp.security_admin


  #1 (permalink)  
Old 03-21-2008, 03:11 PM
Marbles
 
Posts: n/a
Tech Tip: This is how You Disable Dcom & close Down Port 135
Is port 135 flapping in the wind?

Possibly being a security risk if your firewall is not blocking this port.
Even if your firewall is blocking this port, just the thought of this port
being left open by the Microsoft operating system annoys you and you would
like that port 135 closed once and for all.

Check to see what ports are currently open. This is best done when you first
boot into Windows and have not connected to the net.

1) Open command prompt - start > run > cmd

2) Type in the following command:

netstat -an

-a this switch lists all listening ports
-n lists all addresses & ports in numerical order

You will see port 135 listening.

Note: Before making any registry changes or continuing with this procedure:

- Create a system restore point, back up your computer & export each registry
path before modifying any registry entries.


....This is how you disable Dcom & Close Port 135

Disable Dcom

1) Start Registry Editor - start > run > regedt32

2) Navigate to the following registry Key

- HKEY_LOCAL_MACHINE \ Software \ Microsoft \ OLE

3) Located at the right side. Select the item named EnableDCOM and modify
the value to N


This next step Will Close Port 135

4) Open registry editor & navigate to this registry key

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Rpc

5) Right click on & Modify the value named DCOM Protocols

6) Under the Value Data, you will see values like
DCOM Protocols

Value Data:

ncacn_ip_tcp REG_SZ rpcrt4.dll
ncacn_nb_tcp REG_SZ rpcrt4.dll
ncacn_np REG_SZ rpcrt4.dll
ncacn_ip_udp REG_SZ rpcrt4.dll
ncacn_http REG_SZ rpcrt4.dll

Any value attached to DCOM Protocols is what keeps the Port 135 / epmap
(endpoint mapper)

7) Under Value Data highlight everything listed and DELETE all by using your
Delete key or your Backspace key.

DCOM Protocols

Value Data:



Click ok

All there should be is DCOM Protocols with no values

8) Done with registry editor ..exit or close registry editor

9) Open Control Panel > Administrative Tools > double click Services

Disable the following services since DCOM has also been disabled


- COM+ Event System
- COM+ System Application
- System Event Notification

10) Finally Restart the computer...

For verification when your computer has restarted open the command prompt.

Type netstat -an and for certain you will see port 135 closed.

Then you can celebrate... yippee!, dance around the room, scream out your
window.. and say bye bye port 135!

Hope this has Helped you in finally closing the Pesky Port 135.

Have a Good One
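
One way to compare the `netstat -an` output taken before the change with the output after the restart, as an added example that is not part of the original post. The sample output, addresses and function names are constructed for illustration; the parser counts only the Local Address column of LISTENING TCP rows (and bound UDP rows), so an outbound connection to a remote port 135 or a local port such as 1135 is not mistaken for an open port 135.

```python
# Added example: compare `netstat -an` snapshots from before and after the change.
# BEFORE is constructed sample output in the Windows netstat layout (not a real capture).
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1135      203.0.113.5:135        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# Constructed "after restart" snapshot: identical except the 0.0.0.0:135 listener is gone.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "0.0.0.0:135 " not in l)


def parse_listeners(netstat_text):
    """Return {(proto, local_ip, port)} for LISTENING TCP and bound UDP sockets."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""  # UDP rows have no State column
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not open ports
        ip, _, port = local.rpartition(":")  # rpartition also copes with [::]:135
        if port.isdigit():
            found.add((proto, ip, int(port)))
    return found


def exposure(netstat_text, port, proto="TCP"):
    """Classify a local port as 'closed', 'loopback-only' or 'network'.

    'network' only means the socket is bound to a non-loopback address;
    a firewall in front of it may still filter the traffic.
    """
    ips = {ip for p, ip, n in parse_listeners(netstat_text) if p == proto and n == port}
    if not ips:
        return "closed"
    if all(ip.startswith("127.") or ip == "[::1]" for ip in ips):
        return "loopback-only"
    return "network"


def closed_by_change(before, after):
    """Listeners present in the first snapshot but absent from the second."""
    return sorted(parse_listeners(before) - parse_listeners(after))


if __name__ == "__main__":
    print("TCP 135 before:", exposure(BEFORE, 135))
    print("TCP 135 after: ", exposure(AFTER, 135))
    print("closed by the change:", closed_by_change(BEFORE, AFTER))
    print("still listening:", sorted(parse_listeners(AFTER)))
```

On a real machine, save each snapshot with `netstat -an > before.txt` and feed the file contents to the same functions.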

  #2 (permalink)  
Old 03-21-2008, 06:56 PM
Allan
 
Posts: n/a
Re: Tech Tip: This is how You Disable Dcom & close Down Port 135

"Marbles" <Marbles@discussions.microsoft.com> wrote in message
news:65E18DE0-1DC0-4C1B-8F16-E5D3E3B2272A@microsoft.com...
> Is port 135 flapping in the wind ?
>
> Possibly being a security risk if your firewall is not blocking this port.
> Even if your firewall is blocking this port. Just the thought of this port
> being left open by the Microsoft operating system annoys you and you would
> like that port 135 closed once and for all
>
> Check to see what ports are currently open. This is best done when you
> first
> boot in to windows and have not connected to the net
>
> 1)open command prompt - start > run > cmd
>
> 2)type in the following command:
>
> netstat -an
>
> -a this switch lists all listening ports
> -n lists all addresses & ports in numerical order
>
> You will see port 135 listening
>
> Note: Before making any registry changes or continuing with this
> procedure.
>
> - Create a system restore point, Backup your computer & export each
> registry
> path before modifying any Registry entries.
>
>
> ...This is how you disable Dcom & Close Port 135
>
> Disable Dcom
>
> 1) Start Registry Editor - start > run > regedt32
>
> 2) Navigate to the following registry Key
>
> - HKEY_LOCAL_MACHINE \ Software \ Microsoft \ OLE
>
> 3) Located at the right side. Select the item named EnableDCOM and modify
> the value to N
>
>
> This next step Will Close Port 135
>
> 4) Open registry editor & navigate to this registry key
>
> HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Rpc
>
> 5) Right click on & Modify the value named DCOM Protocols
>
> 6) Under the Value Data, you will see values like
> DCOM Protocols
>
> Value Data:
>
> ncacn_ip_tcp REG_SZ rpcrt4.dll
> ncacn_nb_tcp REG_SZ rpcrt4.dll
> ncacn_np REG_SZ rpcrt4.dll
> ncacn_ip_udp REG_SZ rpcrt4.dll
> ncacn_http REG_SZ rpcrt4.dll
>
> Any value attached to DCOM Protocols is what keeps the Port 135 / epmap
> (endpoint mapper)
>
> 7) Under Value Data highlight Everything listed and DELETE All by using
> your
> Delete key or your Backspace key.
>
> DCOM Protocols
>
> Value Data:
>
>
>
> Click ok
>
> All there should be is DCOM Protocols with no values
>
> 8) Done with registry editor ..exit or close registry editor
>
> 9) Open Control Panel > Administrative Tools > double click Services
>
> Disable the following services since DCOM has also been disabled
>
>
> - COM+ Event System
> - COM+ System Application
> - System Event Notification
>
> 10) Finally Restart the computer...
>
> For verification when your computer has restarted open the command prompt.
>
> Type netstat -an and for certain you will see port 135 closed.
>
> Then you can celebrate... yippee!, dance around the room,scream out your
> window.. and say bye bye port 135!
>
> Hope this has Helped you in finally closing the Pesky Port 135.
>
> Have a Good One
>

Thank you, but I thought Windows XP SP2 firewall is already blocking
incoming connections; have you tried any security tests before making this
change? In other words what does it buy you in terms of security? Have you
run "tcpdump" or another sniffer program to see what it was doing prior to
making this change?

--
Allan

  #3 (permalink)  
Old 03-21-2008, 07:59 PM
David H. Lipman
 
Posts: n/a
Re: Tech Tip: This is how You Disable Dcom & close Down Port 135
From: "Marbles" <Marbles@discussions.microsoft.com>

| Is port 135 flapping in the wind ?
|
| Possibly being a security risk if your firewall is not blocking this port.
| Even if your firewall is blocking this port. Just the thought of this port
| being left open by the Microsoft operating system annoys you and you would
| like that port 135 closed once and for all
|
| Check to see what ports are currently open. This is best done when you first
| boot in to windows and have not connected to the net
|

< snip >

I use a Linksys BEFSR81 Cable/DSL Router which uses NAT Translation and I specifically block
TCP/UDP ports 135 ~ 139 and 445 on the Router. Most, if not all, Cable/DSL Routers have
simplistic FireWall constructs. Therefore I have no problems and I need no modifications on
my LAN side nodes. :-)


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #4 (permalink)  
Old 03-21-2008, 10:32 PM
Marbles
 
Posts: n/a
Re: Tech Tip: This is how You Disable Dcom & close Down Port 135
Thank you for your replies. This post was meant for people who are interested
in closing that port. On numerous posting sites people have asked how to
close this port.

Just in case someone spots the post and is interested in doing so, the
solution is described.

Yes, I use a hardware-based firewall and it blocks ports. To tighten
security further I choose to close this port completely.

A router is a good first measure for security. Yes, in theory, a router if
configured correctly could be almost invulnerable. The key word is ALMOST.

So the question comes down to..

Do you rely and hope that your router or firewall will be 100% reliable,
100% of the time?

Personally I think going the extra step for the long term is a proactive one.
In the manner of preventing it before it does or possibly happen.

There have been some programs that will silently disable some parts of a
firewall. If a firewall is vulnerable, same goes for a router.

Here's an article on port 135 - http://www.grc.com/port_135.htm - while you're
there, test your first 1056 ports by using Shields Up.

Thanks for your 2 nano bytes of feedback

Cheers
  #5 (permalink)  
Old 03-21-2008, 11:15 PM
David H. Lipman
 
Posts: n/a
Re: Tech Tip: This is how You Disable Dcom & close Down Port 135
From: "Marbles" <Marbles@discussions.microsoft.com>

| Thank You for your replies. This post was meant for people who are interested
| in closing that port. On Numerous posting sites people have asked how to
| close this port.
|
| Just in case someone spots the post and is interested in doing so, the
| solution is described.
|
| Yes I use a hardware based firewall and it blocks ports. To tighten
| security further I choose to close this port completely.
|
| Router is a good first measure for security. Yes in theory, a router if
| configured correctly could be almost invulnerable. The key word is ALMOST.
|
| So the question comes down to..
|
| Do you rely and hope that your router or firewall will be 100% reliable,
| 100% of the time ?
|
| Personally I think going the extra step for the long term is a proactive one.
| In the manner of preventing it before it does or possibly happen.
|
| There have been some programs that will silently disable some parts of a
| firewall. If a firewall is vulnerable same goes for a router.
|
| Here's an article on port 135 - http://www.grc.com/port_135.htm - while you're
| there test your first 1056 ports by using Shields Up.
|
| Thanks for your 2 nano bytes of feed back
|
| Cheers

My last feedback -- don't rely on information on GRC, the scare monger.
Gibson made his money selling a program to change the interleave of MFM/RLL drives when
there were free alternatives.
Gibson is not an authoritative source for INFOSEC related information.

And yes, my BEFSRxx, with ports specifically being blocked, is 100% reliable.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #6 (permalink)  
Old 03-22-2008, 11:53 AM
Allan
 
Posts: n/a
Re: Tech Tip: This is how You Disable Dcom & close Down Port 135

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eY0Kwl6iIHA.1184@TK2MSFTNGP04.phx.gbl...

> My last feedback -- don't rely on information on GRC, the scare monger.
> Gibson made his money selling a program to change the interleave of
> MFM/RLL drives when
> there were free alternatives.
> Gibson is not an authoritative source for INFOSEC related information.
>
> And yes, my BEFSRxx, with ports specifically being blocked, is 100%
> reliable.
>
> --
> Dave

Dave, I don't know if you are aware of the tweak to disable NetBios without
editing the Registry :
http://security.symantec.com/sscv6/N...SCEFRQBCBZLSRZ
I checked my services and I already had COM+ Sys App service disabled; I
believe most users with standalone PC's can safely disable this service.
(That is, even without disabling DCOM as per the OP's instructions).
Even after you disable NetBios as per the instructions on the Symantec
website, you cannot disable the NetBios service; it is still needed for
connectivity for some reason. You would still need to block ports 135-138 in
your router after making this tweak.

--
Allan


  #7 (permalink)  
Old 03-22-2008, 05:37 PM
Marbles
 
Posts: n/a
Re: Tech Tip: This is how You Disable Dcom & close Down Port 135
Hello Fellas

GRC is a beginning source of security. Yes, there are many sources of info on
the net that can give you detailed info on security. Starting at the Microsoft
web site. Lots of resources on and making adjustments to your OS.

Does your router have the ability to detect programs that access the net and
also prevent programs' access as well?

....If not or if so

A simplified scenario for your router

In XP svchost by default accesses the net. DHCP service is just one service
that is launched through the svchost process. Firewalls recognize this to be
a legit process and no blocking is performed unless you specifically block
svchost.

Whatever service that is using svchost as a launch point will already have
access. A legit process or a naughty program that incorporates its process to
part of the svchost.

Then if a nasty service somehow got on your operating system, launching
itself through svchost, your router has just been compromised by this rogue
svchost service.

Router 99.98% ..why you ask?? 100% perfection to infinity is where we all
fall short including technology.

Allan has the correct approach in how to constructively learn and make
adjustments to propel his learning process further.


An interesting discussion have a good weekend fellas !


"Allan" wrote:

>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:eY0Kwl6iIHA.1184@TK2MSFTNGP04.phx.gbl...
>
> > My last feedback -- don't rely on information on GRC, the scare monger.
> > Gibson made his money selling a program to change the interleave of
> > MFM/RLL drives when
> > there were free alternatives.
> > Gibson is not an authoritative source for INFOSEC related information.
> >
> > And yes, my BEFSRxx, with ports specifically being blocked, is 100%
> > reliable.
> >
> > --
> > Dave

> Dave, I don't know if you are aware of the tweak to disable NetBios without
> editing the Registry :
> http://security.symantec.com/sscv6/N...SCEFRQBCBZLSRZ
> I checked my services and I already had COM+ Sys App service disabled; I
> believe most users with standalone PC's can safely disable this service.
> (That is, even without disabling DCOM as per the OP's instructions).
> Even after you disable NetBios as per the instructions on the Symantec
> website, you cannot disable the NetBios service; it is still needed for
> connectivity for some reason. You would still need to block ports 135-138 in
> your router after making this tweak.
>
> --
> Allan
>
>
>

  #8 (permalink)  
Old 03-22-2008, 05:52 PM
Bruce Chambers
 
Posts: n/a
Re: Tech Tip: This is how You Disable Dcom & close Down Port 135
Marbles wrote:
> Hello Fellas
>
> GRC is a beginning source of security. .....Snipped



Actually, Gibson is considered by many to be a very poor source for
computer security advice. Gibson has been fooling a lot of people for
several years, now, so don't feel too bad about having believed him. He
mixes just enough facts in with his hysteria and hyperbole to be
plausible. Despicably, Gibson is assuming a presumably morally superior
pose as a White Knight out to rescue the poor, defenseless computer
user, all the while offering solutions that do no good whatsoever.


--

Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html

http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
  #9 (permalink)  
Old 03-22-2008, 05:53 PM
David H. Lipman
 
Posts: n/a
Re: Tech Tip: This is how You Disable Dcom & close Down Port 135
From: "Marbles" <Marbles@discussions.microsoft.com>

| Hello Fellas
|
| GRC is a beginning source of security. Yes there are many sources of info on
| the net that can give you detailed info on security. Starting at Microsoft
| web site. Lots of resources on and making adjustments to your OS.
|
| Does your router have the ability to detect programs that access the net and
| also prevent programs access as well ?
|
| ...If not or If so
|
| A simplified scenario for your Router
|
| In XP svchost by default accesses the net. DHCP service is just one service
| that is launched through the svchost process. Firewalls recognize this to be
| a legit process and no blocking is performed unless you specifically block
| svchost.
|
| Whatever service that is using svchost as a launch point will already have
| access. A legit process or a naughty program that incorporates its process to
| part of the svchost.
|
| Then if a nasty service somehow got on your Operating System. Launching
| itself through Svchost. Your router has just been compromised by this rogue
| svchost service.
|
| Router 99.98% ..why you ask?? 100% perfection to infinity is where we all
| fall short including technology.
|
| Allan has the correct approach in how to constructively learn and make
| adjustments to propel his learning process further.
|
| An interesting discussion have a good weekend fellas !
|

The problem with that scenario: you are already infected. I am more interested in keeping
hackers and I-worms (and some exploitation Trojans) from getting in.

Safe Hex is the *best* protection backed up by anti virus software.

The Router can't be "compromised". It can not be accessed from the WAN side and it runs
from ROM.

I don't believe in "tweaking" the OS. I believe in border protection and won't use software
based FireWall applications.

Tweaking the OS can have negative side effects as in breaking various OS communication
constructs.

Yes... This is a good discussion. :-)


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #10 (permalink)  
Old 03-22-2008, 07:44 PM
Marbles
 
Posts: n/a
Re: Tech Tip: This is how You Disable Dcom & close Down Port 135
Not necessarily that a computer has to be infected. All it takes is an
exploitation of the svchost process.

Routers are vulnerable. Proof that Cisco, one of the largest networking
suppliers, had a router compromised. If Cisco had an exploitation of a
router, then certainly Linksys, Dlink or any other router are vulnerable.. it's
a thing called time & exploitation. Or a matter of time before some brainiac
discovers another exploitation of a router.

*******************************************************
The following link is presented for the purpose of evidence that routers can
be compromised. This information's intent is for evidence and not the purpose
to lead others to do such acts of a malicious nature**

*******************************************************
Cisco Router Exploitation

********** http://antionline.com/showthread.php?t=197482 **********

*******************************************************

Yes, I concur on your findings of shutting down services can negate the
function of the OS. Just be very careful on what you turn off. Never turn off
Remote Procedure Call (RPC) service. It's the backbone for all the services.

*** Yes... This is a good discussion. :-)**** Bingo That's the ticket !***


>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>
>
