
Thread: Common Ports Probe shows 135 RPC OPEN!

  1. #1
    metallica Guest

    Common Ports Probe shows 135 RPC OPEN!

    Just ran Common Ports Probe from Gibson Research ( http://www.grc.com/ ) and got
    Warning:
    135 RPC OPEN! (Remote Procedure Call) "This impossible-to-close port appears in most Windows systems. Since many insecure Microsoft services use this port, it should never be left "open" to the outside world. This port has been exploited to send "Messenger Spam" pop-ups to Microsoft windows users. Since it is impossible to close, you will need a personal firewall or NAT router to block it from external access. Do it soon!"

    Per a previous thread suggestion, went into ZA Security Suite and changed the server rights for the Internet Zone. Changed all of those with Allow to Ask except those that ZA Security Suite "strongly recommends that you do not change those settings", such as for Generic Host Process for Window Services | System, A popup with heading System Programs: Applying custom settings to System Programs could cause serious problems with your computer including crashes and Internet connectivity problems. ZA Security Suite strongly recommends that you do not change those settings.

    Retest with the Common Ports Probe from Gibson Research, result still the same, Port 135 is still open.

    Any remedy?

    Is this a common issue with ZA Security Suite?
    (Common Ports Probe is at http://www.grc.com/)

    Thks in advance.

    Operating System: Windows XP Home Edition
    Software Version: 7.0
    Product Name: ZoneAlarm Internet Security Suite

  2. #2
    naivemelody Guest

    Re: Common Ports Probe shows 135 RPC OPEN!

    Read thru these - pay attention to Guru Oldsod - http://forums.zonelabs.org/zonelabs/...ssage.id=18551
    read all.

    Very often the same questions come up; it's easy to do a search with the red box at the top of board - you can often find past issues/ questions/ problems with resolutions or just insights.
    http://forums.zonelabs.org/zonelabs/...;sort_by=-date

    NaiveMelody NYC 10-20-07 - White Rabbit - Jefferson Airplane (> Starship)

  3. #3
    watcher Guest

    Re: Common Ports Probe shows 135 RPC OPEN!

    Dear Metallica:

    I closed this port on my computer using a Registry edit. Drill down to HKLM\SYSTEM\CurrentControlSet\Services\RpcSs.
    Add the following string value name and data value:

    ListenOnInternet=N

    You must reboot for this to take effect.

    Hope this helps.

    WATCHER

  4. #4
    metallica Guest

    Re: Common Ports Probe shows 135 RPC OPEN!

    Thanks, WATCHER, for the suggestion.

    I must confess that it is my first venture into RegEdit.

    I ran RegEdit and it only shows the HKEY's but no HKLM. Using Edit | Search and searching for "HKLM\SYSTEM\CurrentControlSet\Services\RpcSs" did not produce a result. (XP Home, an HP machine)

    Can I ask if you can walk me thru how to add the string as suggested. Much appreciated.

  5. #5
    watcher Guest

    Re: Common Ports Probe shows 135 RPC OPEN!

    Dear Metallica:

    Sure. Click Start, Run, type regedit, then click OK. The Registry Editor opens by default with the last subkey that you had clicked on. Otherwise, you will see 5 root keys listed under My Computer. Click on the + symbol next to HKEY_LOCAL_MACHINE (HKLM) to expand its subkeys. Do the same and expand out SYSTEM. Do the same and expand out CurrentControlSet. Do the same and expand out Services. Now find the subkey RpcSs beneath Services and click ON it to highlight it. Right click RpcSs subkey, click Export, then when the Export Registry File dialog box opens, give it a filename such as RpcSsBEFORE.reg and save to a convenient location on your hard drive. This is a backup of the subkey in case you need it. Now, right click the RpcSs subkey again, highlight New, then click String Value.
    In the right pane, you will see a highlighted entry with a value name of New Value #1. Type in ListenOnInternet and if the name can't be typed in, right click it and click Rename. Now type ListenOnInternet. Now, double click on ListenOnInternet and, in the Edit String dialog box, type in N in the Value data: field. Click OK. Make sure it is displayed in the right pane as entered above. Now close out Registry Editor and reboot.
    Check with a port mapper such as netstat and you will see port 135 no longer appears.

    Hope this helps.

    WATCHER

    Message Edited by WATCHER on 10-26-2007 08:23 PM

  6. #6
    metallica Guest

    Re: Common Ports Probe shows 135 RPC OPEN!

    Thank you Watcher for being so kind to list all the steps for a newbie like me.

    Followed the instructions and using RegEdit, arrived at
    My Computer\HKEY_Local_Machine\System\CurrentControlSet\Services\RpcSs
    and successfully added the ListenOnInternet.
    It is displayed in the right pane as Name: ListenOnInternet, Type: REG_SZ, Data: N

    And rebooted my XP machine as instructed (several times since, and each time checked it still displays as above).

    When tested with Gibson Research's Shield's Up's Common Ports tool, it still shows as port 135 open.

    (Tried also removal of the McAfee's SiteAdvisor program, still the same...)

  7. #7
    watcher Guest

    Re: Common Ports Probe shows 135 RPC OPEN!

    Dear Metallica:

    Sorry, when I did my Registry edit, I also performed the following 3 Registry edits the same day:

    HKLM\SOFTWARE\Microsoft\OLE

    Change the following value names to these data values:

    EnableDCOM=N
    EnableRemoteConnect=N


    HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

    Add the following DWORD value name and data value:

    SmbDeviceEnabled=0 (decimal)

    Port 135 should be closed now.

    WATCHER

  8. #8
    metallica Guest

    Re: Common Ports Probe shows 135 RPC OPEN - Alas!

    Thank you, Watcher, for your prompt reply of additional steps.

    I was initially unsure about shutting down the DCOM. Did a search on the subject DCOM on windowssecrets.com and came up with this:
    http://windowssecrets.com/L030904-02...ool-Port-Scans
    which leads me to Steve Gibson's freeware: The DCOMbobulator at
    http://grc.com/dcom/

    Alas, using the "DCOMbobulate Me!" tab of the DCOMbobulator did the job. The port 135 is now closed.

    I checked RegEdit, and looks like DCOMbobulator did the following Registry edit:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

    EnableDCOM=N - DcomBob did that
    EnableRemoteConnect=N - DcomBob didn't do that

    Whether the DCOMbobulator disabled some of the RPC dependent services, I don't know.

    Granted, it is the same Steve Gibson's grc.com that I've been using to test the common ports, not sure if there is any bias (I wd doubt that).

    So thank you again WATCHER, you're a big help!

  9. #9
    watcher Guest

    Re: Common Ports Probe shows 135 RPC OPEN - Alas!

    Dear Metallica:

    You're welcome. Yes, the DCOMbobulator is a front-end (GUI) for doing this. I don't know much about DCOM (Distributed Component Object Model) other than it defines the remote procedure call that allows those objects to be run remotely over a network.

    EnableRemoteConnect=N prevents a modem from dialing out when Windows starts. It is not related to DCOM.

    SmbDeviceEnabled=0 closes port 445 from being used by SYSTEM, which like port 135, is set to listening by default.

    These are just O/S hardening tweaks to make it harder to attack. The fewer ports open and listening, the better. Logical ports have been compared to windows on a house.

    WATCHER
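
Added example, not part of any post in this thread: a small Python check for the netstat verification step mentioned above, reporting whether ports 135 or 445 still have a listener bound to a non-loopback address. The sample `netstat -an` output is constructed for illustration, and the function names are hypothetical.

```python
import re

# Ports discussed in the thread: 135 (RPC) and 445 (closed via SmbDeviceEnabled=0).
WATCHED_PORTS = {135, 445}

# Constructed sample of `netstat -an` output on Windows (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1135      203.0.113.7:80         ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:445            *:*
"""

# proto, local address, local port, foreign address, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return (proto, address, port) for LISTENING TCP sockets and bound UDP sockets."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        listeners.append((proto, addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"


def exposed_watched_ports(netstat_text, watched=WATCHED_PORTS):
    """Sorted watched ports that have a listener on a non-loopback address."""
    return sorted({port for _proto, addr, port in parse_listeners(netstat_text)
                   if port in watched and not is_loopback(addr)})


if __name__ == "__main__":
    print(exposed_watched_ports(SAMPLE_NETSTAT))
```

netstat reports local listeners only; an external probe such as the one used in this thread shows what is reachable through any firewall or router in between.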
