How can I block port 135 on Windows Server 2008 R2?

    Question

  • Hi All,

    We are having our servers hardened, and we failed a penetration test because port 135 is open on our 2008 R2. They said I should close those ports.

    I am searching over the net, but all I saw was closing it on XP. However, it did not work on 2008.

    Has anyone of you tried closing that port (135) on a Windows 2008 machine, and could you probably teach me how?

    Thanks 

    Wednesday, March 06, 2013 6:54 PM

Answers

  • Try rpccfg, and unselect your internet NIC.

    Check that registry key; it may be good for you:

    By default, the portmapper RPC service binds to all network interfaces.

    A registry value, ListenOnInternet, controls whether the portmapper RPC service
    binds to all interfaces or not. By default, this value does not exist and has
    implicitly a default value of "Y":

    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\
    Value: ListenOnInternet
    Type: REG_SZ
    Content: "Y" or "N"

    When set to "N", TCP port 135 will only listen on interfaces specified by the
    Bind value described in the previous section. (rpccfg.exe's section)

    Run netstat -ano, and be sure it's associated with something like svchost (not any other third-party tool).


    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Twitter - @yagmoth555
    Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/

    Tuesday, March 12, 2013 2:57 AM
    Moderator
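An added audit script, not from the thread or its author, that checks the two things the answer above tells you to verify: the RpcSs ListenOnInternet value and which interfaces and process actually own the TCP 135 listener. It is PowerShell 2.0 (the version shipped with 2008 R2); the $ExternalNics address is a placeholder for your own public NIC.

```powershell
# Added example (not from the thread): audit TCP 135 (RPC endpoint mapper) exposure
# on Windows Server 2008 R2. Run from an elevated prompt so netstat -ano shows PIDs.
$ExternalNics = @('203.0.113.10')   # placeholder: replace with your public NIC address(es)

# 1. The RpcSs registry value from the answer. When the value is absent the
#    endpoint mapper behaves as if it were "Y" (listen on every interface).
$rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcSs'
$props  = Get-ItemProperty -Path $rpcKey -ErrorAction SilentlyContinue
if ($props -and $props.ListenOnInternet) { $listenOnInternet = $props.ListenOnInternet }
else { $listenOnInternet = 'Y (default, value not present)' }
"ListenOnInternet = $listenOnInternet"

# 2. Parse netstat -ano for TCP listeners on port 135 and resolve the owning process.
#    Address 0.0.0.0 or [::] means bound to all interfaces; a specific address means
#    the listener has been restricted to that interface (what rpccfg / Bind does).
$listeners = @()
foreach ($line in (netstat -ano)) {
    if ($line -match '^\s*TCP\s+(\S+):135\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $ownerPid = [int]$matches[2]
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $listeners += New-Object PSObject -Property @{
            Address = $matches[1]
            Pid     = $ownerPid
            Process = $(if ($proc) { $proc.ProcessName } else { 'unknown' })
        }
    }
}

# 3. Report: a listener on all interfaces or on the external NIC is what the
#    outside scan saw; an owner other than svchost is worth a closer look.
if (-not $listeners) { 'No TCP 135 listener found.' }
foreach ($l in $listeners) {
    $exposed = ($l.Address -eq '0.0.0.0') -or ($l.Address -eq '[::]') -or ($ExternalNics -contains $l.Address)
    if ($l.Process -ne 'svchost') { $note = 'WARNING: owner is not svchost, investigate' }
    elseif ($exposed)             { $note = 'EXPOSED: bound to all or external interfaces' }
    else                          { $note = 'internal interface only' }
    '{0,-18} PID {1,-6} {2,-10} {3}' -f $l.Address, $l.Pid, $l.Process, $note
}
```

Re-run it after changing the rpccfg binding or the registry value; the listener should move from 0.0.0.0 to the internal address only, and the external scan should then no longer report 135.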

All replies

  • Try here: http://technet.microsoft.com/en-us/library/dd448575(v=ws.10).aspx

    There are predefined rules (several), including one for Windows File and Printer Sharing; this one includes permit rules for TCP 135 and TCP 445.

    Also, here is some end-user info which may help:

    http://windows.microsoft.com/en-us/windows-vista/enable-file-and-printer-sharing

    Don

    Wednesday, March 06, 2013 8:40 PM
  • Hi,

    I created rules blocking port 135 on the firewall and in IPsec.

    But when I scan the port from outside (the internet), it is open.

    Also, when I execute netstat -an | find /i "listening"

    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING

    the result is as above.

    So I am asking how I can make port 135 not listen. It is a possible security risk according to our auditor.

    Hope someone can help

    Wednesday, March 06, 2013 9:41 PM
  • Hi

    135 is also used for RPC by a lot of roles (like Netlogon, see http://support.microsoft.com/kb/832017/en-us).

    What roles does that server have?

    Blocking that port might take a lot of services down. Can't you filter that port to allow it to talk only to your LAN users? Configuring the firewall properly is the best option IMO.

    Some blogs tell you to uninstall "Client for Microsoft Networks" to completely remove port 135... but unless it's a standalone server in a corner, I don't recommend doing it.


    Thursday, March 07, 2013 2:08 AM
    Moderator
  • Hi yagmoth555,

    It is a DNS server. Standalone.

    2 NICs: one for internal remote access and one public for external DNS requests. Upon scanning the external IP, it showed port 135 as open.

    Thursday, March 07, 2013 1:46 PM
  • On the external NIC, do you have only TCPv4 selected?

    Friday, March 08, 2013 2:20 AM
    Moderator
  • On the external NIC, do you have only TCPv4 selected?

    Yes, you are right.

    Monday, March 11, 2013 4:40 PM