About

Mark
Premium
join:2001-11-15
Phoenix, AZ
kudos:1

RPC - Port 135

RPC Service - Windows NT based machines (2000, XP)

Remote Procedure Call (RPC) is a technology that's used to support distributed applications with various components located on different machines. RPC is used in client/server applications.
dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

Re: RPC - Port 135

RPC is also used within a single machine (the 'Remote' really refers to calls between address spaces). A lot of NT software uses RPC, so you can't just disable RPC entirely.

(RPC typically doesn't use TCP/IP for intramachine use, it uses a faster kernel-supported communication mechanism.)
mosaic19

join:2003-02-03
Mobile, AL

port that spammers love?

In recent times, Microsoft Windows 2k and XP users are being attacked by spammers through this RPC service.
There was a time when annoying spam popups interrupted every 2k/XP user in the middle of their work. It was very irritating. You could disable messenger service to prevent "admin alert spams." The last thing I've heard is that it is impossible to disable port 135 without using a firewall.
Does anyone here know any updated news about this RPC port?
beharrison

join:2002-07-10
Columbia, SC

Open RPC port 135 for Outlook to Exchange traffic

Exchange clients such as Outlook and Outlook Express use port 135 to connect to Exchange servers. If you have remote users who VPN into your network, this port must be open on the firewall to allow them to access the Exchange server. There are numerous Q articles on this topic in the MS Knowledgebase. It is not necessary to open 135 for Outlook Web Access users, as they connect via port 80.
brenteverett

join:2003-04-25
Houston, MO

Re: Open RPC port 135 for Outlook to Exchange traffic

said by beharrison:
Exchange clients such as Outlook and Outlook Express use port 135 to connect to Exchange servers. If you have remote users who VPN into your network, this port must be open on the firewall to allow them to access the Exchange server. There are numerous Q articles on this topic in the MS Knowledgebase. It is not necessary to open 135 for Outlook Web Access users, as they connect via port 80.
This may depend on how the VPN is set up. If the VPN tunnel can carry any TCP/IP traffic then it is not necessary to open port 135, just the port(s) for your type of VPN (PPTP, L2TP, IPSec).
r4d1sh

join:2003-05-04
UK

How to turn off in win2k

OK - The messenger port can be set to 'manually' start instead of 'auto' (when Windows boots up) by going to control panel, administrative tools, services, messenger. Set it to 'manual'. I had the same pop-up crap from advertisers - really damn annoying (especially during a Quake game, which happened many times!). Since setting to manual, I haven't had a single pop-up ad, and I haven't noticed any side effects of shutting it down at all! Hope this helps - regards, r4d1sh!

sssssss

@in-addr.btopenworld.

Re: How to turn off in win2k

To r4d1sh:
The pop up ads you mention can be stopped by going into services in administrative tools and disabling 'messenger'. This is NOT the same as windows messenger, they're completely different processes. Problem solved.

sssssss

@in-addr.btopenworld.

Re: How to turn off in win2k

Oh....

Christ I'm tired :/

BWx232

@adelphia.net
That is what he said. He didn't say anything about Windows messenger. He described how to turn off the messenger service.

Kob

@actcom.co.il
Side effect: Shutting down Messenger Service will also disable system alert messages like reaching the limit of the Event Viewer entries etc.
CShirey

join:2003-07-17
Euclid, OH

How do I close the port in WinXP Pro?

If I use Outlook and Outlook Express from my home computer only (do not connect from anywhere else) do I need this port to be open?

CShirey
skisplat
Premium
join:2003-07-17
Metairie, LA

How do I..

I really do not need this port at all, how do I close it?

hardened

@rr.com

Re: How do I..

Basically you can close the port but if you do
you are shutting a lot of functionality off...

It's also not an easy task to do....
I wrote up a breakdown on how to harden your system in kerio security forum once...

But I only just mentioned this since it's a difficult process...I will include a similar breakdown here:

A secure system is one that doesn't advertise shares using netbios and closes ports 135-139 and port 445.
However you can skip Section 1, to try and avoid losing some functionality.

Section 1: Turning off Netbios

(Warning this will disable your ability to share anything.)
(If you truly need to share files,
consider running a ftp server such as raiden.)

Summary: Basically Disable all netbios drivers,
reboot, your ports should be closed.

How to do it:

1. First go into your services and turn off netbios helper.
2. Then go to my computer\hardware\Device Manager,
click on view, show hidden devices,
look for non-plug and play drivers,
then look for netbios, disable it..
3. Reboot, if no errors occur..you're set.
4. Go to a dos prompt, and double check,
to see if port 135 is closed.
Type: netstat -an.
5. If not go to Section 2.

(You should see ports 135-139 are missing and port 445,
is closed as well.)

Section 2: The hard way of closing port 135, you

1. Open regedt32
2. Export below keys into a backup reg file.
3. Change items below in registry.

Basically find:
HKLM\Software\Microsoft\OLE
Look for: EnableDCOM
Look for: EnableRemoteConnect
Change value from: Y to N
(If not present then add it.)
(Reg_SZ)

Then go to:
HKLM\Software\Microsoft\RPC\ClientProtocols
Look for: ncacn_ip_tcp
Look for: ncadg_ip_udp
Remove Them.
(Reg_SZ)

HKLM\Software\Microsoft\RPC\DCom Protocols
Look for: ncacn_ip_tcp
Remove It.
(Reg_Multi_SZ)

Section 3: Closing Port 445.

HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Look for: SMBDeviceEnabled
Change it to: 00000000
(If not present then add it.)

(To simplify some of it, copy the text below to a text file and name it Dcom-Smboff.reg. Double-click on the file and it should make the changes automatically. Remember, this will not remove any of the ncacn reg entries; those have to be done by hand.)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"EnableRemoteConnect"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"SMBDeviceEnabled"=dword:00000000

If you perform all these steps this should turn off port 135 and 445, and stop remote users from running any programs.

Reply to this message if you have questions.

Hardened.
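
Added example (not part of any post in this thread): one way to check a regedit export against the values the post above gives, including the ClientProtocols entries the .reg file does not remove. The sample export and the function names are constructed for illustration.

```python
import re

# Constructed sample: a regedit export from a host where only part of the
# procedure was applied (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"EnableRemoteConnect"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols]
"ncacn_np"="rpcrt4.dll"
"ncacn_ip_tcp"="rpcrt4.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"SMBDeviceEnabled"=dword:00000001
'''

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r'\[(.+)\]', line)
        value = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
        elif value and current is not None:
            current[value.group(1).lower()] = value.group(2)
    return keys

def audit(text):
    """List settings that differ from the values given in the post."""
    keys = parse_reg(text)
    hklm = 'hkey_local_machine\\'
    ole = keys.get(hklm + r'software\microsoft\ole', {})
    client = keys.get(hklm + r'software\microsoft\rpc\clientprotocols', {})
    netbt = keys.get(
        hklm + r'system\currentcontrolset\services\netbt\parameters', {})
    findings = []
    for name in ('enabledcom', 'enableremoteconnect'):
        if ole.get(name) != '"N"':
            findings.append(name + ' is not "N"')
    if netbt.get('smbdeviceenabled') != 'dword:00000000':
        findings.append('smbdeviceenabled is not dword:00000000')
    for proto in ('ncacn_ip_tcp', 'ncadg_ip_udp'):
        if proto in client:
            findings.append(proto + ' still listed under ClientProtocols')
    return findings
```
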

Hardened

@rr.com

Re: How do I..

I forgot to mention,
you can turn off dcom using dcomcnfg.exe.

Type dcomcnfg.exe; when the window opens,
go to enable distributed COM,
and remove the checkmark.
Go to Default Protocols and remove all the protocols.

You're done.

Hardened.
MrBentor

join:2003-02-18
Seattle, WA

The MS DCOM Buffer overflow exploit on port 135

There is a big bad exploit based on this port

The DCOM Buffer overflow exploit can give anyone root access in an instant to your Windows PC or server.

Some information = »www.eeye.com/html/Research/Tools···COM.html

We even scanned and tested machines at work and found we can get in to many of our employees' machines with no effort because they did not install the patch we told them to.

I even had to install the patch to fix this exploit, using the exploit. The helpdesk had calls from surprised people when their machine suddenly rebooted as a result of installing the patch.

It was pretty creepy being able to get root access to so many Windows machines with no effort whatsoever.

D_D

@adelphia.net

closing port 135

Go here and download DCOMbobulator to close port 135. Easiest way to open and close with this program.
»grc.com/freepopular.htm

spuddiver
bbr addict

join:2002-11-28
Herts, UK

Re: closing port 135

I found this article by Stanford University IT staff »securecomputing.stanford.edu/por···ter.html regarding the RPC exploit, a clear indication that Microsoft OSes are littered with holes.

MonkeyJ

@mindspring.com

The Admin Popup Messenger Solution

At »www.grc.com they have a "SHOOT THE MESSENGER" program which you can run, and it detects if your popup admin spam program is running.. and has the option/ability to turn off the program..
It's very useful..
I've already "shot" my messenger

You're welcome if this helps :P
-MonkeyJ
Owner/Operator »MonkeyBlast.com

wowzers

@rcsntx.swbell.ne

Port 135 traffic disabled .. (I think ..)

I do believe all major US ISPs have completely disabled port 135 traffic as a result of the RPC exploit, as it was a major flaw that packet kiddies could use to greatly increase their numbers because so many people neglect to patch their systems, and let's not forget stop the blaster worm from spreading.

However, this is just what I heard, I haven't really read anything official that says so.

Ravenhaft

@ksc2mo.swbell.ne

Don't disable RPC

I consider myself to be computer-savvy, seeing as how I spend a great deal of time using them. However, I had no idea what the RPC protocol (I now know full well what it is) was and disabled it because my friend thought it would be funny (this was during the incident where nearly everyone with Windows XP was having random shutdowns related to the RPC protocol). RPC controls about half of what Windows does, including system restore. Much to my chagrin, I was forced to format and reinstall Windows.

LinuxFrag

@rcsntx.swbell.ne

Re: Don't disable RPC

Just dump windows and go with linux

keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB

1 edit

General recommendation to close at Internet bndry

In general, as an extra layer of security, ordinary home and SOHO Windows users should block external access to TCP and UDP ports 135-139 and 445 and TCP port 593.

Most software firewalls do this in their default settings.

Many NAT routers can be configured to block these as well.
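
Added example (not part of any post in this thread): the netstat -an check used in several posts, applied to the ports recommended above. It reports which of those ports are still bound on a non-loopback address; the sample output and the function name are constructed for illustration.

```python
# Ports named in the recommendation above: TCP and UDP 135-139 and 445,
# plus TCP 593.
WATCHED = {(proto, port) for proto in ('TCP', 'UDP')
           for port in (*range(135, 140), 445)} | {('TCP', 593)}

# Constructed sample of Windows "netstat -an" output (private and
# documentation addresses, not from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1041      198.51.100.7:135       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

def exposed_listeners(netstat_text):
    """Return sorted (proto, port, local_ip) for watched ports still bound."""
    hits = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ('TCP', 'UDP'):
            continue  # header, blank line or other text
        proto, local = fields[0], fields[1]
        # UDP rows have no State column; TCP rows count only when LISTENING,
        # so an outbound connection to a remote port 135 is not flagged.
        if proto == 'TCP' and fields[-1] != 'LISTENING':
            continue
        ip, _, port = local.rpartition(':')
        if not port.isdigit() or (proto, int(port)) not in WATCHED:
            continue
        if ip.startswith('127.'):
            continue  # bound to loopback only, not reachable from the network
        hits.add((proto, int(port), ip))
    return sorted(hits)

if __name__ == '__main__':
    for proto, port, ip in exposed_listeners(SAMPLE_NETSTAT):
        print(f'{proto} {port} bound on {ip}')
```
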
bst544

join:2002-10-24
Atlanta, GA

Re: General recommendation to close at Internet bndry

I just went and used tcp/ip filtering and only allow certain ports to gain access to the outside world. The rest of them I don't need and the firewall helps me out too.
Ghetto_Child

join:2004-05-30
Montreal, QC

Re: General recommendation to close at Internet bndry

Hey I was trying to use TCP/IP filtering in my windows 2000 pro also but it didn't have any effect. I blocked ports 80 and a few others that are normally used just to see if it works and I was still able to browse the internet with my Internet Explorer 6 and I ran a netstat scan to see the active connections, a bunch of IPs were there with port 80 established. I turned off the filtering since it wasn't making any difference for me.

You guys are very close to what I'm looking for though. I'm trying to find out how to manually open/close specific ports. In particular TCP 6699 and UDP 6257 for WinMX connections. I am using an Efficient Networks SpeedStream 5200 DSL Modem (not in bridge mode) and when I set my IP automatically I cannot make any TCP or UDP connections with WinMX but if I set my IP manually to a range within the DSL modem I can make a TCP connection with WinMX but no UDP connections. What should I do?

moudyman

@62.139.x.x

closing ports

Guys, you can also use IPsec policy for assigning a policy that blocks traffic to & from any source or destination ports & IPs. It's so simple and useful, & I tried it with ports 135-139 & 4444 UDP & TCP & it really worked and blocked all traffic to these ports & blocked the RPC exploit, so try it.

mammel toe

@comcast.net

Close All Open Ports

I've used registry tweaks, services.msc, DCOMbobulator, Shoot the Messenger, UnPlug n' Pray, X-Teq Setup, XP-AntiSpy, etc., but port 135 was the only port that wouldn't close. I found this site »www.hsc.fr/ressources/breves/min···.en.html, followed all the instructions, and I always have 0 ports open when I type netstat -an after a reboot.

gnomm

@arcor-ip.de

phone home printersoftware

hy,
I was reading through all of this and tried netstat for the 1st time.
reason: I was wondering why my new printer software would try to connect to the internet each time I opened wordpad for example.
pressing ctrl+alt+del there was a "lexpps" program showing up in the task manager (I got a lexmark printer..).
to get to the point: with netstat I realized that on startup of win98 no port was listening but as soon as I opened word or wordpad it came to listen on tcp 135, 1025, 1028 and udp 1028!
after kicking out this mysterious "lexpps" with the taskmanager it still listened to tcp ports 135 & 1025 until restart.
strange eh?
any suggestions?

thx
-gnomm

lllIIlllIIl

@comcast.net

a

This was one of the hardest of all ports to close. Be sure to scan your connection for open ports, some routers have ports open and remote features enabled by default.

gnomm

@arcor-ip.de

Re: a

hy!
your message brought great relief to me! thank you very much. I wonder why I was so dumb not to just rename the program....it's usually the 1st thing I do..tzz.

so now port 135 stays shut after starting word/wordpad and there's less work to do for my harddrive.

Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

Querying RPC endpoints

Microsoft's RPCDUMP utility is great for enumerating the RPC endpoints: run it with the /S IPaddress option and it will show all the endpoints with their names. It's broken out into several sections per protocol, and the ncacn_np (named pipes) listings include the machine name.

Adding the /I parameter actually attempts to ping the services, though in most cases you'd only expect the ncacn_ip_tcp (regular TCP/IP) transport to be reachable.
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site