Question about port 135 and 445.

Wing wrote:


No, it doesn't mean that someone is trying to hack into your computer.

Port 135 is the DCOM port and is used by the MS O/S to communicate with
other machines on a network including the Internet that's giant network
too. However DCOM is used in a closed environment using Component Object
Model communication between machines. Yes, if you leave that port open,
then something can compromise the machine and the machine can be
controlled or COM objects can be controlled via that port using RPC(s).

Yes, 445 is the MS NT based O/S's port for sharing resources between
machines in a closed and protected environment.

You have a personal FW/host based packet filter on the machine that's
protecting the ports on unsolicited inbound traffic on all ports, which
is the traffic the PFW is blocking -- normal everyday traffic out there
on the Internet that could lead to the machine being compromised if the
machine was not being protected.

If this is a single machine directly connected to the modem, then you
should disable/uninstall MS File and Print Sharing and Client for MS
Networks off the NIC (Network Interface Card) and it will close the
Windows Networking ports 137-139 UDP and 445 TCP and no communication
can happen on the ports period. You have no need to be networking.

Port 135 as far as doing anything with the NT O/S to close that port,
you should just leave it alone and let the PFW protect it.

Here are some other things you can do to better secure or harden the NT
based O/S to attack.

http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm

You should try to practice safehex.

http://www.claymania.com/safe-hex.html

Duane :)

Duane Arnold > wrote:



Not necessarily:
http://www.grc.com/dcom /

optikl wrote:


That all depends on the applications running on the machine are doing.
Some applications may need DCOM active on the machine in order to work.

If I am going to do something along the line of shutting down DCOM on a
NT based machine, then I am going to the MS site.

I won't have anything to do with Gibson. ;-)

But in general, one should just leave something like DCOM alone and let
a FW or packet filter protect the port.

Duane :)

Duane Arnold > wrote:


However they don't need any binding of network services for DCOM.



They say that a utility "dcomcnfg" exists. Or that adding the relevant
registry entries is trivial as well:

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole]
"EnableDCOM"="N"
"EnableDCOMHTTP"="N"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc]
"DCOM Protocols"=hex(7):00,00



http://www.grcsucks.com for a coverage of his biggest errors. Wanna choke...



Eh... no? Once the packet filter is down and makes a mistake, you're
busted. Disable DCOM network binding and you're safe until someone
changes the configuration, which under a restricted account is usually
only the case when installing a new Windows patch (and you can easily
check if it changes your configuration).

Sebastian Gottschalk wrote:


Good information, however, for me I can't do it I need DCOM running on
my machines. ;-)

Duane :)

Duane Arnold > wrote:



Can't your read? This entry doesn't disable DCOM at all (which would
make your system pretty unusable), it only disables offering DCOM as
network service for remote invokation. Almost noone needs that.

Sebastian Gottschalk wrote:


I didn't really bother to read it. But again, thanks for the info.

Duane :)

Duane Arnold wrote:


There is no such thing like a "DCOM port". It's the RPC portmapper
(RpcSs) that is bound to 135/tcp.

cu
59cobalt
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Ansgar -59cobalt- Wiechers wrote:


DCOM uses port 135 and that's how COM and COM+ objects communicate in
remote situations on the network using the MS platform.

With .NET solutions, MS uses .NET Remoting where as the developer can
chose any port above 1024 as the port to do remote communications
between  objects. However, .NET objects can be converted to interface
with existing COM objects and it's going to do it on port 135 the DCOM
port.

You can call that port anything you want but it's the DCOM port to me
and nothing else and DCOM uses that port on the MS platform.

Duane :)

Duane Arnold wrote:


Nope. DCOM uses RPC which uses port 135. RPC is not limited to DCOM and
there's a lot more than DCOM that uses RPC on a Windows host.

cu
59cobalt
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Ansgar -59cobalt- Wiechers wrote:


As fas as that's concerned, RPC is used by SVCHOST too  and a whole host
of other things that run not limited to DCOM so there you go I agree
with you.

But to me as a programmer, it's the DCOM port.

We can sit here and go back and forth about it all day long. I got my
view of it and you got your view of it and I am going to leave it at that.

Duane :)

135 is DCE-RPC. This is one possibility, how DCOM and COM+ may be
implemented.

Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain

Thanks for your information.

Wing