What should we do to block port 139 from allowing connections?

What should I do to block port 139?

Comodo firewall freeware on WinXP constantly reports Active Connections on
port 139: Protocol: TCP, Listening: 139, Bytes In: 0B, Bytes Out 0B

Googling for "Comodo Listening:139", I find the warnings disturbing:
http://www.iss.net/security_center/advice/Exploits/Ports/139/default.htm

The web sites say "Port 139 NetBIOS  NetBIOS Session (TCP), Windows File
and Printer Sharing is the single most dangerous port on the Internet. All
"File and Printer Sharing" on a Windows machine runs over this port. About
10% of all users on the Internet leave their hard disks exposed on this
port. This is the first port hackers want to connect to, and the port that
firewalls block"

Similar dire warnings are at http://www.linklogger.com/TCP139.htm & others.

What should I do to block this port 139 (I have no need for file sharing or
printer sharing among computers).

Please advise,
thanks in advance

Re: What should we do to block port 139 from allowing connections?
On Thu, 8 Jan 2009 22:48:30 -0800, J. Bouziane wrote:

<snip, snip>
 

Consider removing this PFW.
http://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/i_cant_install_comodo_firewall_pro-t9508.0.html
http://forums.comodo.com/help_for_v2/how_to_uninstall_comodo_firewall-t1184.0.html;topicseen
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=10

Read through:
Deconstructing Common Security Myths.
http://technet.microsoft.com/en-us/magazine/cc160979.aspx
Scroll down to:
"Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe."

Exploring the Windows Firewall.
http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
"Outbound protection is security theater -- it's a gimmick that only gives the
impression of improving your security without doing anything that actually
does improve your security."

For the average homeuser, the Windows Firewall in XP does a fantastic job
at its core mission and is really all you need if you have a 'real-time'
anti-virus program, [another firewall on your router or] other edge
protection like SeconfigXP and practise Safe-Hex.
The windows firewall deals with inbound protection and therefore does not
give you a false sense of security. Best of all, it doesn't implement lots
of nonsense like pretending that outbound traffic needs to be monitored.

Activate and utilize the Win XP built-in Firewall; Uncheck *all* Programs
and Services under the Exception tab.

Windows XP: How to turn on your firewall.
http://www.microsoft.com/protect/computer/firewall/xp.mspx

Read through:
Understanding Windows Firewall.
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

Using Windows Firewall.
http://www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx


Seconfig XP 1.0
http://seconfig.sytes.net/
(http://www.softpedia.com/progDownload/Seconfig-XP-Download-39707.html)
Seconfig XP is able to configure Windows not to use TCP/IP as transport
protocol for NetBIOS, SMB and RPC, thus leaving TCP/UDP ports 135, 137-139
and 445 (the most exploited Windows networking weak point) closed.
OR
Configuring NT-services much more secure.
http://www.ntsvcfg.de/ntsvcfg_eng.html

Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html
Hundreds Click on 'Click Here to Get Infected' Ad
http://www.eweek.com/article2/0,1895,2132447,00.asp

Good luck :)
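
Added example, not part of the thread: a check that parses `netstat -an` output and lists anything still listening on the ports the post above names (135, 137-139, 445), so you can confirm the effect of disabling them. The sample output, addresses and the `check_ports.py` file name are constructed for illustration.

```python
"""Flag listeners on the Windows networking ports named in the post above."""
import re
import sys

# Ports from the post: RPC endpoint mapper 135, NetBIOS 137-139, SMB 445.
WATCHED = {135, 137, 138, 139, 445}

# Constructed sample in the layout printed by Windows `netstat -an`.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      10.0.0.5:445           ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# proto, local address, local port, foreign address, optional state
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def open_watched(netstat_text):
    """Return sorted (proto, address, port) for sockets accepting traffic."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if port not in WATCHED:
            continue  # only the local port counts, not the remote one
        if proto == "TCP" and state != "LISTENING":
            continue  # UDP rows have no state column
        found.add((proto, addr, port))
    return sorted(found, key=lambda f: (f[2], f[0], f[1]))


def exposure(addr):
    """Classify the bind address of a listener."""
    if addr in ("0.0.0.0", "[::]"):
        return "all interfaces"
    if addr.startswith("127.") or addr == "[::1]":
        return "loopback only"
    return "single interface"


def report(netstat_text):
    """One line per finding; an empty list means the ports are closed."""
    return ["%s %d bound to %s (%s)" % (p, port, a, exposure(a))
            for p, a, port in open_watched(netstat_text)]


if __name__ == "__main__":
    # Pipe real output in (netstat -an | python check_ports.py; file name assumed).
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(text)) or "no listeners on watched ports")
```

A listener still shows up here when a firewall is blocking inbound connections to it, which is why a "Listening: 139" entry like the one in the question does not by itself mean the port is reachable from outside. The list empties only when the service is actually unbound.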

Re: What should we do to block port 139 from allowing connections?
On Fri, 9 Jan 2009 15:26:53 +0700, Kayman


Bad advice IMHO -- COMODO Firewall is excellent, much better than the
Windows XP Firewall.


Take what Microsoft says about security with a grain of salt --
Microsoft has a terrible security record, and much of what's in that
article is self-serving spin.

Most security experts consider outbound filtering, done right, to be an
important protection.  No matter how careful you are, infections are
still quite possible, and outbound filtering can help minimize damage
from such infections.  The advice in this article is a bit like saying,
you won't ever need an antibiotic if you take care not to get infected.


Firewall Challenge, Results and comments
<http://www.matousec.com/projects/firewall-challenge/results.php>

   Comodo Internet Security is rated 90%, Level 10+, Very good

   Windows Live OneCare is rated 5%, Level 1, Not recommended
   One of the worst products tested, listed in red
   [Windows Firewall (XP) is not even considered worth testing.]

   "So, what does it mean if the product fails even the most basic tests
   of our challenge? It means that it is unable to do what its vendor
   claims it can. Such a product can hardly protect you against the
   mentioned threats."

--
Best regards,   FAQ for Wireless Internet: <http://wireless.navas.us>
John            FAQ for Wi-Fi:  <http://wireless.navas.us/wiki/Wi-Fi>
           Wi-Fi How To:  <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems:  <http://wireless.navas.us/wiki/Wi-Fi_Fixes>

Re: What should we do to block port 139 from allowing connections?
On Fri, 09 Jan 2009 13:22:19 -0800, John Navas wrote:


I am glad you said "IMHO"! Anyway, which 3rd party software manufacturer
are you representing?


Oh really! Ever considered communicating with the authors? And have you
ever checked on their credentials?
BTW; what are yours?


Their os's were less secure prior NT WinXP. Be more specific, after all
we're talking about a pc and not a mac.


How so? The application we're talking about comes with the purchase of the
operating system; It's an integral part of the os.
 

Oh, really? You mean the so-called 'security experts' writing website ads
for 3rd party firewall applications?


A silly statement. Where did you get that idea from?
(ZA or Sunbelt websites?)


A pitiful analogy. Comparing a virtual world with the real world is nothing
but phantasmagorical.
 

Well, you're obviously not paying close attention especially to details!
Microsoft never claimed that their firewall included outbound traffic
control. And yet matousec are (repeatedly) testing it for something that is
not and was never there in the first place!
Based on this fact alone, one could assume that matousec are colluding with
the makers of 3rd party firewalls (PFW).

Re: What should we do to block port 139 from allowing connections?
On Sat, 10 Jan 2009 19:51:12 +0700, Kayman


None.

Are you rude by nature, or do you have to work at it?


We should take your word instead?  Hmmm... don't think so.

--
Best regards,   FAQ for Wireless Internet: <http://wireless.navas.us>
John            FAQ for Wi-Fi:  <http://wireless.navas.us/wiki/Wi-Fi>
           Wi-Fi How To:  <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems:  <http://wireless.navas.us/wiki/Wi-Fi_Fixes>

Re: What should we do to block port 139 from allowing connections?
On Sat, 10 Jan 2009 11:45:44 -0800, John Navas wrote:


It seems your perception of things requires fine tuning.
 

Wasn't it you who brought up f/w testing conducted by matousec?
And who is "we"? Which organization do you represent? (Oh, another rude
remark).
*You* may not comprehend the context of what is being said but many others
will.
Have a wonderful day :)
EOD

Re: What should we do to block port 139 from allowing connections?
On Sun, 11 Jan 2009 08:17:05 +0700, Kayman


Deity help them.

--
Best regards,   FAQ for Wireless Internet: <http://wireless.navas.us>
John            FAQ for Wi-Fi:  <http://wireless.navas.us/wiki/Wi-Fi>
           Wi-Fi How To:  <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems:  <http://wireless.navas.us/wiki/Wi-Fi_Fixes>

Re: What should we do to block port 139 from allowing connections?


COMODO Firewall is junk.....or at least the uninstaller is junk.

Have you tried to uninstall it John ?

Uninstalling it leaves you with a non-functioning network.

I just spent 3 hours getting it running again. It added a whole bunch of
adapters in the Device Manager Network Interfaces that can't be removed.


Re: What should we do to block port 139 from allowing connections?
On 20/01/2009 00:20, DanS wrote:
Thanks for the info, I was going to try it on an XP machine but after
reading that and the "uninstall" info. on the Comodo forums I will
forget about it for a while.
<http://forums.comodo.com/help_for_v3/comprehensive_instructions_for_completely_removing_comodo_firewall_pro_info-t17220.0.html;msg119226#msg119226>
A bit like the uninstall of the old versions of ZA.

Re: What should we do to block port 139 from allowing connections?


Just a little background......

I was a ZoneAlarm user since......well I don't remember, it's been that
long. I paid for version 4.something a long time ago, and had used that
up until this past October. At that time, I built a new PC, and installed
XP w/SP3. The version 4.? wouldn't install 'on this OS'....SP3...I'd used
it on SP2 no problems.

I had always used the older version because it was a firewall only, and
that's it. It wasn't some all-encompassing security 'suite'. I was
actually delighted when I visited the ZoneAlarm web page and saw there
was a free version of the current 8.x. The free version though was only
the firewall, and not a free version of the security 'suite'.

I had installed that and had been using it since then, and then last
week, I noticed the internet was slower than it used to be. Typically I
was getting around 3.5mbps d/l speed, but now was only getting 1.8
mbps...about half.

It wasn't until the wife was d/l'g something on her PC, and I was
watching over her shoulder when I noticed she was getting the 3.5 mbps on
the d/l, and subsequently checking the other PC's in the house, and they
were all getting 3.5 mbps, so it was at that point I realized the
slowness was only on my PC. I did everything I could to try to resolve
the issue....even thinking maybe it was something with SP3.....who knows
what changes they put into it. I even selected 'Shutdown ZoneAlarm' from
its systray icon context menu, but as it turns out, doing that
apparently does not 'shutdown' ZA, but instead I think it just stops
monitoring, as its process is still running.

I finally decided to try to uninstall ZA, which I did, and that brought the
speed back to normal. I was initially apprehensive about uninstalling it,
since if that wasn't the problem, I'd have to reinstall, and retrain it,
and set the manually added rules again.

That was where my quest for a new firewall began, and Comodo was the one
I tried first. I installed it, it said to reboot. I did. At reboot, there
was no systray icon for it (apps like that typically add a system tray
icon), there was a process running though. I figured I'd just run the exe
again, as many apps show the config applet when you run the exe again,
but nothing showed. I tried some different internet apps that use
different ports, no warnings about anything, started up a server app, no
warning. Hmmm. Well this does me no good. Uninstall.

The PC would get to the XP loading screen with the progress bar going.
Then just freeze. Safe-mode would work. Safe-Mode w/Networking would
freeze. That helped me narrow it down to the fresh uninstall of Comodo. 3
different LSP fix utilities later nothing. At that point, I uninstalled
the Windows Networking service. Rebooted. Fine. Re-installed Windows
Networking, reboot, all is well.

Except for the Device Mangler entries under Network adapters. In addition
to my actual adapter, there is:

Direct Parallel
WAN Miniport (IP)
WAN Miniport (L2TP)
WAN Miniport (PPPOE)
WAN Miniport (PPTP)

*As far as I can recall*, none of those were there before. I have them all
marked as Disabled, but can remove none of them. When I go to uninstall,
the error message reads.....

"Failed to uninstall device. The device may be required to boot up the
computer."

I don't think so, not if they are all disabled !!!!!!

So....that's my story and I'm sticking to it.

(Of course, now for the obligatory dig........serves me right for taking
a recommendation from Navass.)




Re: What should we do to block port 139 from allowing connections?
On 21/01/2009 23:31, DanS wrote:
The last paid for ZA I have is one of the 5.5's and is installed on my 2
oldest XP machines. I have no intention of ever installing SP3 on these,
one is a 7 year old desktop and the other a 3 year old laptop both of
which have SP2 and all the other necessary, desktop has no wlan updates,
updates after SP3.
I am trying ZA 8.0.065.000 on Vista at the moment without any problems
so would not be surprised if SP3 is causing a hiccup.
  I even selected 'Shutdown ZoneAlarm' from
Yes, you would have needed to "Open the ZoneAlarm program, go to the
OVERVIEW ->  PREFERENCES tab, and make sure the Load At Startup box is
UNchecked. Close the program, then right-click on the ZA icon and select
Shutdown.
  REBOOT."
Then try it.


Were you able to remove all of ZA before the comodo install as I have
read it does not like remnants of other firewalls?
Uninstall of ZA:-
<http://www2.nohold.net/noHoldCust542/Prod_1/Articles55646/CompleteUninstallNonNT.html>
I have only tried this with the old versions.

Quite a few people on the Comodo forums mentioned this and seemed to
have varying success at their removal. Did you try the batch file that
they are using to clean the registry entries?


Re: What should we do to block port 139 from allowing connections?
On 09/01/2009 08:26, Kayman wrote:

http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
That is an interesting statement considering the Vista Firewall has
outbound protection. Why have they implemented it if it is worthless?
<http://technet.microsoft.com/en-us/magazine/2008.06.security.aspx>
"Services in Windows Vista can run with a highly restricted token. In
essence, each service has its own security identifier (SID), which is
unique to that service. This Service SID can be used to restrict access
to resources, such as network ports. This is the same functionality we
saw earlier when we looked at restricting traffic to users. This means
that even though two services may run as NetworkService, they cannot
manage each other's processes and the firewall can be configured to
allow only one of them to communicate out. If the one that is blocked is
compromised, it cannot hijack the allowed service and use its allowed
port to communicate out because the port is restricted by Service SID.
This functionality is another one of the very cool security features
added to Windows Vista, and the new firewall uses it to actually provide
real security value by outbound firewall filtering."

Re: What should we do to block port 139 from allowing connections?
On Sat, 10 Jan 2009 10:09:06 +0000, LR wrote:


Different operating system!
Managing the Windows Vista Firewall
http://technet.microsoft.com/en-us/magazine/cc510323.aspx
(read in its entirety, twice, then re-read again :) )

Re: What should we do to block port 139 from allowing connections?
On 10/01/2009 11:48, Kayman wrote:
That link is producing exactly the same page as the one I provided so I
have read it.
Why is the author so insistent that "outbound blocking" was used just to
prevent compromising other systems? I have used it to stop programs from
just having access to the internet. This Vista machine I have insists on
trying to access the Internet using "Synaptics Pointing Device Driver",
"HP Software Update", "HP Quickplay"
and some others at monotonous regularity even though I set them for "no
auto-updates" and I use the firewall so they are blocked until I can see
some necessity for their access.

Re: What should we do to block port 139 from allowing connections?
On Sat, 10 Jan 2009 13:49:25 +0000, LR wrote:


Mea culpa! I just responded to your post without clicking on the link you
had provided.


No, not the author but the makers of 3rd party software firewalls are.
You've got to read the entire article more carefully:
"There is a very simple fact about outbound filtering that its proponents
fail to take into account. The usual argument from the host-based firewall
*vendors* is that if a system is compromised, whether by a worm or by an
interactive malicious user, outbound filtering will stop the worm from
infecting other systems or will stop the attacker from communicating out.

Jesper said: *"This is not true."*

What is true is that, all else being equal, outbound filtering would have
stopped some historical malware. However, if Windows XP had come with
outbound filtering, the worms we have seen so far would more than likely
have been written to turn it off or else to circumvent it."

Jesper can be contacted...why don't you give it a go?
http://msinfluentials.com/blogs/jesper/
He's a busy man but will usually respond to reasonable postings. Besides,
he sometimes hangs out at microsoft.public.windows.vista.security

Re: What should we do to block port 139 from allowing connections?
On Sun, 11 Jan 2009 08:16:14 +0700, Kayman


Now there's an oxymoron.  LOL

--
Best regards,   FAQ for Wireless Internet: <http://wireless.navas.us>
John            FAQ for Wi-Fi:  <http://wireless.navas.us/wiki/Wi-Fi>
           Wi-Fi How To:  <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems:  <http://wireless.navas.us/wiki/Wi-Fi_Fixes>

Re: What should we do to block port 139 from allowing connections?

I hear ya.  I've gone so far as to add DNS entries dumping those hosts to
localhost.


Re: What should we do to block port 139 from allowing connections?

Better to point them somewhere that has a process listening on port 80.
If you redirect to your localhost and don't have an http server running,
each one has to time out, instead of getting a quick 404.

I've come to recognize the "404" page from the server where I point
them, popping up as an ad-blanker on some pages.

--
Clarence A Dold - Hidden Valley Lake, CA, USA  GPS: 38.8,-122.5

Re: What should we do to block port 139 from allowing connections?


Aha. Thanks.
--
W. Oates

Re: What should we do to block port 139 from allowing connections?


True.  But since most of them are 'sight unseen' in their operation it
doesn't make much difference.  I would give some added logging though, but
as long as the errant app can't get its connection I really don't care much
about it.


