Disabling unnecessary or unwanted services, a process sometimes called “hardening”, is highly desirable for security purposes. Some users may wish to harden their system in order to avoid the need for a firewall. In other cases, a user may wish to perform a temporary hardening in order to safely access the internet for the first time after installing Windows; updates, patches, and security software can then be downloaded. This article describes a hardening method which doesn’t require downloading anything from the internet. The method is simple, but the instructions here are aimed at power users who aren’t afraid to alter the registry, and who know enough to back it up before making changes. The changes made are, of course, reversible.
The ports found open on a new install that require closing are the NetBIOS (file and printer sharing) group, ports 137, 138 and 139, together with the associated (on this system) port 445. DCOM port 135 must also be closed.
Below is the procedure for closing these ports.
The NetBIOS group of ports
———–
From the desktop, select Start - Settings - Network and Dialup connections. Depending on how many internet adapters you have installed, there may be several Local Area Connection items. Start with your primary hardware adapter. In my case it’s an Ethernet adapter as shown below:
Double click on this item and select Properties. Uninstall everything except Internet Protocol (TCP/IP).
Select the Sharing tab and uncheck “Enable Internet connection sharing for this connection”. Click “OK”.
Right click on the Local Area Connection item again and select “Properties”. Select “Properties” again.
Then select “Advanced”. Click on the WINS tab. Select “Disable NetBIOS over TCP/IP”.
Click “OK”. There is no need to reboot at this point. Just hit Cancel if prompted.
Check your other adapters (Local Area Connections) to make sure their settings are identical to the new settings of this first adapter.
Port 445
———–
From the desktop, select Start - Run and type regedit.
Find the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBt\Parameters
Double click on the item TransportBindName
Remove the string of characters in Value Data leaving it blank.
Make a note of the Data string value for possible future reversal purposes.
Exit the registry editor.
Port 135
———–
From the desktop, select Start - Run
Type: c:\winnt\System32\Dcomcnfg.exe
Select “Default Properties”
Uncheck “Enable Distributed Com on this computer”
Select “Default Protocols”
Remove any listed, leaving a blank
Start the registry editor again and find the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
With Rpc highlighted, click on Edit at the upper left of the screen. Click on New and then select Key.
You will see a key added under Rpc. Rename the key Internet (See screenshot below).
With that new key highlighted (as below) select Edit again. Click on New and then string. Enter the Name UseInternetPorts. Then double-click on the newly created item UseInternetPorts and enter N for the Data value.
Note that reversal can be done simply by deleting the Internet key you added.
You are done. Exit the registry editor and reboot.
To check your work, open a DOS window (CMD.EXE) and type netstat -an immediately after booting up. I’ve found that when working with a new install of Windows (no updates or patches), the result is empty. No ports appear at all. After updating to IE 6 I find a TCP port numbered just over 1024 listening. Sometimes UDP port 68 will appear as well. These ports are not open. Immediately after hardening, it is OK to go ahead and install SP4 and all the critical security patches.
You can verify that all ports are closed by going on the internet, and using web sites which offer port scanning services.
Here are a few links:
http://scan.sygatetech.com/
PC Flank: Make sure you're protected on all sides.
https://www.grc.com/x/ne.dll?bh0bkyd2
In addition to backing up all your data, it’s wise to do periodic checks. In the context of this article, one simple check is the netstat -a test, to make sure nothing you’ve installed has modified the work you have done here. Make sure to do this check after a Windows Update, or after installing any new Windows services. As said above, the changes made are reversible. If at a later time you wish to enable file and printer sharing with other computers on your local network, there is a free utility named wwdc.exe available which will do much of the reversal automatically.
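As an added example (not part of the original article), the following PowerShell script automates the periodic check described above and the netstat -an check from the previous section: it reads the two registry values the article sets and scans netstat output for the ports the article closes. It assumes a version of Windows with PowerShell available (the article's original target shipped without it); the registry paths and port numbers are the article's own.

```powershell
# Re-check the hardening: registry values from the article, then listening ports.
# Registry locations are taken from the article above; "Want" is the data it sets.
$expected = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBt\Parameters'; Name = 'TransportBindName'; Want = '' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet';                     Name = 'UseInternetPorts';  Want = 'N' }
)

$problems = @()

foreach ($e in $expected) {
    # A missing key or value name makes Get-ItemProperty return $null here.
    $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    $actual = if ($null -eq $item) { '<missing>' } else { [string]$item.($e.Name) }
    if ($actual -ne $e.Want) {
        $problems += "Registry: $($e.Path)\$($e.Name) is '$actual', expected '$($e.Want)'"
    }
}

# Ports the article closes. Other listeners (the >1024 TCP port seen after the
# IE 6 update, or UDP 68) are deliberately not flagged.
$closedPorts = 135, 137, 138, 139, 445

# netstat -an lines look like:  TCP    0.0.0.0:445    0.0.0.0:0    LISTENING
foreach ($line in (netstat -an)) {
    if ($line -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s') {
        $proto = $matches[1]
        $port  = [int]$matches[3]
        # UDP has no state column; a TCP socket only matters if it is LISTENING.
        if ($closedPorts -contains $port -and ($proto -eq 'UDP' -or $line -match 'LISTENING')) {
            $problems += "Port: $proto $port is still open ($($line.Trim()))"
        }
    }
}

if ($problems.Count -eq 0) {
    'Hardening intact: registry values as set, none of ports 135/137/138/139/445 open.'
} else {
    $problems | ForEach-Object { "WARNING: $_" }
}
```

Run it from an elevated PowerShell prompt after each Windows Update or new service installation; any WARNING line names the exact value or port that has drifted from the state set in this article.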
It’s a good idea to disable services you’re not using in order to further harden the OS and lighten the load on available resources. For example, if you don’t use Fax, disable it. Similarly, Telnet can be disabled. Wideband users can safely disable Telephony. If your computer has no printer installed, the Print Spooler can be disabled. If you prefer to do Windows updates periodically when you do maintenance and backups, there’s no reason to have Automatic Updates enabled. I don’t use Task Scheduler, and I disable it as well.
There are several other items that I’ve disabled, such as TCP/IP NetBIOS Helper Services, Net Meeting Remote Desktop Sharing, Remote Access Auto Connection Manager, Remote Access Connection Manager, and Remote Registry Service.