J
Jason Wade
Let's say that I don't have a firewall, and I don't
want sasser to get me.
Is there any way to close port 445 in win xp?
want sasser to get me.
Is there any way to close port 445 in win xp?
N
null
See the links on my network page. To make it easy, use the WWDC.EXE
utility:
http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/wwdc.htm
Art
http://www.epix.net/~artnpeg
J
Jason Wade
I don't want to download any programs to close these ports.
According to that page, port 445 is used by the RPC Locator.
If I disable that service, then port 445 will close, right?
(I'm not on a winxp system right now, so I can't test it.)
L
losl(removethis)
Will PCs with WinXP (not patched with MS updates) and not firewalled but
behind a router running NAT be infected by SASSER or its varients?
Thank you for your info!!
J
Jason Wade
Google is my friend:
http://www.petri.co.il/what_is_port_445_in_w2kxp.htm
Tcp/445 is used by netbios over tcp/ip.
This is what the instructions say to disable that port:
<quote>
How to disable port 445?
You can easily disable port 445 on your computer. To do so follow these
instructions:
1.
Start Registry Editor (Regedit.exe).
2.
Locate the following key in the registry:
HKLM\System\CurrentControlSet\
Services\NetBT\Parameters
3.
In the right-hand side of the window find an option called
TransportBindName.
4.
Double click that value, and then delete the default value, thus
giving it a blank value.
4.
Close the registry editor.
5.
Reboot your computer.
After rebooting open a command prompt and in it type
netstat -an
See that your computer no longer listens to port 445.
</quote>
I'd like some winxp guru to tell me that this works and is
not harmful to the computer.
D
Duane Arnold
A machine setting behind a NAT router will have port 445 closed by default
to the public Internet. The router stops unsolicited inbound traffic to the
machines from the Internet. Port 445 is mainly used for file sharing
between NT based O/S(s) such as Win 2K, XP, and 2K3 on the LAN behind the
router.
So if you have placed a machine into the DMZ of the router with file
sharing active on the machine and not firewalled or you have opened port
445 to the public Internet by doing port forwarding or triggering to map
port 445 to an IP/machine, then that's trouble. Otherwise, I think you're
pretty safe behind the router.
However, you should apply all MS Critical Security patches to the machine
ASAP.
Duane
N
null
Yes. And Marchand details how to shut down many other services and
close other ports as well:
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html.en
Since I don't use 2K/XP I can't test any of this. I'm interested in
hearing how 2K/XP users make out using WWDC.EXE. Why not do it the
easy way if it works?
Art
http://www.epix.net/~artnpeg
N
null
BTW, I just saw on alt.comp,freeware that some guy hosed his Win 2K
system using the WWDC.EXE utility. Seems most users of Win 2K/XP are
stuck with having to use a firewall. I've heard that manually shutting
down services can lead to deep doodoo as well if you're not an expert.
Art
http://www.epix.net/~artnpeg
J
Jason Wade
To protect against current and future rpc exploits.
But viruses are sometimes very specific. For example, sasser only
goes in through 445.
Just in case I did the patch wrong, and the fw goes down
I want the system to be safe. Somebody here said, "paranoia comes
from experience and is not necessarily a bad thing."
I see that several services use port 445 in winxp: rpc locator,
netbios over tcp/ip, and others.
What if I disable the rpc locator in the services manager and
disable netbios over tcp/ip for the internet connection?
Port 445 would still be open, but maybe the exploit that
sasser uses would be closed.
IOW, I'm asking what subservice of port 445 does sasser exploit
that I can safely disable?
C
chris000012002
No don't disable that service I'm no expert but from what I've read the
serve us rather important.
http://www.blackviper.com/WinXP/service411.htm#Remote_Procedure_Call_(RPC)
http://www.blackviper.com/WIN2K/win2kservice411.htm#Remote_Procedure_Call_(RPC)
C
chris000012002
No don't disable that service I'm no expert but from what I've read the
service rather important.
http://www.blackviper.com/WinXP/service411.htm#Remote_Procedure_Call_(RPC)
http://www.blackviper.com/WIN2K/win2kservice411.htm#Remote_Procedure_Call_(RPC)
R
Richard Steven Hack
This thing wrecked my 2000 big time. Add/Remove Programs no longer
worked, and after trying Recovery Console and assorted other measures,
I was forced to do a complete reinstall.
God, do I hate Windows... That goddamn Registry is the dumbest idea
in computing for decades.
R
Richard Steven Hack
Yup, that was me. Add/Remove Programs would no longer function, and
other effects of a hosed Registry. Tried Recovery Console, but I
didn't have a recent backup (my bad) and was forced to do a complete
reinstall after spending a couple hours trying some Registry fixes
Microsoft suggests in their KnowledgeBase.
I really hate the Registry. Microsoft needs to rip that damn thing
out and pitch it.
D
Duane Arnold
So, a program you ran to manipulate the registry and it hosed it and you
blame MS?
One manipulates the registry at his or her own risk.
One doesn't mess with something unknown like that messing around with the
registry without first doing a Registry Export, in case it's needed on an
Import to restore the registry back to its original state.
Duane
W
William W. Plummer
Richard Steven Hack said:
If they do, what will you have left to whine about?
G
Gary Petersen
William W. Plummer, on Fri, 07 May 2004 06:56:01 -0500, in
Please do not belittle the complaints.
The problems with M$'s OS's are very serious, and people have a right to
discuss them.
For example, the amount of misery caused to windows users by
the registry is untold. It would be much better to have
separate .ini files for each program/service (win3.1 style).
The registry has become a single point of failure that
requires special tools to manipulate (like regedit). Typically,
you're not going to have regedit on a floppy disk if the
system becomes unbootable.
And, of course, regedit requires the GUI, so it won't work from
a boot floppy.
And, of course, if a virus sets the right registry setting, you won't
be able to start regedit anyway, a catch 22.
In linux, even if I lock myself out of my computer my messing
up the /etc/inittab (a text configuration file), I just
boot from floppy, fix inittab with a text editor, and reboot.
Why can't w2k/xp be that easy to fix?
Please do not belittle the complaints.
The problems with M$'s OS's are very serious, and people have a right to
discuss them.
For example, the amount of misery caused to windows users by
the registry is untold. It would be much better to have
separate .ini files for each program/service (win3.1 style).
The registry has become a single point of failure that
requires special tools to manipulate (like regedit). Typically,
you're not going to have regedit on a floppy disk if the
system becomes unbootable.
And, of course, regedit requires the GUI, so it won't work from
a boot floppy.
And, of course, if a virus sets the right registry setting, you won't
be able to start regedit anyway, a catch 22.
In linux, even if I lock myself out of my computer my messing
up the /etc/inittab (a text configuration file), I just
boot from floppy, fix inittab with a text editor, and reboot.
Why can't w2k/xp be that easy to fix?
A
Ant
...
It is not necessary to disable RPC.
I run Win2k which may behave similarly to XP. I would advise renaming
the entry, say to "oldTransportBindName", rather than deleting its
value. That way it is easy to restore if something fails. When I do
this, I get error messages from NetBT in the event log:
"Initialization failed because the driver device could not be created"
A cleaner method is to disable raw SMB transport by adding this to the
registry:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Name: SmbDeviceEnabled
Type: DWORD (REG_DWORD)
Data: 0
I had previously disabled all unnecessary services on Win2k, and doing
this has closed port 445 with no adverse affects. I now don't have any
ports listening. Bear in mind that I'm a single workstation user with
no LAN.
YMMV.
It is not necessary to disable RPC.
I run Win2k which may behave similarly to XP. I would advise renaming
the entry, say to "oldTransportBindName", rather than deleting its
value. That way it is easy to restore if something fails. When I do
this, I get error messages from NetBT in the event log:
"Initialization failed because the driver device could not be created"
A cleaner method is to disable raw SMB transport by adding this to the
registry:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Name: SmbDeviceEnabled
Type: DWORD (REG_DWORD)
Data: 0
I had previously disabled all unnecessary services on Win2k, and doing
this has closed port 445 with no adverse affects. I now don't have any
ports listening. Bear in mind that I'm a single workstation user with
no LAN.
YMMV.
R
Richard Steven Hack
No, I blame the program AND MS - the program for screwing up and MS
for having the Registry which is too EASY to screw up.
I am aware of that.
Here you are absolutely correct - I should have backed up the Registry
first. On the other hand, the program involved said that it would
disable ports - while that should have been a clue to me to back up
the Registry, it did not explicitly say it would do anything to the
Registry.
I install and uninstall stuff all the time and while I should back up
the Registry before every install, ninety-nine percent of the time
there is no ill-effect.
However as someone else pointed out here, on Linux it is extremely
difficult to hose the system so bad as to require a reinstall. You
may have trouble finding the files involved or figuring out what they
do (which is also true on Windows) but at least they're there, they're
in text format, and they can be fixed.
The Registry is a poor idea even more poorly implemented. It is a
symptom of the "Big Brother" Microsoft mentality that critical system
files are both poorly documented and hidden from the user. It is one
thing to require administrator access to system files to protect them
and quite another to engage in obfuscation of the system.
F
FromTheRafters
Richard Steven Hack said:
I was under the impression that the registry was automatically
backed up every time the system successfully boots up. There
are several old backups from which one could choose the one
that they assume is the best (not to long ago, and not the latest
perhaps botched up one).
Write yourself a script which makes a backup of all of the initialization
files used by each and every program you have installed in case some
errant program messes one or more of them up.
....or better yet, make a central point for all such files so that it is easier
to manage them all in one or two files (with multiple backups of each
file). Oh...wait...that sounds alot like the Windows registry...nevermind.
P
Paul Proteus
Richard Steven Hack said:
I've used WWDC.EXE on my Windows 2000 and two XP machines without any
problems. Perhaps your registry was already screwed up and that program just
brought it out.