
blocking ports on windows firewall


16 replies to this topic

#1 reaching

reaching

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:06:02 PM

Posted 09 June 2015 - 12:36 PM

I think something is wrong but I'm not sure what.

For starters, I read that there are common ports that should be blocked for internet security. I've tried to block these ports in Windows Firewall, but immediately, in the Control Panel, under "Allow these programs through Windows Firewall", I see my rules with a check in front of them. I want them blocked.

Some of the ports I'm trying to block are: 135-139, 445, 5000, and some other remote ports.

Does anyone know anything about this?

The operating system is Windows 7 Home Premium.
 


 


#2 reaching

  • Topic Starter

Posted 09 June 2015 - 12:48 PM

Okay, this is strange(?). If I enable the rule to block ports in Windows Firewall, the rule is checked in "Allow a program through Windows Firewall" located in the Control Panel under System and Security (I never added my rule to the allowed program list). If I uncheck the rule in "Allow programs through Windows Firewall", then the rule is disabled in Windows Firewall, and only in private profiles (which means the ports are no longer blocked). Initially, when I created the rules, I blocked public, private, and domain profiles in rule setup.

Maybe I'm off base but it seems like there is some kind of script to keep these ports open.



#3 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:01:02 PM

Posted 09 June 2015 - 05:13 PM

I've never used Windows FW outside of its default settings but it might help if you disabled printer and file sharing and disable network discovery. What you really want to do is disable a service listening on a port, not block a port.

The plug and play (UPnP) is a feature that can be turned off in a router.

 


How Can I Reduce My Risk to Malware?


#4 reaching


Posted 09 June 2015 - 08:37 PM

Thank you shelf life. I really appreciate you replying.

I have disabled those things (I don't have access to router with my ISP so I can't disable UPnP through them but I believe I disabled it in services).

I disabled SSDP in services (that's network discovery?)

Computer seems to be still listening on port 135, for example.

I read an article about closing the ports that hackers commonly attack and so I was trying to do as the article suggested.

Now that I've started the process, I'm trying to understand if my computer is acting normally. In other words, if someone else tried to block ports 135-139 as a rule, I wonder if their computer would automatically add the rule to "Allow programs through Windows Firewall" (in Control Panel) with a check. Is this default behavior in Windows or is it just me and if it's just me...why?

Thanks again for replying.

#5 shelf life


Posted 10 June 2015 - 05:29 PM

If you want to "tighten up" your machine so to speak, then an inexpensive NAT router (properly configured) with SPI would help. SPI just means some type of a crude firewall. Features can vary from vendor to vendor but pretty sure all have some type of "FW" built in.

SSDP is network discovery service.

The UPnP I was referring to is a feature of routers and would only be a risk if the router was vulnerable. Older and unpatched. And of course you have a router.

For 135 you may have to disable another service, maybe RPC, not sure. I don't think that's a good idea though and not necessary. Why?

Because your ISP most likely blocks these ports and in order to be successful the ports would have to be exposed to the internet and reachable from the internet.

 

 

 

 




#6 reaching


Posted 10 June 2015 - 08:03 PM

Thank you again for your reply.

I have Time Warner Cable and an Ethernet connection so I do not have access to their router. I assume they have the necessary firewall set up.

Hmmm....I put Windows Firewall back to default settings but I have a concern. I was looking at "Protocols and Ports" for a few of the core networking rules and it says to allow from any port to any port. That doesn't seem too safe. It looks like all the ports are open.

Maybe I need to start a new thread?

My goal is to be safe. I will follow your advice when I'm ready to set up my own router although I have never configured a firewall for a router.

#7 shelf life


Posted 11 June 2015 - 05:42 PM

hi,

It can be confusing.

 

"I do not have access to their router"

Not their router. It would be your router in your home. A router lets more than one device share an internet connection. It also provides another layer of security. They're not hard to set up. The firewall setup in a router is usually: enable/disable: that's it.

Windows 7 firewall is good in its default setting. No need to change anything unless you're sure what you're doing. What you're seeing: port to port refers to ports on your own computer which is safe.

An open port is only a concern if it's exposed to the internet and reachable from the internet.

 

How do you determine if one of your ports is open? 

You start a scan of your machine from outside your network. Your machine is 'port scanned' and results are displayed. There are quite a few sites both legit and malicious that will port scan your machine and display results.

This is where you would start. You will probably find all your ports are closed.

GRC has a popular port scanner called ShieldsUP! that will port scan and display results.

 

https://www.grc.com/x/ne.dll?bh0bkyd2

 

 

 




#8 reaching


Posted 11 June 2015 - 06:40 PM

Oh...thank you so much for going through this with me. Okay I'm going crazy.

I have used Shields Up when I was stumbling around on the internet. The first couple times I did it, I passed. At this point I had blocked the aforementioned ports. The results on Shields Up said that the first 1036 ports were stealth (green) but none of them were closed (blue). Is that normal??

After I read your recent post, I decided to test it again to report accurate results. I had put the firewall back to default settings and retested. This time I failed the TRUE STEALTH test. All the ports were still stealth (green) but I failed ICMP Echo requests (ping). Apparently, my computer responded when it should not have.

The author said the firewall can be set to ignore pings. I have no idea where that is or how to set it in Windows Firewall.

The only thing that changed was putting Windows Firewall back to default settings and also having Time Warner unbridge the router so more than one machine could access the internet at a time. What else can cause my results to change?

I don't have a personal router set up in my home. Time Warner Cable gave a modem that is also a router. Wifi is disabled on it so I can't get into the router to do anything. At some point, I may set up my own router.

So the core networking rules say specifically

Local Ports: All Ports
Remote Ports: All Ports

Doesn't it mean allow from any port on my computer to any remote port anywhere? That's my understanding. You say all of that is about my computer?

Uggggh.

#9 reaching


Posted 11 June 2015 - 09:56 PM

Okay, I did some research. Stealth is okay. I was hoping for closed ports but apparently, both stealth and closed ports do not receive packets. There seems to be a debate about which is better.

As for the pinging, I found a site that instructs you how to make a rule to block the response to the ping (even when creating this rule, Windows automatically put my rule in "allow through windows firewall" with a check; it may be default behavior but it's bugging me because I don't understand). Anyway, this didn't work but I read that TWC's router may be what's responding to the ping and not my computer. Other things in GRC Shields Up were fine.

I tend to panic whenever I see something I don't understand. Knowing a little makes everything seem like a threat. It's exhausting....lol.

Edited by reaching, 11 June 2015 - 10:04 PM.


#10 shelf life


Posted 12 June 2015 - 08:07 AM

 

"stealth (green) but none of them were closed (blue). Is that normal??"

Stealth or closed is OK. Is being stealth more secure or better than closed? It is a whole new subject.

"I failed ICMP Echo requests (ping)"

Responding to a ping or not responding is also debatable as to its implications as far as being safer or more secure goes.

Pretty sure W7 FW will respond to pings by default.

If your router is in use then it's your router that's responding to the port scans. I would leave the default setup in Windows FW and use the router. This is a good configuration.

 




#11 reaching


Posted 12 June 2015 - 10:56 AM

Thank you Shelf Life.  I hope you don't mind a couple more questions. 

 

I will put Windows Firewall back to default settings.

As for the router, it turns out I do have access to it since they unbridged it.

Anyhow, when I first tried to type in default user name and password, it would not let me in. I never changed it and I wonder if Time Warner changed it.

Anyway, I reset the router and changed the default password. Do you think it's possible someone had access to it?

I saw the UPnP you spoke of earlier. When I tried to disable it, I was booted out of the router, and in the browser address window, it said http bad request or something like that? What causes that and how do I disable it?

There were three firewall settings in the router: Maximum, medium, and custom, I believe. I think custom was the default. I put it on maximum but I don't know which is safer? What do you think?


Edited by reaching, 12 June 2015 - 10:57 AM.


#12 shelf life


Posted 12 June 2015 - 09:49 PM

No problem. You have a wired Ethernet connection so you want to disable the router's wireless function or set up a strong password and encryption settings for the wireless feature. Even though you're not using wireless you don't want somebody else jumping on it.

Not sure, maybe TW changed the password from the default? I am not familiar with modems that have built-in routers provided by an ISP.

I think medium would work for the FW, not sure what Maximum and medium refer to though?

You could get more info off the modem vendor's website. How to set it up correctly, disable wireless or configure wireless. What maximum and medium refer to.

And why disabling UPnP boots you out. I would bet it's a Motorola Surfboard modem.

 

 

 




#13 reaching


Posted 13 June 2015 - 07:43 AM

That was really good advice to look for a manual. I did find one online. It did explain the firewall settings. I don't quite understand so I chose medium. The default was low.

I got booted because the internet connection was intermittent. When I hit save, the internet was down for a few seconds. I added a USB Ethernet connection that made the internet connection stable. Then when I tried again I was able to disconnect UPnP.

I did change passwords and disabled wifi.

Thanks so much for your help.

Oh, once I disabled wifi, GRC Shields Up doesn't report my computer responding to pings.

I still would like to understand why Windows Firewall behaves as it does when I try to block a port. I'll take your advice and leave the default settings. According to GRC, I'm secure.

Thanks so much for your time.

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,471 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:02 PM

Posted 13 June 2015 - 08:37 AM

There are online port scanning services which can be used to check for open and vulnerable ports:
  • Shields Up will alert users of any ports that have been opened through firewalls or NAT routers.
  • Online Port Scan allows you to scan individual TCP ports to determine if the device is listening on that port.
  • Subnet Online Port Scanner allows you to scan a host or IP for an open or closed TCP port.
  • MxToolbox Port Scan allows you to check what services are running and open.
  • Open Port Check Tool allows you to check your external IP address and detect open ports on your connection.
  • AuditMyPc Firewall Test will check your computer for ports that are commonly left open and could allow your computer to be compromised.
There are third party utilities that will allow you to manage, block, investigate and view detailed listings of all TCP and UDP endpoints on your system, including local/remote IP addresses, state of TCP connections and the process that opened the port:

Other utilities and tools:

Caution: If you're going to start blocking ports, be careful which ones you block or you may lose Internet connectivity.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
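
Added example, not part of any post above and not code from BleepingComputer or the tools listed: the thread distinguishes a service listening on a port from a firewall block, and the post above mentions listing TCP/UDP endpoints with the process that opened them. The sketch below parses `netstat -ano` output and reports which of the ports named in the thread (135-139, 445, 5000) have a listener, on which bind address, and under which PID; the sample output, addresses and PIDs are constructed.

```python
# Ports the original poster asked about: 135-139, 445 and 5000.
WATCHED = set(range(135, 140)) | {445, 5000}

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       2304
  TCP    192.168.0.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.0.10:49210     203.0.113.5:443        ESTABLISHED     3120
  TCP    [::]:135               [::]:0                 LISTENING       812
  UDP    0.0.0.0:1900           *:*                                    1420
  UDP    192.168.0.10:137       *:*                                    4
"""


def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state, pid) for each socket row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        addr, _, port = parts[1].rpartition(":")  # rpartition copes with [::]:135
        state = parts[3] if parts[0] == "TCP" else ""  # UDP rows have no state
        yield parts[0], addr, int(port), state, int(parts[-1])


def scope(addr):
    """Classify a bind address by which interfaces the socket is bound to."""
    if addr in ("0.0.0.0", "[::]"):
        return "all interfaces"
    if addr.startswith("127.") or addr == "[::1]":
        return "loopback only"
    return "one interface"


def watched_listeners(text):
    """Return sorted (proto, port, scope, pid) for watched ports with a listener."""
    found = set()
    for proto, addr, port, state, pid in parse_netstat(text):
        if port in WATCHED and (proto == "UDP" or state == "LISTENING"):
            found.add((proto, port, scope(addr), pid))
    return sorted(found)


if __name__ == "__main__":
    for row in watched_listeners(SAMPLE):
        print("%-3s %5d  %-14s PID %d" % row)
```

On Windows, `tasklist /svc` maps each PID in the result to the services hosted in that process, which is the information needed to decide whether a listener can be disabled rather than blocked.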


#15 shelf life


Posted 13 June 2015 - 09:34 AM

OK reaching, you're welcome. Windows OS firewall and a router that provides some type of rudimentary FW is a good configuration. Happy safe surfing out there.

