Before I Buy/Try Windows 7 Pro ...

For a single workstation is it possible to close all ports on W7
like it is possible to on XP Pro by disabling services and editing
the registry?

-- 
Redwine



Redwine
9/26/2010 9:58:10 PM
grc.techtalk

Redwine wrote:
> For a single workstation is it possible to close all ports on W7 like
> it is possible to on XP Pro by disabling services and editing the
> registry?

I don't know. You can probably close most of them, but I haven't tried
because the built in firewall blocks them all by default.

-- 
Crash

"It is not necessary to change. Survival is not mandatory."
~ W. Edwards Deming ~
Dave
9/26/2010 10:16:47 PM
On 9/26/2010 5:16 PM, Dave "Crash" Dummy wrote:
> Redwine wrote:
>> For a single workstation is it possible to close all ports on W7 like
>> it is possible to on XP Pro by disabling services and editing the
>> registry?
>
> I don't know. You can probably close most of them, but I haven't tried
> because the built in firewall blocks them all by default.


Err, umm, make sure you test that,
and when it takes effect, and also
occasionally check for automatically
added programs/pass since some programs
1st and 3rd party seem to set themselves.

You should be able to use similar to the
Vista blocking (hand set) for ports and
services plus available port ranges for
things like rpc..but be aware if using
task scheduler, auto-update, or remote
sessions/management that may be impacted.
(For stand alone (not Domain) units)

Once above is done you should keep a backup
of all the registry/modified areas in case
an update/service pack shifts or loses them.

-- 
How vain it is to sit down to write
when you have not stood up to live.
Henry David Thoreau, Journal, 19 August 1851
NT
9/26/2010 10:55:45 PM
On 9/26/2010 5:58 PM, Redwine wrote:
> For a single workstation is it possible to close all ports on W7
> like it is possible to on XP Pro by disabling services and editing
> the registry?
>

I am sitting here wondering what one would do with a workstation which has 
all ports closed. Some sort of specialized number crunching application? If 
closing all the ports is the goal then unplugging the network cable is the 
way to go.
John
9/26/2010 11:25:37 PM
"John McGaw" <nobody@nowh.ere> wrote:
> On 9/26/2010 5:58 PM, Redwine wrote:
>> For a single workstation is it possible to close all ports on W7
>> like it is possible to on XP Pro by disabling services and editing
>> the registry?

> I am sitting here wondering what one would do with a workstation which has
> all ports closed. Some sort of specialized number crunching application? If
> closing all the ports is the goal then unplugging the network cable is the
> way to go.

Well, let's see what we have the capability to do on a standalone
workstation that has one hard drive and three partitions, (1)System,
(2)Data, (3) Images and no sockets listening on any ports:

(1) Connect to the Internet.

(2) Print Documents with a laser printer.

(3) Test and analyze new/old software.

(4) Portscan various suspicious IP addresses.

(5) Telnet to various suspicious IP addresses
and see what information may be gained.
(especially on port 135, 137,138,139 and 445)

(6) Send and receive e-mail

(7) Play video games when wanted to.

(8) Do research on the Internet via search engines.

(9) Use Microsoft Office.

(10) Use Adobe to work with .pdf files.

(11) Study programming languages and code test apps.

(12) Upload documents and edit my website.

(13) There may be a few more things that can be done.

Perhaps you misunderstood the kwestgin? ... ;)

-- 
Redwine



Redwine
9/27/2010 2:49:10 AM
On Sun, 26 Sep 2010 19:49:10 -0700, Redwine wrote:

> Well, let's see what we have the capability to do on a standalone
> workstation that has one hard drive and three partitions, (1)System,
> (2)Data, (3) Images and no sockets listening on any ports:

Since most browsers I have used actually listen on loopback ports, I suspect 
that web surfing would be greatly curtailed by closing all ports.

Further to that, ports are only opened by services which require them to be
open. But I don't know all of the Windows 7 services which open ports. So I
can't say which services you would need to disable, or their dependencies.

-- 
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
Norman
9/27/2010 5:12:55 AM
"Norman Miller" <exfenestrate@spammers.invalid> wrote:
> On Sun, 26 Sep 2010 19:49:10 -0700, Redwine wrote:
>
>> Well, let's see what we have the capability to do on a standalone
>> workstation that has one hard drive and three partitions, (1)System,
>> (2)Data, (3) Images and no sockets listening on any ports:

> Since most browsers I have used actually listen on loopback ports, I suspect
> that web surfing would be greatly curtailed by closing all ports.

Fortunately, no problems at all with Firefox as I give it access to the
localhost on 127.0.0.1 and DNS on UDP port 53 only, and there is
no listening on any TCP ports when launched to a blank page or during
an established connection with a server. Those connections are closed
and there is no listening on 'all interfaces' at 0.0.0.0:0 . Blazing fast, 
too!

-- 
Redwine 


Redwine
9/27/2010 7:24:43 AM
On 9/26/2010 10:49 PM, Redwine wrote:
snip...
> Well, let's see what we have the capability to do on a standalone
> workstation that has one hard drive and three partitions, (1)System,
> (2)Data, (3) Images and no sockets listening on any ports:
snip...
> Perhaps you misunderstood the kwestgin? ... ;)
>

No, I didn't misunderstand but perhaps the question asked was not the one 
intended. The original post called for "closed" ports. If all ports are 
closed then #1, 4, 5, 6, 8, and 12 are right out of the question since they 
call for connection to the Internet and closed ports simply do not connect. 
If applications are free to open ports willy-nilly then they are not truly 
closed. On reconsideration I see that you must have been asking about 
closing listening ports but that is not how it appeared at first reading.
John
9/27/2010 1:38:17 PM
Nope, you can not close all listening ports in Vista/7 .

In particular, Remote Procedure Call (RPC) is listening on port 135 for any
incoming communication. Scary.
There are several additional "epithermal" ports open also.
No one knows how to close these ports, as far as I can tell.
On top of these issues, IPV6 is running by default and can not be disabled.
All open IPv4 ports are duplicated as open IPv6 ports.

In XP and w2k, all listening ports can be closed.
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
Minimization of network services on Windows systems

The Windows Firewall is supposed to block incoming communication to RPC port
135. But only if the network type is Public and not Private.
Users often chose Private thinking that Private means more secure.

"Tcpview" from SysInternals is a program that shows open ports.
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
TCPView v3.02 By Mark Russinovich Published: August 2, 2010


This problem of open ports in Vista/7 makes Vista/7 a very poor choice for
portable computers.
One is much safer using XP in public internet access locations.

It took some time for folks to discover how to close ports in XP. Perhaps
time will provide info on how to close Vista/7 open ports.



RichardB
9/27/2010 5:18:54 PM
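
Added example, not part of any poster's message: the posts above distinguish sockets listening on loopback from those on all interfaces, and describe IPv4 listeners duplicated on IPv6. This sketch classifies listeners that way from text in `netstat -ano` layout (using netstat rather than TCPView is an assumption); the sample rows, addresses and PIDs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in `netstat -ano` layout; addresses and PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       400
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING       1800
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:50123     203.0.113.10:80        ESTABLISHED     2500
  TCP    [::]:135               [::]:0                 LISTENING       700
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::1]:5357             [::]:0                 LISTENING       1800
  UDP    0.0.0.0:5355           *:*                                    1100
"""
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def scope(addr):
    """Classify the bind address: who can reach this socket at all?"""
    if addr in ("0.0.0.0", "[::]"):
        return "all-interfaces"
    return "loopback" if addr.startswith("127.") or addr == "[::1]" else "one-interface"

def listeners(text):
    """Return listening TCP sockets and bound UDP sockets (UDP has no state)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or (m.group(1) == "TCP" and m.group(4) != "LISTENING"):
            continue
        addr, port = m.group(2).rsplit(":", 1)
        rows.append({"proto": m.group(1), "port": int(port), "pid": int(m.group(5)),
                     "family": "IPv6" if addr.startswith("[") else "IPv4",
                     "scope": scope(addr)})
    return rows

def exposed(rows):
    """Map (proto, port) -> address families for listeners reachable off-host."""
    seen = defaultdict(set)
    for r in rows:
        if r["scope"] != "loopback":
            seen[(r["proto"], r["port"])].add(r["family"])
    return dict(seen)

def dual_stack(rows):
    """Ports open on both IPv4 and IPv6, the duplication the post describes."""
    return sorted(k for k, fams in exposed(rows).items() if fams == {"IPv4", "IPv6"})
```

Whether an exposed listener is actually reachable still depends on the firewall rules for the active network profile, so the output is a list of sockets to check against those rules, not a verdict.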
"RichardB" <proxy@noway.com> wrote:
> Nope, you can not close all listening ports in Vista/7 .

> In particular, Remote Procedure Call (RPC) is listening on port 135 for any
> incoming communication. Scary.

From: start/run/dcomcnfg ...does not get you to "Component Services" to
remove the protocols used?

Unbelievable, especially after Microsoft knew what happened on 135 in XP.
It's just a matter of time before the firewall is hacked through.

> There are several additional "epithermal" ports open also.
> No one knows how to close these ports, as far as I can tell.
> On top of these issues, IPV6 is running by default and can not be disabled.
> All open IPv4 ports are duplicated as open IPv6 ports.

Any third-party software firewall work on IPv6?

> In XP and w2k, all listening ports can be closed.
> http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
> Minimization of network services on Windows systems

> The Windows Firewall is supposed to block incoming communication to RPC port
> 135. But only if the network type is Public and not Private.
> Users often chose Private thinking that Private means more secure.

> "Tcpview" from SysInternals is a program that shows open ports.
> http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
> TCPView v3.02 By Mark Russinovich Published: August 2, 2010

> This problem of open ports in Vista/7 makes Vista/7 a very poor choice for
> portable computers.
> One is much safer using XP in public internet access locations.

> It took some time for folks to discover how to close ports in XP. Perhaps
> time will provide info on how to close Vista/7 open ports.

It looks like XP Pro SP2 is gonna be my OS for a long time.

It's a /rotten/ shame Mark Russinovich is now with Microsoft.

-- 
Redwine




Redwine
9/27/2010 6:06:15 PM
"Redwine" <404@404.404> wrote in news:i7qmf0$4gg$1@news.grc.com:

> It's a /rotten/ shame Mark Russinovich is now with Microsoft.

I disagree.  He has some very good advice for them, and they listened.  
Google up some Channel Nine with him in it.  He hated the layers of linked 
dependencies and was a key figure in "minwin" which we now see in Win7's 
design.

-- 
Ciao, Dave
Dave
9/28/2010 8:38:29 AM
"Dave Taylor" <daveytay@nospamplshotmail.com> wrote:
> "Redwine" <404@404.404> wrote in news:i7qmf0$4gg$1@news.grc.com:

>> It's a /rotten/ shame Mark Russinovich is now with Microsoft.

> I disagree.  He has some very good advice for them, and they listened.
> Google up some Channel Nine with him in it.  He hated the layers of linked
> dependencies and was a key figure in "minwin" which we now see in Win7's
> design.

Unfortunately, I don't think Russinovich can be trusted anymore and one
example would be his /bogus/ defense of Vista's Security Model flaw.

However, at least I know what OS not to spend my money on now :)

-- 
Redwine 


Redwine
9/28/2010 6:35:14 PM
NT Canuck wrote:
> On 9/28/2010 1:35 PM, Redwine wrote:
> 
>> "Dave Taylor"<daveytay@nospamplshotmail.com>  wrote:
>>> "Redwine"<404@404.404>  wrote in news:i7qmf0$4gg$1@news.grc.com:
>>
>>>> It's a /rotten/ shame Mark Russinovich is now with Microsoft.
>>
>>> I disagree.  He has some very good advice for them, and they listened.
>>> Google up some Channel Nine with him in it.  He hated the layers of
>>> linked dependencies and was a key figure in "minwin" which we now see
>>> in Win7's design.
>>
>> Unfortunately, I don't think Russinovich can be trusted anymore and one
>> example would be his /bogus/ defense of Vista's Security Model flaw.
>>
>> However, at least I know what OS not to spend my money on now :)

/ ... /

We want to know how to close the listening ports on W7 and a once
fantastic application from Sysinternals and Mark Russinovich surely
would help ... if this person was /not/ employed by Microsoft.
Being employed by MS, how can you trust what he has coded on
Process Explorer ... except for what Microsoft *wants* you to
see?? You do what who's giving you your paycheck says to do.
(like defending Vista's Security Model flaw)

FWIW, I downloaded the latest version of it and the first
thing it does is try to connect out to Microsoft on TCP port 80
without asking for permission from the client. I'm gonna search
the Internet hoping to find an original version of process
explorer from back around 2003.

-- 
Redwine
Redwine
9/28/2010 11:35:35 PM
On 9/28/2010 1:35 PM, Redwine wrote:

> "Dave Taylor"<daveytay@nospamplshotmail.com>  wrote:
>> "Redwine"<404@404.404>  wrote in news:i7qmf0$4gg$1@news.grc.com:
>
>>> It's a /rotten/ shame Mark Russinovich is now with Microsoft.
>
>> I disagree.  He has some very good advice for them, and they listened.
>> Google up some Channel Nine with him in it.  He hated the layers of linked
>> dependencies and was a key figure in "minwin" which we now see in Win7's
>> design.
>
> Unfortunately, I don't think Russinovich can be trusted anymore and one
> example would be his /bogus/ defense of Vista's Security Model flaw.
>
> However, at least I know what OS not to spend my money on now :)

See if you can pickup an unused VLK Win2000 pro,
that's only if you are familiar with device driver
hunting and don't need continuous IPv6 support.
(Most business by now should be on WinXP at a
minimum so the old VLK 'volume' licenses should
be available w/cd and old drives..just take the
old HD and 100 usd is still a good value for vlk)

I have an original VLK from 12/2000 CD w/valid
license and still install it occasionally on
my offline work machines but it's a bit tough
on newer (last 3 years) units for drivers.

WinXP sp2 is still useful (1/2 the net?) and
above that for newest computers/laptops the
Win7 pro is the ticket today in 64bit edition.
Just a thought ;) since latest video cards and
many additional hardware abilities for laptops
won't install or kick in w/o Vista or newer
and .NET support.

-- 
How vain it is to sit down to write
when you have not stood up to live.
Henry David Thoreau, Journal, 19 August 1851
NT
9/28/2010 11:52:38 PM
On 9/28/2010 6:35 PM, Redwine wrote:

> We want to know how to close the listening ports on W7 and a once
> fantastic application from Sysinternals and Mark Russinovich surely
> would help ... if this person was /not/ employed by Microsoft.
> Being employed by MS, how can you trust what he has coded on
> Process Explorer ... except for what Microsoft *wants* you to
> see?? You do what who's giving you your paycheck says to do.
> (like defending Vista's Security Model flaw).

If you are sharp enough to close the 'listening ports'
on WinXP then it's almost the same (just need to use
the command line a bit more) and you'd need to save
the registry changes so you don't need to do it again.
I don't know why exactly but MS is not fond of closing
the ports on Vista or Win7 but you can do it yourself,
there may be some problems with task manager tasks so
again..you likely have to do a bit more manually.

> FWIW, I downloaded the latest version of it and the first
> thing it does is try to connect out to Microsoft on TCP port 80
> without asking for permission from the client. I'm gonna search
> the Internet hoping to find an original version of process
> explorer from back around 2003.

A lot of WinXP items just won't work for Vista since
the entry points and internal syntax of the files and
..dll's were changed (for security) and changed once
more in Win7..that wasn't to bug you (*g) that was
for a bit more security and to ease file/process
dependencies. Win7 is the cleanest (by default).

-- 
How vain it is to sit down to write
when you have not stood up to live.
Henry David Thoreau, Journal, 19 August 1851
NT
9/29/2010 6:59:59 AM