Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation
My Port 139 is open! How can I close it?
So, who is responsible? It must be some other program running inside your system either with your misguided knowledge and permission, or without. You must understand that Windows is the ONLY program that has ANY business opening and listening on port 139. The most common culprit is one of the many "Evil Port Monitors" that I've made such a fuss about.
One of the most common port 139 opening evil port monitors is "NukeNabber". NukeNabber is not your friend. If you're running it, terminate it then try testing your Shields and Ports again!
If you are not running NukeNabber, but your port 139 remains open, you will need to track down the program that has opened this port. I am hoping that my forthcoming free hyper-speed port scanner will incorporate the technology to show its users which programs have opened which ports, though I have not yet confirmed that I can do this in the clean and stable fashion that I require. Please be sure to subscribe to the GRC Corporate News Blog so that you can be informed when we have important news.
In the meantime, all I can suggest is that you examine all of your running programs to isolate the program that's holding port 139 open. Best of luck!
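One way to carry out that hunt on an NT-family Windows machine (XP or later, where netstat's -o switch reports the owning process ID) is to parse the output of "netstat -ano" and look up the PID that holds the port. This is an added example, not code from the original page; the netstat output embedded in it is constructed for illustration, and the PID values are made up (PID 4 stands in for the System process that owns Windows' own NetBIOS listener).

```python
import re
import subprocess

# Constructed sample of "netstat -ano" output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2468
  TCP    192.168.1.10:1052      203.0.113.7:110        ESTABLISHED     1776
  UDP    0.0.0.0:137            *:*                                    4
"""

# One netstat line: protocol, local addr, foreign addr, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def split_addr(addr):
    """Split 'host:port' (works for IPv4 and bracketed IPv6) into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def listeners(netstat_output):
    """Return {(proto, port): pid} for every listening TCP socket and every UDP socket."""
    result = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header, blank line, or something we don't parse
        proto, state, pid = m["proto"], m["state"], int(m["pid"])
        if proto == "TCP" and state != "LISTENING":
            continue                      # established/outbound connections don't hold a port open
        _, port = split_addr(m["local"])
        result[(proto, port)] = pid
    return result


def owner_of(port, netstat_output, proto="TCP"):
    """PID of the process holding the port open, or None if nothing is listening on it."""
    return listeners(netstat_output).get((proto, port))


def live_listeners():
    """Run netstat -ano on the local Windows machine (-o adds the owning PID column)."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    return listeners(out)


if __name__ == "__main__":
    # Against the constructed sample: 139 -> 4, 80 -> 2468, 110 -> None (not listening).
    for port in (137, 139, 80, 110):
        proto = "UDP" if port == 137 else "TCP"
        print(f"{proto} {port}: pid {owner_of(port, SAMPLE_NETSTAT, proto)}")
    # On a real machine, match the PID against Task Manager (or "tasklist /fi \"pid eq N\"").
```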
Why isn't my Port 113 Stealthed? I'm using a firewall to stealth my entire machine, but the ShieldsUP! port probe shows port 113 to only be closed instead of stealthed! What gives?
Port 113 is associated with the Internet's Ident/Auth (Identification / Authentication) service. When a client program in your computer contacts a remote server for services such as POP, IMAP, SMTP, or IRC, that remote server sends back a query to the "Ident" server running in many systems listening for these queries on port 113. Essentially, the remote server is asking your system to identify itself . . . and you. This means that port 113 is often probed by attackers as a rich source of your personal information.
You may recall, from my explanation of Stealthed ports, that attempting to connect to a stealthed port is both costly and painful for the contact initiator which is why it's so cool to stealth our machines. But the problem with simple stealthing of port 113 is that we don't want to hurt the servers we are trying to contact when they turn around and send us their IDENT query. If they get no response at all from their port 113 query, our connection to them (which initiated their query in the first place) will be delayed or perhaps completely abandoned.
Note that not all servers generate IDENT queries. So, depending upon your ISP, stealthing port 113 may not be any problem for you. However, you'll note that requirements for port 113 are common enough that most mature firewalls (BlackICE Defender, AtGuard, NIS2K, etc.) include built-in default rules allowing IDENT queries to pass through. These rules result in the IDENT's status being "closed" rather than "stealth."
So what can you do?
You may be able to remove or disable your firewall's default rule for IDENT (port 113) and run it in full stealth mode without trouble. If you do this, keep on the lookout for trouble connecting to less common servers, like IRC, which might have problems that you haven't encountered before.
Or, you can leave the default rule in place and live with your system's IDENT service port being visible to the outside world. Be aware that this provides a means for intruders to detect an otherwise stealthed computer. And they'll know you're running a firewall since other things are stealthed, but not port 113.
Or, you can switch to the very latest, highest technology, and best adaptive firewall which is smart enough to stealth this port against random probes, while still showing it as "closed" to queries from valid servers . . .
ShieldsUP! shows my ports as 'Closed' and not 'Stealth', but I want Stealth! How do I get 'Stealth'?
'Stealthed' ports are, strictly speaking, a violation of proper TCP/IP rules of conduct. Proper conduct requires a closed port to respond with a message indicating that the open request was received, but has been denied. This lets the sending system know that its open request was received so that it doesn't need to keep retrying. But, of course, this "affirmative denial" also lets the sending system know that a system actually exists on the receiving end . . . which is what we want to avoid in the case of malicious hackers attempting to probe our systems.
I coined the term 'Stealth' when I developed this site's port probing technology to describe a closed port that chooses to remain completely hidden by sending nothing back to its attempted opener, preferring instead to appear not to exist at all.
Since 'Stealthing' is non-standard behavior for Internet systems, it is behavior which must be created and enforced by means of a firewall security system of some sort. The native TCP/IP interface software used by personal computers will ALWAYS reply that a port is closed. Therefore, some additional software or hardware, in the form of a 'stealth capable firewall' must be added to the computer system in order to squelch its "closed port" replies.
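The three states described above can be told apart from how a single TCP connection attempt ends: a completed handshake means "open", a TCP reset (seen by the program as "connection refused") means "closed", and no answer at all within the timeout means "stealth". The following is an added example, not code from the original page or from ShieldsUP!; it probes loopback only, so the "stealth" outcome cannot appear offline.

```python
import socket


def classify_port(host, port, timeout=2.0):
    """Probe host:port once with a TCP connect and report the state the way
    ShieldsUP! does: 'open', 'closed' or 'stealth'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                 # handshake completed: a server is listening
    except ConnectionRefusedError:
        return "closed"               # host answered with a TCP RST (the "affirmative denial")
    except socket.timeout:
        return "stealth"              # nothing came back at all within the timeout
    except OSError as exc:
        return f"error:{exc.errno}"   # e.g. network unreachable: a routing problem, not a port answer
    finally:
        s.close()


def demo_listener():
    """Open a throwaway listener on loopback so there is an 'open' port to probe.
    Returns (socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_port():
    """Find a loopback port nothing is listening on (bind, read the number, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = demo_listener()
    print(port, classify_port("127.0.0.1", port))      # open
    srv.close()
    print(classify_port("127.0.0.1", unused_port()))   # closed
    # 'stealth' only shows up against a host or firewall that silently drops the SYN;
    # the loopback interface always answers, so it cannot be demonstrated offline.
```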
To get full stealth-mode status from your system, I highly recommend using the completely FREE ZoneAlarm 2 firewall from ZoneLabs, Inc. Visit their website at www.ZoneLabs.com to learn more about this excellent and free firewall, then download the latest version.
Your ShieldsUP! site easily sees my computer's IP address. Though I trust you, I figure that anyone else can see anything that you can. So how can I hide my IP address while I'm on the web?
The accessibility of your machine's IP address does not, in and of itself, represent any real security risk. In order for you to use the Internet at all, information must be able to find its way back to your computer. This requires a two-way path between your computer and remote machines. Your machine's unique IP address is the way data finds its way back to you. It's true that this necessarily creates some degree of security vulnerability, but only as much as is absolutely required for any sort of "connection" to remote resources on the Internet. The best thing to do is to be concerned and responsible about your machine's security. Follow the steps outlined on this site and keep an eye on the security-related software I develop in the future. I'm working on a solution to these problems.
Your site doesn't talk about ICS (Microsoft's Internet Connection Sharing) or NAT (Internet Network Address Translation), could you say something about them?
As has been explained throughout this site, every machine on the Internet is identified and located using a unique IP address. This allows returning data to be routed to the proper machine by its address. But, this straightforward system has since been enhanced in an important way known as Network Address Translation or NAT.
In a NAT-based system, a single IP address represents the NAT router . . . behind which can lie an entire private network of machines! The machines on this private network (behind the NAT router) use IP addresses that have been set aside for just this purpose. They generally start with 192.168.x.x or 10.x.x.x. These address ranges are NEVER used by regular machines on the Internet so that any machines on the private network can know that they're talking amongst themselves.
When one of the machines behind the NAT router needs to contact resources on the public Internet, the request is routed through the NAT router (since that's what connects the machines to the Internet). The NAT router rewrites the outgoing data packet so that it appears to originate from the router itself, instead of the actual originating machine, and sends it on its way. Then, when the reply returns, the process is reversed and the data packet is forwarded to the originating machine on the private network. Thus, when viewed from the perspective of the external public Internet, ALL of the machines behind the NAT router appear to be a single machine with that one (NAT router) IP address.
This is useful for two main reasons:
First, it allows many machines to share a single IP address. Any cable modem or DSL user with a single IP address can use NAT technology to "multiplex" their single IP across as many machines as they like! So, rather than paying your connection provider for additional IPs, you can be running all the machines you want for no additional money!
Secondly, NAT very effectively HIDES all of your machines from the prying eyes of the Internet! Anyone scanning across your IP address will ONLY be able to "see" the NAT router! (Which is generally much more secure than the average PC.) So, they won't actually be touching any of your machines located BEHIND the router! Moreover, none of the software running inside your PC can "give out" your network's public IP address because it is completely unknown to your machines! Only the NAT router knows the public IP of your network, your machines only know their private "behind the router" IP's. So Internet client programs, like your web browser which send out the machine's IP address with every request, will be completely fooled and foiled when they're running behind a NAT router.
Where do you get NAT routing?
The second edition of Windows 98 provides options for built-in NAT routing in the form of its ICS (Internet Connection Sharing). I don't like this solution, though, because it requires that the ICS machine always be running to provide NAT services for the rest of the network.
My absolute favorite solution for personal and small office NAT routing is the new Linksys "Etherfast Cable/DSL Router". It is now available in TWO versions, with and without a built-in high-performance 4-port 10/100 switch. With a street price in the neighborhood of just $105 or $155, this feature-packed router and (optional) four-port hub provides expandable connectivity for up to 253 machines and even offers a rudimentary packet filtering firewall which, for example, can easily be told to block ports 137-139 and completely prevent all NetBIOS file sharing insecurity!
NAT is such an important topic that I will be expanding the coverage of it greatly and will be creating another subsite to discuss these concepts at length. If you're subscribed to my eMailing System you'll know when the new site is in place.
What happened to the free NoShare and LetShare utilities? They were on this site for a while, then they disappeared and the versions I had have now "expired". They worked great, so why are they gone?
NoShare and LetShare were terrific solutions for quickly, easily, and reversibly disabling and enabling NetBIOS resource sharing. But they required more technical support than we were able to provide. With this site's traffic being as high as it is, so many thousands of copies were being downloaded every day that even the low percentage of people who wanted to know "how to install it" (you don't), how to remove it (just delete it), or where it went in their computer after they downloaded it (how should we know????) made the responsibility of supporting a "code solution" too much. Also, many people don't like running random executable programs (especially people who don't know me and the way I author programs.)
So, when I figured out how to use network binding to achieve the same results I joyfully discontinued offering NoShare and LetShare . . . and the technical support questions died down almost immediately. If you really want to use them, those links above will get you new, non-expired, versions. But we will not answer eMail about them . . . okay?
Can I still download files through the Internet after implementing your security recommendations? I don't want to be completely cut off!
Yes. The "Network Bondage" instructions only affect the availability of Windows-style file and printer sharing, where you actually see other computers' drives, directories, and printers as resources on your machine, or others have your machine's resources available on their computers. There will be no effect on your ability to use the Internet's facilities: file transfer, web browsing, etc.
My ports 80 and 443 are open because I'm running a web server. Does this mean I'm less secure?
Well, since servers are a point of attack and are a weak link in any system's security profile, some responsibility does come hand-in-hand with running a web server. New security vulnerabilities are being discovered almost daily, so keeping up with security bulletins is extremely important.
Please do take these issues seriously . . . a friend of mine running Microsoft's very insecure IIS 4.0 web server recently had all of the hard drives in his server erased by an Internet vandal who renamed one hard drive volume label just to show that it was a deliberate attack and not some random Windows NT meltdown.
How do I close my open ports? Your Port Probe shows that I have some open ports that should be closed, but I don't know how to close them. Why don't you include some information about how to close each of those ports?
Low-numbered "system ports" are generally opened by various Internet server applications running within a computer. Therefore there is no single "standard" program that opens each type of port. For example, port 80 is the default port through which web browsers communicate with web servers. So if port 80 is open (and you're not running one of the Evil Port Monitors) you probably have a web server of some sort running on your machine. But the port probe has no way of knowing which web server you might be running. It does, however, tell you what type of server typically uses each type of port. That's really the best it can do. (Note that even ICQ has a personal web page option that opens port 80!)
I'm confused about whether I need a firewall. ShieldsUP! says that my system has no vulnerabilities. So does this mean I don't need a firewall?
You never need a firewall to protect yourself from file and printer sharing intrusions since they can be handled by simply unbinding the unsafe Microsoft services from the Internet's TCP/IP transport protocol.
But that's not a complete answer because a firewall could still help in other ways. For example, if a Trojan horse program somehow took up residence in your system it would open a high-numbered port that was not checked by ShieldsUP! Then, any time you were connected to the Internet that open Trojan port could be scanned and located. At this point your entire system would be laid open to the attacker who could do anything he likes. A firewall proactively blocks unauthorized network traffic so that the Trojan living inside your computer could never be found or used to compromise your system.
So, in other words, everyone really does need a firewall. Please see my "Personal Firewalls" page for news of the best, and free, firewalls available!
I have a firewall installed. But according to ShieldsUP! my port 139 is still open. Any idea why this port is still open even with a firewall?
Different firewalls make different default choices about whether Windows NetBIOS file and printer sharing is left open or closed. So, just installing a firewall doesn't instantly protect you. The firewall may need some help from you to determine what you want to be protected from! Therefore, you may need to examine the software's configuration settings to determine how to close external access to the dangerous NetBIOS ports 137, 138, and 139.
I think my system is already infected by a Trojan horse program. Will a firewall help me?
Sure, absolutely. Since a firewall checks, scans, and blocks traffic flowing both ways through it, both into and out of your computer, you should be able to easily prevent unauthorized communication by a Trojan horse program. Note, though, that you should also really consider removing that suspected Trojan from your machine. It's just not safe having a bad program running inside your machine. You can never know for sure what it might do!
What about Internet gaming?
Internet gaming does not rely upon NetBIOS file and printer sharing in any way. So, you can completely unbind those services from the Internet's TCP/IP transport without any impact on your ability to connect with other gamers over the Internet. Everything will work just fine.
What if I want to access other files but not share any of my own?
That's actually very possible. Your local files and printers are shared by the "File and printer sharing for Microsoft Networks" component, whereas access to remote files is enabled by the "Client for Microsoft Networks" component. So, if you want to access remote resources belonging to other machines, you will need to have the "Client for Microsoft Networks" bound to the transport protocol which connects you to that remote machine. (This would be TCP/IP for trans-Internet resource sharing.) But if the "File and printer sharing for Microsoft Networks" is unbound from any dangerous transports (e.g. TCP/IP) then your system's resources will not be available for sharing by other machines.
Note, however, that your port 139 will be held open continuously for examination and connection by all passing Internet scanners. That's the consequence of using any of the Windows NetBIOS resource sharing clients without a firewall.
Is a software firewall running on a machine less secure than a completely separate hardware firewall peripheral?
In an "absolute" sense I suppose that no software solution could be as safe as having a separate "appliance" acting only as a firewall. However the least expensive of those costs about $350 US, whereas there are extremely effective software firewalls that are completely free.
If you're asking whether software firewalls can be in some fashion "penetrated" or compromised by external software, the answer is absolutely not. Due to the way these packages operate they are invulnerable to external attack and they are more easily updated as new types of attacks are discovered.
Having said that, I should confess that prior to bringing this ShieldsUP! site online I spent more than $5,000 for an industrial strength, stand-alone, hardware-based firewall appliance. I knew this site would come under significant attack by Internet "baddies" who would want to bring it down. So, I felt that going all the way with Internet security made sense for me. But, if I were a typical user with a cable modem or DSL connection, I'd be totally happy with any good software firewall.
How can I restore access to components that have "drifted off" in order to bind them to the NetBEUI protocol?
The only reason I recommend "anchoring" unbound service and transport components to safe adapters is to allow them to be easily "rebound" at any later date. For example, if you decided that you need to share a directory for a few hours you could easily rebind the Microsoft service components to the TCP/IP transport, reboot, and you're good to go. In other words, there's really nothing wrong with having "lost sight" of components that have drifted off.
But, if you would feel better having "binding access" to all of your installed components, simply re-install them through the Network properties dialog box using the "Add..." button. Once they have been re-installed, they will be well anchored and bound to everything. So you'll need to carefully unbind them and anchor them to a safe transport and adapter.
Nothing that I do closes port 80 but I'm sure I don't have a web server running. Got any ideas?
Believe it or not, the recent version of ICQ contains a built-in mini web server which opens port 80! You can keep ICQ from opening port 80 by disabling the web server part of the program: Click the services button at the bottom of the buddy list window, and select "MY ICQ PAGE", at the top of the next list is "activate my home page". Make sure it is unchecked. That should keep ICQ from opening port 80!
I'm using NAT (Network Address Translation). Doesn't this mean that I'm pretty safe?
Yes. Network Address Translation such as the Internet Connection Sharing (ICS) built into the second edition of Windows 98, allows multiple computers to share a single Internet connection. This is accomplished by assigning "private" IP addresses to the sharing machines. Since the external Internet sees only the single IP address of the NAT translating computer, there's absolutely no way for external Internet scanners to reach past the translating computer. This creates a high degree of security for the machines "behind" the main NAT computer.
Note that the main NAT computer is accessible from the Internet and needs to be protected.
I'm using an eMail virus scanner (a POP proxy) that's holding my port 110 open. Could you explain what that's all about?
In order to filter your incoming eMail, an anti-virus eMail system interposes itself between your eMail client (your eMail reader) and your eMail server. Since eMail clients retrieve mail by connecting to a POP (Post Office Protocol) server on port 110, the anti-virus filter runs its own little POP server (generally called a POP Proxy) on your system's port 110. Then your eMail client retrieves its new mail from the computer's own port 110. But, as you have already detected, a side effect of this is that your machine's port 110 is "open" for detection and scanning by anyone else on the Internet!
As I've stated here many times before, open ports are a serious cause for Internet security concern, and in the case of Norton's Antivirus POProxy, the concern turns out to be very real!
First, the old news:
In a Dec. 22nd, 1999 article, MSNBC starts out: "Security hole found in Norton antivirus app. KeyLabs tests confirm e-mail scanner fears in AntiVirus 2000." What's worse, in that article Marian Merritt of Symantec states: 'We do not intend to create a "patch" since the issue is one we understand and do not view as a "bug" or security flaw.' Think again, Marian! For more, see this story on BugNet!
Then, not many days later . . .
Symantec, apparently responding to pressure from this web site (since they wrote to me directly and asked me to please immediately update my pages here), changed their minds, decided that it was a bug, and released one of their "Live Update" patches for NAV2K. Here's BugNet's story about the patch. As you'll see, BugNet's writers are not much happier about Symantec's reluctant cure than I am.
The Continuing Problem . . .
The problem is that despite their statements to the contrary, the eMail scanning patch continues to leave port 110 wide open, completely visible, and listening for any passing Internet scanner. (See their LiveUpdate notification of 12/27/99 where they falsely claim that the port has been closed.) Instead, what Symantec did was to check the IP address of anyone who actually takes an interest in your port 110 by connecting to it and "disconnecting" any connection that doesn't originate from the local machine.
The problem with this half-baked solution, as I've repeatedly told them, is that open ports create vulnerability, as was shown shortly after the product's first release. For example, I already know how to crash any system running NAV2K by exploiting a weakness that's inherent in their solution. And while I'm certainly not going to take advantage of that weakness, you can bet that anything I know, many other "bad guys" do too!
And what's worse, now they've made it very easy to locate systems that are running NAV2K! First they've made port 110 completely visible, then they've made its behavior non-standard, and thus detectable! Any dedicated scanner could be sweeping the net, cataloging all of the Windows systems running NAV2K, and when the next weakness is found in that product, the scanner would have a ready-made catalog of exploitable systems.
This is not what you want when you spend money for security.
The final cure!
On January 14th, after suffering a continual bombardment from the press about this persistent problem, Symantec released another LiveUpdate patch to NAV 2000 which firmly and finally closes port 110 to all external traffic while leaving it available only to the local system's eMail client. This is a clean and elegant solution and is exactly what we needed.
I consider this case closed. If your system's port 110 is open, you're using Symantec's NAV 2000 with eMail filtering active, and you have not yet applied the latest Live Update fix . . . what are you waiting for?
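The difference between the interim fix and the final one comes down to where the proxy's listening socket is bound. The following added example (not code from the original page, and not Symantec's implementation) contrasts the two: a listener on all interfaces that accepts a connection and then drops non-local peers has already completed the TCP handshake, so the port still reads as open and its instant disconnect is recognisable; a listener bound to 127.0.0.1 is never offered on an external interface at all. The demo talks to itself over loopback only.

```python
import ipaddress
import socket


def proxy_listener(loopback_only, port=0):
    """Create the POP proxy's listening socket.
    loopback_only=True binds to 127.0.0.1, so the port is reachable only by programs on
    this machine; False binds to every interface (0.0.0.0), which is what left port 110
    visible to any passing scanner. port=0 lets the OS pick a free port for the demo."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1" if loopback_only else "0.0.0.0", port))
    s.listen(5)
    return s


def peer_is_local(addr):
    """True if the connecting peer's (ip, port) tuple carries a loopback address."""
    return ipaddress.ip_address(addr[0]).is_loopback


def serve_one(srv, loopback_only):
    """Accept one connection and greet it the way a POP server would.
    In the 0.0.0.0 variant the handshake has already completed by the time accept()
    hands us the peer address, so the peer check only limits what a remote probe gets,
    not whether the port answers."""
    conn, addr = srv.accept()
    try:
        if not loopback_only and not peer_is_local(addr):
            return "dropped"          # the interim fix: connect, then disconnect non-local peers
        conn.sendall(b"+OK POP proxy ready\r\n")
        return "served"
    finally:
        conn.close()


def demo(loopback_only=True):
    """Start the listener, connect to it as the local mail client would, and report
    the bind address, the server's decision and the banner the client received."""
    srv = proxy_listener(loopback_only)
    bind_ip, port = srv.getsockname()
    client = socket.create_connection(("127.0.0.1", port))  # handshake completes via the backlog
    outcome = serve_one(srv, loopback_only)
    banner = client.recv(64)
    client.close()
    srv.close()
    return {"bind_ip": bind_ip, "outcome": outcome, "banner": banner}


if __name__ == "__main__":
    print(demo(loopback_only=True))    # bind_ip 127.0.0.1: the "final cure"
    print(demo(loopback_only=False))   # bind_ip 0.0.0.0: the interim, still-visible variant
    print(peer_is_local(("127.0.0.1", 1052)), peer_is_local(("198.51.100.9", 1052)))
```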
After passing all of the ShieldsUP! tests and adding a firewall I went to www.anonymizer.com and it saw all sorts of stuff! I thought I was safe!
The "Port Detective" website gave me completely different answers than yours. It shows that all of my ports are open, but you say they're closed. So who's right?
What? You mean you have to ask? We're the ones who are correct, of course! <<grin>> (Actually, we're both correct!)
This has caused confusion since the "Port Detective" site is testing for something completely different than we are: The "Port Detective" site is checking your system's ports to see whether they are already in use or are accessible and available for use for running Internet servers. Therefore, when they say the port is "open", what they really mean is that it's available and accessible from the Internet. But from this site's perspective, this means that the port is currently closed since there's no server running behind it holding it open!
The "Port Detective" site is useful if you happened to want to run a Web, FTP, POP, SMTP, or other Internet service from your computer and want to be sure that your ISP, corporation, school, or whomever, had not blocked access to your computer's ports from the Internet.
Therefore, we are both correct and provide useful, though very different, information. I only wish that the "Port Detective" folks had used the term "Closed" when referring to accessible and closed ports rather than saying that they are "Open".
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Last Edit: May 28, 2010 at 12:37