Understanding About Port 135
Port 135 is a Windows Remote Procedure Call (RPC) port that is used for remote management and communication between Windows devices and services. Understanding how this port functions and the risks associated with it is important for managing the security of Windows environments.
Key Takeaways
- Port 135 is the main port for Windows RPC services, allowing for remote management and communication.
- Malware and hackers exploit it to spread infections and gain access to systems. Blocking it is critical for security.
- Proper configuration of RPC and firewall rules are necessary to harden Port 135 while still allowing necessary RPC communication.
- Monitoring and limiting access to Port 135 helps prevent exploitation and attacks.
- Disabling or restricting RPC services reduces the attack surface associated with Port 135.
Overview of Remote Procedure Call (RPC)
RPC (Remote Procedure Call) is a protocol that allows programs on one computer to execute code and access services on other systems across a network. Microsoft extensively used RPC in Windows for file sharing, printing, naming services, and various system management tasks.
How Does Port 135 Work?
Port 135 is the main port used by RPC services in Windows operating systems. It is called the RPC endpoint mapper and facilitates communication between RPC services by directing network traffic to the correct RPC process on remote computers.
When an RPC request comes in, the endpoint mapper listens on Port 135 and determines which RPC service should handle the request based on the packet’s destination address. It then routes the traffic to the RPC server process responsible over a dynamically assigned port.
Some key RPC services in Windows that rely on Port 135 include:
- Service Control Manager (SCM): Allows remote starting and stopping of Windows services
- Server: Provides remote management capabilities, including registry editing, file manipulation, system shutdowns, etc.
- Locator: This function enables RPC name services for locating servers, disks, pipes, and other network resources.
- EventLog: Provides remote access to Windows event logs.
- Samr: Handles user authentication requests by connecting to the Security Accounts Manager.
- Lsarpc: Exposes security account and policy data to clients through the Local Security Authority.
- Netlogon: Authenticates domain controller connections and handles login requests.
- Spools: Controls printing and print spooler access.
- Wmi: Gives access to Windows Management Instrumentation for system monitoring and management.
Without Port 135, none of these vital management functions would work across networks. That is why it is essential for communication between Windows servers and workstations.
What are the Security Risks of Port 135
While RPC and Port 135 are critical for remote Windows administration, they also introduce significant security risks if not properly secured. Some of the main threats associated with Port 135 include:
- Malware Exploitation
- Remote Code Execution
- Distributed Denial of Service (DDoS)
- Information Disclosure
- Lateral Movement
Malware Exploitation
Many worms and viruses, such as Conficker, Sasser, and Wannacry, specifically target vulnerabilities in the Microsoft RPC services dependent on Port 135 as infection vectors. By flooding the port with malicious RPC requests, they can exploit weaknesses to execute code and spread malware.
Remote Code Execution
Port 135, combined with vulnerable RPC services, can be exploited to execute arbitrary commands on remote Windows systems. This allows attackers to gain unauthorized remote access and perform malicious actions, such as installing backdoors or stealing data.
Distributed Denial of Service (DDoS)
Attackers can abuse RPC communication via Port 135 to overwhelm systems and networks with an excessive volume of requests, which can result in a denial of service and system crashes.
Information Disclosure
Flaws in RPC services can sometimes be leveraged to pull sensitive data, such as system credentials, registry hives, and authentication information, from remote systems over Port 135.
Lateral Movement
Once an attacker gains access to one system on a network, Port 135 provides an avenue for compromising additional systems by moving laterally using RPC, allowing them to quickly infiltrate networks.
How to Secure Port 135 Against Attacks
Because malicious actors frequently target Port 135 to breach into Windows environments, proper configuration is necessary to secure it. Some tips include:
- Block Access at the Firewall
- Restrict RPC Services
- Patch and Update Regularly
- Use Authentication and Encryption
- Monitor and Limit Access
- Deploy Additional Security Layers
Block Access at the Firewall
Create firewall rules to block all external traffic over Port 135 by default. Only allow access from specific systems that require RPC connectivity for remote management tasks. This prevents external attacks from reaching the port.
Restrict RPC Services
Determine which RPC services, such as Server, Wmi, Netlogon, etc., are absolutely necessary and disable any others to reduce the attack surface. If possible, disable RPC functionality entirely.
Patch and Update Regularly
Apply the latest security updates for Windows and RPC services to ensure no known vulnerabilities can be exploited over Port 135. Keep systems updated against emerging threats.
Use Authentication and Encryption
Configure RPC services to require authentication and encrypt traffic to prevent unauthorized access, data disclosure, or man-in-the-middle attacks.
Monitor and Limit Access
Use tools like Sysmon to log all connection attempts to Port 135. Review regularly and limit access to only trusted sources. Be suspicious of any unknown or unauthorized activity.
Deploy Additional Security Layers
Consider using additional security solutions, such as IPsec, SMB signing, and RDP encryption, to further harden RPC communications against attacks.
Proactively securing Port 135 is one of the most important steps for protecting against damaging Windows malware and intrusions. Combining the measures above can help minimize the risks.
Final Thoughts
Port 135 is fundamentally necessary for the proper functioning of Windows RPC services that allow remote management, file sharing, and communication. However, due to many vulnerabilities, attackers also heavily target it.
By implementing a robust defense-in-depth strategy involving firewall rules, access controls, service hardening, network segmentation, and up-to-date patching, organizations can securely benefit from RPC while minimizing risks from Port 135 exploits. Striking the right balance is crucial for Windows security.
Frequently Asked Questions (FAQ) Related to Port 135
Why is Port 135 a security risk?
Port 135 is a security risk because it provides the endpoint mapper service for Windows RPC communication. Vulnerabilities in RPC services often allow remote code execution, malware spread, DDoS attacks, and other exploits over Port 135.
What is the exact purpose of Port 135?
Port 135’s main purpose is to listen for incoming RPC requests and direct them to the correct RPC server process for handling based on the packet destination address or UUID. This enables remote communication and management between Windows machines.
Should Port 135 be blocked by default?
Yes, generally, Port 135 should be blocked at perimeter firewalls and only allowed access from internal sources that require RPC connectivity for administration tasks. This helps prevent external exploits. Proper authentication and encryption can make some limited exceptions.
Can I completely disable Port 135?
You typically cannot completely disable Port 135 since core Windows functions for file sharing, printing, authentication, and management depend on the RPC services using this port. Disabling it entirely would cause system instability or failure.
Is there an alternative to RPC and Port 135?
Not directly. RPC allows unique cross-network communication between Windows systems that is not easy to replace. However, using strong network segmentation, authentication, and encryption provides additional layers of security on top of RPC to help minimize risks.
How can I detect attacks on Port 135?
Look for connection spikes or brute force activity in firewall logs indicating port scanning or exploit attempts. Use IPS to detect known RPC exploit signatures. Monitor logs from security tools and RPC services themselves for anomalies.
What’s the best way to manage RPC security?
Use a remote procedure call (RPC) firewall to manage RPC network traffic. Disable unneeded RPC services. Apply the latest security patches. Use IPsec policies to authenticate and encrypt RPC communications between hosts. Limit RPC connections only to trusted sources.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
