The following guide walks you through the steps of blocking specific ports on a Windows machine to harden the computer system.
Most Windows users don't come into contact with ports on a regular basis, or at all. While some may encounter ports when they set up a new email address in a desktop mail program, or when standard ports such as 80 or 21 are mentioned in news articles, ports are usually ignored for the most part.
Broken down to the core, a port is the endpoint through which a Windows PC communicates with something else, for instance a website or a mail server.
Windows is configured by default to have certain ports open. This is usually done for compatibility purposes to avoid issues when certain services are used.
It is a good idea, however, to close ports that are not used, to harden the system and avoid attacks against them. The recent SMB ransomware incident, for instance, could have been avoided if the port had not been open by default.
Which ports are open anyway?
If you never checked ports on a Windows machine, you may wonder which ports are open on it, and how to find that out.
I suggest you use programs for that, as they offer more details and are more accessible than other means.
CurrPorts is a free portable program that you can run right after download. It lists all programs and services in the interface, all Internet connections, and all local ports that are open at that time.
The list of open ports may be useful on its own, but most of the time you may have a hard time deciding whether it is required for functionality, or not. There is also the case where you may need the functionality on a network, but not over the Internet.
You do need to research the ports that you don't know about to make an educated decision about that. One site that you may find useful for that is Steve Gibson's website where you can search for ports and get information on many common ones.
You may also run port checks from the Gibson website directly by clicking on one of the available port scan options there (e.g. common ports, file sharing, or all service ports). You need to concentrate on the ports listed as open in this case.
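If you would rather not install a third-party program, the same information CurrPorts shows (which local ports are listening and which process owns each) is available from PowerShell. This is an added example and not part of the original article; it assumes Windows 8/Server 2012 or newer, where the NetTCPIP cmdlets exist, and an elevated PowerShell window so that the owning process of every listener can be resolved.

```powershell
# Added example (not from the original article): a PowerShell alternative to CurrPorts.
# Lists listening TCP ports and bound UDP ports together with the owning process name.
# Assumes an elevated PowerShell on Windows 8 / Server 2012 or newer (NetTCPIP module).

# Resolve a process id to a name; system processes may not be readable, so fall back to the id
function Get-OwnerName([int]$ProcessId) {
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if ($p) { $p.ProcessName } else { "pid $ProcessId" }
}

# TCP: only sockets in the LISTEN state accept new inbound connections
$tcp = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'Process'; Expression = { Get-OwnerName $_.OwningProcess } }

# UDP has no listening state: every bound endpoint can receive datagrams
$udp = Get-NetUDPEndpoint |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'Process'; Expression = { Get-OwnerName $_.OwningProcess } }

"== TCP listeners =="
$tcp | Sort-Object LocalPort | Format-Table -AutoSize
"== UDP endpoints =="
$udp | Sort-Object LocalPort | Format-Table -AutoSize

# Listeners bound to 0.0.0.0 or :: accept traffic on every interface, so these are the
# ones to research first; a listener bound to 127.0.0.1 is reachable only from this machine.
"== TCP listeners reachable from the network =="
$tcp | Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
    Sort-Object LocalPort | Format-Table -AutoSize
```

The last table is the useful one for the research step described above: port 445 owned by the System process, for example, is the SMB listener, and a port owned by an application you recognise is usually easy to judge. Ports bound only to the loopback address can be left alone, since nothing outside the machine can reach them.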
Blocking ports in Windows
Once you have made the decision to block a port on a Windows machine, you need to find a way to do so. Most personal firewalls, including Windows Firewall, support the blocking of ports. You may also block ports if you have access to the admin interface of a router or modem, as many come with options to do that as well.
The benefit of blocking a port on the router is that it is blocked for every device behind that router. If you block it on the machine level instead, you have to repeat the process on every device you use now or add in the future. Keep in mind that a router block only stops traffic coming from the Internet; a rule on the machine itself also blocks connections from other devices on the local network.
Blocking ports using Windows Firewall
The process itself is simple, and should not take long to complete:
- Tap on the Windows-key, type Windows Firewall, and select Windows Firewall with Advanced Security from the results.
- Click on Inbound Rules when the firewall window opens.
- Select New Rule from the Actions pane.
- Select Port from the Rule Type listing.
- Select TCP or UDP, and specify the ports, or a port range (e.g. 445, or 137-139).
- Select Block the connection.
- Select when the rule applies (leave default if unsure).
- Add a name, e.g. Port 445, and a description, (e.g. reason for blocking, and date/time).
Note: It can happen that you run into issues after blocking ports on the machine. Apps may not work properly anymore, or you may not be able to connect to certain resources. If that is the case, the port that you blocked in the firewall may be needed for that functionality. You can undo the blocking of ports at any time in the firewall as well.
Repeat the steps for any other port that you want blocked on the Windows PC.
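The eight-step procedure above can be scripted, which is handy when you want to apply the same block rules to several machines or re-apply them after a reinstall. The following is an added example, not part of the original article or of Windows itself; it uses the NetSecurity cmdlets that back the Windows Firewall with Advanced Security console, assumes an elevated PowerShell on Windows 8/Server 2012 or newer, and uses the SMB and NetBIOS ports mentioned in the article as a sample list that you should replace with the result of your own research.

```powershell
# Added example (not from the original article): the article's manual inbound block
# rules, created with the NetSecurity module. Run from an elevated PowerShell.
# The port list is a sample (SMB/NetBIOS ports named in the article); adjust it.

$rules = @(
    @{ Name = 'Block inbound TCP 445';     Protocol = 'TCP'; Ports = '445' },
    @{ Name = 'Block inbound TCP 137-139'; Protocol = 'TCP'; Ports = '137-139' },
    @{ Name = 'Block inbound UDP 137-138'; Protocol = 'UDP'; Ports = '137-138' }
)

$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm'

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run without creating duplicates
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        "exists: $($r.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name `
        -Description "Blocked $stamp - service not needed on this machine" `
        -Direction Inbound -Action Block `
        -Protocol $r.Protocol -LocalPort $r.Ports `
        -Profile Any -Enabled True | Out-Null
    "created: $($r.Name)"
}

# Verify: show each block rule together with the protocol and port filter attached to it
Get-NetFirewallRule -DisplayName 'Block inbound *' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Direction = $_.Direction
        Action    = $_.Action
        Protocol  = $pf.Protocol
        LocalPort = ($pf.LocalPort -join ',')
    }
} | Format-Table -AutoSize

# Undo, if an application stops working: disable keeps the rule for later, remove deletes it
# Disable-NetFirewallRule -DisplayName 'Block inbound TCP 445'
# Remove-NetFirewallRule  -DisplayName 'Block inbound TCP 445'
```

After running it, the listing from the previous section will still show port 445 as listening, because the service behind it has not been stopped; only the firewall in front of it has changed. Running `Test-NetConnection -ComputerName <this machine> -Port 445` from another computer on the network is a quick way to confirm that the rule is effective (TcpTestSucceeded should report False).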
Second note: Programs such as Nirsoft's CurrPorts will still show that services or programs are listening on those ports. Blocking a port in Windows does not stop the service behind it from listening. What changes is that incoming connections to these services and programs no longer get through, because the firewall discards the traffic before it reaches the port.
It is not difficult to block ports on Windows PCs. While you may spend some time researching the open ports before you start blocking them, doing so will pay off in the long run.
Some ISPs have started to block common attack ports on behalf of their users as well to reduce the attack surface. You can run scans on Gibson's website to find out if that is the case for you.
Now You: Do you block ports on Windows? If so which and why?