I'm looking at securing a web server (Windows Server 2008). A GRC port scan recommended that I close down port 135 (https://www.grc.com/port_135.htm). However, I've done this before with Windows Server 2003, and after doing this I wasn't able to RDP to the box.

Why is port 135 needed for RDP (port 3389) and since I don't have physical access to the box should port 135 be blocked (if so what about RDP)?

Thanks.


The RPC Endpoint Mapper (port 135) is definitely not required by RDP, and it is perfectly reasonable (and suggested) to block it on a firewall so non-local hosts cannot attempt to enumerate and exploit services.

I only say this with certainty because I have many hosts configured like this, and actually just tested it to make sure I wasn't crazy ;-)


I think because parts of Terminal Services use it:

TCP Port 135 - RPC Terminal Services Licensing

TCP Port 135 - RPC Terminal Services Session Directory

So when you connect via 3389, the server wants to see how your TS is licensed, etc., so it uses TCP/135 to call your DC or wherever your TS Licensing is kept.

This article can help

http://support.microsoft.com/kb/908472/en-us


Yes! Close that port!

Done it? Whew...

Don't expose that port to the outside. Not a good idea. You'll be fine with just the RDP port open. Yes, I have empirically tested this with a server running RDP. Note that there are some DoS attacks against unpatched RDP servers, so be sure to get up-to-date.
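Putting the second and third answers together: inbound TCP 135 from the Internet can be closed while RDP stays open, and the server's own RPC calls to a DC or TS Licensing server are outbound, so they are unaffected by an inbound block. The script below is an added example, not code posted by anyone in this thread. It assumes Windows Server 2008 with Windows Firewall with Advanced Security (the netsh advfirewall context) and PowerShell 2.0 or later; the $TrustedRpcSources value, the rule names, and the Test-TcpPort probe are my own choices.

```powershell
# Added example (not from the original thread). Assumes Windows Server 2008 with
# Windows Firewall with Advanced Security and PowerShell 2.0+. Run elevated on the server.

# Hosts that may still reach the RPC Endpoint Mapper (e.g. the DC / TS Licensing server).
# 'localsubnet' is an assumed placeholder; replace with the DC's address if it is remote.
$TrustedRpcSources = 'localsubnet'

# 1. Inbound is denied unless a rule allows it; outbound (incl. RPC to the DC) stays open.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null

# 2. Parse "netsh advfirewall firewall show rule" output into objects and return every
#    enabled inbound Allow rule that exposes TCP 135 to Any remote address.
function Get-ExposedEpmRules {
    $text  = (netsh advfirewall firewall show rule name=all dir=in) -join "`n"
    $rules = @()
    foreach ($block in ($text -split 'Rule Name:\s+')) {
        if (-not $block.Trim()) { continue }                  # text before the first rule
        $lines = $block -split "`n"
        $rule  = @{ Name = $lines[0].Trim() }
        for ($i = 1; $i -lt $lines.Count; $i++) {
            # "Field:   value" lines; the dashed separator and "Ok." do not match
            if ($lines[$i] -match '^(\w[\w ]*):\s+(.*)$') { $rule[$matches[1].Trim()] = $matches[2].Trim() }
        }
        $rules += New-Object PSObject -Property $rule
    }
    $rules | Where-Object {
        $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' -and $_.Protocol -eq 'TCP' -and
        $_.LocalPort -eq '135' -and $_.RemoteIP -eq 'Any'
    }
}

# 3. Disable any rule that opens 135 to the world (built-in or home-grown).
foreach ($r in Get-ExposedEpmRules) {
    Write-Host "Disabling rule exposing TCP 135: $($r.Name)"
    netsh advfirewall firewall set rule name="$($r.Name)" new enable=no | Out-Null
}

# 4. Allow RDP from anywhere (narrow remoteip to your admin range if you can), and
#    allow the Endpoint Mapper only from the trusted sources defined above.
netsh advfirewall firewall add rule name="RDP (TCP 3389) inbound" `
    dir=in action=allow protocol=TCP localport=3389 remoteip=any | Out-Null
netsh advfirewall firewall add rule name="RPC Endpoint Mapper from trusted hosts only" `
    dir=in action=allow protocol=TCP localport=135 remoteip=$TrustedRpcSources | Out-Null

# 5. Probe from an OUTSIDE machine to confirm the result: 3389 should answer, 135 should not.
#    Uses a timeout so a silently dropped SYN does not hang the check.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # dropped
        $client.EndConnect($async)                                                     # throws if refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Example from the outside (replace the hostname; assumed value):
# Test-TcpPort -Target webserver.example.com -Port 3389   # expect True
# Test-TcpPort -Target webserver.example.com -Port 135    # expect False
```

Run the rule-scan (steps 2 and 3) before the add rules, and run Test-TcpPort from a host that is not on the trusted subnet, otherwise the 135 probe will legitimately succeed. Because the default inbound policy is set to block, the RPC dynamic ports that the Endpoint Mapper would hand out are closed to outsiders as well, which is the point of the GRC recommendation; nothing here touches outbound traffic, so the licensing call to the DC described in the third answer keeps working.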