nanog mailing list archives

Re: Blocking port 135?


From: Sean Donelan <sean () donelan com>
Date: Fri, 1 Aug 2003 21:29:52 -0400 (EDT)


On Fri, 1 Aug 2003, Christopher L. Morrow wrote:
> On Fri, 1 Aug 2003, Sean Donelan wrote:
> > In reality blocking port 135 is almost never sufficient.  It's slightly
> > better than waving a dead chicken over your PC.
>
> It's far less stinky than the chicken option though, you must admit that.

yep.

If you want to be in loco parentis for users, most residential users
should block *ALL* inbound connections using a stateful firewall. Most
residential users do not intend to run Internet servers.  Blocking port
135 is not sufficient to "protect" Microsoft software.  There are lots of
other holes.

Practically, the best place to make this decision is as close to the user
as possible.  The ISP doesn't "know" what the user intended to do.
Mind-reading customer care hasn't worked out as well as we thought.

There are cheap hardware firewalls and free/cheap software firewalls that
are easy and effective to use.  Most places that sell PCs also sell
personal firewalls, anti-virus, and even backup systems.

Your own personal firewall can block everything out of the box, and can be
changed locally (you don't need to wait for the ISP).
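
The difference between a port-135 block and the stateful default-deny policy recommended above can be modelled in a few lines. This is an added example, not part of the original message; the addresses, ports 139 and 445, and all names in the code are constructed for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    direction: str     # "in" or "out", seen from the home PC
    remote: str        # remote host address
    remote_port: int
    local_port: int
    new_conn: bool     # True for a TCP SYN without ACK (connection attempt)

def port135_block(pkt):
    """Single-port blocklist: drop only inbound traffic to local port 135."""
    return not (pkt.direction == "in" and pkt.local_port == 135)

class StatefulFirewall:
    """Default-deny inbound; pass only replies to flows opened from inside."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        key = (pkt.remote, pkt.remote_port, pkt.local_port)
        if pkt.direction == "out":
            self.flows.add(key)      # remember what the user initiated
            return True
        # Inbound passes only if it belongs to a tracked flow and is not
        # itself a new connection attempt.
        return key in self.flows and not pkt.new_conn

# Constructed sample traffic (documentation addresses, not real captures).
TRAFFIC = [
    Packet("out", "192.0.2.10", 80, 50000, True),      # user opens a web page
    Packet("in", "192.0.2.10", 80, 50000, False),      # reply to that request
    Packet("in", "198.51.100.7", 40000, 135, True),    # unsolicited, port 135
    Packet("in", "198.51.100.7", 40001, 139, True),    # unsolicited, port 139
    Packet("in", "198.51.100.7", 40002, 445, True),    # unsolicited, port 445
]

def compare(traffic):
    """Return (local_port, direction, blocklist verdict, stateful verdict)."""
    fw = StatefulFirewall()
    return [(p.local_port, p.direction, port135_block(p), fw.allow(p))
            for p in traffic]

if __name__ == "__main__":
    for port, direction, blocklist, stateful in compare(TRAFFIC):
        print(f"{direction:>3} local port {port:<5} "
              f"port-135 block: {'pass' if blocklist else 'drop'}  "
              f"stateful: {'pass' if stateful else 'drop'}")
```

Both policies pass the user's own web traffic and drop the port 135 probe; only the stateful policy also drops the unsolicited connections to the other ports.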


