Hot Take WARNING: port 135 STAYS OPEN EVEN IF U BLOCK IT in Win 11 24H2

Victor M

Victor M

Level 26
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
1,507
5,610
2,469
Discovered an alarming thing today: Port 135 STAYS OPEN and LISTENING even if you block it using Windows Firewall !! This enables remote RPC attacks. If you have a hardware firewall, or something like PFSense or ipfire, you should block it there.

I could be wrong, but I remember that previously it does not do that when blocked with a firewall.
 
Last edited:
  • Like
Reactions: ProblematicPions, Zero Knowledge, simmerskool and 1 other person
Windows can open ports as much as it wants, but if ports are closed on my router, no one can gain access or attack the device. Every properly set up router has all ports closed by default. UPnP should also be disabled and you should always port forward manually so no app can abuse it.

People keep forgetting all routers have firewall that regulates traffic before they reach your device. Windows Firewall is second line of defense that regulates traffic for PC itself.
 
  • Like
Reactions: EASTER, Zero Knowledge, simmerskool and 4 others
Victor M said:
@Marko :) . Yes I realize that some modem/routers block it, but mine doesn't and it is a BELL modem/router.
Click to expand...
If the port is open and you didn't open it yourself, you have UPnP enabled. Disable it in router's settings and the port should be closed.

You shouldn't rely on Windows Firewall for anything other than regulating internet access for installed apps and programs.
 
  • Like
  • Hundred Points
Reactions: piquiteco, simmerskool, Victor M and 3 others
Victor M said:
Discovered an alarming thing today: Port 135 STAYS OPEN and LISTENING even if you block it using Windows Firewall !! This enables remote RPC attacks. If you have a hardware firewall, or something like PFSense or ipfire, you should block it there.

I could be wrong, but I remember that previously it does not do that when blocked with a firewall.
Click to expand...
Default System Services Rely on the said port, Windows 11 keeps Port 135 open for the RPC Endpoint Mapper, which is tied to services like the DCOM Service Control Manager. These services listen on the port to negotiate connections for tasks such as remote procedure calls, which are crucial for features like printing, user authentication, and group policy enforcement in domain environments. Even if no external connections are active, the port may appear "listening" in local scans (e.g., using netstat or nmap) because it's bound to internal processes.
Scans might detect the port as open locally, but it's typically not exposed externally unless firewall rules allow it. For instance, the port is often configured to listen on localhost (127.0.0.1) for NetBIOS-related functions, which handle internal networking like file and printer sharing. Attempting to block it via firewall settings (e.g., Windows Defender Firewall or third-party tools like Norton) may not fully close it in local views because the underlying service continues to bind to the port internally. But even if firewall rules are set to block inbound/outbound traffic on Port 135, the port can still show as open in scans if the rules don't apply to local loopback traffic or if there are exceptions for system services. Additionally, dynamic port ranges (e.g., 49152-65535) used by RPC can keep communications active, indirectly keeping Port 135 involved.
In most cases, Port 135 staying open isn't a sign of a problem but rather a design choice in Windows for seamless operation. However, if the scan is external (e.g., from another device), it could indicate improper firewall exposure, so make sure your scan result is from another devise for a correct result.
 
  • Like
  • Hundred Points
Reactions: piquiteco, Zero Knowledge, simmerskool and 5 others
  • Like
  • Hundred Points
Reactions: simmerskool, Trident, Parkinsond and 1 other person
Marko :) said:
Go to following site and check if your port is open, just to be sure.

Open Port Check Tool -- Verify Port Forwarding on Your Router

A free open port check tool used to detect open ports on your connection. Test if port forwarding is correctly setup or if your port is being blocked by your firewall or ISP.
canyouseeme.org

If it is, we'll have to troubleshoot why is it open.
Click to expand...
and to check from your local network, install this app PortDroid - Apps on Google Play on your phone ( if you have an android) and scan your pc for open ports.
 
  • Like
Reactions: piquiteco, simmerskool, Trident and 1 other person
Marko :) said:
Go to following site and check if your port is open, just to be sure.

Open Port Check Tool -- Verify Port Forwarding on Your Router

A free open port check tool used to detect open ports on your connection. Test if port forwarding is correctly setup or if your port is being blocked by your firewall or ISP.
canyouseeme.org

If it is, we'll have to troubleshoot why is it open.
Click to expand...
Screenshot_24-8-2025_18226_canyouseeme.org.jpeg
 
  • Like
Reactions: piquiteco, lostpass and Trident
Parkinsond said:
May be because the website performs port scanning which could be considered as a malicious act.
Click to expand...
If we take this in consideration, they should flag Bing as pornography. Because if you search any pornography term, you get explicit results. 😂

It would be malicious if it did something malicious and without user knowledge, but the website itself said it's a testing tool so...
 
  • Like
  • Hundred Points
Reactions: simmerskool, Brahman and Parkinsond
Marko :) said:
If we take this in consideration, they should flag Bing as pornography. Because if you search any pornography term, you get explicit results. 😂

It would be malicious if it did something malicious and without user knowledge, but the website itself said it's a testing tool so...
Click to expand...
Symantec browser protection did not flag this website, but on several occasions, Symantec flags clean websites, while McAfee does not; McAfee webadvisor is more convenient for day-to-day use.
 
  • HaHa
Reactions: Marko :)
Looks like I remember wrong. I just tried it on a Win 10 box, and tried to block tcp 135 using Windows firewall,. The win 10 box netstat also says 0.0.0.0 Listening . So I think I can conclude that windows does not allow one to block TCP 135 and they wrecked the firewall to do so. .

EDIT: chatGPT says if DMZ is enabled and even if it has a non-existent machine specified then it could be exploited. So check your router if you ever used the DMZ and turn it off.
 
Last edited:
Parkinsond said:
Symantec browser protection did not flag this website, but on several occasions, Symantec flags clean websites, while McAfee does not; McAfee webadvisor is more convenient for day-to-day use.
Click to expand...
All of these security extensions block legitimate sites not just Norton or McAfee; it's their job to be as paranoid as they can be because the goal is prevention. If entire site has one suspicious executable file among thousand of others, they'll block entire site and not the URL that leads to that suspicious executable file. This is the main reason why I'm not using them.

We just recently had an example where thedaddy(.)dad, a streaming site was blocked despite not being malicious. They would just annoy me.
 
  • Like
  • Hundred Points
Reactions: ForgottenSeer 94738, lostpass, simmerskool and 1 other person

You may also like...