CLOSING INTERNET PORTS ON WINDOWS 2000

By Arthur R. Kopp 01/03/07

Disabling unnecessary or unwanted services, a process sometimes called "hardening", is highly desirable for security purposes. Some users may wish to harden their system so that nothing is listening for a firewall to have to protect. In other cases, a user may wish to perform a temporary hardening in order to access the internet safely for the first time after installing Windows, so that updates, patches, and security software can then be downloaded. This article describes a hardening method which doesn't require downloading anything from the internet.

The ports I found listening on a new install that required closing are the NetBIOS (file and printer sharing) group, ports 137, 138 and 139, together with the associated SMB-over-TCP port 445. Port 135, the RPC endpoint mapper that DCOM relies on, must also be closed. The instructions here are aimed at power users who aren't afraid to alter the registry, and who know enough to back it up before making changes. The changes are reversible, of course. If at a later time you wish to enable file and printer sharing with other computers on your local network, there is a free utility named wwdc.exe which will do much of the reversal automatically:
http://www.firewallleaktester.com/wwdc.htm

The NetBios group of ports
------------------------------------
From the desktop, select Start - Settings - Network and Dialup connections.
Depending on how many network adapters you have installed, there may be several Local Area Connection items. Start with your primary hardware adapter. In my case it's an Ethernet adapter (the screenshot from the original article is not reproduced here).


Double click on this item and select Properties.
Uninstall everything except Internet Protocol (TCP/IP). This removes Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks, the components that serve SMB shares to the network and connect to shares on other machines; keep in mind that you will need to reinstall them if you later want to share files or map network drives.

Select the Sharing tab and uncheck "Enable Internet connection sharing for this connection". Click "OK". Right click on the Local Area Connection item again and select "Properties". Select Internet Protocol (TCP/IP) and click "Properties" again, then "Advanced". Click on the WINS tab and select "Disable NetBIOS over TCP/IP".

Click "OK". There is no need to reboot at this point; just hit Cancel if prompted. Check your other adapters (the remaining Local Area Connection items) to make sure their settings are identical to the new settings of this first adapter. NetBIOS over TCP/IP is a per-adapter setting, so one adapter left at the default keeps ports 137-139 open on that interface.

Port 445
-----------
From the desktop select Start - Run and type regedit
Find the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBt\Parameters
Double click on the item TransportBindName
Remove the string of characters in Value Data, leaving it blank. Make a note of the original Data string (on a default Windows 2000 install it is \Device\) for possible future reversal. With the value blank, SMB is no longer bound directly to TCP, so port 445 stops listening after the next reboot.


Exit the registry editor.

Port 135
-----------
From the desktop, select Start - Run
Type:  c:\winnt\System32\Dcomcnfg.exe
Select the "Default Properties" tab
Uncheck "Enable Distributed COM on this computer"
Select the "Default Protocols" tab
Remove any protocols listed, leaving the list empty.


Start the registry editor again and find the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
With Rpc highlighted, click on Edit at the upper left of the screen, then New, then Key. A new key appears under Rpc; rename it Internet. With the new Internet key highlighted, select Edit again, then New, then String Value, and name the value UseInternetPorts. Double click UseInternetPorts and enter N as its Value data. (The screenshots from the original article are not reproduced here.)

Note that reversal can be done simply by deleting the Internet key you added and re-enabling Distributed COM in Dcomcnfg.
You are done. Exit the registry editor and reboot.

To check your work, open a command prompt (CMD.EXE) and type netstat -an immediately after booting up. I've found that with a new install of Windows (no updates or patches) the result is empty: no listening ports at all. After updating to IE 6 I find a TCP port numbered just over 1024 in LISTENING state, and sometimes UDP port 68 appears as well. LISTENING means a local program is bound to the port; on Windows 2000 a port just over 1024 is normally RPC's dynamically assigned listener, and UDP 68 is the DHCP client. Neither showed as open in the external scans described below. Immediately after hardening, it is ok to go ahead and install SP4 and all the critical security patches.
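The registry half of the Port 445 and Port 135 procedures above, plus the netstat check, as an added example in cmd batch (Windows 2000 has no PowerShell). This is not the article's own code. It assumes an Administrator account, and the work directory and file names are this example's own choices. Beyond the article's steps it names the two registry values that Dcomcnfg edits (Ole\EnableDCOM for the "Enable Distributed COM" box and Rpc\DCOM Protocols for the Default Protocols list) so those steps can be scripted as well; the per-adapter steps in the NetBIOS section still have to be done in the GUI.

```batch
@echo off
rem harden-w2k.bat  --  added example; not code from the original article.
rem Scripts the "Port 445" and "Port 135" registry edits, writes a matching
rem revert file, and (run again as "harden-w2k.bat check" after the reboot)
rem searches netstat output for the ports this article closes.
rem Run as Administrator. Work directory and file names are this example's own.

if "%1"=="check" goto check

set WORK=%SystemDrive%\w2k-harden
if not exist "%WORK%" md "%WORK%"

rem ---- 1. Back up the three keys that will be touched (regedit /e exports a key)
regedit /e "%WORK%\backup-NetBt.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBt\Parameters"
regedit /e "%WORK%\backup-Ole.reg"   "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
regedit /e "%WORK%\backup-Rpc.reg"   "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc"

rem ---- 2. Write harden.reg. REGEDIT4 is the ANSI .reg format Windows 2000 reads.
rem      Redirection is written before each echo so cmd never mistakes a value
rem      ending in a digit for a file-handle number.
set H=%WORK%\harden.reg
> "%H%" echo REGEDIT4
>>"%H%" echo.
rem Port 445: blank TransportBindName so SMB no longer binds directly to TCP
>>"%H%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBt\Parameters]
>>"%H%" echo "TransportBindName"=""
>>"%H%" echo.
rem Port 135, part 1: EnableDCOM is the value behind Dcomcnfg's
rem "Enable Distributed COM on this computer" check box
>>"%H%" echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
>>"%H%" echo "EnableDCOM"="N"
>>"%H%" echo.
rem Port 135, part 2: "DCOM Protocols" is Dcomcnfg's Default Protocols list
rem (hex(7):00,00 is an empty multi-string), then the article's Internet key
>>"%H%" echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
>>"%H%" echo "DCOM Protocols"=hex(7):00,00
>>"%H%" echo.
>>"%H%" echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
>>"%H%" echo "UseInternetPorts"="N"
>>"%H%" echo.

rem ---- 3. Write revert.reg: restore the default \Device\ binding (backslashes
rem      are doubled in .reg files), re-enable DCOM, and delete the Internet key
rem      (a leading "-" on a key line deletes that key). The original protocol
rem      list comes back by importing backup-Rpc.reg.
set R=%WORK%\revert.reg
> "%R%" echo REGEDIT4
>>"%R%" echo.
>>"%R%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBt\Parameters]
>>"%R%" echo "TransportBindName"="\\Device\\"
>>"%R%" echo.
>>"%R%" echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
>>"%R%" echo "EnableDCOM"="Y"
>>"%R%" echo.
>>"%R%" echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
>>"%R%" echo.

rem ---- 4. Import silently (/s suppresses the confirmation dialog), then reboot
regedit /s "%H%"
echo Imported %H%.  To undo later:  regedit /s "%R%"  then  regedit /s "%WORK%\backup-Rpc.reg"
echo Reboot now, then run:  %~f0 check
goto :eof

:check
rem ---- 5. After the reboot: report anything still bound to the hardened ports.
rem      netstat -an prints lines like "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING";
rem      matching ":135 " with the trailing space avoids hits on 1350, 13500, ...
netstat -an | findstr /c:":135 " /c:":137 " /c:":138 " /c:":139 " /c:":445 " /c:":3372 "
if errorlevel 1 (
    echo OK: nothing is bound to 135, 137-139, 445 or 3372.
) else (
    echo WARNING: a hardened port is still bound -- see the lines above.
)
goto :eof
```

The check step is the one to keep around: run it after every Windows Update or service installation, since either can silently restore a binding. A match from findstr is not by itself a reachable-from-the-internet port (the local address may be 127.0.0.1), so read the lines it prints before deciding anything is wrong.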

You can verify that all ports are closed from the outside by using web sites which offer port scanning services. Here are a few links:
http://scan.sygatetech.com/
http://www.pcflank.com/
https://www.grc.com/x/ne.dll?bh0bkyd2
These sites also promote their own firewall products; what matters here is the scan result. As long as all ports test as closed, the hardening has done its job against unsolicited inbound connections, which is all it is meant to do; it does nothing about attacks that arrive through the browser, e-mail, or software you install, which is the point of the warning below. I've been connected to the internet for typically twelve hours per day via DSL service for years with no firewall or router and never experienced any problems.

Warning!
Prevention of viruses and other malicious code involves far more than just hardening internet ports. Be aware that if you allow malicious code to run on your computer, it can do practically anything, including modifying the registry and the settings made here. In addition to backing up all your data, it's wise to do periodic checks. In the context of this article, one simple check is the netstat -an test, to make sure nothing you've installed has undone the work you have done here. Make sure to do this check after a Windows Update, or after installing any new Windows services. Please see the Appendix for an example of closing port 3372 if necessary. And avoid installing IIS. The second reference below, an article by Marchand, will give you clues on disabling other services and closing other ports.

References:
http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
http://www.nacs.uci.edu/windows/DefaultPortsforWindows2000.html

Appendix:

The procedure below, a particular example of closing port 3372, also serves to illustrate how to disable unwanted services in general.

Let's say that the netstat -an result shows TCP port 3372 LISTENING. This more than likely indicates that, for whatever reason, the Microsoft Distributed Transaction Coordinator (MSDTC) has been activated and msdtc.exe is running. To close the port, do the following:

Start - Settings - Control Panel - Administrative Tools
Select Services
Find Distributed Transaction Coordinator and right click on it. Select Properties
Under the General tab find Startup Type
Set it to Disabled. Click OK and reboot. (Disabled only prevents the service from starting next time; if you would rather not reboot, click Stop on the same tab as well.)
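The same change scripted for any service, as an added example that is not part of the original article. The Services applet's "Disabled" startup type is the registry value Start=4 under the service's key; the script takes the service's short name (MSDTC for the Distributed Transaction Coordinator, not the display name), backs the key up, sets Start to 4 and stops the service. It assumes an Administrator account; the temp file names are this example's own choice.

```batch
@echo off
rem disable-service.bat SERVICENAME  --  added example; not from the original article.
rem Sets HKLM\SYSTEM\CurrentControlSet\Services\SERVICENAME\Start to 4, which is
rem the value the Services applet writes for Startup Type "Disabled".
rem Worked case from the Appendix:  disable-service.bat MSDTC   (closes TCP 3372)
rem Run as Administrator. The temp file names are this example's own choice.

if "%1"=="" (
    echo usage: %0 SERVICENAME
    goto :eof
)

rem Export the service key first so the previous Start value can be restored
regedit /e "%TEMP%\backup-%1.reg" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%1"

rem Redirection goes before each echo so cmd does not read the trailing "4"
rem of the dword as a file-handle number.
set F=%TEMP%\disable-%1.reg
> "%F%" echo REGEDIT4
>>"%F%" echo.
>>"%F%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%1]
>>"%F%" echo "Start"=dword:00000004
>>"%F%" echo.
regedit /s "%F%"

rem Start=4 only prevents the next launch; stop the service now if it is running
rem (net stop simply reports an error if it was not).
net stop %1
echo %1 is now Disabled.  To restore:  regedit /s "%TEMP%\backup-%1.reg"
```

After running it, netstat -an should no longer list the service's port; if it still does, check whether another service depends on the one you disabled or has opened the same port itself.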
