Port 135 is one of those Windows networking details that stays invisible until it becomes a problem. If it is open where it should not be, attackers can use it for RPC reconnaissance, service enumeration, and follow-on attacks that turn into real security incidents fast. The fix is not complicated, but it does require disciplined firewall configuration and a clear understanding of how Windows security actually uses this port.
Cisco CCNA v1.1 (200-301)
Learn essential networking skills and gain hands-on experience in configuring, verifying, and troubleshooting real networks to advance your IT career.
Get this course on Udemy at the lowest price →This post explains what Port 135 does, why it is frequently abused, how to check whether it is exposed, and how to block it without breaking legitimate Windows operations. That includes host-based controls, perimeter filtering, and the practical exceptions that matter in domain environments and remote administration scenarios.
If you are working through Cisco CCNA v1.1 (200-301) concepts, this is also a useful real-world example of how access control, segmentation, and policy enforcement intersect with network troubleshooting. The same habits that help you secure a routed network also help you keep Port 135 from becoming an unnecessary attack path.
What Port 135 Does in Windows Environments
Port 135 is used by the RPC Endpoint Mapper on Windows systems. In plain terms, it helps applications locate the RPC services they need by answering the question, “Which dynamic port is that service actually listening on?” That makes it a directory service for remote procedure calls, not a typical end-user application port.
This matters because many Windows components depend on RPC. Remote administration, some domain operations, management tools, printing workflows, and legacy enterprise applications may all rely on it. Microsoft documents RPC behavior through its official Windows and security documentation, including guidance on firewall and RPC endpoint handling in Microsoft Learn.
Port 135 itself is not the whole RPC story. It usually brokers access to higher-numbered dynamic RPC ports. So when people say “block Port 135,” they are often talking about stopping the first handshake that reveals where RPC services live. That distinction is important, because blocking Port 135 without understanding dependent services can break administration workflows, while leaving it open broadly can expose the environment to scanning and abuse.
“Port 135 is less valuable because of what it carries directly and more dangerous because of what it reveals.”
Why it is easy to overlook
Port 135 is usually not user-facing. Most employees never interact with it, and many desktop users do not know it exists. That is exactly why it gets missed during firewall reviews. If a firewall rule was cloned years ago or a legacy app needed RPC once, Port 135 can stay open long after the original need disappeared.
- Common RPC-dependent functions: remote administration, service discovery, some directory operations, and legacy Windows management tools
- Common mistake: assuming “internal-only” means safe when internal lateral movement is still a major threat
- Practical risk: Port 135 can be reachable from places that were never intended to have Windows management access
For the networking side of this, Cisco’s official training and documentation on access control and segmentation concepts provide the right mental model, and Cisco’s reference material can be found through Cisco.
Why Port 135 Is a Security Risk
Attackers love Port 135 because it is a fast way to identify Windows hosts and map out RPC activity. A scanner can probe the port, identify the system as Windows-related, and start enumerating services or follow-up ports. That helps an attacker build a target profile before they attempt lateral movement, privilege escalation, or exploit chaining.
The history matters here. RPC-related weaknesses have been involved in some of the most disruptive malware and worm outbreaks in Windows ecosystems. When a vulnerability affects an RPC-enabled service, the blast radius can be large because one exposed service may lead to remote code execution or unauthenticated access across many systems. MITRE CVE records and MITRE ATT&CK techniques show how attackers systematically use discovery, remote services, and lateral movement once they find an opening.
Port 135 also supports the early phases of brute-force-style abuse. Even if the port itself is not a login prompt, it often helps reveal which systems are worth targeting, which services are present, and where trust boundaries are weak. That makes it a useful entry point for service enumeration and privilege escalation paths inside a flat or poorly segmented network.
Warning
Exposing Port 135 to the public internet is almost never justified. It increases attack surface, gives scanners a reliable Windows fingerprint, and can expose dynamic RPC services behind it.
Why scanners hit it first
Security tools, malware, and opportunistic attackers often scan Port 135 early because it is cheap and informative. One quick probe can tell them whether they are looking at a Windows host worth pursuing. If the host also answers on related ports, the attacker has already moved from blind scanning to targeted enumeration.
- Reconnaissance: identify Windows systems and reachable RPC services
- Enumeration: learn what management and legacy services are active
- Abuse: pivot to remote execution, lateral movement, or service impersonation paths
- Persistence: use the same discovery pattern repeatedly to map the network
Industry reporting from the Verizon Data Breach Investigations Report consistently shows that attackers rely on discovery, credential abuse, and lateral movement after initial access. Port 135 fits squarely into that pattern.
Common Threat Scenarios Involving Port 135
Port 135 is rarely the root problem. It is usually part of a chain. Once an attacker gets a foothold, they look for internal Windows systems that answer on RPC and then use that visibility to move sideways. A flat network makes this easier, because a compromised workstation can talk to many more assets than it should.
Lateral movement after a breach
After an endpoint is compromised, attackers can use RPC calls and service enumeration to discover reachable servers, identify administrators, and test which hosts allow remote management. If Windows security controls are weak, Port 135 becomes a pivot point for broader compromise. This is especially common where local admin privileges are reused or where segmentation is shallow.
Worm-style propagation and weak segmentation
In environments with broad east-west connectivity, worm-like behavior spreads quickly. If an RPC-enabled weakness exists anywhere in the subnet, a scanning tool or malware payload can propagate from one host to the next. This is why blocking Port 135 only at the perimeter is not enough; internal segmentation matters too.
Remote management abuse and vulnerable services
Administrative tools, legacy enterprise services, and poorly scoped RPC access can become the entry path for exploitation. If authentication is weak, patching is behind, or the service exposes sensitive functions, Port 135 can help expose the rest of the chain. For the broader operational context, NIST Cybersecurity Framework guidance on identify, protect, detect, and respond is a useful way to structure the control set around these risks.
Key Takeaway
Port 135 is dangerous because it helps attackers find Windows RPC services, not because it is a standalone “bad port.” The real risk is what it enables next.
How to Check Whether Port 135 Is Open
Checking Port 135 means looking at both the host and the network path. A local machine can show that it is listening, but that does not tell you whether a firewall or security group is blocking outside access. Likewise, a perimeter scan can show reachability from one network and miss exposure from another.
On Windows, start with built-in tools. They are fast, familiar, and available everywhere. Then confirm from an external or segmented source so you are not fooled by local-only visibility. This is the same discipline you would use when troubleshooting Cisco network reachability problems: verify the endpoint, verify the path, then verify the policy.
- Check local listeners: run
netstat -ano | findstr :135to see whether the system is listening on Port 135. - Check PowerShell: use
Get-NetTCPConnection -LocalPort 135to confirm TCP activity. - Test reachability: use
Test-NetConnection -ComputerName hostname -Port 135from another Windows host. - Scan externally: use
nmap -p 135 target-ipfrom a permitted scanning host to verify actual exposure. - Review firewall policy: inspect both Windows Defender Firewall and edge firewall/NAT rules.
Why multiple test locations matter
Testing from only the local machine can produce a false sense of safety. A host may be listening, but internal host firewalls or cloud security groups may block access. Or the reverse may be true: the host is hardened, but a perimeter rule exposes the port to a wider network than intended.
| Host-level test | Shows whether the service is listening on the Windows system itself |
| Perimeter test | Shows whether the port is reachable from another subnet, VPN, or the internet |
For cloud-hosted Windows servers, check the platform controls as well. AWS documents security group behavior in AWS documentation, and similar logic applies in other cloud environments: host firewalls and cloud network controls both have to agree.
When Port 135 Should and Should Not Be Accessible
There are legitimate reasons for Port 135 to exist. Domain-based Windows environments, some remote management tools, and legacy application dependencies may require RPC reachability between trusted systems. That does not mean it should be open broadly. It means it should be tightly scoped and documented.
Port 135 should rarely be reachable from the public internet. If you can reach it from outside the organization, you should have a very specific business justification, a change record, and compensating controls. In most environments, the correct answer is to block it at the perimeter and allow it only from known management sources.
- Usually acceptable: between servers and management subnets inside a controlled network
- Usually acceptable: over VPN from trusted administrator endpoints
- Usually not acceptable: broad access from user VLANs, guest networks, or the internet
- Usually not acceptable: “open just in case” rules with no owner or expiration
This is also a compliance issue. Broadly exposed management services can create problems under control frameworks such as NIST, PCI Security Standards Council, and internal audit requirements tied to least privilege and segmentation. Even when Port 135 is technically necessary, exposure should be limited to specific hosts and specific routes.
Special caution for high-value systems
Servers, domain controllers, and endpoints with remote administration enabled deserve extra scrutiny. If these systems are reachable on Port 135 from too many places, the blast radius of compromise increases. That is especially true if the same administrative account is used across multiple machines or if local admin rights are widespread.
Exposure is not just a firewall issue. It is a trust-boundary decision.
How to Block Port 135 Effectively on Windows
The most direct way to reduce risk is to block Port 135 on the host unless there is a documented need. Windows Defender Firewall can do this with inbound rules, and PowerShell or Group Policy can enforce the same policy consistently across multiple systems. The goal is not to make networking harder; it is to prevent accidental exposure.
For a single Windows host, create a blocking inbound rule for TCP 135. In many environments, you should also evaluate whether UDP-based RPC-related traffic is present and whether it needs to be restricted as well. The safest approach is to test the real application dependency before making assumptions about which protocol is in use.
- Identify the host group: decide which systems truly need RPC exposure.
- Create a test rule: block inbound Port 135 on a small pilot group first.
- Validate business apps: confirm remote management and legacy services still work where required.
- Enforce centrally: apply the rule through Group Policy or scripted PowerShell.
- Document exceptions: allow only known source IPs if access must remain open.
PowerShell and Group Policy approach
PowerShell is useful when you need repeatability. Group Policy is better when you need enterprise-scale enforcement. Both are valid; the choice depends on how mature your Windows management stack is.
A common pattern is to create a deny by default rule and then add narrow allow rules for approved management IPs. That is safer than trying to identify every possible destination that should be blocked. If RPC access is needed, explicitly scope it to a management subnet or jump host range instead of using broad internal ranges.
Pro Tip
Roll out the block to a test OU or pilot VLAN first. A clean pilot is the fastest way to catch legacy dependencies before the rule hits production.
Microsoft’s firewall and PowerShell documentation in Microsoft Learn is the right source for exact syntax and policy behavior.
How to Block Port 135 at the Network Perimeter
Host-based blocking is necessary, but it is not enough. If a perimeter firewall, router ACL, or cloud security group still allows Port 135 from untrusted sources, you are leaving the door open. A layered firewall configuration strategy gives you defense in depth: host rules protect the endpoint, and perimeter controls protect the network edge.
Block inbound Port 135 on edge firewalls unless there is a tightly defined reason not to. For internal segmentation, block it between VLANs or subnets that do not require RPC communication. That matters in both on-premises and cloud environments because lateral movement often succeeds when east-west traffic is over-permitted.
| Host-based blocking | Stops the service on the Windows machine itself |
| Network-based blocking | Stops traffic before it reaches the host and reduces scan noise |
For cloud workloads, use security groups, NACLs, and any cloud firewall controls available in the platform. AWS security groups are stateful allow controls, which makes them suitable for narrowing source IPs and management subnets. Log denied attempts and alert on repeated hits. A steady stream of blocked Port 135 traffic often means either active scanning or a misconfigured internal dependency.
The CISA guidance on reducing attack surface and hardening exposed services supports this layered approach. The same principle applies whether the workload is on-prem, virtualized, or cloud-hosted.
What to Do if Port 135 Must Remain Open
Sometimes you cannot close Port 135 entirely. A legacy application may depend on it, or a remote administration workflow may still require RPC connectivity. When that happens, the answer is not to leave it broadly reachable. The answer is to make the exposure as narrow and controlled as possible.
Start by limiting source IPs. Only allow known administrative subnets, jump hosts, or VPN address pools. Avoid broad RFC1918 ranges unless you can justify them. Then pair the rule with strong authentication, current patching, and least privilege so that a reachable service does not become an easy compromise.
- Restrict sources: allow only admin subnets or jump hosts
- Use VPN or bastion systems: keep management traffic off general user networks
- Apply least privilege: do not give broad admin rights just because RPC access exists
- Segment aggressively: keep high-value systems isolated from general user access
- Detect abuse: use EDR and IDS to watch for unusual RPC behavior
For regulated environments, this is also where auditability matters. If Port 135 must stay open, document the exception, the owner, the review date, and the business reason. That helps with internal control reviews and aligns with the control expectations often seen in frameworks such as ISACA guidance and broader enterprise risk management.
A narrow exception with logging is manageable. A broad exception with no owner is a liability.
Best Practices for Reducing Overall RPC Exposure
The best defense is to reduce how much RPC you need in the first place. If a service or legacy component is not required, remove it. If an application can use a modern management method with tighter access control, prefer that over broad RPC exposure. This is how you shrink attack surface instead of just reacting to it.
Keep Windows systems patched. RPC-related vulnerabilities are especially painful because they can affect management services and core platform functions at the same time. Patch management should be part of the same routine that reviews firewall rules and administrative access. If the port is blocked but the service is still vulnerable, you have only solved part of the problem.
- Audit services: identify what actually depends on RPC.
- Disable legacy components: remove unused services and management interfaces.
- Patch aggressively: keep Windows and dependent services up to date.
- Review firewall rules: verify Port 135 is not exposed unintentionally.
- Monitor traffic: watch for repeated scans, failed connections, and enumeration attempts.
For operational monitoring, align your detections with common attacker behavior. MITRE ATT&CK is useful for mapping discovery and lateral movement techniques, while OWASP and CIS Benchmarks help reinforce hardening discipline across systems. Even though those resources are not RPC-specific, the habit is the same: limit exposure, reduce unnecessary services, and validate the controls that are supposed to protect them.
Note
Don’t stop at “Port 135 is blocked.” Confirm that the dependent dynamic RPC ports are also controlled, especially on servers that support remote administration or legacy enterprise applications.
Cisco CCNA v1.1 (200-301)
Learn essential networking skills and gain hands-on experience in configuring, verifying, and troubleshooting real networks to advance your IT career.
Get this course on Udemy at the lowest price →Conclusion
Port 135 is important to Windows functionality, but it becomes a real security problem when it is exposed too broadly. It helps RPC services announce themselves, and that makes it useful for administration and equally useful for attackers looking for Windows hosts to probe, enumerate, and move through.
The safest approach is simple: block Port 135 by default, allow only tightly controlled exceptions, and verify both host and perimeter defenses. If the port must stay open, restrict source IPs, require strong authentication, segment the network, and monitor the traffic closely. That combination reduces risk without breaking legitimate operations.
Review the exposure regularly. Check the Windows host, check the firewall, check the cloud security group, and check the internal segmentation rules. If you are learning the networking and troubleshooting fundamentals behind these decisions, the Cisco CCNA v1.1 (200-301) course context is a good fit because it reinforces exactly the kind of access control and verification discipline this issue demands. For broader Windows security posture, keep the official vendor and framework guidance close at hand: Microsoft Learn, NIST, and CISA.
Microsoft®, Cisco®, AWS®, and CompTIA® are trademarks of their respective owners.