Port 445 security in Windows 2000 / XP / 2003

On Windows 2000, XP and Windows Server 2003 systems a number of new ports are in use; among them, TCP port 445 carries SMB transmitted directly over TCP.

SMB (Server Message Block) is used for file sharing. On older Windows NT systems it runs over NetBT (NetBIOS over TCP/IP), using the familiar ports 137 and 138 (UDP) and 139 (TCP). On Windows 2000 / XP / 2003 systems, Microsoft added the ability to run SMB directly over TCP/IP (port 445), without going through NetBT at all.

NetBIOS allows simple file sharing over a local area network (LAN), but it becomes a potential danger as soon as the system is connected to a WAN or the Internet: information about the network (such as your domain name) and your intranet access account can be collected by outsiders.

Disabling NetBT

On Windows 2000 / XP / 2003, NetBT is disabled as follows:

1. Right-click the My Network Places icon on the Desktop and select Properties.

2. Right-click the connection for your network card and select Properties.

3. Select Internet Protocol (TCP/IP) and click Properties.

4. Click Advanced and select the WINS tab.

5. Choose Disable NetBIOS over TCP/IP. The change takes effect immediately; no restart is needed.

Note that computers running operating systems older than Windows 2000 will no longer be able to locate, browse or establish file and print sharing connections to Windows 2000 / XP / 2003 computers once NetBT is disabled on them.

Disabling port 445

According to SANS.org, this port sees the highest attack frequency of all (details at http://isc.sans.org/port_details.php?port=445 ). Port 445 can be disabled by following these steps:

1. Open the Registry Editor: go to Run and type regedit.

2. Navigate to the key HKLM\System\CurrentControlSet\Services\NetBT\Parameters

3. In the right-hand pane, select TransportBindName.

4. Double-click it (or press Enter) and delete its value (leave the Value data box blank).

5. Close the Registry Editor.

6. Restart the computer.

After the computer restarts and you have logged in, go to Run, type cmd and enter the following command:

netstat -an

You will see that the computer no longer listens on port 445.
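Checking netstat output by eye is error-prone on a busy host, so the following added example (not part of the original article) parses netstat -an text and reports which SMB and NetBIOS ports are still open. The two samples are constructed to look like a Windows host before and after the TransportBindName change; the port list and the parsing rules are my assumptions about the Windows netstat format, not something the article specifies.

```python
# Constructed sample of `netstat -an` output before the change: SMB is
# reachable on TCP 139 and 445, and the NetBIOS name/datagram services
# are bound on UDP 137/138.
NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1035      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
"""

# Constructed sample after clearing TransportBindName and rebooting:
# nothing on 445, and the NetBIOS ports are gone because NetBT is disabled.
NETSTAT_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1035      192.168.1.1:80         ESTABLISHED
"""

# (protocol, port) pairs that indicate SMB or NetBIOS exposure (assumed list).
SMB_PORTS = {("TCP", 445), ("TCP", 139), ("UDP", 137), ("UDP", 138), ("UDP", 445)}


def parse_listeners(netstat_output):
    """Return the set of (proto, port) pairs the host is listening on.

    TCP sockets count only when in LISTENING state. UDP sockets have no
    state column in netstat output, so every bound UDP socket counts.
    """
    listeners = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or anything that is not a socket row
        proto, local = fields[0], fields[1]
        # Local address is "addr:port"; IPv6 addresses also end in ":port",
        # so split on the last colon only.
        port = int(local.rsplit(":", 1)[1])
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue  # established/closing TCP connections are not listeners
        listeners.add((proto, port))
    return listeners


def smb_exposure(netstat_output):
    """Return the sorted list of SMB/NetBIOS (proto, port) pairs still open."""
    return sorted(p for p in parse_listeners(netstat_output) if p in SMB_PORTS)


if __name__ == "__main__":
    for label, sample in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        open_ports = smb_exposure(sample)
        status = "OK: no SMB listeners" if not open_ports else f"exposed: {open_ports}"
        print(f"{label}: {status}")
```

On a real host, pipe the command output into the script (for example, save `netstat -an` to a file and pass its contents to `smb_exposure`); an empty result after the reboot confirms the change took effect, while any surviving entry means the binding is still there.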

When do Windows 2000 / XP / 2003 use port 445, and when port 139?

For simplicity, I use the term "client" for the computer accessing network resources such as shared drives and files, and "server" for the computer that holds those resources.

If the server has NetBT enabled, it listens on ports 137 and 138 (UDP) and on ports 139 and 445 (TCP). If NetBT is disabled, the server listens only on port 445 (TCP).

If the client has NetBT enabled, it always tries to connect to the server on ports 139 and 445 at the same time. If it receives a response from port 445, it sends a reset to port 139 and continues the SMB session on port 445 only. If no response comes from port 445 but port 139 answers, it continues the SMB session on port 139 only. If neither port responds, the connection fails.

When the client has NetBT disabled, it always connects to the server on port 445 only. If the server answers on port 445, the session is established; if no reply is received, the connection fails.
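To make the client behaviour described above concrete, here is an added example (my code, not from the article) that reproduces the port-selection logic with real sockets on the loopback interface. It stands up throwaway listeners on ephemeral ports to play the server's 139 and 445, opens the connection attempts in parallel the way a NetBT-enabled client does, prefers 445, and resets the losing attempt. The mapping of logical ports to ephemeral loopback ports, the timeout value, and the use of zero-linger close to produce a reset are my assumptions for the demonstration; no SMB is actually spoken.

```python
import errno
import select
import socket
import struct
import time

SMB_TCP_DIRECT = 445   # SMB directly over TCP/IP (Windows 2000 and later)
SMB_OVER_NETBT = 139   # SMB over the NetBIOS session service

_SERVERS = []          # keeps the fake listening sockets alive


def start_fake_server(logical_ports):
    """Open loopback listeners standing in for the server's SMB ports.

    Returns {logical_port: real_port}. Real ports are ephemeral because
    binding 139/445 needs privileges and would collide with a real SMB service.
    """
    mapping = {}
    for lp in logical_ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))
        s.listen(16)
        _SERVERS.append(s)
        mapping[lp] = s.getsockname()[1]
    return mapping


def closed_port():
    """Pick a loopback port with no listener, modelling a port the server does not offer."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def reset_close(sock):
    """close() with a zero linger time sends an RST instead of a FIN,
    mirroring the reset the client sends to the port it will not use."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    sock.close()


def negotiate_smb_port(client_netbt_enabled, server_ports, timeout=2.0):
    """Connect the way a Windows 2000/XP/2003 client does.

    server_ports maps logical port -> real loopback port for every port the
    server listens on; a missing entry is treated as closed.
    Returns the logical port the session would use (445 or 139) or None.
    """
    candidates = [SMB_TCP_DIRECT]
    if client_netbt_enabled:
        candidates.append(SMB_OVER_NETBT)      # both attempts go out together
    pending, answered = {}, {}
    for lp in candidates:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setblocking(False)
        rc = s.connect_ex(("127.0.0.1", server_ports.get(lp) or closed_port()))
        if rc == 0:
            answered[lp] = s                   # completed immediately
        elif rc in (errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN):
            pending[lp] = s                    # result arrives asynchronously
        else:
            s.close()                          # refused outright
    deadline = time.monotonic() + timeout
    while pending and time.monotonic() < deadline:
        wait = max(0.0, deadline - time.monotonic())
        _, writable, _ = select.select([], list(pending.values()), [], wait)
        for s in writable:
            lp = next(k for k, v in pending.items() if v is s)
            del pending[lp]
            # SO_ERROR is 0 when the handshake completed, ECONNREFUSED otherwise.
            if s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) == 0:
                answered[lp] = s
            else:
                s.close()
    for s in pending.values():
        s.close()                              # timed out: no reply at all
    chosen = None
    if SMB_TCP_DIRECT in answered:
        chosen = SMB_TCP_DIRECT                # 445 answered: it always wins
    elif SMB_OVER_NETBT in answered:
        chosen = SMB_OVER_NETBT                # only 139 answered
    for lp, s in answered.items():
        if lp == chosen:
            s.close()                          # a real client would now negotiate SMB here
        else:
            reset_close(s)                     # the losing attempt is reset
    return chosen


if __name__ == "__main__":
    cases = ((True, [139, 445]), (True, [139]), (False, [139]), (False, [445]))
    for client_netbt, server_listens_on in cases:
        port = negotiate_smb_port(client_netbt, start_fake_server(server_listens_on))
        print(f"client NetBT={client_netbt}, server listens on {server_listens_on}: session on {port}")
```

The `[139]`-only server stands in for a pre-Windows 2000 host, and the `False, [139]` case shows why such hosts become unreachable from a client whose NetBT has been disabled: the client never even tries port 139.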

Ho Viet Ha
Network Information Security Vietnam
NetworkSecurity@Nis.com.vn