On Windows 2000, XP, and Windows Server 2003 systems, several new ports are used; among them, TCP port 445 carries SMB services directly over TCP.
SMB (Server Message Block) is used for file sharing purposes. On older Windows NT systems, it operates with NetBT (NetBIOS over TCP/IP), utilizing common ports such as 137, 138 (UDP), and 139 (TCP). On Windows 2000/XP/2003 systems, Microsoft supports the direct operation of SMB over TCP/IP (port 445), eliminating the need for NetBT.
NetBIOS allows for easy file sharing over local area networks (LAN); however, it poses potential risks when the system is connected to a WAN or the Internet: information about the network (such as domain names) and the accounts used for internal network access can be exposed.
Disabling NetBT
To disable NetBT on Windows 2000/XP/2003, follow these steps:
1. Right-click the My Network Places icon on the Desktop and select Properties.
2. Right-click the network connection (network card) and select Properties.
3. Select Internet Protocol (TCP/IP) and click Properties.
4. Click Advanced and select the WINS tab.
5. Choose Disable NetBIOS over TCP/IP. The change takes effect immediately; no restart is needed.
Note that computers running operating systems prior to Windows 2000 will not be able to locate, search for, or establish file and print sharing connections to Windows 2000/XP/2003 computers when NetBT is disabled.
Blocking Port 445
According to reports from SANS.Org, this port has the highest attack frequency (detailed information can be found at http://isc.sans.org/port_details.php?port=445). Port 445 can be blocked by following these steps:
1. Open the Registry Editor: go to Run, type regedit.
2. Navigate to the key HKLM\System\CurrentControlSet\Services\NetBT\Parameters
3. In the right window, select TransportBindName.
4. Double-click (or press Enter) and delete the value of this variable (the Value data field should be left empty).
5. Close the Registry Editor.
6. Restart the computer.
After rebooting and logging in, open Run, type cmd, and enter the following command:
netstat -an
You will see that the computer is no longer “listening” on port 445.
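The netstat check above is easy to misread when the list is long. The following script is an added example (not part of the original article) that parses Windows "netstat -an" output and reports which of the SMB/NetBT ports named in this article are still bound for inbound traffic. The two netstat listings and the host address 192.168.1.10 are constructed samples; the function names are the example's own.

```python
import re
from typing import Dict, Set, Tuple

# Ports the article associates with SMB/NetBT: UDP 137/138 and TCP 139 belong
# to NetBT, TCP 445 is SMB directly over TCP.
SMB_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)}

# Constructed sample of "netstat -an" output on a host (hypothetical address
# 192.168.1.10) with NetBT enabled and port 445 still bound.
NETSTAT_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1035      192.168.1.20:445       ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Constructed sample after NetBIOS over TCP/IP is disabled on the adapter and
# TransportBindName has been cleared: no SMB/NetBT listener remains.
NETSTAT_AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1035      192.168.1.20:445       ESTABLISHED
"""

# One netstat row: protocol, local address, foreign address, optional state.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def local_port(addr: str) -> int:
    """Port of a netstat local address; handles [::]:445 as well as 0.0.0.0:445."""
    return int(addr.rsplit(":", 1)[1])


def bound_ports(netstat_text: str) -> Set[Tuple[str, int]]:
    """Collect (proto, port) pairs that accept inbound traffic: TCP sockets in
    LISTENING state and every UDP socket (UDP rows have no state column)."""
    bound = set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header lines and blanks
        proto, local, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED/TIME_WAIT rows are not listeners
        bound.add((proto, local_port(local)))
    return bound


def smb_exposure(netstat_text: str) -> Dict[str, bool]:
    """Map each SMB/NetBT port to whether the host is accepting traffic on it."""
    bound = bound_ports(netstat_text)
    return {f"{proto}/{port}": (proto, port) in bound
            for proto, port in sorted(SMB_PORTS)}


if __name__ == "__main__":
    for label, text in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        exposed = [p for p, on in smb_exposure(text).items() if on]
        print(f"{label}: exposed SMB/NetBT ports = {exposed or 'none'}")
```

To use it against a real host, paste the output of netstat -an into NETSTAT_BEFORE or read it from a file; a port reported True is one the host still answers on, which after the registry change should no longer include TCP/445.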
When do Windows 2000/XP/2003 use port 445 and when do they use 139?
For simplicity, I will use the term “client” to refer to the computer accessing network resources such as drives and shared files on the “server” – the computer that holds the resources.
If the server has NetBT enabled, it will listen on ports 137, 138 (UDP), and on ports 139 and 445 (TCP). If NetBT is disabled, the server will only listen on port 445 (TCP).
If the client has NetBT enabled, it will always try to connect to the server on ports 139 and 445 simultaneously. If port 445 responds, the client closes the port 139 attempt and continues the SMB session only over port 445. If port 445 does not respond but port 139 does, the SMB session continues only over port 139. If neither port responds, the connection attempt fails.
When the client has NetBT disabled, it will always connect to the server on port 445. If the server responds on port 445, the connection will be established. If there is no response, the connection will end.
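The port selection described in the last three paragraphs is a small decision procedure, and it is worth seeing what it implies once port 445 has been blocked as described above. The following is an added example (not part of the original article) that models it; the Server and Client classes, the port_445_bound flag (standing in for a cleared TransportBindName) and the log messages are the example's own simplification, not Windows code.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Server:
    """Which TCP ports an SMB server accepts sessions on. The UDP NetBT
    ports (137/138) carry name service and datagrams, not the SMB session,
    so they are not modelled here."""
    netbt_enabled: bool
    port_445_bound: bool = True  # False once TransportBindName has been cleared

    def listens_on(self) -> Set[int]:
        ports = set()
        if self.port_445_bound:
            ports.add(445)
        if self.netbt_enabled:
            ports.add(139)
        return ports


@dataclass
class Client:
    """An SMB client; the log records the sequence of attempts it makes."""
    netbt_enabled: bool
    log: List[str] = field(default_factory=list)

    def connect(self, server: Server) -> Optional[int]:
        """Return the TCP port the SMB session ends up on, or None on failure."""
        open_ports = server.listens_on()
        if not self.netbt_enabled:
            # NetBT disabled on the client: only port 445 is ever tried.
            self.log.append("SYN -> 445")
            if 445 in open_ports:
                self.log.append("session on 445")
                return 445
            self.log.append("no answer on 445: give up")
            return None
        # NetBT enabled on the client: both ports are tried at the same time.
        self.log.append("SYN -> 139 and SYN -> 445 (simultaneously)")
        if 445 in open_ports:
            # 445 answered: the 139 attempt is closed and the session uses 445.
            self.log.append("445 answered: close 139, session on 445")
            return 445
        if 139 in open_ports:
            self.log.append("only 139 answered: session on 139")
            return 139
        self.log.append("neither port answered: give up")
        return None


def negotiate(client_netbt: bool, server_netbt: bool,
              server_445: bool = True) -> Optional[int]:
    """Convenience wrapper: port used for the session, or None."""
    return Client(client_netbt).connect(Server(server_netbt, server_445))


if __name__ == "__main__":
    for c_netbt in (True, False):
        for s_netbt in (True, False):
            for s_445 in (True, False):
                port = negotiate(c_netbt, s_netbt, s_445)
                print(f"client NetBT={c_netbt!s:5} server NetBT={s_netbt!s:5} "
                      f"445 bound={s_445!s:5} -> session port {port}")
```

Running the table shows the trade-off the article's two hardening steps create: while port 445 is bound, every combination ends up on 445; once 445 is blocked, only clients with NetBT enabled can still reach a server with NetBT enabled (over 139), and a client with NetBT disabled cannot connect to that server at all.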
Ho Viet Ha
Network Information Security Vietnam
[email protected]