Рассмотрим как можно закрыть порты 135 и 445 в версиях Windows 2008/2012.
В связи с тем что в начале апреля в сеть были выложены инструменты для обхода защиты Windows, в частности по портам 445 и 135.
Подробнее в новости xakep.ru/2017/04/24/doublepulsar/
Исправление уязвимости доступно установкой обновлений MS17-010, CVE-2017-0146, и CVE-2017
Более подробно по ссылке geektimes.ru/post/288148/
Рассмотрим 2 варианта создания правил в брандмауере, через командную строку и через графический интерфейс.
Инструкция для настройки разрешения подключения только с доверенных адресов находится после Windows 2012
Windows 2008
Первый вариант, через командную строку
1. Через меню «Пуск» находим приложение cmd
2. Вводим или вставляем команду
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135
Нажимаем Enter, ждём сообщения Ok
Вводим или вставляем вторую команду
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"
Нажимаем Enter, ждём сообщения Ok
Второй вариант, через графический интерфейс
1. В меню «Пуск» находим — панель управления
2. Заходим в панель управления, в поиск вводим «брандмауер» и запускаем панель управления брандмауером Windows
3. Входим в «Дополнительные параметры»
4. Выбираем строку «Правила входящих подключений» и нажимаем на «Создать новое правило»
5. Устанавливаем отметку «Для порта», нажимаем далее
6. Выбираем «Протокол TCP» и «определенные локальные порты», вводим в поле 135 и 445 через запятую, нажимаем далее
7. Выбираем блокировать «Блокировать», нажимаем далее
8. Оставляем все отметки, нажимаем далее
9. Вводим имя правила, нажимаем «Готово»
Windows 2012
Шаги по настройке для Windows 2012 не отключаются от 2008, отличия только в интерфейсе.
Отличия при настройке через командную строку
1. Найдем приложение cmd
2. Вводим команду, нажимаем Enter, ждем сообщения Ok
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135,445 name="Block_TCP-135,445"
Отличия при настройке через графический интерфейс
1. Кнопка запуска панели управления находится на стартовом экране, так же Вы можете найти панель управления через поиск на стартовом экране.
Остальные шаги идентичны Windows 2008
Настройка на Windows 2016 идентична Windows 2012
По указанным шагам возможна блокировка любых TCP/UDP портов.
Настройка доступа по портам 135 и 445 только доверенным адресам
1. Отключим системные разрешающие правила для портом 135 и 445
Выберем правила: Управление DFS (входящий трафик SMB) и Управление DFS (входящий трафик DCOM)
Нажимаем «Отключить правило»
2. Создадим новое правило, выберем тип правила «настраиваемое»
3. Выбираем «все программы»
4. Выбираем тип протокола TCP, локальный порт указываем «специальные порты», в поле вводим 135 и 445 через запятую
5. Укажем удаленный доверенный адрес, к примеру это может быть ip адрес Вашего офиса, выбираем «указанные адреса», нажимаем «добавить»
6. Вводим адрес в строку, если у Вас подсеть или диапазон, их требуется вводить в указанном в окне виде
7. Проверяем введенный адрес, нажимаем далее
8. Выбираем «разрешить подключение»
9. Оставляем все отмеченное, нажимаем далее
10. Даём название, нажимаем «готово»
Windows Server version 1909 Windows Server version 1903 Windows Server 2019 Windows 10, version 1809, all editions Windows Server version 1803 Windows 10, version 1803, all editions Windows 10, version 1709, all editions Windows 10, version 1703, all editions Windows Server 2016 Windows 10, version 1607, all editions Windows 10 Windows Server 2012 R2 Datacenter Windows Server 2012 R2 Standard Windows Server 2012 R2 Essentials Windows Server 2012 R2 for Embedded Systems Windows Server 2012 R2 Foundation Windows 8.1 Enterprise Windows 8.1 Pro Windows 8.1 Windows RT 8.1 Windows Server 2012 Datacenter Windows Server 2012 Standard Windows Server 2012 Essentials Windows Server 2012 Foundation Windows Server 2008 R2 Service Pack 1 Windows Server 2008 R2 Datacenter Windows Server 2008 R2 Enterprise Windows Server 2008 R2 Standard Windows Server 2008 R2 Web Edition Windows Server 2008 R2 Foundation Windows 7 Service Pack 1 Windows 7 Ultimate Windows 7 Enterprise Windows 7 Professional Windows 7 Home Premium Windows 7 Home Basic Windows 7 Starter Windows Server 2008 Service Pack 2 Windows Server 2008 Datacenter Windows Server 2008 Enterprise Windows Server 2008 Standard Windows Server 2008 Web Edition Windows Server 2008 Foundation Windows Server 2008 for Itanium-Based Systems More…Less
Summary
Server Message Block (SMB) is a network file sharing and data fabric protocol. SMB is used by billions of devices in a diverse set of operating systems, including Windows, MacOS, iOS, Linux, and Android. Clients use SMB to access data on servers. This allows sharing of files, centralized data management, and lowered storage capacity needs for mobile devices. Servers also use SMB as part of the Software-defined Data Center for workloads such as clustering and replication.
Because SMB is a remote file system, it requires protection from attacks in which a Windows computer might be tricked into contacting a malicious server that’s running inside a trusted network or to a remote server outside the network perimeter. Firewall best practices and configurations can enhance security and prevent malicious traffic from leaving the computer or its network.
Effect of changes
Blocking connectivity to SMB might prevent various applications or services from functioning. For a list of Windows and Windows Server applications and services that may stop functioning in this situation, see Service overview and network port requirements for Windows
More information
Perimeter firewall approaches
Perimeter hardware and appliance firewalls that are positioned at the edge of the network should block unsolicited communication (from the internet) and outgoing traffic (to the internet) to the following ports.
|
Application protocol |
Protocol |
Port |
|
SMB |
TCP |
445 |
|
NetBIOS Name Resolution |
UDP |
137 |
|
NetBIOS Datagram Service |
UDP |
138 |
|
NetBIOS Session Service |
TCP |
139 |
It is unlikely that any SMB communication originating from the internet or destined for the internet is legitimate. The primary case might be for a cloud-based server or service such as Azure Files. You should create IP address-based restrictions in your perimeter firewall to allow only those specific endpoints. Organizations can allow port 445 access to specific Azure Datacenter and O365 IP ranges to enable hybrid scenarios in which on-premises clients (behind an enterprise firewall) use the SMB port to talk to Azure file storage. You should also allow only SMB 3.x traffic and require SMB AES-128 encryption. See the «References» section for more information.
Note The use of NetBIOS for SMB transport ended in Windows Vista, Windows Server 2008, and in all later Microsoft operating systems when Microsoft introduced SMB 2.02. However, you may have software and devices other than Windows in your environment. You should disable and remove SMB1 if you have not already done so because it still uses NetBIOS. Later versions of Windows Server and Windows no longer install SMB1 by default and will automatically remove it if allowed.
Windows Defender firewall approaches
All supported versions of Windows and Windows Server include the Windows Defender Firewall (previously named the Windows Firewall). This firewall provides additional protection for devices, especially when devices move outside a network or when they run within one.
The Windows Defender Firewall has distinct profiles for certain types of networks: Domain, Private, and Guest/Public. The Guest/Public network typically gets much more restrictive settings by default than the more trustworthy Domain or Private networks. You may find yourself having different SMB restrictions for these networks based on your threat assessment versus operational needs.
Inbound connections to a computer
For Windows clients and servers that do not host SMB shares, you can block all inbound SMB traffic by using the Windows Defender Firewall to prevent remote connections from malicious or compromised devices. In the Windows Defender Firewall, this includes the following inbound rules.
|
Name |
Profile |
Enabled |
|
File and Printer Sharing (SMB-In) |
All |
No |
|
Netlogon Service (NP-In) |
All |
No |
|
Remote Event Log Management (NP-In) |
All |
No |
|
Remote Service Management (NP-In) |
All |
No |
You should also create a new blocking rule to override any other inbound firewall rules. Use the following suggested settings for any Windows clients or servers that do not host SMB Shares:
-
Name: Block all inbound SMB 445
-
Description: Blocks all inbound SMB TCP 445 traffic. Not to be applied to domain controllers or computers that host SMB shares.
-
Action: Block the connection
-
Programs: All
-
Remote Computers: Any
-
Protocol Type: TCP
-
Local Port: 445
-
Remote Port: Any
-
Profiles: All
-
Scope (Local IP Address): Any
-
Scope (Remote IP Address): Any
-
Edge Traversal: Block edge traversal
You must not globally block inbound SMB traffic to domain controllers or file servers. However, you can restrict access to them from trusted IP ranges and devices to lower their attack surface. They should also be restricted to Domain or Private firewall profiles and not allow Guest/Public traffic.
Note The Windows Firewall has blocked all inbound SMB communications by default since Windows XP SP2 and Windows Server 2003 SP1. Windows devices will allow inbound SMB communication only if an administrator creates an SMB share or alters the firewall default settings. You should not trust the default out-of-box experience to still be in-place on devices, regardless. Always verify and actively manage the settings and their desired state by using Group Policy or other management tools.
For more information, see Designing a Windows Defender Firewall with Advanced Security Strategy and Windows Defender Firewall with Advanced Security Deployment Guide
Outbound connections from a computer
Windows clients and servers require outbound SMB connections in order to apply group policy from domain controllers and for users and applications to access data on file servers, so care must be taken when creating firewall rules to prevent malicious lateral or internet connections. By default, there are no outbound blocks on a Windows client or server connecting to SMB shares, so you will have to create new blocking rules.
You should also create a new blocking rule to override any other inbound firewall rules. Use the following suggested settings for any Windows clients or servers that do not host SMB Shares.
Guest/Public (untrusted) networks
-
Name: Block outbound Guest/Public SMB 445
-
Description: Blocks all outbound SMB TCP 445 traffic when on an untrusted network
-
Action: Block the connection
-
Programs: All
-
Remote Computers: Any
-
Protocol Type: TCP
-
Local Port: Any
-
Remote Port: 445
-
Profiles: Guest/Public
-
Scope (Local IP Address): Any
-
Scope (Remote IP Address): Any
-
Edge Traversal: Block edge traversal
Note Small office and home office users, or mobile users who work in corporate trusted networks and then connect to their home networks, should use caution before they block the public outbound network. Doing this may prevent access to their local NAS devices or certain printers.
Private/Domain (trusted) networks
-
Name: Allow outbound Domain/Private SMB 445
-
Description: Allows outbound SMB TCP 445 traffic to only DCs and file servers when on a trusted network
-
Action: Allow the connection if it is secure
-
Customize Allow if Secure Settings: pick one of the options, set Override block rules = ON
-
Programs: All
-
Protocol Type: TCP
-
Local Port: Any
-
Remote Port: 445
-
Profiles: Private/Domain
-
Scope (Local IP Address): Any
-
Scope (Remote IP Address): <list of domain controller and file server IP addresses>
-
Edge Traversal: Block edge traversal
Note You can also use the Remote Computers instead of Scope remote IP addresses, if the secured connection uses authentication that carries the computer’s identity. Review the Defender Firewall documentation for more information about “Allow the connection if is secure” and the Remote Computer options.
-
Name: Block outbound Domain/Private SMB 445
-
Description: Blocks outbound SMB TCP 445 traffic. Override by using the “Allow outbound Domain/Private SMB 445” rule
-
Action: Block the connection
-
Programs: All
-
Remote Computers: N/A
-
Protocol Type: TCP
-
Local Port: Any
-
Remote Port: 445
-
Profiles: Private/Domain
-
Scope (Local IP Address): Any
-
Scope (Remote IP Address): N/A
-
Edge Traversal: Block edge traversal
You must not globally block outbound SMB traffic from computers to domain controllers or file servers. However, you can restrict access to them from trusted IP ranges and devices to lower their attack surface.
For more information, see Designing a Windows Defender Firewall with Advanced Security Strategy and Windows Defender Firewall with Advanced Security Deployment Guide
Security connection rules
You must use a security connection rule to implement the outbound firewall rule exceptions for the «Allow the connection if it is secure» and «Allow the connection to use null encapsulation» settings. If you do not set this rule on all Windows-based and Windows Server-based computers, authentication will fail, and SMB will be blocked outbound.
For example, the following settings are required:
-
Rule type: Isolation
-
Requirements: Request authentication for inbound and outbound connections
-
Authentication method: Computer and user (Kerberos V5)
-
Profile: Domain, Private, Public
-
Name: Isolation ESP Authentication for SMB overrides
For more information about security connection rules, see the following articles:
-
Designing a Windows Defender Firewall with Advanced Security Strategy
-
Checklist: Configuring Rules for an Isolated Server Zone
Windows Workstation and Server Service
For consumer or highly isolated, managed computers that do not require SMB at all, you can disable the Server or Workstation services. You can do this manually by using the “Services” snap-in (Services.msc) and the PowerShell Set-Service cmdlet, or by using Group Policy Preferences. When you stop and disable these services, SMB can no longer make outbound connections or receive inbound connections.
You must not disable the Server service on domain controllers or file servers or no clients will be able to apply group policy or connect to their data anymore. You must not disable the Workstation service on computers that are members of an Active Directory domain or they will no longer apply group policy.
References
Designing a Windows Defender Firewall with Advanced Security Strategy
Windows Defender Firewall with Advanced Security Deployment Guide
Azure remote apps
Azure datacenter IP addresses
Microsoft O365 IP addresses
Need more help?
Following is just quotation of two different sources which I used to successfully disable port 445 on Windows XP machines. I was closing port 445 and 135, 137 — 139, so I followed all instruction in the article and it worked for me.
General information about port 445 (archive link)
Among the new ports used by Windows 2000 is TCP port 445 which is used
for SMB over TCP. The SMB (Server Message Block) protocol is used
among other things for file sharing in Windows NT/2000/XP. In Windows
NT it ran on top of NetBT (NetBIOS over TCP/IP), which used the famous
ports 137, 138 (UDP) and 139 (TCP). In Windows 2000/XP, Microsoft
added the possibility to run SMB directly over TCP/IP, without the
extra layer of NetBT. For this they use TCP port 445.At its simplest NetBIOS on your LAN may just be a necessary evil for
legacy software. NetBIOS on your WAN or over the Internet, however, is
an enormous (read foolish…) security risk. All sorts of information,
such as your domain, workgroup and system names, as well as account
information is obtainable via NetBIOS. It really is in your best
interests to ensure that NetBIOS never leaves your network.If you are using a multi-homed machine i.e. more than 1 network
card, then you should disable NetBIOS on every network card, or
Dial-Up Connection under the TCP/IP properties, that is not part of
your local network.
How to disable port 445
To disable Port 445:
Add the following registry key:
Key:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetBTParameters
Name: SMBDeviceEnabled Type: DWORD (REG_DWORD) Data: 0Don’t forget to restart your computer after disabling the above ports
for effect. Also, to check that those ports are disabled, you can open
a command prompt and type netstat -an to confirm that your computer is
no longer listening to those ports.
(the registry keys are different for Windows 7 onwards, see this Microsoft article)
I needed to block port 135 and 445 on Window Server 2008 R2 due to WannaCry . Having done it, workstations could not access the shared folders on the server. Is it possible to configure the file share management with another port? So users can still access the shared folder even the two ports have been blocked.
asked May 16, 2017 at 15:21
6
Band-Aids don’t fix security vulnerabilities
The real problem here is that your computers have a serious security vulnerability. Blocking ports 135 and 445 serves as a Band-Aid to the problem. While doing this may be a viable temporary solution to do damage control, the proper solution is to install the patch throughout your environment.
Blocking ports 135 and 445 has the effect of disabling SMB file-sharing on your Windows Server. If your boss is asking you to do this to «fix» the threat posed by WannaCry, then you should make your boss aware that this is the equivalent of deleting your e-mail address in order to avoid getting spam messages.
Suppose you don’t need file sharing enabled. Fine. But by leaving this vulnerability unpatched you arm an explosive land-mine that will make a fantastic mess of your organization the day someone comes along and re-enables file sharing. Don’t do this.
Always install security patches, even if you don’t currently use the patched service.
answered May 16, 2017 at 18:18
As mentioned in Twisty’s answer, this idea of your «senior» colleague’s like deleting your email address to prevent spam. Yeah, that would prevent spam, but it also prevents legitimate use of the service.
In actuality, there are three mitigations to this particular piece of malware.
- Apply the relevant patch on your systems.
- Disable SMB v1, which is the protocol that the EternalBlue vulnerability exploits.
- This is actually pretty easy, and for most use-cases, SMB v1 shouldn’t be used anyway. The newer versions of the protocol are [much] faster and more secure.
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
- Block the ports that SMB uses.
- This prevents the malware from spreading by disabling the file sharing vector it uses to spread, which means it also prevents legitimate uses of Windows file sharing.
- Note that changing the default port doesn’t really solve the problem — this malware uses SMB v1 to spread. If you just change the port for your SMB traffic without patching or disabling SMB v1, you’re still exposed to the EternalBlue vulnerability that this malware uses. This particular piece of malware may or may not be stopped by changing the port, but the underlying vulnerability would still be exposed.
answered May 17, 2017 at 14:33
HopelessN00bHopelessN00b
53.6k32 gold badges134 silver badges208 bronze badges
5
SMB (Server Message Block) is a network protocol that provides communication between server and client for many years. It is mostly used for accessing shares, network connections or printer connections. Every port that you do not use and is open to the outside is exposed to brute force attacks by malicious people, and your system may infiltrate when a vulnerability occurs.
Especially the SMB port, which came to the fore with Wannacry Cyber Attacks, is exposed to a lot of brute force attacks these days. If you are using Windows Hosting and Windows Server Server, it would be useful to disable this port’s external access.
How to close port 445 on Windows?
To close port 445 in Windows operating systems, you can first turn off port 445 from the firewall. Second, you can turn it off from your personal computer. To do this operation, you must have “Administrator” user or “Administrator” authority.
After logging in, let’s open Regedit with “CTRL + R” keys or by saying “start> run“.
Then, we expand the statements such as “HKEY_LOCAL_MACHINE> System> CurrentControlSet> Services” on the screen that opens.
Under the Services tab, we open the “NetBT” and “Parameters” values.
We click and open the “TransportBindName” value in the Parameters section.
Here, we delete the “Device” data and save it with the “OK” button.
Then we restart our operating system and our port 445 is now closed.
В мире чуть ли не каждый день десятки компьютеров заражаются опасными вирусами, и всё больше пользователей начинают искать способы повышения безопасности своего персонального компьютера.
Наиболее часто заражаются ПК под управлением операционной системы Windows. Связано это с тем, что большинство вирусов проникают в ОС через определенные входящие подключения, так называемые «порты», которые, к сожалению, являются включёнными по умолчанию.
Несколько упрощая, понятие «порт» можно определить как номер входящего подключения внешних программ (в том числе и вирусов) к вашему компьютеру через IP-сеть. Каждому порту присваивается уникальный номер для определения единственно возможного получателя данных в операционной системе.
Проникнув в компьютер, вирусы начинают заражать данные пользователя и открывают все ранее закрытые порты Виндовс для более быстрого распространения по системе. Чтобы этого не произошло, необходимо блокировать самые уязвимые порты, тем самым предотвратив возможность заражения и подняв безопасность Windows на уровень выше.
Самые уязвимые порты Windows 7 – 10
Исследование самых крупных вирусных взломов показывает, что 80% паразитного трафика проходит через 4 порта, используемые для обмена данными между разными версиями ОС Виндовс. Наиболее уязвимыми открытыми портами Windows считаются:
TCP порт 445 (он используется для обмена файлами)
TCP порт 139 (предназначен для удаленного подключения к компьютеру)
UDP порт 137 (служит для поиска информации на других компьютерах)
TCP порт 135 (через него выполняются задания команд)
Как проверить, какие порты открыты
Чтобы узнать, есть ли на вашем устройстве отрытые уязвимые порты, воспользуйтесь сканером портов от Whoer.net. Определив ваш IP-адрес и используя nmap, сервис проверки открытых портов покажет, какие порты открыты на вашем устройстве и какие программы их используют. Вы получите взгляд извне, чтобы ясно представлять, насколько ваше устройство уязвимо и открыто опасностям большого Интернета.
Как закрыть порты с 135 по 139 и 445 в Windows?
Есть множество вариантов закрытия портов Виндовс, но в статье мы рассмотрим самые простые способы это сделать.
Способ 1 – использование командной строки
Командная строка Windows используется для задания значений тем настройкам системы, у которых нет графического интерфейса. К таковым функциям и относятся рассматриваемые открытые порты подключений.
Командная строка запускается в несколько этапов:
Нажмите сочетание клавиш Win+R
В появившемся окне выполнения команд наберите CMD
Нажмите «ОК»
Перед вами появится окно с черным фоном. По очереди скопируйте в него представленные ниже строчки и нажмите клавишу ввода:
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=135 name=“Block1_TCP-135”
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=137 name=“Block1_TCP-137”
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=138 name=“Block1_TCP-138”
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=139 name=“Block_TCP-139” (команда помогает закрыть порт 139)
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=445 name=“Block_TCP-445” (команда помогает закрыть порт 445)
netsh advfirewall firewall add rule dir=in action=block protocol=tcp localport=5000 name=“Block_TCP-5000”
Эти шесть команд закрывают 4 перечисленных выше самых опасных открытых порта Windows, а также порт 5000, отвечающий за обнаружение открытых сервисов, и UDP порт 138 разрешения имен NetBIOS.
Способ 2 – использование сторонних программ
Чтобы не использовать ручную работу с командной строкой, можно использовать стороннее программное обеспечение. Суть его работы сводится к такой же правке реестра, как в способе выше, только в визуальном отображении.
Рекомендуем к использованию Windows Doors Cleaner, которая легко может закрыть порты на компьютере (в Windows 10 – 7: старые версии ОС данная программа не поддерживает).
Инструкция по работе с программой, закрывающей порты
- Скачайте и установите программу
- Установленную программу необходимо запустить с правами администратора
- В появившемся окне при нажатии кнопок «Сlose» или «Disable» отключаются и закрываются все уязвимые порты Windows
- После внесения необходимых изменений, перезагрузите Windows
Важно отметить, что с помощью этой программы можно не только закрыть, но и открыть порты.
Заключение
Помимо закрытия самых опасных сетевых портов компьютера необходимо не забывать, что этими действиями не достигается максимальная безопасность для операционной системы.
На вашей Windows необходимо устанавливать присылаемые Microsoft критические пакеты обновлений, антивирусные программы, безопасные браузеры и другое ПО, повышающее безопасность и анонимность.
Предлагаем обсудить в комментариях тему защиты сетевых портов и делиться полезными методами повышения конфиденциальности. Не забудьте отправить ссылку на эту статью вашим друзьям, чтобы они тоже знали, как закрыть открытые порты Windows.
Посмотрите также наше видео, где мы более подробно рассказываем о том, как закрыть уязвимые порты:
-
-
May 13 2017, 17:41
- IT
- Компьютеры
- Лытдыбр
- Cancel
Самый надёжный способ — не ждать милостей
от природы
микрософт сделать всё самому:
Касается практически всех windows-систем (но на windows server методика чуть отличается)
Закрытие портов 135 и 445 вручную
135 и 445 необходимо закрыть — это серьёзные дырки. Если фаером не получается а это бывает то надо делать следущее:
1. Закрываем порт 135 (Disabling Distributed COM (DCOM)).
Способ 1.
Пуск -> Выполнить и вводим
Dcomcnfg.exe
Что бы выключить DCOM, открываем панель «Свойства по умолчанию» и убираем галочку «Разрешить использовать DCOM на этом компьютере».
Перезагружаемся.
Способ 2.
В ключе регистра HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle
у параметра «EnableDCOM» , имеющего значение «Y» изменить это значение на «N»
«EnableDCOM»=»N»
Перезагружаемся.
2. Закрываем порт 445 TCP/UDP (NetBT).
Способ 1.
Открываем панель упровления -> Система -> Оборудование -> Диспетчер устройств. В меню «Вид» выбираем «Показывать скрытые устройства».
В списке устройств появятся «Драйверы устройств не Plug and Play».
Открвыаем этот пункт, и в появившемся списке открываем «NetBios через TCP/IP» -> Драйвер -> и в Автозагрузка -> Тип ставим «Отключено».
Перезагружаемся.
Способ 2.
В ключе регистра
у параметра TransportBindName (можно найти поиском по реестру), имеющего значение Device ,
удаляем это значение.
Перезагружаемся.
If you have come across the term port 445 or 135, then you are probably a hardcore techie. But if you are reading this article thinking that it is something about USB ports then turn back now.
In this article, we will go over some basic terms concerning all ports in general. Then we will take a deeper look at port 445 and also look at its vulnerabilities and ways to deal with the port.
Contents
- 1 What Exactly is a port?
- 1.1 TCP and UDP
- 2 What is Port 445?
- 2.1 SMB Port 445
- 2.2 Threats against port 445
- 3 How to check if port 445 is enabled?
- 4 How to disable port 445 Windows?
- 4.1 Method 1: Using Windows Firewall
- 4.2 Method 2: Using Command Prompt
- 4.3 Method 3: Using Registry Editor
What Exactly is a port?
The subject of the article is not probably the first thing that comes to your mind when you hear the term ‘Port’. As most of us are only familiar with it from a hardware perspective. In such a case, a port refers to a hole that allows you to connect it to other devices with the help of data cables or chords.
It can be used to access printers, projectors or such, or to hook your PC to a bigger network. On the other hand, ports mean a different thing when it comes to the software side. But they do somewhat share the same meaning.
The ports that we are talking about are logical constructs within an OS that help to recognize a particular process or network. In simpler words, it is a location to which information can be sent to. It can also identify the information that it receives and takes necessary actions.
TCP and UDP
You will see these two terms pop up a lot if you are reading about any kind of port. Hence, it is pretty useful to just go over them. Both of these are used for sending pieces of data otherwise called packets. And these packets that they sent go on to reach a specific IP address. The packets cover the journey from your computer to the router to its destination.
TCP stands for Transmission Control Protocol. This one is working behind most of the things you do with the internet. When you use your browser to enter a page, TCP sends these packets to that server’s address. And if it receives the data, the server returns a stream of data back to the port. This is then rearranged to present the webpage to you. If the other side does not respond, TCP sends the packets again. Furthermore, there is a provision to check for errors as well.
In contrast, a datagram is used in UDP which stands for User Datagram Protocol. The datagram is much similar to the packets of information mentioned above. However, the key difference between TCP and UDP is that it does not check if the other party receives the data or not. It does not account for errors either. Hence it is a lot quicker than TCP. But at the same time, you can say that TCP is more responsible.
What is Port 445?
Port 445 is one of several Microsoft Networking ports that are used today as well as in the older versions of Windows. They were used well with the NetBIOS services in the older versions. Whereas in the newer versions it is used for direct TCP/IP without the help of NetBIOS.
NetBIOS stands for Network Basic Input/Output System. Basically, it is a program that helps all the computers in a LAN or local area network to communicate with each other. It is also a file sharing port 445.
Speaking about the port in the discussion, it is used for running Server Message Block (SMB) over TCP/IP in several versions. In any case, the main function of the port is that it serves as a key way of communicating across a Microsoft-based LAN.
SMB Port 445
As mentioned above SMB stands for Service Message Block. This protocol basically lets computers within a network to share information. It is used for a client-server type of communication where the client is the one who asks for the information and the server provides access to it. Such as someone trying to get on a web page and getting access.
Threats against port 445
Though ports are very useful, there exist port 445 vulnerabilities and they are essentially holes in your firewall and security protocols. So open ports mean that there are ways for an outsider to access or corrupt important files in your system. Hackers can use them for spreading malware or to exploit vulnerabilities in services or applications.
Port 445 faces several scanning attacks via LAN. And the port is pretty vulnerable and has many weak points. Examples of threats include the appearance of NetBIOS worms and attacks like Wanna Cry.
How to check if port 445 is enabled?
Normally the port is kept open by windows, but you do have to check it on your host. This can be done easily with the help of Command Prompt. Additionally, the Command Prompt can be used for blocking or closing the same port but we will discuss that in the next section.
Follow the steps below to find out if port 445 is enabled or not
- Press the Windows key + R key on your keyboard.
- The run dialogue box opens. In the space provided, type in cmd and then hit Enter or choose OK.
- You can also use the Windows search bar to look for cmd or Command prompt.
- Type the following command and hit Enter: netstat -na
This command does the job of scanning all the ports that are connected. The scan is quite quick and soon the results will show up on your screen. Now look for 445 under the local address column. If its state is shown as “LISTENING” then the port is open.
How to disable port 445 Windows?
Method 1: Using Windows Firewall
This is the simplest out of the three that we are going to discuss down here. Don’t be alarmed by the number of steps though. Because most of them just include a click here and a tap there.
- Go to the Windows Search bar.
- Type in Control Panel and hit Enter.
- Open the app from the search results.
- Out of all the options in this window, choose the System and Security option.
- Choose the Windows Defender Firewall option.
- Now select the Advanced settings option from the left pane.
- On the left side of the new window, you will see several tiles. One of them being Inbound Rules. Click it.
- Next, click the New Rule option on the right side.
- A pop window will appear. On that Window, choose the Port option and click on Next.
- Select TCP out of the two options of the former question.
- Choose the specific local ports option for the later and in the space provided type in 445. Then click on Next.
- Things are much simpler on the next page. Just go for the Block the connection option and then hit Next.
- Tick the three against the three checkboxes and move to the next page yet again.
- Fill in the name and description according to your wish and click on Finish.
- To check the rule you just set up, open its properties.
- Choose the Protocols and Ports tab.
- Check under Local Port.
Method 2: Using Command Prompt
People who have a good handle on using command prompt will find this method more to their liking. The command prompt is a pretty good tool that can be used to run commands on Windows OS.
- Press the Windows key + R key on your keyboard.
- In the run dialogue box type in cmd and click OK.
- Choose to run it as an administrator.
- Alternatively, you can use the windows search bar to look for cmd or Command prompt. Then you can right-click the search result to run it as an administrator.
- Type the following command below and click Enter: Netsh advfirewall set all profile state on
- After that, enter the following command and press Enter yet again.
Netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name=”Block_TCP-445”
Method 3: Using Registry Editor
The Registry is a database for system files and installed applications. So be careful while messing around with it. If you happen to delete any important files you will be in a bit of trouble for sure.
- Once again open the Run dialogue box by pressing the Windows key + R key on the keyboard.
- Type in Regedit in the space provided and press OK.
- Alternatively, you can use the windows search bar to look for the Registry editor or Regedit. Then you can open it from the search results.
- On the navigation pane on the left side choose open HKEY_LOCAL_MACHINE by double-clicking it.
- Similarly, open the SYSTEM option under it. It is probably going to be near to the end of all the expanded files.
- Continue the process along the path as follows: CurrentControlSetservicesNetBTParameters
- Now right-click anywhere on the blank area on the right pane and choose New.
- Choose DWORD (32-bit) Value or QWORD (62-bit) value according to your system (32 bit or 64 bit).
- Set the name of the new value to SMBDeviceEnabled.
- Now right click it and choose the option Modify.
- In the window that appears, change its Value data from 1 to 0.
- Hit OK and you are done.
Wrapping up,
We have discussed a good deal about port 445. By now you probably got a good handle on what the port is, how it is vulnerable and how to close it. Do keep in mind to know what you are dealing with while you work with ports.
Following is just quotation of two different sources which I used to successfully disable port 445 on Windows XP machines. I was closing port 445 and 135, 137 — 139, so I followed all instruction in the article and it worked for me.
General information about port 445 (archive link)
Among the new ports used by Windows 2000 is TCP port 445 which is used
for SMB over TCP. The SMB (Server Message Block) protocol is used
among other things for file sharing in Windows NT/2000/XP. In Windows
NT it ran on top of NetBT (NetBIOS over TCP/IP), which used the famous
ports 137, 138 (UDP) and 139 (TCP). In Windows 2000/XP, Microsoft
added the possibility to run SMB directly over TCP/IP, without the
extra layer of NetBT. For this they use TCP port 445.At its simplest NetBIOS on your LAN may just be a necessary evil for
legacy software. NetBIOS on your WAN or over the Internet, however, is
an enormous (read foolish…) security risk. All sorts of information,
such as your domain, workgroup and system names, as well as account
information is obtainable via NetBIOS. It really is in your best
interests to ensure that NetBIOS never leaves your network.If you are using a multi-homed machine i.e. more than 1 network
card, then you should disable NetBIOS on every network card, or
Dial-Up Connection under the TCP/IP properties, that is not part of
your local network.
How to disable port 445
To disable Port 445:
Add the following registry key:
Key:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetBTParameters
Name: SMBDeviceEnabled Type: DWORD (REG_DWORD) Data: 0Don’t forget to restart your computer after disabling the above ports
for effect. Also, to check that those ports are disabled, you can open
a command prompt and type netstat -an to confirm that your computer is
no longer listening to those ports.
(the registry keys are different for Windows 7 onwards, see this Microsoft article)