Firewall rule improvements and security recommendations - Blog 2

Windows Active Directory
The SMB (Server Message Block) protocol is the Windows file- and printer-sharing protocol, and it also carries "inter-process communication" (the IPC$ share and named pipes), the channel that lets applications and services on networked computers talk to each other; you might say SMB is one of the languages Windows machines use to talk to each other. Microsoft continues to make advancements to SMB for performance and security: SMB2 reduced the overall chattiness of the protocol, while SMB3 added performance enhancements for virtualized environments and support for strong end-to-end encryption. Because SMB is a network protocol, it needs open ports on a computer or server to communicate with other systems: TCP port 139 (SMB carried over the NetBIOS session service) or TCP port 445 (SMB carried directly over TCP).

Since Windows 2000, SMB can run directly over TCP on port 445 ("direct hosting") without the NetBIOS layer underneath. Because it rides on plain TCP, SMB can in principle be routed across the internet, which is exactly why port 445 should be blocked at the firewall. On a host that does not need to serve files, the port 445 listener can also be switched off by deleting the HKLM\System\CurrentControlSet\Services\NetBT\Parameters\TransportBindName value (delete the value only, not the key) in the Windows Registry and rebooting. Leaving network ports open just so applications keep working is a security risk, so how do we keep our networks secure while maintaining application functionality and uptime? Use a firewall or endpoint protection to shield these ports from attackers. Most products also ship a blacklist that drops connections from known attacker IP addresses, but a blacklist is no substitute for closing the port. Since you cannot simply do without SMB in a Windows domain, firewalls must be used to restrict where it can be reached from. SMB communication with computers on the internet is almost never necessary, least of all when it is initiated from outside, so port 445 should be closed on perimeter firewalls for both incoming and outgoing traffic.
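To make the port 445 advice concrete, here is an added PowerShell example (my own, not from the original post) that audits whether a Windows host is listening on TCP 445 and what TransportBindName is currently set to, and that removes the value the way described above. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or newer (Get-NetTCPConnection needs the NetTCPIP module); the function names are my own.

```powershell
# Added example, not from the original post. Audit and optionally disable
# SMB direct hosting on TCP 445 via the NetBT TransportBindName value.
# Run elevated. Function names are my own.

$NbtParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

function Get-Smb445Status {
    # Read the registry value (default on a stock install is "\Device\") and
    # check whether anything is actually bound to TCP 445 right now.
    $bind = Get-ItemProperty -Path $NbtParams -Name TransportBindName -ErrorAction SilentlyContinue
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $bindValue = if ($null -ne $bind) { $bind.TransportBindName } else { '<absent>' }
    [pscustomobject]@{
        TransportBindName = $bindValue
        Listening445      = [bool]$listen
        ListenAddresses   = (($listen | ForEach-Object LocalAddress) -join ',')
    }
}

function Disable-SmbDirectHosting {
    # The post's approach: delete the value (leave the key in place).
    # Blanking it with Set-ItemProperty -Value '' has the same effect.
    # The change only takes effect after a reboot.
    # Do NOT run this on domain controllers or file/print servers: SYSVOL,
    # admin shares and file sharing all require TCP 445.
    if (Get-ItemProperty -Path $NbtParams -Name TransportBindName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $NbtParams -Name TransportBindName
        Write-Warning 'TransportBindName removed; reboot for the 445 listener to go away.'
    } else {
        Write-Host 'TransportBindName already absent.'
    }
}

# Usage: audit first, decide, then (on a workstation only) disable and re-audit after reboot.
Get-Smb445Status
# Disable-SmbDirectHosting
```

Get-Smb445Status is safe to run anywhere and is a good pre-check before touching the registry: if Listening445 is already False on a workstation, the host firewall rule is still worth having, but the registry change is unnecessary.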

NetBIOS

NetBIOS normally runs over TCP/IP via the NetBIOS over TCP/IP (NBT) protocol, so each computer on the network has both a NetBIOS name and an IP address, with a DNS hostname that may differ from the NetBIOS name. The main reason for using NetBIOS is to let two machines find and talk to each other on a local network, which is rarely needed beyond file and printer sharing on that LAN, yet it leaves the door wide open to attack. You can remove this risk in two ways, and I personally do it both ways.
A firewall should block ports 135 through 139 plus 445, inbound and outbound. These ports can be used by attackers to steal your data and take control of your PC, and once they have it they will use NetBIOS from your computer to take over the next one, and so on. Ports 137 through 139 (NetBIOS name service on UDP 137, datagram service on UDP 138 and session service on TCP 139) carry Windows file and printer sharing, so they are a security risk if left unblocked. If you share a printer on the network you will have to allow these on the LAN, but I recommend just walking over to the PC the printer is connected to and using it there. Port 135 is the RPC endpoint mapper, used to reach RPC services on a remote machine. Port 136 is assigned to the PROFILE naming service, which I doubt is used any longer, but it still opens a door for attackers if anything is listening on it.
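The block list above (135 through 139 and 445, both directions) as a Windows Defender Firewall configuration, added here as an example of my own rather than anything from the original post. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or newer (NetSecurity module); the rule group and function names are my own, and 192.0.2.10 in the final check is a documentation address standing in for a real target.

```powershell
# Added example, not from the original post. Creates inbound and outbound
# block rules for the NetBIOS/RPC endpoint-mapper/SMB ports discussed above,
# lists them for verification, and can remove them again. Run elevated.
# Rule group name and function names are my own.

$TcpPorts  = '135-139', '445'   # RPC endpoint mapper, 136, NetBIOS session, SMB direct
$UdpPorts  = '137-138'          # NetBIOS name service and datagram service
$RuleGroup = 'Blog: block SMB and NetBIOS'

function Block-SmbNetbiosPorts {
    param(
        # Profiles the block applies to. On a PC that must keep LAN
        # file/printer sharing working on Private/Domain networks, pass
        # 'Public' only: in Windows Firewall a block rule beats any allow
        # rule in the same profile, so the built-in File and Printer Sharing
        # allow rules would otherwise be dead.
        [ValidateSet('Any', 'Domain', 'Private', 'Public')]
        [string[]]$Profile = 'Any'
    )
    $specs = @(
        @{ Proto = 'TCP'; Ports = $TcpPorts },
        @{ Proto = 'UDP'; Ports = $UdpPorts }
    )
    foreach ($spec in $specs) {
        $common = @{
            Group    = $RuleGroup
            Protocol = $spec.Proto
            Action   = 'Block'
            Profile  = $Profile
            Enabled  = 'True'
        }
        $label = "$($spec.Proto) $($spec.Ports -join ',')"
        # Inbound traffic is matched on OUR port (LocalPort); outbound traffic
        # on the peer's port (RemotePort).
        New-NetFirewallRule @common -DisplayName "Block $label inbound" -Direction Inbound -LocalPort $spec.Ports | Out-Null
        New-NetFirewallRule @common -DisplayName "Block $label outbound" -Direction Outbound -RemotePort $spec.Ports | Out-Null
    }
}

function Show-SmbNetbiosRules {
    # Confirm the rules exist, are enabled, and carry the expected port filters.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Direction  = $_.Direction
            Enabled    = $_.Enabled
            Protocol   = $pf.Protocol
            LocalPort  = ($pf.LocalPort -join ',')
            RemotePort = ($pf.RemotePort -join ',')
        }
    }
}

function Remove-SmbNetbiosRules {
    # Undo everything this script created.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

Block-SmbNetbiosPorts
Show-SmbNetbiosRules | Format-Table -AutoSize

# Outbound check from this host; TcpTestSucceeded should now be False
# (192.0.2.10 is a documentation address, substitute a real target):
# Test-NetConnection -ComputerName 192.0.2.10 -Port 445
```

Two caveats a practitioner will want: these are host-firewall rules, so they protect the machine they run on and do not replace the perimeter block on port 445 recommended above; and on a domain-joined machine, Group Policy firewall settings may merge with or override local rules, so check the effective rule set with Show-SmbNetbiosRules rather than assuming the script's rules are what is enforced.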

