Use of TCP ports 139 and 445 in Windows

Microsoft introduced TCP port 445 in Windows 2000, and it is still in use in Windows 10 and Windows Server 2019. I will explain the role of this port and its relationship with Windows security. I will also explain how to disable the old TCP port 139.

SMB over TCP and SMB over NBT

A central task of the SMB (Server Message Block) protocol is file sharing. In Windows NT, SMB ran on top of NBT (NetBIOS over TCP/IP), which uses the well-known UDP ports 137 and 138, as well as TCP port 139. In Windows 2000, Microsoft added the option to run SMB directly over TCP/IP without the additional NBT layer. This is the purpose of TCP port 445.

Enable and disable NBT to control ports 137, 138 and 139

In Windows 2000 and later versions of Windows, you can choose to disable NetBIOS over TCP/IP. First, find the icon of the appropriate network adapter, then right-click it and select "Properties". How to find the network adapter icon differs between Windows versions. Next, click "Internet Protocol (TCP/IP)" and then "Properties". The exact name varies slightly between versions. Now click "Advanced" and select the "WINS" tab. There you can enable or disable NetBIOS over TCP/IP. The change takes effect immediately, without restarting the system.

Disabling NBT (NetBIOS over TCP/IP) closes UDP ports 137 and 138 and TCP port 139. Enabling NBT opens these ports again.
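The same setting can be checked and changed from PowerShell instead of the WINS tab. The script below is an added example, not part of the original article: it reports the NBT state of every IP-enabled adapter and lists which of the four ports are actually listening, so the effect of the change can be confirmed. The `-DisableNbt` switch is a name chosen for this example; the script assumes Windows 8 / Server 2012 or later and an elevated prompt when the switch is used.

```powershell
# Added example: audit (and optionally disable) NetBIOS over TCP/IP, then verify listeners.
param(
    [switch]$DisableNbt   # hypothetical switch for this example; omit it for a read-only audit
)

# TcpipNetbiosOptions: 0 = use the DHCP-supplied setting (default), 1 = enabled, 2 = disabled
$nbtState = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }
$filter   = 'IPEnabled = TRUE'

if ($DisableNbt) {
    # Equivalent to choosing "Disable NetBIOS over TCP/IP" on the WINS tab of each adapter.
    foreach ($adapter in Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter $filter) {
        $result = Invoke-CimMethod -InputObject $adapter -MethodName SetTcpipNetbios `
                                   -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        # ReturnValue 0 means the call succeeded
        '{0}: SetTcpipNetbios returned {1}' -f $adapter.Description, $result.ReturnValue
    }
}

# Per-adapter NBT state (re-read after any change)
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter $filter |
    Select-Object Index, Description,
        @{ Name = 'NBT'; Expression = { $nbtState[[int]$_.TcpipNetbiosOptions] } } |
    Format-Table -AutoSize

# Listeners on the SMB/NBT ports discussed in the article
$tcp = Get-NetTCPConnection -State Listen -LocalPort 139, 445 -ErrorAction SilentlyContinue |
    Select-Object @{ Name = 'Proto'; Expression = { 'TCP' } }, LocalAddress, LocalPort
$udp = Get-NetUDPEndpoint -LocalPort 137, 138 -ErrorAction SilentlyContinue |
    Select-Object @{ Name = 'Proto'; Expression = { 'UDP' } }, LocalAddress, LocalPort

$listeners = @($tcp) + @($udp)
$listeners | Sort-Object Proto, LocalPort, LocalAddress | Format-Table -AutoSize

# With NBT disabled, only TCP 445 should remain in the list.
$legacy = $listeners | Where-Object { $_.LocalPort -in 137, 138, 139 }
if ($legacy) {
    'NBT ports still open: ' + (($legacy.LocalPort | Sort-Object -Unique) -join ', ')
} else {
    'No NBT listeners (UDP 137/138, TCP 139) found.'
}
```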

When Windows uses port 445 and when port 139 is used

From now on, I will refer to the "client" as the computer that maps drives and other shared resources, and the "server" as the computer that holds the shared resources. For example, the client can be a Windows Server installation (if you connect to another computer from it).

If the client is an older version of Windows (such as Windows 2000) and has NBT enabled, it will always try to connect to the server on ports 139 and 445 at the same time. If there is a response from port 445, it sends a TCP RST (reset) to port 139 and continues its SMB session on port 445 only. If there is no response from port 445, it continues its SMB session on port 139, as long as it gets a response from there. If neither port responds, the session fails.

If the client has NBT disabled, it will always try to connect to the server through port 445 only. If the server answers on port 445, the session is established and continues on that port. If there is no answer, the session fails. This is the case, for example, when the server is running Windows NT 4.0.

Newer versions of Windows, such as Windows 10 and Windows Server 2019, are an interesting case. As clients, they also always try to connect to the server on port 445 first, but if that fails, they do not fall back to port 139, even if NBT is enabled. The session fails completely.

If the server has NBT enabled, it listens on UDP ports 137 and 138 and on TCP ports 139 and 445. If the server has NBT disabled, it listens on TCP port 445 only. All four ports are open by default in all versions of Windows, including Windows 10 and Windows Server 2019.

Null sessions from the client

In Windows NT 4.0, a null session always uses port 139. Tools like Winfo can give you a lot of information about Windows NT 4.0, but how do they work against Windows 2000 and later? The answer is simple: from the client's point of view, they work as described above. If you run Winfo from Windows 2000 with NBT enabled, the port is selected automatically according to the target system. If you want Winfo to use no port other than port 445, disable NBT. If you run it from a newer version such as Windows 10 or Windows Server 2019, it will not use any port other than port 445, regardless of the NBT status. However, by default, newer versions of Windows are well protected against null session attacks.

 


Origin blog.csdn.net/allway2/article/details/109146944