North American Network Operators Group


Re: Port 445 issues (was: Port 80 Issues)

  • From: james
  • Date: Sun Mar 09 17:53:24 2003

> Other operators opinions about blocking port 445 before this thing starts
> spreading faster than it already is?

We are an ISP, and we just decided to.

Extended IP access list 199 (Compiled)
  deny tcp any any eq 445 (66574 matches)

Last configuration change at 14:49:44 MST Sun Mar 9 2003
It is 15:35 now. ~ 1305 packets/min. Since we leave ports 135-139 open, the effects "should" be none on the users by blocking 445.

Here is part of a conversation Jake Bates and I have been having:

<James responds>
You read my mind, this was the very issue running around my mind! I am a router admin for the ISP cybermesa.com and I was trying to sort out this question so I could consider asking to block this port. What I know is that port 445 is a port XP and 2000 can run SMB on, much like what happens on 135-139 (NetBIOS, Client for MS Networks, Print and File Sharing).

So if the users use these services (on port 445) across the internet, blocking will affect them. My experience is that if the users do SMB, they do it on 135-139. So, my working theory is that blocking 445 will have no effect on them. If you block 135-139 already as part of policy (i.e., no NetBIOS), blocking 445 would also be part of the policy. Only XP and 2000 use 445, but they can use 135-139; whichever is open. Cyber Mesa does not block 135-139 as legacy MS Messenger used those ports and it causes a "big deal" if they are blocked. So in my case I am really leaning to block port 445.

Do you block ports 135-139 and what effect did it have on the users?


<Jack answers>
> I'm with you, though. Blocking 445 may work well with 135-139 still open.
> I'll presume that XP/2000 tries 445 and upon a set timeout reverts to the
> older method.
>
> -Jack

<James answers>
Yep. I think actually 135-139 is the default and it falls back to 445.

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/cnet/cnbc_imp_wcug.asp
In Windows 2000, it is also possible to use direct hosting to establish
redirector or server connections between Windows 2000 computers without the
use of NetBIOS. By default, Windows 2000 attempts to make connections using
both methods so that it can support connections to older versions of Windows
computers. However, in Windows 2000-only environments, you can disable
NetBIOS over TCP/IP as described in the "NetBIOS Over TCP/IP Sessions"
following in this chapter.

James Edwards
[email protected]
Routing and Security Administrator
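As an added illustration, not from the post or from cybermesa.com, here is a small Python script that summarizes the syslog lines such a deny entry would produce if it carried the IOS `log` keyword: it computes the packets/min figure James quotes from the ACL counter and flags sources that hit many distinct destinations, the horizontal-scan pattern that distinguishes worm traffic from a user's file-sharing session. The log lines and addresses are constructed; the `log` keyword on the ACL entry is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog in Cisco IOS IPACCESSLOGP format, as if the entry
# were "deny tcp any any eq 445 log"; the addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  9 14:50:01 rtr1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 192.0.2.10(1034) -> 198.51.100.5(445), 1 packet
Mar  9 14:50:03 rtr1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 192.0.2.10(1035) -> 198.51.100.6(445), 1 packet
Mar  9 14:51:17 rtr1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 192.0.2.10(1036) -> 198.51.100.7(445), 12 packets
Mar  9 14:52:40 rtr1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.7(3321) -> 198.51.100.5(445), 1 packet
Mar  9 14:53:10 rtr1 %SYS-5-CONFIG_I: Configured from console by console
Mar  9 14:54:05 rtr1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 192.0.2.10(1037) -> 198.51.100.8(445), 4 packets
Mar  9 14:55:01 rtr1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 203.0.113.7(3322) -> 198.51.100.5(445), 2 packets
"""

# One IPACCESSLOGP line; IOS reports "1 packet" for the first hit and a
# summarized "N packets" for later hits on the same flow, so the count matters.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %SEC-6-IPACCESSLOGP: list \S+ "
    r"denied \w+ (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


def summarize_denies(log_text, year=2003, dport=445, scan_threshold=3):
    """Return (packets_per_min, top_sources, scanners) for denies to dport.

    scanners are sources that touched at least scan_threshold distinct
    destinations: a user's SMB session goes to one server, a worm sweeps many.
    """
    per_src_packets = Counter()
    per_src_dsts = {}
    times = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != dport:
            continue  # other syslog messages, or denies on other ports
        times.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
        per_src_packets[m["src"]] += int(m["count"])
        per_src_dsts.setdefault(m["src"], set()).add(m["dst"])
    if not times:
        return 0.0, [], []
    span_min = max((max(times) - min(times)).total_seconds() / 60, 1.0)
    rate = sum(per_src_packets.values()) / span_min
    scanners = sorted(s for s, d in per_src_dsts.items() if len(d) >= scan_threshold)
    return rate, per_src_packets.most_common(3), scanners


if __name__ == "__main__":
    rate, top, scanners = summarize_denies(SAMPLE_LOG)
    print(f"{rate:.1f} packets/min; top sources {top}; scanning sources {scanners}")
```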