Alex - stock.adobe.com
How to protect port 139 from SMB attacks
Keeping port 139 open is perfectly normal -- but only for good reason. Without the proper protections, it can present a major security risk.
Open ports enable data to be sent to and from a network. They are essential for users to communicate and share resources. Left unprotected and unpatched, however, they can become security risks.
Dedicated ports for Server Message Block (SMB), a client-server communication protocol for resource sharing, came under scrutiny following the 2017 EternalBlue zero-day attacks. The exploit, which targets vulnerable legacy versions of the SMB protocol, was used in the infamous WannaCry ransomware attacks.
Another SMB port, 139, is also often under scrutiny. Let's take a closer look at ports and port 139 in particular, including its security risks and how to protect it from attacks.
What is a port?
Computer ports are software-defined values that identify a network communication endpoint. They play an integral role in intercomputer communications.
All connections made on a network, such as the internet and a local network, use source and destination IP addresses to uniquely identify the sender and receiver and source and destination ports to find the service the message is intended for.
A port is open when it is listening for incoming requests. If a port rejects connection requests or ignores all packets, it is closed.
What are port numbers?
Port numbers uniquely identify each port. Commonly used port numbers for well-known internet services are numbered 0 through 1023. They include the following:
- Web servers listen on port 443.
- DNS servers listen on port 53.
- Email servers need ports 25 and 110 open for SMTP and Post Office Protocol messages.
Each communication packet includes the destination and source ports. A client can, therefore, communicate with multiple services on the same server because the port numbers ensure each session remains independent.
What is port 139?
Port 139 is the dedicated port for SMB over NetBIOS. It is primarily used to enable applications and devices to access shared resources, such as files and printers residing on other networked devices, across a Windows-based LAN.
Versions of SMB post-Windows 2000 use port 445 and TCP so SMB can work over the internet.
What are the security risks of open port 139?
Open ports, if not correctly configured and protected, provide a doorway into a device and the network it's on.
An open port 139 that allows inbound traffic from all external IP addresses is extremely dangerous. Any shared resources are exposed to the public internet. An attacker could also run the NetBIOS diagnostic tool Nbtstat to obtain information to help them start footprinting a system they want to attack.
How to protect port 139 from attacks
To find listening ports on a computer, run the netstat -aon command on a Windows machine or netstat -tunpl on a Linux variant. Free port scanning tools, such as Nmap and Netcat, can also detect open ports.
It is perfectly normal to have port 139 open in order to enable that protocol on Windows-based networks running NetBIOS, or port 445 on Windows 2000 onward.
If, however, an organization is not using NetBIOS or doesn't need file and printer sharing functionality, there is no reason to have ports 139 and 445 open. Either disable the service so it is no longer listening, or create a firewall rule to drop any inbound connections to a specific port number that is not specifically authorized. The steps for completing these tasks depend on the OS running on the computer. Also, keep the following in mind:
- Networks that use NetBIOS and connect to the internet should have a firewall that blocks unknown incoming traffic on ports 139 and 445. This ensures all NetBIOS traffic originates from within the organization's own network or from known and trusted internet devices.
- Microsoft Defender has built-in firewall and antivirus features that automatically protect the device from external attacks.
- Routers supplied by ISPs have firewall or endpoint protection to safeguard open ports from attackers.
Be sure to completely understand the impact of these actions before implementing them. Note, there is usually no need to change the default settings of these security controls. IT teams should only do so if they are sure of the consequences.
If an organization's system is a server and it needs to close ports, those directions are specific to the kind of system in use. If ports do need to be open so employees and third parties can access shared resources, protect them with firewalls and access control lists that can block unwanted connection attempts.
Also, follow other security best practices, such as keeping computers patched and protected with up-to-date antivirus software, to avoid exploitation of known vulnerabilities and cyberattacks. Additionally, regularly back up important files to secure cloud storage.
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry.
