How Much do You Actually Know About SMB Port Security?

What are SMB ports  

SMB (Server Message Block) is a communication protocol responsible for enabling shared access between systems part of a network. This includes computers and devices that are connected to a local network which for example, could be a small business within the same office or an international enterprise with offices that can be located globally which are connected together. SMB protocols function as a request-response format between users and devices within a given network. 

At a higher level, SMB is a collection of rules implemented for sharing files and printed in a given network. Open ports enable connections once a request is received however, as expected closed ports do not.  

SMB protocol variations  

Similar to languages, computer programs have been programmed to use different methods for communicating with each other depending on the reason for use. For example, CIFS (Specific Common File Systems) is an application that is used specifically for file sharing. 

Essential SMB variations include: 

• CIFS: A commonly used file sharing protocol that can be used by Windows servers and suitable NAS devices. 
• Samba: Open-source implementation of Microsoft Active Dictionary that enables transmissions between non-Windows machines and Windows machines.  
• NQ: A portable, file sharing SMB developed by Visuality Systems. 
• MoSMB: An SMB variation developed by Ryussi Technologies. 
• Tuxera SMB: Operates in kernel or user space. 
• Likewise: A multi-protocol file sharing network.  

Ports used by SMB Protocol 

To enable file sharing and request-response communications between devices and printers within a network, SMB uses a range of various ports.   

The following ports are classified as SMB v2/v3:  

• TCP 445 – SMB over TCP (does not need NetBIOS). 
• UDP 137 – SMB over UDP regarding Name Services. 
• UDP 138 – SMB over UDP regarding Datagram. 
• TCP 139 – SMB over TCP regarding Session Service.  

The SMB ports 139 and 445 

Port 139 

Port 139 is used by NetBIOS session service. Prior to the release of pre-windows 2000, operating systems commonly used port TCP 139 with SMB running on top of NetBIOS. NetBIOS which stands for Network Basic Input/Output System, administers services on the session layer of the OSI model, enabling applications to communicate with each other in a LAN (Local Area Network). This includes any users on the internet and therefore, it is not a recommended option due to security concerns. 

Port 445 

Port 445 is used by Windows to share files across the network. From Windows 2000, Microsoft made a change to use SMB over port 445 and now, the port is often used by Microsoft directory services, known as Microsoft-DS. 

In more detail, Microsoft active directory and domain services uses Port 445 for file replication, user and computer authentication, group policy and trusts and the port is used by both TCP and UDP protocols. Frequent traffic that passes this port include SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR and SrvSrc protocols and services.  

Is SMB secure?  

Although different versions of SMBs are equipped with different layers of security and protection, a vulnerability was detected in SMBv1 which could be used by hackers to administer their malicious code, unbeknownst to the user. This flaw was discovered in 2017 by National Security Agency.  

Port 139 which is used by NetBIOS over the internet or WAN presents a high risk. This is the same case for Port 445.  

SMB ports function in a similar manner to worms and if exploited, a chain reaction occurs in which an infection exploits the next connected device and further on. An example of an SMB protocol exploit is the WannaCry ransomware attack which was committed as a zero-day exploit and the name of the exploit is EternalBlue.  

The WannaCry ransomware is designed with worming capacities enabling it to spread itself and regarding EternalBlue, the ransomware successfully exploited an older version of an SMB protocol (SMBv1). In response to the attack, the first action taken was to disable SMBv1 and in cases where this was not possible, Ports UDP 137 and 138 and Ports TCP 139 and 445 were added, providing blocking capabilities on network devices and host-based firewalls.    

Threat actors may often use scripts, bots, scanners and other services in an attempt to detect for open 139 and 445 ports and if successful, access to the targeted company’s internal network becomes established. 

Keeping SMB ports secure 

Unprotected SMB ports on Windows servers are an easy target for hackers to exploit to gain further entry to your internal network.   

Therefore, it is important for your company to implement the following procedures to help keep your SMB ports safe. 

Port Exposure 

Do not expose SMB ports on the internet. 

Firewalls 

Applying firewall protection and endpoint protection offers protection to your network against threat actors looking to intrude into your system. Inbound and outbound SMB traffic should be blocked. 

Many firewalls or endpoint protection come with a blacklist which blocks connections from IP addresses known for attacking systems.  

VPN 

Using a VPN (Virtual Private Network) to redirect your internet traffic through a secure tunnel and encrypt your data whilst outside the office is recommended. 

Installing patches  

Ensuring that your system is installed with patches as soon as possible will help protect your system against threat attempts. Regular patching will reduce the vulnerability of your system.  

VLANs 

Using VLANs (Virtual Local Area Network) for business networks will help isolate internal traffic depending on the basis of recognition. This is an effective method for limiting the spread attacks that move laterally. 

MAC address filtering  

This feature enables you to disable access to unrecognised systems attempting to connect to your network. This feature allows you to filter suspicious network and connection attempts.  

About Securiwiser 

We aim to provide our clients advice concerning implementation of various specific cyber security methods, some of which will be more suitable than others depending on the business type to help ensure the cyber health of our client’s system.   

We advise our clients (whether they are individual users or business owners) regarding various cyber threats that their businesses and operating systems may face. This includes increasing trends of certain threats and prevention methods that are cost effective and time saving.   

Furthermore, business owners, employees and general users may forget to conduct regular scans to monitor the health of their operating system, which criminals can take advantage of to gain unauthorised access by exploiting unrecognised, underlying vulnerabilities.  

Securiwiser can conduct regular scans for your system and provide a detailed cybersecurity risk assessment and a cybersecurity vulnerability assessment. We can further explain detected vulnerabilities and risks in detail to our clients and provide the best course of action that will save your business time and money.