
How to detect and defend against a TCP port 445 exploit

The WannaCry TCP port 445 exploit returned the spotlight to Microsoft's long-abused networking port. Network security expert Kevin Beaver explains how to detect and defend against such attacks.

TCP port 445, used by Microsoft Directory Services, has long been considered the most-attacked network service [and it was exploited by the 2017 WannaCry ransomware attacks]. Can you offer some advice for detecting and defending against attacks on this specific port?

Many security attacks are a numbers game; that's why the large number of attacks using a TCP port 445 exploit is no surprise.

Along with ports 135, 137 and 139, port 445 is a traditional Microsoft networking port. Specifically, TCP port 445 carries Server Message Block (SMB) over TCP/IP, a core means of communication on a Microsoft-based LAN. If you look at practically any modern Windows host on your network -- e.g., by running netstat -an | more from a command prompt -- you'll see that port 445 is open and listening, and that is precisely the problem.

Many of the attacks using a port 445 exploit take place over the LAN; malware seeking to exploit under-secured Windows systems is a likely source. However, other attacks, like WannaCry, originate outside the network and reach any system for which port 445 has been opened on the firewall -- hopefully that's not the case for you!

How to prevent a TCP port 445 exploit

Enterprises can implement certain security controls to protect Windows systems from attacks using a port 445 exploit. These include enabling Windows Firewall or a similar endpoint protection system. The caveat is that if you try to completely lock down Windows networking services, especially on domain controllers, you'll end up breaking network communications.

So what's an enterprise to do? This is where layered security controls come into play, such as:

  • current patches for Windows and third-party software;
  • a proven antimalware program -- i.e., not just whatever big vendor software for which you have a license;
  • strong passwords;
  • a proper inventory of what's on your systems;
  • strong permissions to keep sensitive information locked down; and
  • reasonable audit logging and active system monitoring.
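The following PowerShell is an added example, not code from the original article or its author. It turns the "netstat -an" check and the Windows Firewall advice above into a repeatable audit: it reports whether the host is listening on TCP 445, which firewall profiles are active, and which enabled inbound rules allow 445 from which remote addresses; it then scopes the built-in SMB rules to trusted subnets and blocks 445 outright on the Public profile. It assumes Windows 8.1 / Server 2012 R2 or later (the NetTCPIP and NetSecurity modules) and an elevated session; the subnet list and the rule name are assumed values to be adjusted for your network.

```powershell
# Added example (not from the original article): audit a Windows host's
# exposure on TCP 445 and narrow inbound SMB to trusted subnets.
# Assumes Windows 8.1 / Server 2012 R2 or later (NetTCPIP and NetSecurity
# modules) and an elevated session for the rule changes. $TrustedSubnets
# and $BlockRuleName are assumed values; adjust them for your network.

$TrustedSubnets = @('10.0.0.0/8', '192.168.0.0/16')   # assumed internal ranges
$BlockRuleName  = 'Block inbound SMB (TCP 445) on Public profile'

function Get-Port445Exposure {
    # The same check as "netstat -an | more", but returned as objects.
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    # Firewall state per profile: a disabled profile or a default inbound
    # action of Allow makes the rule review below moot.
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

    # Enabled inbound allow rules that cover TCP 445 (explicitly or via 'Any'),
    # with the remote addresses they accept. A RemoteAddress of 'Any' is the
    # finding to fix.
    $allowRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -ne 'TCP') { continue }
        $ports = @($port.LocalPort)
        if (-not ($ports -contains '445' -or $ports -contains 'Any')) { continue }
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            RemoteAddress = (@($addr.RemoteAddress) -join ', ')
        }
    }

    [pscustomobject]@{
        ListeningOn445 = [bool]$listening
        Profiles       = $profiles
        InboundAllow   = $allowRules
    }
}

function Restrict-Smb445Inbound {
    # 1. Scope the built-in SMB-In allow rules to trusted subnets instead of
    #    deleting them, so file servers and domain controllers keep serving
    #    clients on those ranges. For a DC that must serve remote sites, widen
    #    $TrustedSubnets rather than disabling the rules.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Where-Object { @(($_ | Get-NetFirewallPortFilter).LocalPort) -contains '445' } |
        Set-NetFirewallRule -RemoteAddress $TrustedSubnets

    # 2. On the Public profile (untrusted networks) block 445 outright. A block
    #    rule takes precedence over any allow rule matching the same traffic.
    if (-not (Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $BlockRuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

Get-Port445Exposure | Format-List
# Restrict-Smb445Inbound   # run once the report above has been reviewed
```

Run the audit first and keep the output as a baseline; the Restrict step is commented out because on a file server or domain controller the trusted subnet list must match the clients that legitimately need SMB, which is exactly the "you'll end up breaking network communications" caveat above.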

Editor's Note: Leaving TCP port 445 open has long been known to be dangerous. Akamai's fourth-quarter 2013 "State of the Internet" reported that the port, as used by Microsoft Directory Services, was the most-attacked network service, accounting for approximately 30% of all attacks. And users should not have been surprised by that. Months prior to the WannaCry ransomware attack, US-CERT recommended that all users upgrade their systems running SMB v1 because it represented a threat.

The port 445 exploit used in the WannaCry ransomware outbreak prompted a widespread re-evaluation of how enterprises and vendors relied on version 1 of the SMB protocol. Microsoft disabled SMB v1 in Windows 10, and Windows users are urged to block all hosts requesting services through the SMB v1 protocol to avoid falling victim to malware like WannaCry.
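As an added example (not from the original article or from Microsoft's documentation), the PowerShell below reports a host's SMB v1 status, enables SMB1 access auditing so any legacy clients still speaking SMB v1 can be identified before the protocol is removed, and then disables it. It assumes Windows 10 or Windows Server 2016 or later, where Set-SmbServerConfiguration exposes AuditSmb1Access, and an elevated session; the regular expression used to pull the client address out of the audit event message is an assumption about that message's wording.

```powershell
# Added example (not from the original article): find, audit and then
# disable SMB v1 on a Windows host. Assumes Windows 10 / Server 2016 or
# later and an elevated session.

function Get-Smb1Status {
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1AuditEnabled  = $server.AuditSmb1Access
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
    }
}

function Enable-Smb1Audit {
    # With auditing on, every SMB1 session is recorded as event ID 3000 in the
    # Microsoft-Windows-SMBServer/Audit log. Leave it running for a week or two
    # before removing the protocol so no legacy client is cut off unexpectedly.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    param([int]$Days = 14)
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Assumption: the event message carries a "Client Address:" line.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } } |
        Sort-Object -Unique
}

function Disable-Smb1 {
    # Server side: stop answering SMB v1 requests at all.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional component so the SMB1 driver is no longer loaded;
    # a reboot completes the removal.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

Get-Smb1Status
# Enable-Smb1Audit      # step 1: start recording SMB1 sessions
# Get-Smb1Clients       # step 2: list clients seen speaking SMB1
# Disable-Smb1          # step 3: once the client list is empty or remediated
```

The three steps are commented out so the script is safe to run as a report; the audit log is the "reasonable audit logging and active system monitoring" control from the list above applied to exactly the protocol WannaCry abused, and the client list it produces is what tells you which hosts need attention before SMB v1 is switched off.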



This was last published in August 2017
