
How to detect and defend against a TCP port 445 exploit and attacks

The WannaCry TCP port 445 exploit returned the spotlight to Microsoft's long-abused networking port. Network security expert Kevin Beaver explains how to detect and defend against such attacks.

TCP port 445, used by Microsoft Directory Services, has long been considered the most attacked network service, and it was exploited by the 2017 WannaCry ransomware attacks. Can you offer some advice for detecting and defending attacks against this specific port?

Many security attacks are a numbers game; that's why the large number of attacks using a TCP port 445 exploit is no surprise.

What is port 445, and what is it used for?

Along with ports 135, 137 and 139, port 445 is a traditional Microsoft networking port with tie-ins to the original NetBIOS service found in earlier versions of Windows OSes. Specifically, TCP port 445 runs server message block (SMB) over TCP/IP. This is a core means for communication on a Microsoft-based LAN. If you look at practically any modern Windows host on your network -- e.g., netstat -an | more from a command prompt -- you'll see that port 445 is open and available, hence the widespread challenges with keeping that port secured against known and unknown vulnerabilities.

Many of the attacks using a port 445 exploit take place via the LAN and often start with TCP port scanning attacks. Malware seeking to exploit undersecured Windows systems is a likely source. However, other attacks, like WannaCry, originate outside the network and reach any system for which port 445 has been opened on the firewall.

What are TCP port scanning attacks?

TCP port scanning is performed via network scanner tools, such as the popular and free Nmap scanner and Metasploit, as well as commercial scanners, such as NetScanTools Pro and Metasploit Pro. Network vulnerability scanners, such as Nessus and Qualys, also incorporate TCP port scanning. Such scans are performed in order to identify live systems and services running via TCP, as well as to identify certain known vulnerabilities, such as a missing patch or a shared folder on the network that may be susceptible to exploitation. Some TCP scans are considered attacks and can be detected and blocked by modern security controls, such as antimalware software, security information and event management (SIEM) systems, and intrusion prevention systems. TCP port scanning is an integral step in the vulnerability and penetration testing process.

How to defend against a TCP port 445 exploit

Enterprises can implement certain security controls to protect Windows systems from attacks via a port 445 exploit. These include the following:

  • Enabling Windows Firewall or endpoint detection and response (EDR). The caveat is that if you try to completely lock down Windows networking services, especially on domain controllers, you'll end up breaking network communications and taking certain Windows services offline.
  • Disabling or blocking port 445 or SMB version 2 or later on Windows systems. This is not recommended without in-depth testing of how it might impact the systems and programs running on them.

How to protect against a port 445 vulnerability

So, what's an enterprise to do? This is where layered security controls come into play, such as the following:

  • block TCP port 445 at the network perimeter;
  • ensure Windows patches are kept current on a periodic and consistent basis;
  • disable SMB version 1;
  • utilize a proven antimalware program or EDR technology -- i.e., not just whatever big vendor software for which you have a license;
  • enforce strong passwords across the Active Directory domain and for local Windows accounts;
  • maintain a proper inventory of the services and applications running on your systems;
  • enable strong file and share permissions to keep sensitive information locked down; and
  • perform proactive system monitoring and alerting, especially for critical Windows systems.
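The port scanning described earlier and the monitoring-and-alerting item above can be tied together in a simple detector. The following is an added example, not code from the article or its author: it reads constructed firewall-style log lines (the format is an assumption) and flags any source that reaches many distinct hosts on TCP 445 within a short window, which is the pattern of an SMB sweep rather than ordinary file-server use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: '<ISO ts> <src> -> <dst>:<port> <ALLOW|BLOCK>'
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+"
                    r"(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<action>\w+)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:                                   # skip anything malformed
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "port": int(m["port"]), "action": m["action"]}

def find_smb_sweeps(lines, window_seconds=60, min_hosts=5, port=445):
    """Map src -> most distinct destinations reached on `port` in any window.
    Blocked attempts count too: a blocked sweep still marks an infected host."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)                  # src -> [(ts, dst)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["port"] == port:
            events[ev["src"]].append((ev["ts"], ev["dst"]))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):             # sliding window over time
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[src] = max(alerts.get(src, 0), len(hosts))
    return alerts

# Constructed sample: 10.0.0.20 uses a file server normally; 10.0.0.50 probes six neighbours
SAMPLE_LOG = [
    "2017-05-12T10:00:00 10.0.0.20 -> 10.0.1.10:445 ALLOW",
    "2017-05-12T10:00:10 10.0.0.50 -> 10.0.1.1:445 ALLOW",
    "2017-05-12T10:00:11 10.0.0.50 -> 10.0.1.2:445 BLOCK",
    "2017-05-12T10:00:11 10.0.0.50 -> 10.0.1.3:445 BLOCK",
    "2017-05-12T10:00:12 10.0.0.50 -> 10.0.1.4:445 ALLOW",
    "2017-05-12T10:00:12 10.0.0.50 -> 10.0.1.5:445 BLOCK",
    "2017-05-12T10:00:13 10.0.0.50 -> 10.0.1.6:445 BLOCK",
    "2017-05-12T10:00:13 10.0.0.50 -> 10.0.1.7:80 ALLOW",   # not SMB, ignored
    "2017-05-12T10:30:00 10.0.0.20 -> 10.0.1.11:445 ALLOW", # same src, later
    "malformed line that the parser skips",
]
```

Tune `window_seconds` and `min_hosts` to your own baseline; a backup server or vulnerability scanner that legitimately touches many hosts on 445 should be whitelisted rather than have the thresholds raised for everyone.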

Editor's note: Months prior to the WannaCry ransomware attack, the US Computer Emergency Readiness Team recommended that all users disable their systems from running SMB v1 because it represented a threat.

The port 445 exploit used in the WannaCry ransomware outbreak prompted a widespread reevaluation of how enterprises and vendors relied on version 1 of the SMB protocol. Microsoft disabled SMB v1 in Windows 10, and Windows users are urged to block all hosts requesting services through the SMB v1 protocol to avoid falling victim to malware like WannaCry.


This was last published in August 2019
