TCP port 445, used by Microsoft Directory Services, has long been considered the most-attacked network service...
[and it was exploited by the 2017 WannaCry ransomware attacks]. Can you offer some advice for detecting and defending attacks against this specific port?
Many security attacks are a numbers game: attackers go after the service that is present on the most hosts, so the large number of attacks using a TCP port 445 exploit is no surprise.
Along with ports 135, 137 and 139, port 445 is a traditional Microsoft networking port. Specifically, TCP port 445 carries server message block (SMB) directly over TCP, without the NetBIOS session layer that port 139 uses. SMB is a core means of communication on a Windows LAN: file and print sharing, named pipes and domain functions such as the SYSVOL and NETLOGON shares all ride on it. Look at practically any modern Windows host on your network -- e.g., netstat -an | findstr :445 from a command prompt -- and you'll see port 445 listening, hence the problem.
Many attacks using a port 445 exploit come from inside the LAN: a worm that has landed on one under-patched Windows system sweeps the subnet for other hosts listening on 445. Others, including WannaCry's initial infections, originate outside the network and reach any system for which port 445 has been opened on the perimeter firewall -- hopefully that's not the case for you!
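The subnet-sweep pattern described above leaves a clear trace in the Windows Defender Firewall log once logging of dropped packets is turned on. The following PowerShell function, an added example that is not part of the original column, reads pfirewall.log lines (default W3C field order: date time action protocol src-ip dst-ip src-port dst-port ...) and reports any source that has touched more than a threshold number of distinct hosts on TCP 445. The threshold value, the function name and the sample log lines are assumptions constructed for the example.

```powershell
# Added example (not from the original article): flag hosts sweeping TCP 445 across
# many neighbours, the propagation pattern of SMB worms such as WannaCry, by reading
# the Windows Defender Firewall log (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log).
# Dropped packets must be logged (Set-NetFirewallProfile -LogBlocked True) for this to see anything.

function Find-SmbSweep {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $DistinctTargets = 5,   # assumed threshold: distinct hosts one source may probe on 445
        [string] $Port = '445'
    )

    # Parse each non-comment line into (source, target, action, time) for the port of interest.
    $attempts = foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        # Field order of the default pfirewall.log header:
        # date time action protocol src-ip dst-ip src-port dst-port ...
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne $Port) { continue }
        [pscustomobject]@{
            Source = $f[4]
            Target = $f[5]
            Action = $f[2]
            Time   = "$($f[0]) $($f[1])"
        }
    }

    # One source hitting many distinct targets on 445 is a sweep, whether or not the
    # firewall dropped the packets; ALLOW hits are the ones that actually reached a listener.
    $attempts | Group-Object Source | ForEach-Object {
        $targets = @($_.Group.Target | Sort-Object -Unique)
        if ($targets.Count -ge $DistinctTargets) {
            [pscustomobject]@{
                Source      = $_.Name
                TargetCount = $targets.Count
                Dropped     = @($_.Group | Where-Object Action -eq 'DROP').Count
                Allowed     = @($_.Group | Where-Object Action -eq 'ALLOW').Count
                FirstSeen   = ($_.Group.Time | Sort-Object)[0]
            }
        }
    }
}

# Constructed sample log: 10.0.1.77 sweeps the subnet; 10.0.1.50 is a normal file-server client.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 10:01:01 ALLOW TCP 10.0.1.50 10.0.1.10 51000 445 52 S 123 0 8192 - - - RECEIVE
2017-05-12 10:01:02 DROP TCP 10.0.1.77 10.0.1.11 49152 445 52 S 1 0 8192 - - - RECEIVE
2017-05-12 10:01:02 DROP TCP 10.0.1.77 10.0.1.12 49153 445 52 S 1 0 8192 - - - RECEIVE
2017-05-12 10:01:02 ALLOW TCP 10.0.1.77 10.0.1.13 49154 445 52 S 1 0 8192 - - - RECEIVE
2017-05-12 10:01:03 DROP TCP 10.0.1.77 10.0.1.14 49155 445 52 S 1 0 8192 - - - RECEIVE
2017-05-12 10:01:03 DROP TCP 10.0.1.77 10.0.1.15 49156 445 52 S 1 0 8192 - - - RECEIVE
2017-05-12 10:01:03 DROP TCP 10.0.1.77 10.0.1.16 49157 445 52 S 1 0 8192 - - - RECEIVE
2017-05-12 10:01:04 ALLOW TCP 10.0.1.50 10.0.1.10 51001 445 52 S 124 0 8192 - - - RECEIVE
2017-05-12 10:01:05 DROP TCP 10.0.1.77 10.0.1.10 49158 445 52 S 1 0 8192 - - - RECEIVE
'@ -split "`r?`n"

# Reports 10.0.1.77 with seven distinct targets, six dropped and one allowed; 10.0.1.50 stays quiet.
Find-SmbSweep -LogLines $sample | Format-Table -AutoSize

# Against the live log on a host:
# Find-SmbSweep -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log") -DistinctTargets 10
```

In production the same grouping belongs in the SIEM, fed by the perimeter firewall as well as the host logs, so that a sweep originating from an internet address is caught alongside one from a compromised workstation; the threshold should be tuned above what vulnerability scanners and backup systems legitimately generate.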
How to prevent a TCP port 445 exploit
Enterprises can implement certain security controls to protect Windows systems from attacks using a port 445 exploit. These include enabling Windows Firewall or a similar endpoint protection system and scoping the inbound SMB rule to the subnets that actually need it. The caveat there is, if you try to completely lock down Windows networking services, especially on domain controllers, whose SYSVOL and NETLOGON shares every domain member must reach over SMB, you'll end up breaking network communications.
So what's an enterprise to do? This is where layered security controls come into play, such as:
- current patches for Windows and third-party software (the MS17-010 update that closed the hole WannaCry exploited had been available for two months before the outbreak);
- a proven antimalware program -- i.e., not just whatever big vendor software for which you have a license;
- strong passwords, since SMB is also the service that password guessing and stolen-credential attacks target;
- a proper inventory of what's on your systems, including which hosts still speak SMB v1;
- strong permissions to keep sensitive information locked down; and
- reasonable audit logging and active system monitoring, including logging of dropped connections to port 445 so a sweep stands out.
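The host-side controls above (host firewall without breaking domain traffic, removing SMB v1, inventorying SMB exposure and logging drops) can be audited and applied from an elevated PowerShell session on Windows 8/Server 2012 or later. The script below is an added example and is not code from the original column; the trusted-subnet list is an assumption that must be replaced with the subnets that legitimately need SMB access to the host (on a domain controller that means every subnet that holds domain members).

```powershell
# Added example (not from the original article): audit a Windows host's SMB exposure and
# apply the layered controls discussed above. Run in an elevated PowerShell session.
# ASSUMPTION: $TrustedNets lists the subnets that legitimately need SMB access to this host.
$TrustedNets = @('10.0.1.0/24', '10.0.2.0/24')

# 1. Inventory: is anything listening on 445, and is SMB v1 still enabled on the server side?
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
$smb = Get-SmbServerConfiguration
"SMB1 server enabled : $($smb.EnableSMB1Protocol)"
"SMB signing required: $($smb.RequireSecuritySignature)"

# 2. Remove SMB v1, the protocol version WannaCry's exploit targets. -Force skips the prompt.
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# Where the optional feature exists (client SKUs, newer servers), uninstall it entirely;
# -NoRestart defers the reboot that completes removal.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 3. Host firewall: keep every profile on with inbound default-deny, then scope the built-in
#    SMB allow rule to trusted subnets rather than disabling it. Disabling it breaks file
#    sharing and, on domain controllers, SYSVOL/NETLOGON access for every domain member.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' |
    Set-NetFirewallRule -Enabled True -RemoteAddress $TrustedNets

# 4. Log dropped inbound packets so sweeps of port 445 are visible in pfirewall.log.
Set-NetFirewallProfile -All -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 5. Verify the effective scoping of the SMB rule (one entry per firewall profile).
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Run the inventory steps alone first across the estate (they make no changes) to find the hosts that still advertise SMB v1 or have 445 open to every address; apply the scoping step through Group Policy rather than host by host once the trusted-subnet list is agreed, and keep the perimeter firewall blocking TCP 445 inbound from the internet regardless of host configuration.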
Editor's Note: Leaving TCP port 445 open has long been known to be dangerous. Akamai's fourth-quarter 2013 "State of the Internet" reported that the port, as used by Microsoft Directory Services, was the most-attacked network service, accounting for approximately 30% of all observed attacks. And users should not have been surprised by that. Months prior to the WannaCry ransomware attack, US-CERT recommended that users disable SMB v1 and block SMB traffic at the network boundary because the protocol version represented a threat.
The port 445 exploit used in the WannaCry ransomware outbreak prompted a widespread re-evaluation of how enterprises and vendors relied on version 1 of the SMB protocol. Microsoft stopped installing SMB v1 by default in Windows 10 beginning with the Fall Creators Update, and Windows users are urged to remove SMB v1 support from their systems and block inbound SMB at the network perimeter to avoid falling victim to malware like WannaCry.
Ask the expert:
Want to ask Kevin Beaver a question about network security? Submit your questions now via email! (All questions are anonymous.)