445/tcp&udp
============

Windows 2000 uses NetBIOS over TCP/IP to communicate with prior versions of Windows NT and other clients, such as Windows 95. However, the Windows 2000 redirector and server components now support direct hosting for communicating with other computers running Windows 2000. With direct hosting, NetBIOS is not used for name resolution. DNS is used for name resolution and the Microsoft networking communication is sent directly over TCP without a NetBIOS header. Direct hosting over TCP/IP uses TCP port 445 instead of the NetBIOS session TCP port 139.

One Windows 2000 host can log on to another Windows 2000 host (net use * \\ipaddr\share password /user:username) over tcp/udp 445. On NT4, this process was done over tcp 139. Most things that were done over tcp 139 in NT4 can now be done over tcp/udp 445 in Windows 2000.

When locking down a Windows 2000 host, it's important to block tcp 139 and tcp/udp 445, as either port can be used to remotely log in to the host (using either a username or the null session account). There are several ways to do this - some of which appear to work but don't, others which work. The best way to shut down both tcp 139 and tcp/udp 445 is to disable File and Print Sharing for the selected NIC. In NT4 it was enough to disable WINS Client (TCP/IP) in the bindings tab. The similar sounding feature in Windows 2000 is to Disable NetBIOS over TCP/IP in the WINS tab. Unfortunately, this only shuts down tcp 139 and leaves tcp/udp 445 open for business.

If you block inbound tcp/udp 445 and tcp 139 on your workstation, you can prevent others from logging on to your system or connecting to your fileshares. If you shut down these ports on a Windows 2000 server, you could hose it up pretty good. However, this port has nothing to do with Active Directory and/or the mode (mixed or native) the domain is running in.
Try fport.exe from foundstone to determine what other ports may be listening on your system, and what executables are responsible for opening those ports.
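To check which of the three outcomes above a host is actually in (fully locked down, NetBIOS disabled but 445 still open, or wide open), the following script parses netstat-style listening-socket output and reports the state of tcp 139 and tcp/udp 445. This is an added example, not part of the original note or of fport; it assumes "netstat -an"/"netstat -ano" column layout (the PID column is an assumption, since Windows 2000's own netstat has no -o switch) and the sample output is constructed.

```python
# Classify a host's SMB exposure from netstat output, per the note's
# distinction between NetBIOS session (139/tcp) and direct hosting (445).
DIRECT_HOST = {("TCP", 445), ("UDP", 445)}

# Constructed sample: NetBIOS over TCP/IP disabled in the WINS tab, but
# File and Print Sharing still bound, so 445 is still served by PID 4 (System).
SAMPLE_NETBIOS_DISABLED = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       384
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1030      192.168.1.20:139       ESTABLISHED     1204
  UDP    0.0.0.0:445            *:*                                    4
"""


def listening_sockets(netstat_output):
    """Return {(proto, port): pid} for sockets that accept inbound traffic.
    TCP counts only in LISTENING state; a UDP socket is always considered open.
    PID is '?' when the output has no PID column (assumed optional)."""
    open_sockets = {}
    for line in netstat_output.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines, and anything not a socket row
        proto = tokens[0]
        port = int(tokens[1].rsplit(":", 1)[1])  # works for 0.0.0.0:445 and [::]:445
        if proto == "TCP":
            if len(tokens) < 4 or tokens[3] != "LISTENING":
                continue  # ESTABLISHED/TIME_WAIT rows are client-side, not services
            pid = tokens[4] if len(tokens) > 4 else "?"
        else:
            pid = tokens[3] if len(tokens) > 3 else "?"
        open_sockets[(proto, port)] = pid
    return open_sockets


def assess_lockdown(netstat_output):
    """Map the open sockets onto the three outcomes the note describes."""
    sockets = listening_sockets(netstat_output)
    tcp139 = ("TCP", 139) in sockets
    port445 = sorted(s for s in sockets if s in DIRECT_HOST)
    if not tcp139 and not port445:
        verdict = "locked down: neither NetBIOS session nor direct hosting is reachable"
    elif not tcp139:
        verdict = "partial: NetBIOS over TCP/IP disabled, but 445 still open (File and Print Sharing still bound)"
    else:
        verdict = "open: remote logon possible over tcp 139" + (" and 445" if port445 else "")
    return {"tcp139": tcp139, "port445": port445, "verdict": verdict}
```

Feed it the real output of netstat on the host after each change to confirm that disabling File and Print Sharing, and not just NetBIOS over TCP/IP, is what actually closes 445.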