Other operators' opinions about blocking port 445 before this thing starts spreading faster than it already is?
We are an ISP, and we just decided to.

Extended IP access list 199 (Compiled)
    deny tcp any any eq 445 (66574 matches)

Last configuration change at 14:49:44 MST Sun Mar 9 2003. It is 15:35 now, so that is ~1305 packets/min.

Since we leave ports 135-139 open, the effects "should" be none on the users by blocking 445.

Here is part of a conversation Jake Bates and I have been having:

<James responds>
You read my mind, this was the very issue running around my mind! I am a router admin for the ISP cybermesa.com and I was trying to sort out this question so I could consider asking to block this port.

What I know is that port 445 is a port XP and 2000 can run SMB on, much like what happens on 135-139 (NetBIOS, Client for MS Networks, Print and File Sharing). So if the users use these services (on port 445) across the internet, blocking will affect them. My experience is that if the users do SMB, they do it on 135-139. So, my working theory is that blocking 445 will have no effect on them.

If you block 135-139 already as part of policy (i.e., no NetBIOS), blocking 445 would also be part of the policy. Only XP and 2000 use 445, but they can use 135-139; whichever is open. Cyber Mesa does not block 135-139, as legacy MS Messenger used those ports and it causes a "big deal" if they are blocked. So in my case I am really leaning to block port 445.

Do you block ports 135-139, and what effect did it have on the users?

<Jack answers>
I'm with you, though. Blocking 445 may work well with 135-139 still open. I'll presume that XP/2000 tries 445 and upon a set timeout reverts to the older method.
-Jack
<James answers>
Yep. I think actually 135-139 is the default and it falls back to 445.

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/cnet/cnbc_imp_wcug.asp

"In Windows 2000, it is also possible to use direct hosting to establish redirector or server connections between Windows 2000 computers without the use of NetBIOS. By default, Windows 2000 attempts to make connections using both methods so that it can support connections to older versions of Windows computers. However, in Windows 2000-only environments, you can disable NetBIOS over TCP/IP as described in the 'NetBIOS Over TCP/IP Sessions' following in this chapter."

James Edwards
jamesh@cybermesa.com
Routing and Security Administrator
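For readers who want to replicate the filter the first poster excerpts, here is an added Cisco IOS example (not the poster's actual configuration) showing the deny line together with the permit that must follow it, since an extended ACL ends in an implicit deny-all and a lone deny entry would black-hole the link. The interface name, its direction (upstream transit) and the use of the log keyword are assumptions.

```cisco
! Added example, not the thread's own router config.
! Numbered extended ACL 199, matching the "Extended IP access list 199" shown above.
! Entry 1: drop direct-hosted SMB (Windows 2000/XP) to TCP/445; "log" records hits to syslog.
access-list 199 deny   tcp any any eq 445 log
! Entry 2: without this, the implicit deny at the end of the ACL drops ALL other traffic.
access-list 199 permit ip any any
!
! Interface and direction are assumptions: "in" stops scans arriving from the internet,
! "out" stops already-infected customers scanning outward through the same link.
interface Serial0/0
 description upstream transit (assumed)
 ip access-group 199 in
 ip access-group 199 out
!
! Check that the counter on the deny entry is climbing, as in the poster's output:
!   Router# show ip access-lists 199
! and clear it to re-measure the per-minute rate:
!   Router# clear ip access-list counters 199
```

Ports 135-139 are deliberately left out of the ACL, matching the thread's decision to block only 445 and leave NetBIOS-over-TCP/IP sessions untouched.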