John Kristoff wrote:
The problem is that 137-139 are just numbers. The fact that a typically insecure application runs over port 137/139 as opposed to say, 25609, makes no difference. If the logic follows, then block port 21, 111 and maybe even port 80. I'm sure we can find over zealous security experts making claims that those services are inherently insecure as well. Someone will come up with a way of doing file sharing over another port number, over another protocol, over a conforming application (e.g. HTTP) and probably using encryption so you can't tell what it is.
If users are smart enough to switch the port and encrypt their traffic, then obviously there's nothing to worry about. The original suggestion was to protect users that probably don't even realize they have shares open to the world.