Solved

Do I need Ports 139 and 445 for workstations opened?

Posted on 2016-10-06
8
85 Views
Last Modified: 2016-10-07
Do I need ports 139/445 open(listening) on the workstations that are Windows 7 machine? I know 139/445 needs to be open on the fileserver/printserver but not sure if it needs to be on the workstations if they are not sharing files or printers from the workstation.
0
Comment
Question by:Larry Kiterling
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 6

Expert Comment

by:huacat
ID: 41832069
We needn't 139 & 445 port if the machine don' share files or printers to other machines.
You can close these ports in firewall.
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 41832087
If you do a lot or remote management, you will still need those ports open. If you're afraid for security reasons, limit these ports to the managing server only (needs to be done in Advanced Settings in the Firewall setttings, with a new custom rule)
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41832113
Agree with Kimputer.

If your environment happens to be very sensitive about security, please take the following into consideration: if you, the admin, wants to use the c$ share or execute remote commands (like psexec), or do other admin stuff, you need those ports accessible from your own workstation only. So what do you do? Do you create a GPO that sets up some rule that will simply allow your IP? That would be unwise.

Anyone with a little insider knowledge will know the IP of the admin's workstation. So for an attack, he will simply wait for the admin to turn off his workstation and give his own computer that IP.
So IP-based firewall rules are insecure as h***.

If you really mean to setup secure rules, you need to establish ipsec firewall rules.
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 

Author Comment

by:Larry Kiterling
ID: 41832268
We do not want to implement the firewall on individual workstations due to the headaches that will come after.
Should I remove/disable/turn off the service that causes the workstations to listen on those ports?
Is the following correct to turn these services off on the workstation?
Control Panel\All Control Panel Items\Network and Sharing Center\Advanced sharing settings\Turn on file and print share
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 41832729
"We do not want to implement the firewall on individual workstations due to the headaches that will come after." - There are no headaches. Workstations on the same subnet need local firewalls if you want to use those ports for administration. If not, leave them closed, by default, they are closed (because the local firewalls are on already out of the box).

"Should I remove/disable/turn off the service that causes the workstations to listen on those ports?
Is the following correct to turn these services off on the workstation?" - I don't know why you ask that. You will know if your workstations share files, if they don't and you, as admin, don't need c$ access, of course close file and printer sharing (for what reason was it enabled in the first place?).
0
 

Author Comment

by:Larry Kiterling
ID: 41833979
None of our workstations have local firewall enabled. They were disabled open deployment. I do believe its a good idea to turn it on but thats not our policy at the moment.

I wanted to verify if closing file and print sharing on workstations will effectively cause the workstation to stop listening on 139 and 445.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41833984
Yes, unless no other software that is installed at these machines listens on those ports, they will be closed, if default windows settings are still applied.
0
 

Author Comment

by:Larry Kiterling
ID: 41834029
perfect! thanks brah and have a good weekend!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

761 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question