Solved

Do I need Ports 139 and 445 for workstations opened?

Posted on 2016-10-06
Last Modified: 2016-10-07
Do I need ports 139/445 open (listening) on the workstations, which are Windows 7 machines? I know 139/445 need to be open on the file server/print server, but I am not sure if they need to be open on the workstations if they are not sharing files or printers from the workstation.
Question by:Larry Kiterling
8 Comments
 
LVL 6

Expert Comment

by:huacat
ID: 41832069
We don't need ports 139 & 445 if the machine doesn't share files or printers with other machines.
You can close these ports in the firewall.
 
LVL 35

Expert Comment

by:Kimputer
ID: 41832087
If you do a lot of remote management, you will still need those ports open. If you're afraid for security reasons, limit these ports to the managing server only (needs to be done in Advanced Settings in the Firewall settings, with a new custom rule).
 
LVL 53

Expert Comment

by:McKnife
ID: 41832113
Agree with Kimputer.

If your environment happens to be very sensitive about security, please take the following into consideration: if you, the admin, want to use the c$ share or execute remote commands (like psexec), or do other admin stuff, you need those ports accessible from your own workstation only. So what do you do? Do you create a GPO that sets up some rule that will simply allow your IP? That would be unwise.

Anyone with a little insider knowledge will know the IP of the admin's workstation. So for an attack, he will simply wait for the admin to turn off his workstation and give his own computer that IP.
So IP-based firewall rules are insecure as h***.

If you really mean to set up secure rules, you need to establish IPsec firewall rules.
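
The contrast described in this comment, as an added example that is not part of the original thread: an address-scoped rule next to an IPsec-authenticated one, using `netsh advfirewall` as shipped with Windows 7. The rule names, the address `192.0.2.10` and the group `EXAMPLE\SMB-Admin-Workstations` are placeholders, and the example assumes domain-joined machines with Windows Firewall enabled.

```powershell
# Added example. Run from an elevated PowerShell prompt on a test workstation.
# Rule names, the IP address and the AD group below are placeholders.

# Address-scoped rule, shown commented out for comparison only.
# It matches on source address alone, so whichever host currently holds
# 192.0.2.10 is allowed in.
# netsh advfirewall firewall add rule name=SMB-AdminIP dir=in action=allow `
#     protocol=TCP "localport=139,445" remoteip=192.0.2.10

# 1) Connection security rule: ask peers to negotiate IPsec using the
#    computer's Kerberos identity. The admin workstation needs a matching
#    rule, otherwise it never offers authentication.
netsh advfirewall consec add rule name=Request-IPsec endpoint1=any `
    endpoint2=any action=requestinrequestout auth1=computerkerb

# 2) Resolve the (hypothetical) AD group that contains the admin
#    workstations' computer accounts to a SID and wrap it in the SDDL
#    form the firewall uses for authorized computers.
$group = New-Object System.Security.Principal.NTAccount('EXAMPLE\SMB-Admin-Workstations')
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl  = "O:LSD:(A;;CC;;;$sid)"

# 3) Inbound rule: allow 139/445 only when the connection is
#    IPsec-authenticated AND the remote computer is a member of the group.
#    Arguments containing commas are quoted so PowerShell passes them intact.
netsh advfirewall firewall add rule name=SMB-AdminIPsec dir=in action=allow `
    protocol=TCP "localport=139,445" security=authenticate "rmtcomputergrp=$sddl"

# Review what was created.
netsh advfirewall firewall show rule name=SMB-AdminIPsec verbose
```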
 

Author Comment

by:Larry Kiterling
ID: 41832268
We do not want to implement the firewall on individual workstations due to the headaches that will come after.
Should I remove/disable/turn off the service that causes the workstations to listen on those ports?
Is the following correct to turn these services off on the workstation?
Control Panel\All Control Panel Items\Network and Sharing Center\Advanced sharing settings\Turn on file and print share
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 41832729
"We do not want to implement the firewall on individual workstations due to the headaches that will come after." - There are no headaches. Workstations on the same subnet need local firewalls if you want to use those ports for administration. If not, leave them closed; by default, they are closed (because the local firewalls are already on out of the box).

"Should I remove/disable/turn off the service that causes the workstations to listen on those ports?
Is the following correct to turn these services off on the workstation?" - I don't know why you ask that. You will know if your workstations share files. If they don't, and you, as admin, don't need c$ access, of course close file and printer sharing (for what reason was it enabled in the first place?).
 

Author Comment

by:Larry Kiterling
ID: 41833979
None of our workstations have the local firewall enabled. They were disabled upon deployment. I do believe it's a good idea to turn it on, but that's not our policy at the moment.

I wanted to verify if closing file and print sharing on workstations will effectively cause the workstation to stop listening on 139 and 445.
 
LVL 53

Expert Comment

by:McKnife
ID: 41833984
Yes, unless no other software that is installed on these machines listens on those ports, they will be closed, if default Windows settings are still applied.
 

Author Comment

by:Larry Kiterling
ID: 41834029
perfect! thanks brah and have a good weekend!
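
One way to run the check discussed in the last exchange, as an added example that is not part of the original thread: list whatever is listening on TCP 139/445 together with the owning process, so the result can be compared before and after changing the sharing setting. It uses only `netstat`, `Get-Process`, `Get-Service` and WMI, which are present on Windows 7, and assumes English `netstat` output; the function name `Get-SmbListener` is made up for this example.

```powershell
# Added example. TCP 139 is the NetBIOS session service, TCP 445 is SMB
# directly over TCP. Run from an elevated prompt on the workstation.
function Get-SmbListener {
    param([int[]]$Ports = @(139, 445))
    netstat -ano | ForEach-Object {
        # Columns: Proto  Local:Port  Foreign:Port  State  PID
        # (the LISTENING keyword is localized on non-English systems)
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $address = $Matches[1]
            $port    = [int]$Matches[2]
            $procId  = [int]$Matches[3]
            if ($Ports -contains $port) {
                $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
                $name = '?'
                if ($proc) { $name = $proc.ProcessName }
                # PID 4 ("System") means a kernel component owns the socket
                New-Object PSObject -Property @{
                    LocalAddress = $address
                    Port         = $port
                    ProcessId    = $procId
                    Process      = $name
                }
            }
        }
    }
}

$found = @(Get-SmbListener)
if ($found.Count -eq 0) {
    'Nothing is listening on TCP 139 or 445.'
} else {
    $found | Sort-Object Port, LocalAddress |
        Format-Table Port, LocalAddress, ProcessId, Process -AutoSize
}

# Context for interpreting the result: state of the Server service
# (file and printer sharing) and the per-adapter NetBIOS over TCP/IP setting
# (TcpipNetbiosOptions: 0 = default/DHCP, 1 = enabled, 2 = disabled).
Get-Service -Name LanmanServer | Select-Object Name, Status
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, TcpipNetbiosOptions
```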