Solved

Do I need Ports 139 and 445 for workstations opened?

Posted on 2016-10-06
Last Modified: 2016-10-07
Do I need ports 139/445 open (listening) on the workstations that are Windows 7 machines? I know 139/445 need to be open on the fileserver/printserver, but I'm not sure if they need to be on the workstations if they are not sharing files or printers from the workstation.
Question by:Larry Kiterling
8 Comments
 
LVL 6

Expert Comment

by:huacat
ID: 41832069
We don't need ports 139 & 445 if the machine doesn't share files or printers with other machines.
You can close these ports in the firewall.
0
 
LVL 36

Expert Comment

by:Kimputer
ID: 41832087
If you do a lot of remote management, you will still need those ports open. If you're afraid for security reasons, limit these ports to the managing server only (needs to be done in Advanced Settings in the Firewall settings, with a new custom rule).
0
 
LVL 55

Expert Comment

by:McKnife
ID: 41832113
Agree with Kimputer.

If your environment happens to be very sensitive about security, please take the following into consideration: if you, the admin, want to use the c$ share or execute remote commands (like psexec), or do other admin stuff, you need those ports accessible from your own workstation only. So what do you do? Do you create a GPO that sets up some rule that will simply allow your IP? That would be unwise.

Anyone with a little insider knowledge will know the IP of the admin's workstation. So for an attack, he will simply wait for the admin to turn off his workstation and give his own computer that IP.
So IP-based firewall rules are insecure as h***.

If you really mean to set up secure rules, you need to establish IPsec firewall rules.
0
 

Author Comment

by:Larry Kiterling
ID: 41832268
We do not want to implement the firewall on individual workstations due to the headaches that will come after.
Should I remove/disable/turn off the service that causes the workstations to listen on those ports?
Is the following correct to turn these services off on the workstation?
Control Panel\All Control Panel Items\Network and Sharing Center\Advanced sharing settings\Turn on file and print share
0
 
LVL 55

Accepted Solution

by:
McKnife earned 500 total points
ID: 41832729
"We do not want to implement the firewall on individual workstations due to the headaches that will come after." - There are no headaches. Workstations on the same subnet need local firewalls if you want to use those ports for administration. If not, leave them closed; by default, they are closed (because the local firewalls are on already out of the box).

"Should I remove/disable/turn off the service that causes the workstations to listen on those ports?
Is the following correct to turn these services off on the workstation?" - I don't know why you ask that. You will know if your workstations share files, if they don't and you, as admin, don't need c$ access, of course close file and printer sharing (for what reason was it enabled in the first place?).
0
 

Author Comment

by:Larry Kiterling
ID: 41833979
None of our workstations have the local firewall enabled. They were disabled upon deployment. I do believe it's a good idea to turn it on, but that's not our policy at the moment.

I wanted to verify if closing file and print sharing on workstations will effectively cause the workstation to stop listening on 139 and 445.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 41833984
Yes, unless no other software that is installed at these machines listens on those ports, they will be closed, if default Windows settings are still applied.
0
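A check for the question above, as an added example that is not part of the original thread: it parses `netstat -ano` output collected from workstations and reports any socket still LISTENING on TCP 139 or 445, ignoring outbound client connections to a file server's port 445. The host names, addresses and PIDs in the sample are constructed.

```python
import re

SMB_PORTS = (139, 445)  # NetBIOS session service, SMB directly over TCP

# Constructed `netstat -ano` output from two hypothetical workstations.
REPORTS = {
    "WS-01": """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.10.23:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.10.23:49172    192.168.10.5:445       ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
""",
    "WS-02": """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    192.168.10.24:49201    192.168.10.5:445       ESTABLISHED     4
""",
}

# A listener row: TCP, local address:port, any foreign address, LISTENING, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def smb_listeners(netstat_text):
    """Return sorted (port, local_address, pid) for sockets LISTENING on 139/445."""
    hits = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(2)) in SMB_PORTS:
            hits.add((int(m.group(2)), m.group(1), int(m.group(3))))
    return sorted(hits)


def audit(reports):
    """Map each host to its SMB listeners; hosts with none are omitted."""
    result = {}
    for host, text in reports.items():
        hits = smb_listeners(text)
        if hits:
            result[host] = hits
    return result


if __name__ == "__main__":
    for host, hits in sorted(audit(REPORTS).items()):
        for port, addr, pid in hits:
            print(f"{host}: listening on {addr}:{port} (PID {pid})")
```

The pattern matches the English `LISTENING` state; localized Windows builds print a translated state name, so adjust it for those.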
 

Author Comment

by:Larry Kiterling
ID: 41834029
perfect! thanks brah and have a good weekend!
0
