Solved

Do I need Ports 139 and 445 for workstations opened?

Posted on 2016-10-06
8
77 Views
Last Modified: 2016-10-07
Do I need ports 139/445 open(listening) on the workstations that are Windows 7 machine? I know 139/445 needs to be open on the fileserver/printserver but not sure if it needs to be on the workstations if they are not sharing files or printers from the workstation.
0
Comment
Question by:Larry Kiterling
8 Comments
 
LVL 6

Expert Comment

by:huacat
ID: 41832069
We needn't 139 & 445 port if the machine don' share files or printers to other machines.
You can close these ports in firewall.
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 41832087
If you do a lot or remote management, you will still need those ports open. If you're afraid for security reasons, limit these ports to the managing server only (needs to be done in Advanced Settings in the Firewall setttings, with a new custom rule)
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41832113
Agree with Kimputer.

If your environment happens to be very sensitive about security, please take the following into consideration: if you, the admin, wants to use the c$ share or execute remote commands (like psexec), or do other admin stuff, you need those ports accessible from your own workstation only. So what do you do? Do you create a GPO that sets up some rule that will simply allow your IP? That would be unwise.

Anyone with a little insider knowledge will know the IP of the admin's workstation. So for an attack, he will simply wait for the admin to turn off his workstation and give his own computer that IP.
So IP-based firewall rules are insecure as h***.

If you really mean to setup secure rules, you need to establish ipsec firewall rules.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:Larry Kiterling
ID: 41832268
We do not want to implement the firewall on individual workstations due to the headaches that will come after.
Should I remove/disable/turn off the service that causes the workstations to listen on those ports?
Is the following correct to turn these services off on the workstation?
Control Panel\All Control Panel Items\Network and Sharing Center\Advanced sharing settings\Turn on file and print share
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 41832729
"We do not want to implement the firewall on individual workstations due to the headaches that will come after." - There are no headaches. Workstations on the same subnet need local firewalls if you want to use those ports for administration. If not, leave them closed, by default, they are closed (because the local firewalls are on already out of the box).

"Should I remove/disable/turn off the service that causes the workstations to listen on those ports?
Is the following correct to turn these services off on the workstation?" - I don't know why you ask that. You will know if your workstations share files, if they don't and you, as admin, don't need c$ access, of course close file and printer sharing (for what reason was it enabled in the first place?).
0
 

Author Comment

by:Larry Kiterling
ID: 41833979
None of our workstations have local firewall enabled. They were disabled open deployment. I do believe its a good idea to turn it on but thats not our policy at the moment.

I wanted to verify if closing file and print sharing on workstations will effectively cause the workstation to stop listening on 139 and 445.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41833984
Yes, unless no other software that is installed at these machines listens on those ports, they will be closed, if default windows settings are still applied.
0
 

Author Comment

by:Larry Kiterling
ID: 41834029
perfect! thanks brah and have a good weekend!
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question