• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 176
  • Last Modified:

Do I need Ports 139 and 445 for workstations opened?

Do I need ports 139/445 open(listening) on the workstations that are Windows 7 machine? I know 139/445 needs to be open on the fileserver/printserver but not sure if it needs to be on the workstations if they are not sharing files or printers from the workstation.
0
Larry Kiterling
Asked:
Larry Kiterling
1 Solution
 
huacatCommented:
We needn't 139 & 445 port if the machine don' share files or printers to other machines.
You can close these ports in firewall.
0
 
KimputerCommented:
If you do a lot or remote management, you will still need those ports open. If you're afraid for security reasons, limit these ports to the managing server only (needs to be done in Advanced Settings in the Firewall setttings, with a new custom rule)
0
 
McKnifeCommented:
Agree with Kimputer.

If your environment happens to be very sensitive about security, please take the following into consideration: if you, the admin, wants to use the c$ share or execute remote commands (like psexec), or do other admin stuff, you need those ports accessible from your own workstation only. So what do you do? Do you create a GPO that sets up some rule that will simply allow your IP? That would be unwise.

Anyone with a little insider knowledge will know the IP of the admin's workstation. So for an attack, he will simply wait for the admin to turn off his workstation and give his own computer that IP.
So IP-based firewall rules are insecure as h***.

If you really mean to setup secure rules, you need to establish ipsec firewall rules.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
Larry KiterlingAuthor Commented:
We do not want to implement the firewall on individual workstations due to the headaches that will come after.
Should I remove/disable/turn off the service that causes the workstations to listen on those ports?
Is the following correct to turn these services off on the workstation?
Control Panel\All Control Panel Items\Network and Sharing Center\Advanced sharing settings\Turn on file and print share
0
 
McKnifeCommented:
"We do not want to implement the firewall on individual workstations due to the headaches that will come after." - There are no headaches. Workstations on the same subnet need local firewalls if you want to use those ports for administration. If not, leave them closed, by default, they are closed (because the local firewalls are on already out of the box).

"Should I remove/disable/turn off the service that causes the workstations to listen on those ports?
Is the following correct to turn these services off on the workstation?" - I don't know why you ask that. You will know if your workstations share files, if they don't and you, as admin, don't need c$ access, of course close file and printer sharing (for what reason was it enabled in the first place?).
0
 
Larry KiterlingAuthor Commented:
None of our workstations have local firewall enabled. They were disabled open deployment. I do believe its a good idea to turn it on but thats not our policy at the moment.

I wanted to verify if closing file and print sharing on workstations will effectively cause the workstation to stop listening on 139 and 445.
0
 
McKnifeCommented:
Yes, unless no other software that is installed at these machines listens on those ports, they will be closed, if default windows settings are still applied.
0
 
Larry KiterlingAuthor Commented:
perfect! thanks brah and have a good weekend!
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now