How do I block port 445 on a Windows Server 2008R2 web server?
Hello... I am using a Windows Server 2008R2 as a web server. We were contacted by our security people, who said that I need to close port 445. Port 445 has been tied to ransomware attacks. I used the firewall in the server to create a block for port 445. But when I use the "netstat -na" command, port 445 is still open. And the security people also confirmed port 445 is still open. There was another method to close port 445 by using regedit to disable features within the server. I am not sure if the regedit method will affect the active server. Obviously I do not want to disturb the active web server. Anyway, is the regedit method a viable solution, or is there another way to block port 445 from being open? Thank you in advance for your help.
ASKER
Thank you gentlemen for your input.
Mr. McKnife, your solution reinforces the "regedit solution" I found earlier. It's the "Lanman server" that we need to shut down. I was not sure about that "regedit" fix until I read your solution. I tried your solution on another computer and it worked. So I will install this fix on the active web server tonight when we have the lowest login activity.
Once again, thank you gentlemen for your time.
In your firewall blocks, did you block both incoming and outgoing?
You are fighting ransomware using symptoms and not the cause. Like using Tylenol for a toothache.
And as @David Johnson mentioned, if you're using File Sharing then killing/disabling the listener may cause other problems.
You mentioned, "We were contacted by our security people that I need to close port 445. Port 445 has been tied to ransomware attacks", which requires clarification to know what is meant by this statement.
For example...
1) Is the scanner software running the latest version, to rule out many false positives... well... hopefully rule them out...
2) Is there a known scanner bug, slated to be fixed in a future release, that matches the problem reported.
3) What scanner was used + what's the exact diagnostic report generated.
4) Is #3 of concern or a bogus false positive? Remember scanners justify their existence by spewing problems...
Whether a given scanner's spew is useful or truthful requires that you analyze #3... rather than just accepting some message as a real problem to be fixed... or even considered...
5) Also of consideration is Windows Server 2008R2, which is very old.
So ensure all patches/updates are installed.
6) https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-server-eos-faq/end-of-support-windows-server-2008-2008r2 shows the EOL (End of Life) date for Windows Server 2008R2 to be 1/14/2020.
This means any File Sharing software could have a known exploit/backdoor/hack... that will never be fixed...
If this is the case, your only choices are:
a) Add firewall rules to only allow access between certain machines for File Sharing.
b) ACL your machine so only certain other machines can access File Sharing (similar to #1).
c) Best option, upgrade to latest Windows Server which will close any File Sharing exploits, either as soon as code is installed or in some future patch.
7) Also as @David Johnson mentioned, "You are fighting ransomware using symptoms and not the cause. Like using Tylenol for a toothache".
If ransomware is somehow using port 445 (refer to #4 above to determine if this is true/false), then the real problem is that you've allowed ransomware onto the machine. Cleanse steps will be...
a) Nuke the machine, doing a fresh install.
b) Restore machine from offsite backup.
c) Close whatever security hole that allowed ransomware on your machine.
d) Never allow ransomware to be installed again.
Have you configured the block on the correct network profile?
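An added example for the thread above (not code posted by anyone in it): a PowerShell script that checks for the port 445 listener, adds an inbound block on every firewall profile, and optionally disables the Server service (LanmanServer) that owns the listener. It assumes Server 2008 R2 with its built-in PowerShell 2.0 and an elevated prompt; the rule name and the -DisableServerService switch are my own choices, and netsh is used because the New-NetFirewallRule cmdlets only exist on Server 2012 and later.

```powershell
# Added example, not from the thread. Run elevated on Windows Server 2008 R2 (PowerShell 2.0).
param([switch]$DisableServerService)   # hypothetical switch: also stop and disable LanmanServer

# 1. Show whether anything is listening on TCP 445. A firewall rule filters packets but does not
#    close the socket, so netstat keeps reporting LISTENING even when the block is working;
#    the real test is a scan from another host, which should see the port as filtered.
$listening = netstat -ano | Select-String -Pattern ':445\s+.*LISTENING'
if ($listening) { "Port 445 listener present:"; $listening } else { "No listener on TCP 445." }

# 2. Inbound block on ALL profiles (domain, private, public). A rule created for one profile only
#    does nothing while the adapter sits in another profile, a common reason a block "does not work".
netsh advfirewall firewall add rule name="Block SMB TCP 445 inbound" dir=in action=block protocol=TCP localport=445 profile=any

# Verify which profile is active and that the rule is enabled for every profile.
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name="Block SMB TCP 445 inbound"

# 3. Optionally remove the listener itself by disabling the Server service (LanmanServer).
#    This also turns off file and printer sharing and the admin shares (C$, ADMIN$), so review the
#    dependent services first; a web server that only serves HTTP normally does not need them.
if ($DisableServerService) {
    $svc = Get-Service -Name LanmanServer
    "Services depending on LanmanServer:"; $svc.DependentServices | Select-Object Name, Status
    Stop-Service -Name LanmanServer -Force          # -Force also stops the dependents listed above
    Set-Service -Name LanmanServer -StartupType Disabled
    Start-Sleep -Seconds 2
    netstat -ano | Select-String -Pattern ':445\s+.*LISTENING'   # should now return nothing
}
```

Keep the firewall rule even after disabling the service, since a later patch or feature install can re-enable LanmanServer and bring the listener back.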