What’s the difference between using Windows 9x and Windows 2000/XP file sharing? Which port(s) handle(s) file transfers on Windows 2000/XP systems? Does Windows XP use NetBIOS to transfer files? If you disable NetBIOS over TCP/IP on a 2000/XP box, can people still connect to your shares? What happens if you block access to port TCP/139 on an XP machine?
Those should be simple questions for anyone who deals with Windows in an administrator role, but unfortunately, they are not. I’d be willing to bet that less than a quarter of Windows admins can confidently answer all five questions. In this short article, I intend to get readers up to speed on the basics of this highly critical area of knowledge. Often, knowing the how and why makes all the difference when it comes to making sound security decisions.
File and Print Sharing
Ok, so what’s File and Print Sharing? File and Print Sharing is little more than a service that makes file/folder and print shares available to clients over the network. Think of it as a daemon that runs on a machine, similar to a web or mail server, and because it is a listening network service it deserves the same scrutiny over who can reach it as any other daemon.
Microsoft SMB Protocol and CIFS Protocol Overview
The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol. The set of message packets that defines a particular version of the protocol is called a dialect. The Common Internet File System (CIFS) Protocol is a dialect of SMB. Both SMB and CIFS are also available on VMS, several versions of Unix, and other operating systems.
The technical reference to CIFS is available from Microsoft Corporation at Common Internet File System (CIFS) File Access Protocol. Its main purpose is file sharing, and additional Microsoft SMB Protocol functionality includes the following:
- Dialect negotiation
- Unicode support
- File and record locking
- Determining other Microsoft SMB Protocol servers on the network, or network browsing
- File, directory, and share access authentication
- File and directory change notification
- Extended file attribute handling
- Printing over a network
- Opportunistic locks
The Port Numbers of the File Sharing Protocol
UDP/137, UDP/138, TCP/139 and TCP/445, plus TCP/135, which is not a file sharing port at all but belongs to the RPC endpoint mapper (discussed below). A Windows 2000/XP/2003 server with NetBIOS over TCP/IP (NBT) enabled listens on UDP ports 137 and 138 and on TCP ports 139 and 445; with NBT disabled it listens only on TCP port 445. Starting with Windows 2000, Microsoft added the ability to run SMB directly over TCP/IP (“direct hosting”), without the extra NetBT layer, and that is what TCP port 445 carries.
The Microsoft SMB Protocol is a client-server implementation and consists of a set of data packets, each containing either a request sent by the client or a response sent by the server. Windows clients and servers use the Server Message Block (SMB) protocol for their native file and printer sharing functionality. (Obviously, there are other protocols, too, but “traditional” Windows file and printer sharing uses SMB.) Versions of Windows before Windows 2000 encapsulate SMB in the NetBIOS over TCP (NBT) protocol, which uses TCP port 139. Windows 2000 introduced SMB directly over TCP, which uses TCP port 445; a 2000/XP client tries both and uses whichever answers first, so blocking 139 alone does not stop share access as long as 445 is reachable.
For one reason or another, there is quite a bit of confusion surrounding the technologies that allow File Sharing to take place on a Windows machine. The hodgepodge of terms (NetBIOS, NBT, SMB, CIFS) serves to confuse not only junior admins but many more experienced professionals. We’ve all been there when a newcomer to IT has asked awkward questions like, “If I disable x, but leave y, will I still be able to do z?” Most times the professional being asked will try to either change the subject or exit the room as quickly as possible to avoid showing their ignorance.
In the OSI networking model, Microsoft SMB Protocol is most often used as an Application layer or a Presentation layer protocol, and it relies on lower-level protocols for transport. Historically the transport Microsoft SMB Protocol was used with is NetBIOS over TCP/IP (NBT). Microsoft SMB Protocol can also be carried directly over TCP without a separate NetBIOS layer; the Microsoft SMB Protocol/NBT combination is retained mainly for backward compatibility with pre-Windows 2000 systems.
Of course, nearly everyone is familiar with one main concept, the widely known and well-worn view that Windows file sharing services are potentially very dangerous. Steve Gibson and his website can be credited mostly for this becoming largely common knowledge. Unfortunately, however, the fact that “it’s bad” is about the extent of most people’s knowledge of the subject. As a friendly test, see if you know the answers to the five questions that open this article.
In Windows 9x (Windows 95, 98, and ME), the primary ports for sharing resources were 135, 137, 138, and 139. Below we take a look at each:
TCP/135 – RPC: This port is potentially quite dangerous because of what “RPC” actually stands for. Remote procedure calls are requests from one machine to another for service. On Windows, the RPC endpoint mapper listening on TCP/135 acts as a facilitator, or go-between, between the client making the request and the machine being asked for service: the client asks the endpoint mapper where a given RPC service lives and is told the port that was dynamically allocated to that service when it registered. This is similar to the portmapper found in the Unix world, and although TCP/135 is not technically a file sharing port, it ties heavily into Windows networking in general, so like 139 and 445 it should not be reachable from untrusted networks.