RE: Desktops - is disabling TCP/445 or TCP/139 more secure?

["David Gillett" <gillettdavid () fhda edu>]

  CIFS (445) was designed based, at least partly, on experience
with NetBIOS.  As I understood it, part of the motivation for 
using a new port number was to avoid needing to design in backward
compatibility to vulnerabilities in the NetBIOS design.  So if
you're looking to maximize security by only permitting one, 445
should be it.  
  I would also, however:

(a) not permit either protocol past your perimeter, and

(b) require IPSEC for access to this service.

David Gillett
 

> -----Original Message-----
> From: Thor Ryan [mailto:thorman () mac com] 
> Sent: Tuesday, June 20, 2006 12:38 AM
> To: SECURITY-BASICS () securityfocus com
> Subject: Desktops - is disabling TCP/445 or TCP/139 more secure?
>
> This is my first post, please let me know if it's not basic enough.
>
> We have implemented Host Based Intrusion Prevention software 
> (Cisco Security Agent), and a debate is raging - should we 
> deny TCP/445 traffic so SMB traffic defaults to NetBIOS over 
> TCP/IP, should we disable NetBIOS overt TCP/IP and only allow 
> TCP/445 traffic, or just let both exist on the network?
>
> Some admins have said that TCP/445 scans are mounting, and 
> that denying TCP/445 is more secure.  Others say denying 
> NetBIOS over TCP/ IP (TCP/137-139) is more secure.
>
> To me, a socket is a socket, what matters is the service 
> listening on the particular port.  Is TCP/445 more secure 
> than NetBIOS, or the other way around?  I've Googled, but not 
> found anything helpful until I stumbled on this list.  Thanks!
>
> Thor