Bugtraq mailing list archives

Re: SUMMARY: Disabling Port 445 (SMB) Entirely


From: "Andrew Oman" <Andrew.Oman () predictive com>
Date: Fri, 30 Aug 2002 13:21:34 -0400

I hope this adds a little bit on one more method of disabling/unbinding SMB:
(sorry if the cross-post was not appropriate)

http://www.microsoft.com/ntserver/techresources/commnet/WINS/WINSwp98/WINS11-12.asp

HKLM\System\Controlset001\Services\NetBT\Parameters

Non-Configurable Parameters
The following parameters are created and used internally by the NetBT 
components. They should never be modified using the Registry Editor. They 
are listed here for reference only.

TransportBindName 
Key: Netbt\Parameters
Value Type: REG_SZ - Character string
Valid Range: N/A
Default: \Device\
Description: This parameter is used internally during product development. 
The default value should not be changed.


SMBDeviceEnabled 
Key: Netbt\Parameters 
Value Type: REG_DWORD—Boolean 
Valid Range: 0, 1 (false, true) 
Default: 1 (true) 

Description: Windows 2000 supports a new network transport known as the 
SMB Device, which is enabled by default. This parameter can be used to 
disable the SMB device for troubleshooting purposes. 


Using the SMBDeviceEnabled key removes SMB from binding to 445.

Thanks,

Andrew







"Jason Coombs" <jasonc () science org>
08/29/2002 08:05 PM
Please respond to jasonc
 
        To:     <bugtraq () securityfocus com>
        cc: 
        Subject:        SUMMARY: Disabling Port 445 (SMB) Entirely


UPDATE: I double-checked and in fact was able to stop port 445 from binding
at all under Windows 2000 using the following Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Under this key remove the default value "\Device\" from the
TransportBindName REG_SZ value. Upon reboot, port 445 is gone completely,
both TCP and UDP.

I tried a while ago to replace \Device\ with the device name of a single
network interface in my multi-homed Windows box and that did not appear to
work, SMB still grabbed port 445 TCP and UDP on 0.0.0.0 rather than the IP
address bound to the network interface whose \Device\ virtual name I entered
into the TransportBindName. Perhaps you can only disable port 445/SMB
entirely, there may be no way to disable it selectively.

However, port 1025 is still being bound by SYSTEM ... I have no idea why.

Sincerely,

Jason Coombs
jasonc () science org

-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org]
Sent: Thursday, August 29, 2002 11:52 AM
To: vuln-dev () security-focus com
Subject: SUMMARY: SMB overflow attacks


SUMMARY: There does not appear to be any way to get Windows 2000 to stop
binding to port 445 at this time. It's possible in Windows NT, but then
again SMB was an after-thought for NT (Service Pack 3 or 4, I don't remember
which) and the NT kernel doesn't bind port 445 as aggressively.

<snip>
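
A read-only check for the two settings discussed in this thread, added here as an example and not part of either poster's message: it reports SMBDeviceEnabled and TransportBindName under the NetBT Parameters key and lists anything still bound to port 445 according to `netstat -an`. The function names are hypothetical, and it assumes PowerShell 3.0 or later on the host being audited.

```powershell
# Added example: audits the NetBT values named in the thread; changes nothing.
$NetBTKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

function Get-NetBTSmbSetting {
    param([string]$Path = $NetBTKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    $names = $p.PSObject.Properties.Name
    # $null means the value is absent, so the documented default applies.
    [pscustomobject]@{
        SMBDeviceEnabled  = if ($names -contains 'SMBDeviceEnabled')  { [int]$p.SMBDeviceEnabled }     else { $null }
        TransportBindName = if ($names -contains 'TransportBindName') { [string]$p.TransportBindName } else { $null }
    }
}

function Get-Port445Binding {
    # netstat columns: Proto, Local Address, Foreign Address, [State].
    # A listening TCP socket shows an all-zero foreign address, which avoids
    # matching on the localized state text; UDP rows have no state column.
    netstat -an | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ge 3 -and $f[1] -match ':445$') {
            $tcpListen = $f[0] -eq 'TCP' -and $f[2] -match '^(0\.0\.0\.0|\[::\]):0$'
            if ($tcpListen -or $f[0] -eq 'UDP') {
                [pscustomobject]@{ Proto = $f[0]; Local = $f[1] }
            }
        }
    }
}

$cfg       = Get-NetBTSmbSetting
$listeners = @(Get-Port445Binding)

$cfg | Format-List
if ($listeners.Count -eq 0) {
    'Nothing is bound to port 445.'
} else {
    $listeners | Format-Table -AutoSize
}

# Either change from the thread counts as "disabled in the registry":
# SMBDeviceEnabled = 0, or TransportBindName emptied of "\Device\".
$disabled = ($cfg.SMBDeviceEnabled -eq 0) -or ($cfg.TransportBindName -eq '')
if ($disabled -and $listeners.Count -gt 0) {
    Write-Warning 'Registry disables the SMB device but port 445 is still bound; the change may not have taken effect yet (the thread reports it applying after a reboot).'
}
```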




