Is port 139 still vulnerable?

security networking netbios

Solution 1:

Ports are not vulnerable, they are just ports. Services that listen on particular ports may have remotely exploitable vulnerabilities, or misconfiguration of services that listen on particular ports may lead to unintended consequences. The last remote exploits that targeted NetBIOS/139 were in the Windows NT/2000 day to the best of my recollection.

Port 139 is typically used for file/printer sharing, including directory replication with Active Directory, trusts, remote access of event logs, etc.

So... if you just block port 139 on a Domain Controller just because you read somewhere on the internet that that port is "bad", or because you are following some generic hardening checklist you found on the internet; you will kill AD replication. If you block 139 in a typical business network, you will lose the ability to do much of anything on a remote computer (remotely manage clients/servers, install software, share printers, files...) Not good in a managed environment, unless you like sending a technician onsite anytime you need to do something to a computer. Heck, you could be SUPER secure and just disable network cards altogether, and use floppy disks to move bits around. You could disable port 80 on your Apache Web Server because of the possibility of cross-site-scripting vulnerabilities. You could block port 1433 to reduce instances of SQL injection attacks. (all right, I'll quit now ;)

The key is understanding the purpose and requirements of the services enabled on your network, understand the threats that face them, and understand appropriate mitigations.

Do you want to take your Domain controllers and put them on an internet facing network connection without blocking/filtering access to port 139 (or many other ports)? Do you want to plug a home computer with Windows ME and file/print sharing enabled directly into your cable modem without having a router filtering connections or a firewall enabled on your computer? Of course not.

A great book that covers much of this information (including the "Why's" behind the security decisions you must make) is Protect Your Windows Network: From Perimeter to Data by Steve Riley and Jesper Johansson.

Solution 2:

It might be. The problem is no one can say if something is OK, just that there are no current known exploits. Someone may have found a new one and not reported it. You may be missing a patch on your server. The server may be configured incorrectly and has opened a hole.

This isn't just a NetBIOS problem, it's for anything, be it Apache, BIND, Sendmail, Exchange, anything that's connected to a network. The basic rule of thumb is don't open ports to external connections unless you have to.

Solution 3:

It rather depends on what you have got listening on 139. The vulnerability of a given port depends entirely on the software that an attacker can reach via that port.

Presumably this question doesn't come out of nowhere, so you must have a reason for wanting to open this port. Somebody wants to use it, right? So you need to find out what software they want to run, find out it's patch level, investigate known vulnerabilities and make a judgement.

If you're talking about a firewall that protects more than one server, you could also look at rules that only allow 139 traffic to a specific server.

Related

How can I prevent that a server admin can see data?
Is Tripp Lite a trusted brand for a UPS? [closed]
Is there a good way to programmatically configure VLANs on a managed switch?
Correct recursive chmod, separate for files & dirs
Which CentOS Version Should I Use?
How does a router get its IP address assigned?
What are the benefits of a self signed certificate on a live site?
What is the safest country to run an IT startup? [closed]
What is a good default IP address?
Will my URL stay secret if I never link to it?
How can I block outside mail FROM [email protected]?
How does a blade server differ from a normal rackmount server?