Author: Government Digital Service

Open port 445: Server Message Block (SMB)

What this means

The Server Message Block (SMB) protocol is a client-server communication protocol mainly used to share access to resources on an internal network, such as files, printers and serial ports.

It operates over port 445 (SMBv3, SMBv2) and ports 137-139 (SMBv1 over NetBIOS).

SMB v3.0 and later are more secure than SMB v1 or v2, having introduced a number of protections such as end-to-end data encryption and protection against Man-in-the-Middle (MiM) attacks.

Why this is a problem

When SMB is open to an untrusted network, it becomes a prime target for cyber attacks, allowing remote code execution (RCE), data theft, lateral movement, and malware propagation.

Vulnerabilities like EternalBlue (CVE-2017-0144), which led to the WannaCry ransomware outbreak, exploited open SMB ports. The risks include:

  • unauthorised access to system resources through XSS, CSRF or SQL injection
  • unintended publication of services providing information disclosure
  • Denial-of-Service (DoS) attacks by overwhelming the service
  • unauthorised access and exploitation of unpatched services

How to check if the problem is there

Check open SMB ports

Run the following commands to check if SMB ports are open.

Windows (Command Prompt):

netstat -an | find ":445"

telnet <server ip address> 445

Linux (Terminal):

sudo netstat -tulnp | grep ":445"

Mac (Terminal):

netstat -an | grep "\.445 "

You will need to use the tools from a remote network to determine if SMB is open across the internet. If you use the tools from an internal network they might provide an unreliable result.
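The same reachability check as a script, as an added example that is not part of the original guidance: it makes a TCP connection to ports 445 and 139 and separates an open port from a closed or filtered one, which the telnet test does not distinguish clearly. The function names and the 3-second timeout are choices made for this example; run it from a remote network, as described above.

```python
import socket
import sys

# TCP ports the page associates with SMB: 445 (direct) and 139 (NetBIOS session).
# 137 and 138 are UDP NetBIOS services, so a TCP connect test does not cover them.
SMB_TCP_PORTS = (445, 139)


def check_port(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed', 'filtered' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed: the service is reachable
    except ConnectionRefusedError:
        return "closed"           # reset received: host reachable, nothing listening
    except socket.timeout:
        return "filtered"         # no reply at all: usually dropped by a firewall
    except OSError:
        return "unreachable"      # no route, name did not resolve, or similar


def smb_exposure(host, ports=SMB_TCP_PORTS, timeout=3.0):
    """Return {port: state} for every SMB-related TCP port on host."""
    return {port: check_port(host, port, timeout) for port in ports}


def exposed_ports(results):
    """Ports that accepted a connection and therefore need a firewall rule review."""
    return sorted(port for port, state in results.items() if state == "open")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: smb_check.py <server ip address>")
    results = smb_exposure(sys.argv[1])
    for port, state in sorted(results.items()):
        print(f"{sys.argv[1]}:{port} {state}")
    # Non-zero exit status lets a scheduled job alert when SMB becomes reachable.
    sys.exit(1 if exposed_ports(results) else 0)
```

A "filtered" result from outside the network is the outcome the firewall steps below aim for; "open" means the port is reachable from where the script was run.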

How to fix this

To mitigate attacks against an open SMB port 445, an administrator can take the following steps to block access or reduce the attack surface.

Restrict network access

Restrict network access by carrying out the following:

  • remove any inbound firewall or port forwarding rules allowing port 445
  • configure firewall rules to allow connections only from trusted IP addresses

Disable unnecessary services

If SMB is not required, consider disabling the service on the host.

Patch and update systems

Ensure the operating system is kept up to date and patched in a timely manner.

Use VPN for remote access

If there is a need to access SMB remotely over the internet, consider protecting this by only allowing access over a VPN.

Regularly monitor logs

Regularly monitor your event logs and consider:

  • using SIEM tools to detect anomalies
  • deploying Intrusion Detection Systems (IDS)
