
Since the NetBIOS vulnerability has been well known for a long time and heavily publicized, patches have already been released. So, is opening port 139 OK now?

Peter Mortensen

6 Answers

Ports are not vulnerable, they are just ports. Services that listen on particular ports may have remotely exploitable vulnerabilities, or misconfiguration of services that listen on particular ports may lead to unintended consequences. The last remote exploits that targeted NetBIOS/139 were in the Windows NT/2000 days, to the best of my recollection.

Port 139 is typically used for file/printer sharing, including directory replication with Active Directory, trusts, remote access of event logs, etc.

So... if you just block port 139 on a Domain Controller just because you read somewhere on the internet that that port is "bad", or because you are following some generic hardening checklist you found on the internet, you will kill AD replication. If you block 139 in a typical business network, you will lose the ability to do much of anything on a remote computer (remotely manage clients/servers, install software, share printers, files...). Not good in a managed environment, unless you like sending a technician onsite any time you need to do something to a computer. Heck, you could be SUPER secure and just disable network cards altogether, and use floppy disks to move bits around. You could disable port 80 on your Apache web server because of the possibility of cross-site-scripting vulnerabilities. You could block port 1433 to reduce instances of SQL injection attacks. (All right, I'll quit now ;)

The key is understanding the purpose and requirements of the services enabled on your network, understanding the threats that face them, and understanding the appropriate mitigations.

Do you want to take your Domain controllers and put them on an internet facing network connection without blocking/filtering access to port 139 (or many other ports)? Do you want to plug a home computer with Windows ME and file/print sharing enabled directly into your cable modem without having a router filtering connections or a firewall enabled on your computer? Of course not.

A great book that covers much of this information (including the "Why's" behind the security decisions you must make) is Protect Your Windows Network: From Perimeter to Data by Steve Riley and Jesper Johansson.

Sean Earp

It might be. The problem is no one can say if something is OK, just that there are no current known exploits. Someone may have found a new one and not reported it. You may be missing a patch on your server. The server may be configured incorrectly and have opened a hole.

This isn't just a NetBIOS problem, it's for anything, be it Apache, BIND, Sendmail, Exchange, anything that's connected to a network. The basic rule of thumb is don't open ports to external connections unless you have to.

blowdart

It rather depends on what you have got listening on 139. The vulnerability of a given port depends entirely on the software that an attacker can reach via that port.

Presumably this question doesn't come out of nowhere, so you must have a reason for wanting to open this port. Somebody wants to use it, right? So you need to find out what software they want to run, find out its patch level, investigate known vulnerabilities and make a judgement.

If you're talking about a firewall that protects more than one server, you could also look at rules that only allow 139 traffic to a specific server.

Dominic Cronin
  • Ports are not vulnerable. The software that is listening on them could be. See answer by Sean Earp. – Josh Brower Jun 21 '09 at 13:07
  • Exactly - apart from the fact that when I wrote my answer, I didn't have Sean's answer to refer to. If you read what I said, you'll find that I'm saying exactly the same thing. "The vulnerability of a given port depends entirely on the software that an attacker can reach via that port." – Dominic Cronin Jul 06 '09 at 21:38
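Both Sean Earp's and Dominic Cronin's answers come down to the same check: find out what is actually answering on 139 before deciding whether the port is a problem. A port scanner only reports that the TCP handshake completed. The script below, added here as an example and not part of any answer in the thread, goes one step further: it speaks the NetBIOS Session Service protocol from RFC 1001/1002, sends a SESSION REQUEST for the wildcard called name `*SMBSERVER`, and decodes the one-byte reply type and error code, so you can tell a real NetBIOS session service from some other daemon that merely happens to sit on 139. The host name `FILESRV01`, the calling name `PROBE` and the function names are illustrative choices, not anything from the original post.

```python
"""Probe TCP/139 with a NetBIOS Session Service request (RFC 1001/1002).

An open port only tells you something completed the TCP handshake. Sending a
real SESSION REQUEST and decoding the reply tells you whether a NetBIOS
session service is actually there and whether it accepts the called name.
Added example; not code from the original thread.
"""
import socket
import struct

# Session packet types, RFC 1002 section 4.3.1
SESSION_REQUEST = 0x81
POSITIVE_SESSION_RESPONSE = 0x82
NEGATIVE_SESSION_RESPONSE = 0x83
RETARGET_SESSION_RESPONSE = 0x84

# Error codes carried by a NEGATIVE SESSION RESPONSE, RFC 1002 section 4.3.4
NEGATIVE_ERRORS = {
    0x80: "Not listening on called name",
    0x81: "Not listening for calling name",
    0x82: "Called name not present",
    0x83: "Called name present, but insufficient resources",
    0x8F: "Unspecified error",
}


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding (RFC 1001 section 14.1): upper-case the name, pad it
    to 15 bytes with spaces, append the one-byte suffix (0x20 = server service,
    0x00 = workstation service), then emit each nibble as 'A' + nibble.
    Wire form: a 0x20 length byte, the 32 encoded chars, a 0x00 terminator."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix & 0xFF])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return bytes([len(encoded)]) + bytes(encoded) + b"\x00"


def decode_netbios_name(label: bytes) -> tuple:
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(label) != 34 or label[0] != 32 or label[-1] != 0:
        raise ValueError("not a 32-character NetBIOS label")
    chars = label[1:33]
    raw = bytes(((chars[i] - 0x41) << 4) | (chars[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_session_request(called: str, calling: str) -> bytes:
    """TYPE, FLAGS, 16-bit LENGTH, then CALLED NAME and CALLING NAME (34 bytes each)."""
    body = encode_netbios_name(called, 0x20) + encode_netbios_name(calling, 0x00)
    return struct.pack(">BBH", SESSION_REQUEST, 0x00, len(body)) + body


def parse_session_response(data: bytes) -> dict:
    """Decode the 4-byte session header and, for negative or retarget replies,
    the trailer that explains them."""
    if len(data) < 4:
        raise ValueError("short NetBIOS session header")
    ptype, flags, length = struct.unpack(">BBH", data[:4])
    if flags & 0x01:  # E bit: 17th bit of the length
        length += 0x10000
    result = {"type": ptype, "length": length}
    if ptype == POSITIVE_SESSION_RESPONSE:
        result["status"] = "NetBIOS session service accepted the called name"
    elif ptype == NEGATIVE_SESSION_RESPONSE:
        code = data[4] if len(data) > 4 else None
        result["error_code"] = code
        result["status"] = NEGATIVE_ERRORS.get(code, "unknown negative response code")
    elif ptype == RETARGET_SESSION_RESPONSE and len(data) >= 10:
        ip = socket.inet_ntoa(data[4:8])
        (port,) = struct.unpack(">H", data[8:10])
        result["status"] = "retarget to %s:%d" % (ip, port)
    else:
        result["status"] = "reply is not a NetBIOS session response"
    return result


def probe(host: str, called_name: str = "*SMBSERVER", port: int = 139, timeout: float = 3.0) -> dict:
    """Connect, send a SESSION REQUEST and report what actually answered.
    '*SMBSERVER' is the wildcard called name Windows servers accept; 'PROBE'
    is an arbitrary calling name chosen for this example."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_session_request(called_name, "PROBE"))
            reply = s.recv(10)
    except ConnectionRefusedError:
        return {"status": "connection refused: nothing listening on port %d" % port}
    except (socket.timeout, TimeoutError):
        return {"status": "timeout: port filtered or peer silent"}
    except OSError as exc:
        return {"status": "connection failed: %s" % exc}
    if not reply:
        return {"status": "port open, but peer closed without a NetBIOS reply"}
    return parse_session_response(reply)


if __name__ == "__main__":
    import sys
    # e.g. python netbios_probe.py FILESRV01   (FILESRV01 is a placeholder host)
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it against a host you are allowed to test. A connection refused or a reply that is not a session response means 139 is not the NetBIOS service the thread worries about; a positive response (0x82) means the session service is reachable, and from there the real question is the patch level and share configuration of that host, exactly as the answers say.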

"Do you want to take your Domain controllers and put them on an internet facing network connection without blocking/filtering access to port 139 (or many other ports)? Do you want to plug a home computer with Windows ME and file/print sharing enabled directly into your cable modem without having a router filtering connections or a firewall enabled on your computer? Of course not."

The answer would be this:

  • Open the port on the local trusted network interface (unless Windows file/printer sharing services aren't provided/applicable to your server)
  • Close the port on the Internet-facing interface (even if behind a firewall)

That is assuming you are sitting on a Windows Server domain controller, of course; for anything else, opening this port up would be ridiculous (for its intended use, anyway!).

Note the Windows service that uses this port will only listen on port 139 of the default IP address of the enabled NIC, not any of the other assigned IPs.

Ayporos

(This may already be covered. One reference to using Nessus for checking this.)

Some other references to port 139:

nik
  • Further, from the SANS data, "These protocols permit a host to manipulate remote files just as if they were local. Although this is a powerful and useful feature of Windows, improper configuration of network shares may expose critical system files or may provide a mechanism for a nefarious user or program to take full control of the host." So, it's not just MS vulnerabilities that matter. – nik Jun 20 '09 at 07:43
  • sofaq related: Anyone know why my user link did not get copied when this post was moved from SO to SF-Community-wiki? – nik Jun 20 '09 at 07:44

I would advise against opening port 139 directly to the Internet. We receive dozens of port scans on our firewall every hour looking to see if 139 is responsive. If you must open it on an Internet-facing system, at least block traffic to it by default and only allow hosts you trust, and/or install something like fail2ban to block potential brute-force attacks.

nedm