Re: SUMMARY: Disabling Port 445 (SMB) Entirely

From: Andrew Oman (Andrew.Omanat_private)
Date: Fri Aug 30 2002 - 10:21:34 PDT


    I hope this adds a little bit on one more method of disabling/unbinding
    SMB:
    (sorry if the cross-post was not appropriate)
    
    http://www.microsoft.com/ntserver/techresources/commnet/WINS/WINSwp98/WINS11-12.asp
    
    
    HKLM\System\Controlset001\Services\NetBT\Parameters
    
    Non-Configurable Parameters
    The following parameters are created and used internally by the NetBT 
    components. They should never be modified using the Registry Editor. They 
    are listed here for reference only.
    
    TransportBindName 
    Key: Netbt\Parameters
    Value Type: REG_SZ - Character string
    Valid Range: N/A
    Default: \Device\
    Description: This parameter is used internally during product development. 
    The default value should not be changed.
    
    
    SMBDeviceEnabled 
    Key: Netbt\Parameters 
    Value Type: REG_DWORD—Boolean 
    Valid Range: 0, 1 (false, true) 
    Default: 1 (true) 
    
    Description: Windows 2000 supports a new network transport known as the 
    SMB Device, which is enabled by default. This parameter can be used to 
    disable the SMB device for troubleshooting purposes. 
    
    
    Using the SMBDeviceEnabled key removes SMB from binding to 445.
    
    Thanks,
    
    Andrew
    
    
    
    
    
    
    
    "Jason Coombs" <jasoncat_private>
    08/29/2002 08:05 PM
    Please respond to jasonc
     
            To:     <bugtraqat_private>
            cc: 
            Subject:        SUMMARY: Disabling Port 445 (SMB) Entirely
    
    
    UPDATE: I double-checked and in fact was able to stop port 445 from
    binding at all under Windows 2000 using the following Registry key:
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    
    Under this key remove the default value "\Device\" from the
    TransportBindName REG_SZ value. Upon reboot, port 445 is gone completely,
    both TCP and UDP.
    
    I tried a while ago to replace \Device\ with the device name of a single
    network interface in my multi-homed Windows box and that did not appear to
    work; SMB still grabbed port 445 TCP and UDP on 0.0.0.0 rather than the IP
    address bound to the network interface whose \Device\ virtual name I
    entered into the TransportBindName. Perhaps you can only disable port
    445/SMB entirely; there may be no way to disable it selectively.
    
    However, port 1025 is still being bound by SYSTEM ... I have no idea why.
    
    Sincerely,
    
    Jason Coombs
    jasoncat_private
    
    -----Original Message-----
    From: Jason Coombs [mailto:jasoncat_private]
    Sent: Thursday, August 29, 2002 11:52 AM
    To: vuln-dev@security-focus.com
    Subject: SUMMARY: SMB overflow attacks
    
    
    SUMMARY: There does not appear to be any way to get Windows 2000 to stop
    binding to port 445 at this time. It's possible in Windows NT, but then
    again SMB was an after-thought for NT (Service Pack 3 or 4, I don't
    remember which) and the NT kernel doesn't bind port 445 as aggressively.
    
    <snip>
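
A way to check the outcome of either registry change discussed in this thread, as an added example that is not part of the original posts: it parses saved `reg query` and `netstat -an` output and flags a host whose registry says the SMB device is off while port 445 is still bound, as it would be before the reboot. The sample text is constructed, and the output layouts and all function names are assumptions.

```python
import re

# Constructed samples (layouts assumed): `reg query` of NetBT\Parameters, then `netstat -an`.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    TransportBindName    REG_SZ    \Device\
    SMBDeviceEnabled    REG_DWORD    0x0
"""
NETSTAT_SAMPLE = """
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      192.168.1.20:445       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def parse_reg_values(text):
    """Return {value_name: (type, data)} from indented reg-query lines."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+(REG_\w+)\s*(.*)$", line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3).strip())
    return values

def smb_device_disabled(values):
    """True if either change from the thread is present in the registry."""
    kind, data = values.get("SMBDeviceEnabled", ("REG_DWORD", "0x1"))  # default 1
    bind = values.get("TransportBindName")
    cleared = bind is not None and bind[1] == ""  # "\Device\" removed from the value
    return (kind == "REG_DWORD" and int(data, 16) == 0) or cleared

def listeners_on_445(netstat_text):
    """Return sorted (proto, local_address) pairs bound to local port 445."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            local_port = parts[1].rsplit(":", 1)[-1]  # remote port is ignored
            listening = parts[0] == "UDP" or parts[-1] == "LISTENING"
            if local_port == "445" and listening:
                found.add((parts[0], parts[1]))
    return sorted(found)

def audit(reg_text, netstat_text):
    """Compare what the registry says with what is actually bound."""
    bound = listeners_on_445(netstat_text)
    if not smb_device_disabled(parse_reg_values(reg_text)):
        return ("on", bound)
    return ("off-but-still-bound" if bound else "off", bound)
```

An `off-but-still-bound` result means the setting is in the registry but the listener is still present, so the host should be rechecked after the reboot.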
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Aug 30 2002 - 12:54:36 PDT