Port 445 is opened on a Windows Server when using the Windows Event Collector

Article:TECH88796  |  Created: 2008-01-09  |  Updated: 2011-10-05  |  Article URL http://www.symantec.com/docs/TECH88796
Article Type
Technical Solution


Issue



Why does Symantec Security Information Manager v4.x using the Windows Event Collector (WEC) open up ports 445 and 139?

Symptoms
You are watching ports on the Windows Server that are sending events to Symantec Security Information Manager v4.x through the WEC collector and notice that port 445 and sometimes port 139 are opened.


 


Cause



This will happen if you use a hostname or IP address that is not resolvable in the WEC Sensor settings because the Windows Server is trying to resolve the host name with the IP address.


Solution



You will need to add the hostname to the host file on the machine with the WEC collector or change the Sensor settings to a hostname or IP address that is resolvable and restart both computers to clear this port.

According to Microsoft port 445 is the microsoft-ds (NetBios helper) port and also used for

    SMB Fax Service
    SMB Print Spooler
    SMB Server
    SMB Remote Procedure Call Locator
    SMB Distributed File System
    SMB Net Logon


You will need to change the Sensor settings to a hostname or IP address that is resolvable or add the hostname to the host file on the machine with the WEC collector and restart both computers to clear this port.


References
Microsoft has this document on the ports for Windows:

http://support.microsoft.com/kb/832017


Technical Information
TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. This service is only implemented in the more recent verions Windows starting with Windows 2000 and Windows XP. The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT/2K/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP, ports 137, 139 and 138/udp). In Windows 2K/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.

Port 445 should be blocked at the firewall level. It can also be disabled by deleting the HKLM\System\CurrentControlSet\Services \NetBT\Parameters\TransportBindName (value only) in the Windows Registry.


 



Legacy ID



2008010911142854


Article URL http://www.symantec.com/docs/TECH88796


Terms of use for this information are found in Legal Notices