Re: SUMMARY: Disabling Port 445 (SMB) Entirely

From: Andrew Oman (Andrew.Oman@predictive.com)
Date: 08/30/02


To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com
From: "Andrew Oman" <Andrew.Oman@predictive.com>
Date: Fri, 30 Aug 2002 13:21:34 -0400

I hope this adds a little bit on one more method of disabling/unbinding
SMB:
(sorry if the cross-post was not appropriate)

http://www.microsoft.com/ntserver/techresources/commnet/WINS/WINSwp98/WINS11-12.asp

HKLM\System\Controlset001\Services\NetBT\Parameters

Non-Configurable Parameters
The following parameters are created and used internally by the NetBT
components. They should never be modified using the Registry Editor. They
are listed here for reference only.

TransportBindName
Key: Netbt\Parameters
Value Type: REG_SZ - Character string
Valid Range: N/A
Default: \Device\
Description: This parameter is used internally during product development.
The default value should not be changed.


SMBDeviceEnabled
Key: Netbt\Parameters
Value Type: REG_DWORD—Boolean
Valid Range: 0, 1 (false, true)
Default: 1 (true)

Description: Windows 2000 supports a new network transport known as the
SMB Device, which is enabled by default. This parameter can be used to
disable the SMB device for troubleshooting purposes.


Using the SMBDeviceEnabled key removes SMB from binding to 445.

Thanks,

Andrew







"Jason Coombs" <jasonc@science.org>
08/29/2002 08:05 PM
Please respond to jasonc
 
        To: <bugtraq@securityfocus.com>
        cc:
        Subject: SUMMARY: Disabling Port 445 (SMB) Entirely


UPDATE: I double-checked and in fact was able to stop port 445 from binding
at all under Windows 2000 using the following Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Under this key remove the default value "\Device\" from the
TransportBindName REG_SZ value. Upon reboot, port 445 is gone completely,
both TCP and UDP.

I tried a while ago to replace \Device\ with the device name of a single
network interface in my multi-homed Windows box and that did not appear to
work, SMB still grabbed port 445 TCP and UDP on 0.0.0.0 rather than the IP
address bound to the network interface whose \Device\ virtual name I entered
into the TransportBindName. Perhaps you can only disable port 445/SMB
entirely; there may be no way to disable it selectively.

However, port 1025 is still being bound by SYSTEM ... I have no idea why.

Sincerely,

Jason Coombs
jasonc@science.org

-----Original Message-----
From: Jason Coombs [mailto:jasonc@science.org]
Sent: Thursday, August 29, 2002 11:52 AM
To: vuln-dev@security-focus.com
Subject: SUMMARY: SMB overflow attacks


SUMMARY: There does not appear to be any way to get Windows 2000 to stop
binding to port 445 at this time. It's possible in Windows NT, but then
again SMB was an afterthought for NT (Service Pack 3 or 4, I don't remember
which) and the NT kernel doesn't bind port 445 as aggressively.

<snip>
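
The following is an added example, not part of either poster's message: a read-only audit that checks the two NetBT values discussed in the thread against what the host is actually bound to after the reboot. It assumes a regedit export of the NetBT\Parameters key already decoded to text and a saved `netstat -an` listing; both samples and all function names are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): regedit export of NetBT\Parameters as text.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"="\\Device\\"
"SMBDeviceEnabled"=dword:00000000
'''

# Constructed sample (not from the thread): `netstat -an` output taken after the reboot.
SAMPLE_NETSTAT = '''
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
'''

VALUE_RE = re.compile(r'^"([^"]+)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))[ \t]*$', re.M)

def parse_reg_values(text):
    """Return {name: value} for the REG_SZ and REG_DWORD entries of a .reg export."""
    values = {}
    for m in VALUE_RE.finditer(text):
        name, sz, dword = m.groups()
        # .reg files escape backslashes and quotes inside strings; undo that for REG_SZ.
        values[name] = int(dword, 16) if dword is not None else re.sub(r'\\(.)', r'\1', sz)
    return values

def bound_sockets(netstat_text, port=445):
    """Return sorted (proto, local address) pairs bound to port; TCP counts only when LISTENING."""
    hits = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP") or f[1].rsplit(":", 1)[-1] != str(port):
            continue
        if f[0] == "UDP" or f[-1] == "LISTENING":
            hits.add((f[0], f[1]))
    return sorted(hits)

def audit(reg_text, netstat_text):
    """Compare the configured state with what the host is actually bound to."""
    v = parse_reg_values(reg_text)
    # Defaults per the quoted documentation: SMBDeviceEnabled=1, TransportBindName=\Device\
    configured_off = v.get("SMBDeviceEnabled", 1) == 0 or v.get("TransportBindName", "\\Device\\") == ""
    return {"configured_off": configured_off, "port_445": bound_sockets(netstat_text)}

if __name__ == "__main__":
    print(audit(SAMPLE_REG, SAMPLE_NETSTAT))
```

A result with `configured_off` true but a non-empty `port_445` list means the registry change has not taken effect, for example because the host has not yet been rebooted.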