Q
The WannaCry TCP port 445 exploit returned the spotlight to Microsoft’s long-abused networking port. Network security expert Kevin Beaver explains how to detect and defend against such attacks.
TCP port 445, used by Microsoft Directory Services, has long been considered the most-attacked network service…
Many security attacks are a numbers game; that’s why the large number of attacks using a TCP port 445 exploit is no surprise.
Along with ports 135, 137 and 139, port 445 is a traditional Microsoft networking port. Specifically, TCP port 445 runs Server Message Block (SMB) over TCP/IP. This is a core means for communication on a Microsoft-based LAN. If you look at practically any modern Windows host on your network (e.g., by running netstat -an | more from a command prompt), you’ll see that port 445 is open and available, hence the problem.
Many of the attacks using a port 445 exploit take place via the LAN. Malware seeking to exploit under-secured Windows systems is a likely source. However, other attacks, like WannaCry, originate outside the network and reach any system for which port 445 has been opened on the firewall — hopefully that’s not the case for you!
How to prevent a TCP port 445 exploit
Enterprises can implement certain security controls to protect Windows systems from attacks using a port 445 exploit. These include enabling Windows Firewall or a similar endpoint protection system. The caveat there is, if you try to completely lock down Windows networking services, especially on domain controllers, you’ll end up breaking network communications.
So what’s an enterprise to do? This is where layered security controls come into play, such as:
- current patches for Windows and third-party software;
- a proven antimalware program — i.e., not just whatever big vendor software for which you have a license;
- strong passwords;
- a proper inventory of what’s on your systems;
- strong permissions to keep sensitive information locked down; and
- reasonable audit logging and active system monitoring.
Editor’s Note: Leaving TCP port 445 open has long been known to be dangerous. Akamai’s fourth-quarter 2013 “State of the Internet” reported that the port, as used by Microsoft Directory Services, was the most-attacked network service, accounting for approximately 30% of all attacks. And users should not have been surprised by that. Months prior to the WannaCry ransomware attack, US-CERT recommended that all users upgrade their systems running SMB v1 because it represented a threat.
The port 445 exploit used in the WannaCry ransomware outbreak prompted a widespread re-evaluation of how enterprises and vendors relied on version 1 of the SMB protocol. Microsoft disabled SMB v1 in Windows 10, and Windows users are urged to block all hosts requesting services through the SMB v1 protocol to avoid falling victim to malware like WannaCry.
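The checks discussed above (a port 445 listener, SMB v1 status and Windows Firewall exposure) can be combined into one read-only audit. This is an added example, not part of the original article; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the NetTCPIP, SmbShare and NetSecurity cmdlets are available.

```powershell
# Added example: read-only audit of SMB exposure on the local Windows host.
# Assumption: elevated PowerShell on Windows 8 / Server 2012 or later.

# 1. Is anything listening on TCP 445, and on which local addresses?
#    (Same information as "netstat -an", filtered to the SMB port.)
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    $listeners | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
} else {
    Write-Output 'No listener on TCP 445.'
}

# 2. Does the SMB server still accept SMB v1?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMB v1 is enabled on the SMB server.'
    # Remediation, once you have confirmed no legacy client depends on it:
    #   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Output 'SMB v1 is disabled on the SMB server.'
}

# 3. Which enabled inbound "allow" rules open TCP 445?
#    Note: this matches rules that list 445 explicitly; rules using a port
#    range or "Any" need a separate manual review.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445')
    }

if ($rules) {
    $rules | Select-Object DisplayName, Profile | Format-Table -AutoSize

    # Rules that apply to the Public profile (or to every profile) are the
    # ones that expose SMB on untrusted networks; review these first.
    $exposed = $rules | Where-Object { "$($_.Profile)" -match 'Public|Any' }
    foreach ($r in $exposed) {
        Write-Warning "Inbound TCP 445 allowed on Public/Any profile: $($r.DisplayName)"
    }
} else {
    Write-Output 'No enabled inbound allow rule lists TCP 445 explicitly.'
}
```

On domain controllers and file servers, a listener on 445 is expected; the findings that matter there are SMB v1 being enabled and rules that allow the port outside the Domain profile.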