Security

How to detect and defend against a TCP port 445 exploit and attacks

August 16, 2019
891 Views
5 Min Read



Q

Problem solve
Get help with specific problems with your technologies, process and projects.





The WannaCry TCP port 445 exploit returned the spotlight to Microsoft’s long-abused networking port. Network security expert Kevin Beaver explains how to detect and defend against such attacks.


  • Kevin Beaver

TCP port 445, used by Microsoft Directory Services, has long been considered the most-attacked network service…

“;
}
});

/**
* remove unnecessary class from ul
*/
$(“#inlineregform”).find( “ul” ).removeClass(“default-list”);

/**
* Replace “errorMessageInput” class with “sign-up-error-msg” class
*/
function renameErrorMsgClass() {
$(“.errorMessageInput”).each(function() {
if ($(this).hasClass(“hidden”)) {
$(this).removeClass(“errorMessageInput hidden”).addClass(“sign-up-error-msg hidden”);
} else {
$(this).removeClass(“errorMessageInput”).addClass(“sign-up-error-msg”);
}
});
}

/**
* when validation function is called, replace “errorMessageInput” with “sign-up-error-msg”
* before return
*/
function validateThis(v, form) {
var validateReturn = urValidation.validate(v, form);
renameErrorMsgClass();
return validateReturn;
}

/**
* DoC pop-up window js – included in moScripts.js which is not included in responsive page
*/
$(“#inlineRegistration”).on(“click”,”a.consentWindow”, function(e) {
window.open(this.href, “Consent”, “width=500,height=600,scrollbars=1”);
e.preventDefault();
});

[and it was exploited by the 2017 WannaCry ransomware attacks]. Can you offer some advice for detecting and defending attacks against this specific port?

Many security attacks are a numbers game; that’s why the large number of attacks using a TCP port 445 exploit is no surprise.

Along with ports 135, 137 and 139, port 445 is a traditional Microsoft networking port. Specifically, TCP port 445 runs server message block (SMB) over TCP/IP. This is a core means for communication on a Microsoft-based LAN. If you look at practically any modern Windows host on your network — e.g., netstat -an | more from a command prompt — you’ll see that port 445 is open and available, hence the problem.

Many of the attacks using a port 445 exploit take place via the LANMalware seeking to exploit under-secured Windows systems is a likely source. However, other attacks, like WannaCry, originate outside the network and reach any system for which port 445 has been opened on the firewall — hopefully that’s not the case for you!

How to prevent a TCP port 445 exploit

Enterprises can implement certain security controls to protect Windows systems from attacks using a port 445 exploit. These include enabling Windows Firewall or a similar endpoint protection system. The caveat there is, if you try to completely lock down Windows networking services, especially on domain controllers, you’ll end up breaking network communications.

So what’s an enterprise to do? This is where layered security controls come into play, such as:

  • current patches for Windows and third-party software;
  • a proven antimalware program — i.e., not just whatever big vendor software for which you have a license;
  • strong passwords;
  • a proper inventory of what’s on your systems;
  • strong permissions to keep sensitive information locked down; and
  • reasonable audit logging and active system monitoring.

Editor’s Note: Leaving open the TCP port 445 has long been known to be dangerous. Akamai’s fourth-quarter 2013 “State of the Internet” reported that the port, as used by Microsoft Directory Services, was the most-attacked network service, accounting for approximately 30% of all attacks. And users should not have been surprised by that. Months prior to the WannaCry ransomware attack, US-CERT recommended that all users upgrade their systems running SMB v1 because it represented a threat.

The port 445 exploit used in the WannaCry ransomware outbreak prompted a widespread re-evaluation of how enterprises and vendors relied on version 1 of the SMB protocol. Microsoft disabled SMB v1 in Windows 10, and Windows users are urged to block all hosts requesting services through the SMB v1 protocol to avoid falling victim to malware like WannaCry.

Ask the expert:
Want to ask Kevin Beaver a question about network security? Submit your questions now via email! (All questions are anonymous.)




Next Steps

Is FTP malware a threat to network port security?

Learn how to remove SMB v1 support from Windows systems

Find out why Microsoft patched unsupported Windows versions to protect them from WannaCry infection

Read how WannaCry ransomware exposed enterprise security shortcomings




Dig Deeper on Network device security: Appliances, firewalls and switches


Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever’s puzzling you.






Source link

Tags

About the author

View All Posts

GG

Add Comment

Click here to post a comment

Your email address will not be published. Required fields are marked *

Gadget Greed