The use of TCP ports 139 and 445 in Windows

By Arne Vidstrom

May 15, 2019

Microsoft introduced TCP port 445 with Windows 2000, and it's still in use in Windows 10 and Windows Server 2019. I'll explain what this port is for, and how it relates to security in Windows. At the same time, I'll also explain how you can disable the old TCP port 139.

SMB over TCP vs. SMB over NBT

One central task for the SMB (Server Message Block) protocol is file sharing. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the famous ports UDP 137 and 138, and TCP 139. With Windows 2000, Microsoft added the option to run SMB directly over TCP/IP, without the extra NBT layer. That's what TCP port 445 is used for.

Enabling and disabling NBT to control ports 137, 138, and 139

In Windows versions since Windows 2000, you have the option to disable NetBIOS over TCP/IP. First, find the appropriate network adapter icon, and then right-click and select Properties. How to find the network adapter icon varies a bit between the Windows versions. Next, click on Internet Protocol (TCP/IP) and Properties. The exact name here also varies slightly between the versions. Now click Advanced, and select the WINS tab. There you can enable or disable NetBIOS over TCP/IP. The changes take effect immediately without rebooting the system.

Disable NBT (NetBIOS over TCP/IP) to close UDP ports 137 and 138, and TCP port 139. Enable NBT to open these ports again.

When Windows uses port 445, and when it uses port 139

From now on, I will refer to "the client" as the computer from where you map drives and other shared resources, and "the "server" as the computer with resources that are shared. For example, the client could be a Windows Server installation, if you connect from it to another computer.

If the client is an older version of Windows, like Windows 2000, and has NBT enabled, it will always try to connect to the server at both port 139 and 445 simultaneously. If there is a response from port 445, it sends a TCP RST (reset) to port 139, and continues its SMB session to port 445 only. If there is no response from port 445, it will continue its SMB session to port 139 only, if it gets a response from there. If there is no response from either of the ports, the session will fail.

If the client has NBT disabled, it will always try to connect to the server at port 445 only. If the server answers on port 445, the session will be established and continue on that port. If it doesn't answer, the session will fail. One such case is when the server runs Windows NT 4.0.

Newer versions of Windows, like Windows 10 and Windows Server 2019, are interesting cases. As clients they will also always try to connect to the server at port 445 only first, but if that fails, they will not try port 139 instead even if they have NBT enabled. The session will simply fail.

If the server has NBT enabled, it listens on UDP ports 137 and 138, and TCP ports 139 and 445. If it has NBT disabled, it listens on TCP port 445 only. All four ports are open as default in all versions of Windows, including Windows 10 and Windows Server 2019.

Null sessions from clients

In the case of Windows NT 4.0, null sessions always used port 139. A tool like Winfo can give you much information on Windows NT 4.0, but how does this work on Windows 2000 and newer versions? The answer is quite simple - it works according to the above description from a client perspective. If you run Winfo from Windows 2000 and have NBT enabled, the port selection will be automatic depending on the target system. If you want Winfo never to use anything but port 445, disable NBT. If you run it from newer versions, like Windows 10 or Windows Server 2019, it will never use anything but port 445 irrespective of the NBT state. Newer versions of Windows are, however, as a default, well protected against null sessions attacks.