I want to disable file sharing (SMB) on Windows XP and I turned it off in the network properties dialog box, but the system is still listening on port 445. Is there a way to make it stop listening on 445 entirely? Is it still on in stealth mode?
- Just install the patch for Windows XP that fixes the SMB exploit – Ramhound May 14 '17 at 02:28
- @Ramhound Even with a fix for the current vulnerability, SMB is still a pretty large attack surface. – CodesInChaos May 14 '17 at 10:43
- You can always use the built-in firewall, block everything except what you need to listen. – Sam May 14 '17 at 11:59
- @Sam Good idea, block buggy software I don't use with... more buggy software I don't use. I have a better idea: turn the buggy software off. – Tyler Durden May 14 '17 at 13:54
- The current answers don't actually disable SMBv1, this [article](https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012) explains how to do that – Ramhound May 14 '17 at 18:22
- @Ramhound Don't follow your point about SMBv1. The current answers disable all versions of SMB, as per the question. Your linked article disables specific SMB versions for Vista+, not XP. – Jimadine May 17 '17 at 21:02
- @Jimadine - The answers have been updated since I made that comment..... – Ramhound May 17 '17 at 21:51
3 Answers
I figured out how to do this from another post.
Add the following registry key:

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Name: SMBDeviceEnabled
Type: DWORD (REG_DWORD)
Data: 0
```

This will completely disable SMB services and shut down the server that listens on 445. Restart the computer for it to take effect. You can verify that it is off by using `netstat -an`.
- The correct action is to flag your question as a duplicate, not answer it without even attributing to the source Q&A. – AStopher May 14 '17 at 17:11
- After adding the key, the command: `netstat -na | find "LISTENING" | find ":445"`, returns empty - so nobody listening on 445 – Lucio M. Tato May 15 '17 at 22:33
- Seems like [this 2013 answer](https://superuser.com/a/630592) is a likely source for this post, which in turn relies on this [forum post from 2010](http://ssj100.fullsubject.com/t181-how-to-disable-ports-135-137-139-445-windows-xp#1210). – duozmo May 23 '17 at 23:36
Command line method
Assuming the current user is a member of the Administrators group, open a command prompt and enter:

```
reg add HKLM\System\CurrentControlSet\Services\NetBT\Parameters /V SmbDeviceEnabled /T REG_DWORD /F /D 0
```

(this adds the required registry setting to disable SMB, and is the CLI equivalent of the OP's answer)

Then enter:

```
sc stop lanmanserver
sc config lanmanserver start= disabled
```

(this stops and disables the server service, a.k.a. lanmanserver)

Restart your computer:

```
shutdown -r -t 01
```

After the restart, open a command prompt and enter the following command to verify that SMB is no longer listening on port 445:

```
netstat -na | find "LISTENING" | find ":445 "
```

If no output is returned by this command, you're all good!
Another possible method involving the GUI
...is to uninstall File and Printer Sharing for Microsoft Networks completely:
- Go to Start|Control Panel, and double-click the Network Connections applet.
- Right-click Local Area Connection (i.e., the Internet-facing connection), and select Properties.
- Select File And Printer Sharing For Microsoft Networks, and click the Uninstall button.
- Choose Yes when prompted to uninstall the component. Close all dialog boxes and applets.
For those that might benefit from a guide with screenshots, see:
http://ca.huji.ac.il/services/security/sharingXP-uninstall.shtml
- I already had Server turned off. It was still listening on 445. The port is owned by PID 4, which is basically the kernel, it is not a service. The service portion is, I think, just some kind of front end. The actual server itself is not actually in the "Server" service, so turning off Server does not turn off the 445 listener. – Tyler Durden May 14 '17 at 14:01
- I've updated my answer based on your experience - belt n braces probably best! I'm seeing mixed results with regard to whether you need to modify both registry setting & service state. On an XP box I tested, modifying the reg was enough, and on my own 7 box, stopping the service was enough. Possibly the order of modifications makes a difference. – Jimadine May 17 '17 at 20:16
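
A post-reboot check that reports the three states discussed in this thread separately (the SMBDeviceEnabled value, the Server service, and the 445 listener), so it is clear which change took effect. This is an added example, not part of any answer or comment above; the script layout and the [OK]/[FAIL] labels are assumptions, and it expects English-language `sc` and `netstat` output.

```batch
@echo off
rem Added example, not from the answers above: audit after the reboot.
rem Assumes English-language output from sc and netstat.
setlocal
set FAIL=0
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

rem 1. Registry value from the first two answers: present and zero.
reg query %KEY% /v SMBDeviceEnabled 2>nul | findstr /i /c:"SMBDeviceEnabled" | findstr /c:"0x0" >nul
if errorlevel 1 (
    echo [FAIL] SMBDeviceEnabled is missing or not 0
    set FAIL=1
) else (
    echo [ OK ] SMBDeviceEnabled = 0
)

rem 2. Server service: not running, and start type disabled.
sc query lanmanserver | findstr /c:"RUNNING" >nul
if not errorlevel 1 (
    echo [FAIL] lanmanserver is still running
    set FAIL=1
) else (
    echo [ OK ] lanmanserver is not running
)
sc qc lanmanserver | findstr /c:"DISABLED" >nul
if errorlevel 1 (
    echo [WARN] lanmanserver start type is not disabled
) else (
    echo [ OK ] lanmanserver start type is disabled
)

rem 3. Listener: require ":445" followed by a space and LISTENING on the
rem    same line, so ":4450" or an outbound connection to a remote :445
rem    is not counted as a local listener.
netstat -an | findstr /r /c:":445 .*LISTENING" >nul
if not errorlevel 1 (
    echo [FAIL] something is still listening on TCP 445
    set FAIL=1
) else (
    echo [ OK ] nothing is listening on TCP 445
)

rem Exit code 0 only if the registry, service and listener checks all passed.
exit /b %FAIL%
```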
As this vulnerability targets SMB and NetBT, it can be removed with cmd (if these services are not required):

```
::Disable netbt service
net stop netbt & sc delete netbt
net stop netbios & sc delete netbios
::Disable Workstation Service
sc stop "LanmanWorkstation"
sc config "LanmanWorkstation" start= disabled
sc delete "LanmanWorkstation"
::Disable SMB feature (windows 7 or higher)
DISM /Online /Disable-Feature /FeatureName:SMB1Protocol /Remove /NoRestart
DISM /Online /Disable-Feature /FeatureName:SmbDirect /Remove /NoRestart
::File and Printer Sharing for Microsoft Networks
netcfg /u ms_server
```

Run this as administrator and restart the PC. These commands will remove the services permanently. You may close the ports in the firewall.
- As this question is tagged windows-XP, are you sure DISM comes with XP? – Jimadine May 14 '17 at 16:49
- Hence I edit the post. See more about [Serverfault:: Optional feature on Windows XP](https://serverfault.com/questions/765920/get-a-list-of-installed-optional-features-on-windows-xp) – Biswapriyo May 14 '17 at 18:47
- @Biswa Only the netcfg line in your commands is relevant to the parameters of OP's question i.e. disable SMB 445 in Win XP. But even netcfg is doubtful given it isn't a standard XP console util (https://arstechnica.com/civis/viewtopic.php?f=17&t=627079). – Jimadine May 17 '17 at 20:57
