windows network file sharing and authentication ports

Tags:
Firewalls
Forensics
Incident response
Intrusion management
NetBIOS
Network security
TCP
VPN
Wireless
I have a requirement for remote users (non-member Windows clients) connected via an MPLS network to connect to a network file share. I would like to know which ports I need to open on the firewall for file sharing and Active Directory authentication. Also, I am going to be using the destination IP addresses to control access to the specific file server; which destination IP address do I use for AD authentication, or will this go via (be proxied by) the file server? Would I need to open DNS ports? Information on the web indicates I need to open:
  • 135/tcp RPC
  • 389/tcp/udp LDAP - do I really need this?
  • 53/tcp/udp DNS
  • 88/tcp/udp Kerberos
  • 445/tcp SMB
  • 137-138/udp NetBT
  • 139/tcp NetBT
Microsoft seem to be saying open ALL TCP/UDP from 135 through to 139, and UDP and TCP 445. I need to be accurate; can anyone clarify?

Answer Wiki


Rather than opening up these ports on a constant basis, have you considered a VPN solution in which these ports will be mapped through the VPN software/appliance? Opening these ports to the world is a problem waiting to happen.

Discuss This Question: 5 Replies

  • Layer9
    Opening those ports is akin to removing your firewall. I would advise you to strongly rethink your needs here. The message "suggesting" you use a VPN is really your only choice here. Network file sharing is a LAN activity, and has NO business being open on the World Wide Web. If you open those ports, that very same day you can bet your network will be breached. Someone could not only intrude into your network, but downing it would be easy. You need a VPN solution. Most network consulting firms can help you implement a secure remote access solution for a reasonable cost. But understand this: you do NOT want to open NetBIOS file sharing to the World Wide Web!
    Chris Weber, layer9corp.com
  • TechArch32
    Thanks for your response(s). I agree it is not a clever thing to do on the Internet, but I am considering this on a private WAN (MPLS) connecting my sites. Any clarification on the precise ports that need to be opened, and whether the DNS port is required, would be useful. I want to avoid opening any unnecessary ports. Regards
  • Sonyfreek
    If you want to connect to shares, you'll need 135 TCP, 88 UDP, 445 TCP, 137 and 138 UDP, and 139 TCP. Windows is strange in how it selects its authentication. At times it will use 445, and other times it wants to use 137/138. You might be able to force it to use 445 only, but it's not a guarantee that it will work. You can also change the order in which your systems look up computers (NetBIOS, DNS, etc.). Search on MS's site for restricting it. You'll never need TCP 53 unless you are doing zone transfers. Finally, you can force Kerberos to use TCP if you want, but by default it uses UDP. Hope this helps, SF
  • TechArch32
    SF, further to your response, I confirm that the following firewall configuration worked with respect to Microsoft file sharing and authentication port(s):
      • Kerberos UDP 88
      • RPC TCP 135
      • NetBIOS UDP 137
      • NetBIOS UDP 138
      • NetBIOS TCP 139
      • SMB TCP 445
    Many thanks for your help. TechArch32
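The two replies above give a minimal port set (Kerberos UDP 88, RPC TCP 135, NetBIOS UDP 137/138 and TCP 139, SMB TCP 445) and contrast it with the broader "all TCP/UDP 135-139 plus 445" reading of the Microsoft guidance quoted in the question. The following added example (editor's code, not from any poster) audits a candidate firewall ruleset against that minimal set: it lists ports opened beyond it, ports still missing, and rules that are not pinned to a specific source or destination range. The addresses, the `Rule` type, and the choice to send Kerberos to the domain controller and everything else to the file server are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Minimal set confirmed to work in the thread for SMB file sharing plus
# Kerberos authentication against AD (proto, port) -> role.
REQUIRED = {
    ("udp", 88): "kerberos",
    ("tcp", 135): "rpc endpoint mapper",
    ("udp", 137): "netbios name service",
    ("udp", 138): "netbios datagram",
    ("tcp", 139): "netbios session",
    ("tcp", 445): "smb",
}

@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp" or "udp"
    ports: tuple           # (low, high) inclusive port range
    src: str               # source CIDR, e.g. the MPLS client range
    dst: str               # destination CIDR, e.g. file server or DC

def audit(rules):
    """Return (excess, missing, broad): ports opened beyond REQUIRED,
    required ports not opened, and rules with an unrestricted src or dst."""
    opened, broad = set(), []
    for r in rules:
        lo, hi = r.ports
        opened.update((r.proto, p) for p in range(lo, hi + 1))
        # A /0 on either side means "anyone" or "anywhere": flag it.
        if any(ipaddress.ip_network(n).prefixlen == 0 for n in (r.src, r.dst)):
            broad.append(r)
    return (sorted(opened - set(REQUIRED)), sorted(set(REQUIRED) - opened), broad)

def minimal_ruleset(mpls_clients, file_server, domain_controller):
    """One rule per required port; Kerberos goes to the DC (assumption), the rest
    to the file server. Addresses are constructed by the caller."""
    return [Rule(proto, (port, port), mpls_clients,
                 domain_controller if role == "kerberos" else file_server)
            for (proto, port), role in REQUIRED.items()]

def broad_ruleset(file_server):
    """The 'everything 135-139 plus 445, both protocols' reading, from any source."""
    return [Rule("tcp", (135, 139), "0.0.0.0/0", file_server),
            Rule("udp", (135, 139), "0.0.0.0/0", file_server),
            Rule("tcp", (445, 445), "0.0.0.0/0", file_server),
            Rule("udp", (445, 445), "0.0.0.0/0", file_server)]
```

Running `audit` on the broad ruleset shows seven ports opened that the thread never needed and Kerberos UDP 88 still missing, which is the gap the asker hit before adding it.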
