The reason for this query is dialup ISP connectivity issues I've been experiencing (XP Pro). I've been having issues with unwanted disconnects / inability to re-connect (until re-boot). Examination of my FW log seems to indicate disconnects (or inability to re-connect) are subsequent to denial of access to port 445. The IP that attempted access belongs to Level 3 Communications (my ISP's provider). Does the provider require access through port 445? As I understand it, while its closure is possible, other dependent services, such as DHCP (dynamic host configuration protocol), which is frequently used for automatically obtaining an IP address from the DHCP servers used by many ISPs, will stop functioning. I understand also that leaving 445 unsecured could lead to dire consequences. Any advice appreciated. Regards all
According to this, port 445 is the last thing you want open to the internet: http://www.grc.com/port_445.htm
Hi Kerodo, I know. That's where I found the text pasted above. It suggests that "port 445... closure... DHCP... will stop functioning." Which has me concerned/curious as to how to securely deal with it. Regards
Hi Bob D, What's TCP port 445 used for in Windows 2000/XP? If you don't need this port, its listening state may be disabled this way:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Create a new key: DWORD SmbDeviceEnabled, value 0. Reboot.
Hello Bob D, First, I would e-mail your ISP and ask if "unsolicited inbound to port 445" is needed by them. I would be surprised if it was. While you wait for a reply from your ISP: It has been quite a while since I have used/set up on dialup (Win3.1), so please excuse my need to ask some questions.
Have you disabled any of the Windows services from the default installation? (The main one I am looking at, at this point, is the "locator service", which if disabled completely (via such tools as WWDC (Windows Worm Door Closer)) can cause problems for DHCP.)
Which firewall are you using?
Do you have ISP software installed (the software for dialup that you would have installed to create your account)?
When you connect, are you given a "time out" for lease? (Start menu > Run > type "CMD", OK; in the popup (command) window type ipconfig /all. You will then be shown your IP etc.; this should include a "lease" time. Do you lose internet connection before this expires?)
Have you just started having this problem (or is this a new account with that ISP)? If you could connect before without this problem, then what has changed on your system (new firewall or network-related application)?
If for some reason you should need to open 445 to your ISP, you can always create a rule in your firewall to do this for your ISP's specific address only. That would probably be safe enough, but as Stem says, it seems rather unlikely that your ISP really needs this.
Hi Kerodo, This would certainly be the direction to take if this inbound was needed, but I would then expect the ISP to filter this port from WAN inbound. Comment: I see many inbound attempts from my own ISP, which they claim are "purely and simply" scans/attempts for security/exploit possibilities (I did/do have some fun with my ISP, as I set up a "Honeypot" with a (password) HTTP server, and one time my ISP spent 3 hours trying to crack the password, lol. I now repeat this every couple of weeks).
(With ref to my comment) It is how some ISPs work.
For me, any unsolicited inbound attempt from your ISP is "invasion", and should not be needed (and I base this as an attack). If some form of "stay alive" connection is needed, then this should be put forward by the ISP, and software made available that only requires an outbound "alive" function. There should be no need for ANY inbound port to be left open simply to keep your internet connection alive.
Yep, I agree 100%. One should be able to block ALL unsolicited inbound without any ill results.. I am on cable here and have never seen anything like that.
Hi Kerodo, Hopefully "Bob D" will supply more details, so we can look at this. If such a provider is requiring this inbound, well, I have doubts about user protection under that provider.
By default Windows machines listen on port 445. Under a typical firewall rule set, this port would be available for unsolicited traffic on the local network, where all traffic is designated as safe (192.168.1.0-192.168.1.255 or whatever), but blocked for unsolicited traffic otherwise. Do we need something else?
I see variations from firewall to firewall; some give "allow all" for such a service, as most of the time this is controlled via svchost (or should I say indirect/redirect access), as with "locator". We certainly need more direct info on such events, if in fact this user is being "dropped" from access due to blocking inbound to this port.
I too would be surprised, but I will query. No. Filseclab. No. No "lease time" is displayed. No. Problem has been ongoing / sporadic. Have done reinstalls of TCP/IP, winsock repair, etc. Problem even continued after recent reformat. I may totally be off-base assuming a relation between dialup woes and the port 445 issue, but I figured this is the place to ask. Phone lines here are not optimal, but the occasional necessity to reboot (after connection dropped) is rather annoying. Tks Kerodo, Stem, et al. for your suggestions. Regards all
Do you have ICMP echo reply enabled? Some ISPs use it to see if the connection is being used, especially if yours is a dynamic or floating IP. If your system doesn't reply to their ping, they assume you're not connected and give the IP to another customer. Something to check into. Rick
Thanx for that interesting tidbit Rick, had not considered it. Echo reply here is blocked. Don't remember ICMP log entries when I've encountered problems, but I'll keep an eye out. Some consider echo replies as a security flaw, others claim it's fairly innocuous. I'd welcome comments on this.
I have seen a need for a "stay alive" signal being required, but I normally have seen this as outbound from the ISP software. Any sort of unsolicited inbound should not really be needed/used. But this can only be fully confirmed by your ISP. Please clear out your firewall logs, then re-boot. When you lose connection, copy and post the log; maybe something in the log (blocked) may give us some insight into what is happening.
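An added example (not from any poster in this thread) of the log triage Stem asks for, tied to the rule set Kerodo describes above: it parses Windows Firewall log records using their #Fields header, counts DROP records for inbound TCP 445 and for ICMP echo requests per source address, and marks whether each source falls inside an assumed trusted LAN range (192.168.1.0/24). The log text, the LAN range and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Triage a Windows Firewall log (W3C-style pfirewall.log) for the symptoms
discussed in the thread: blocked inbound to TCP 445 and dropped ICMP echo
requests, grouped by source and checked against a trusted LAN range.
Example code, not from any poster in the thread."""
import ipaddress
from collections import Counter

# Constructed sample log. Addresses are RFC 5737 documentation ranges, not real hosts.
# Windows Firewall on XP filters inbound only, so DROP records here are inbound.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2006-03-01 20:14:02 DROP TCP 203.0.113.10 10.20.30.40 3467 445 48 S 1234567 0 65535 - - -
2006-03-01 20:14:05 DROP TCP 203.0.113.10 10.20.30.40 3468 445 48 S 1234568 0 65535 - - -
2006-03-01 20:15:11 DROP ICMP 203.0.113.1 10.20.30.40 - - 60 - - - - 8 0 -
2006-03-01 20:15:40 OPEN TCP 10.20.30.40 198.51.100.7 1044 80 - - - - - - - -
2006-03-01 20:16:03 DROP TCP 192.168.1.5 192.168.1.100 1100 445 48 S 99 0 65535 - - -
"""

def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage(text, trusted=("192.168.1.0/24",)):
    """Return per-source counts of dropped TCP/445 and ICMP echo-request (type 8)
    records as {ip: (count, on_trusted_lan)}; 'trusted' is an assumed LAN range."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    smb, pings = Counter(), Counter()
    for rec in parse_log(text):
        if rec["action"] != "DROP":
            continue
        if rec["protocol"] == "TCP" and rec["dst-port"] == "445":
            smb[rec["src-ip"]] += 1
        elif rec["protocol"] == "ICMP" and rec["icmptype"] == "8":
            pings[rec["src-ip"]] += 1
    def on_lan(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)
    return {"smb_drops": {ip: (n, on_lan(ip)) for ip, n in smb.items()},
            "echo_drops": {ip: (n, on_lan(ip)) for ip, n in pings.items()}}

if __name__ == "__main__":
    for kind, rows in triage(SAMPLE_LOG).items():
        for ip, (count, lan) in rows.items():
            print(f"{kind}: {ip} x{count} ({'LAN' if lan else 'WAN'})")
```

A WAN source with repeated 445 drops right before a disconnect is the correlation Bob D describes; a LAN source would instead point at the local allow rule being too narrow.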
It's only a flaw if you consider being stealthed a necessity. "Stealthed" roughly translates that your PC/network does not reveal its existence by responding to unsolicited packets. The only real advantage stealth offers is that it makes your PC a bit harder to find with random port scans, and then only if your system has no open ports. When your existence or IP is known, stealthed ports offer no advantage over closed ports. It's far more important that your ports are closed and for ones that need to be open to be limited to accepting connections from only the necessary IPs. Rick
Thanx Stem, Herbalist for the replies. Currently running Windows FW, allowing incoming echo requests, with the hope of identifying the problem. GRC'd it, and all is stealthed, with the (expected) exception of reply to ICMP Echo requests. Regards all