TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. This service is only implemented in the more recent versions of Windows (e.g. Windows 2k/XP). The SMB (Server Message Block) protocol is used, among other things, for file sharing in Windows NT/2k/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP, ports 137, 138 and 139/udp). In Windows 2k/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.

Port 445 should be blocked at the firewall level. It can also be disabled by deleting the HKLM\System\CurrentControlSet\Services\NetBT\Parameters\TransportBindName value (the value only, not the key) in the Windows Registry.

Leaving port 445 open will leave you vulnerable to some worms such as W32.Deloader and IraqiWorm (aka Iraq_oil.exe), W32.HLLW.Moega, W32.Sasser Worm, W32.Korgo.AB (09.24.2004), Backdoor.Rtkit.B (10.01.2004), Trojan.Netdepix.B (01.16.2005), as well as the Null Session Windows Exploit.

MS Security Bulletin [MS03-026] outlines a critical RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet. See also: Microsoft Security Bulletin [MS03-049] and Microsoft Security Bulletin [MS03-043].

W32.Zotob.C@mm (08.16.2005) - a mass-mailing worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It connects to IRC servers and listens for remote commands on port 8080/tcp. It also opens an FTP server on port tcp/33333. Note: the same ports are used by the W32.Zotob.A and W32.Zotob.B variants of the worm as well.

W32.Zotob.D (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Connects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port tcp/1117.

W32.Zotob.E (08.16.2005) - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 8080/tcp. It opens port 69/udp to initiate the TFTP transfers. It also opens a backdoor on remote compromised computers on port 8594/tcp.

Port 445/tcp is also used by the W32.Zotob.H variant of the worm.

W32.Conficker worm - a worm ... with multiple variants. It exploits a buffer overflow vulnerability in the Server Service on Windows computers. McAfee has named the most recently discovered variant of this worm W32/Conficker.worm.gen.d. The original W32.Conficker worm attacks port 445, the port that Microsoft Directory Service uses, and exploits the Microsoft Windows vulnerability [MS08-067].

Buffer overflow in a certain driver in Cisco Security Agent 4.5.1 before 4.5.1.672, 5.0 before 5.0.0.225, 5.1 before 5.1.0.106, and 5.2 before 5.2.0.238 on Windows allows remote attackers to execute arbitrary code via a crafted SMB packet in a TCP session on port (1) 139 or (2) 445.
References: [CVE-2007-5580] [BID-26723] [SECUNIA-27947] [OSVDB-39521]

LANMAN service on Microsoft Windows 2000 allows remote attackers to cause a denial of service (CPU/memory exhaustion) via a stream of malformed data to microsoft-ds port 445.
References: [CVE-2002-0597] [BID-4532] [OSVDB-5179]

Source: SG

Port reference entries:
445/tcp - Microsoft-DS, Active Directory, Windows shares (official) [Wikipedia]
445/udp - Microsoft-DS, SMB file sharing (official)
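As an added, read-only audit example (not part of the original entry), the following PowerShell reports the state of the three 445/tcp controls the entry describes: the NetBT TransportBindName registry value, any socket currently listening on 445/tcp, and enabled inbound Windows Firewall rules covering the port. It assumes a Windows release with the NetTCPIP and NetSecurity modules (Windows 8 / Server 2012 or later) and an elevated prompt; it changes nothing.

```powershell
# Added audit example: report whether this host still exposes SMB direct
# hosting on 445/tcp. Read-only. Assumes Windows 8 / Server 2012 or later
# (Get-NetTCPConnection and the NetSecurity cmdlets) and an elevated prompt.

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# 1. Registry value that binds SMB to the direct-host (445/tcp) transport.
#    The entry's mitigation is to delete this value; here it is only reported.
$bind = Get-ItemProperty -Path $paramsKey -Name TransportBindName -ErrorAction SilentlyContinue
if ($null -eq $bind) {
    Write-Output 'TransportBindName: absent (SMB direct hosting on 445 disabled via registry)'
} else {
    Write-Output ("TransportBindName: present, value '{0}'" -f $bind.TransportBindName)
}

# 2. Is anything actually listening on 445/tcp right now, and which process owns it?
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("445/tcp LISTEN on {0} by PID {1} ({2})" -f `
            $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Output '445/tcp: no listening socket'
}

# 3. Host firewall: enabled inbound rules whose local port list includes 445,
#    so the operator can see whether the port is explicitly blocked or allowed.
#    LocalPort may be a single string or an array, hence the @() wrapper.
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @($_.LocalPort) -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
if ($rules) {
    foreach ($r in $rules) {
        Write-Output ("Firewall rule '{0}': {1} (profile {2})" -f `
            $r.DisplayName, $r.Action, $r.Profile)
    }
} else {
    Write-Output 'Firewall: no enabled inbound rule names 445/tcp (default inbound policy applies)'
}
```

A host that still shows TransportBindName present, a listener owned by System, and an Allow rule (or no rule with a permissive default) is exposed in the way the entry warns about; blocking at a network firewall remains the primary control.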
