I am learning a legacy system where the security team only opened TCP port 139 between web servers and a file server (both Windows 2008 R2) for file access. I have usually used TCP port 445 for such access. Why would they recommend using port 139 only? Are there benefits from using port 139 over port 445 or vice versa?
1 Answers
2
This is explained in Q204279.
In short: earlier Windows versions (pre Windows 2000) used "NetBIOS over TCP/IP" (with 137/udp, 137/tcp, 138/udp and 139/tcp) to offer the SMB protocol. Newer versions can skip the NetBIOS part and can communicate directly with other hosts via 445/tcp and NetBIOS can be disabled.
Oh, and as to why anyone would use one or the other: 139/tcp would be used if older Windows clients are in use that don't know about direct SMB. But in general 445/tcp would be preferable, as it's easier to configure just one port than 4 different port/protocol configurations in e.g. a firewall.

ckujau
-
Just as I was thinking. I appreciate you confirming for me. The strange part is that it seems only TCP 139 is open from web to file server. Using telnet I was unable to connect on 137 or 138. Strange setup. – Brettski Jan 22 '14 at 03:26
-
In NetBIOS, port 138 is for UDP, so telnet would not be able to connect to that port. Same for port 137, although Q204279 names 137/tcp also, I've never seen port 137 configured for TCP, only UDP. – ckujau Jan 22 '14 at 03:54
-
Found this PowerShell command to check UDP connection. If it returns without error it was able to connect. Use at own risk: (New-Object Net.Sockets.UdpClient).Connect("", ) – Brettski Jan 22 '14 at 19:31
-
Nice, but it returns w/o error for every UDP connection, because of...well, UDP really. One has to watch the other end if something has actually been sent over the wire. – ckujau Jan 22 '14 at 19:54
-
True, but if the port isn't open, e.g. blocked by firewall, it will error. It's at least a smoke test without having to load software on either side. – Brettski Jan 22 '14 at 20:25
-
Not here, "PS> (New-Object Net.Sockets.UdpClient).Connect("some-host",1234)" always comes back w/o errors, although there's really nothing listening on 1234/udp. For TCP connection, your command works just fine and it errors out when it's unable to connect. – ckujau Jan 22 '14 at 21:07
-
let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/12624/discussion-between-brettski-and-ckujau) – Brettski Jan 22 '14 at 22:18
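
The difference discussed in the comments above, as an added example that is not part of the original thread: a TCP connect involves a handshake and so reports refused or timed-out ports, while `UdpClient.Connect` only records the remote endpoint locally, so a UDP check has to send a datagram and wait for a reply or an error. The function names, the one-byte payload and the host name `fileserver.example` are assumptions made for illustration.

```powershell
# Added example. Test-TcpPort / Test-UdpPort are hypothetical helper names.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'no answer (filtered or host down)'
        }
        $client.EndConnect($async)   # throws if the handshake was refused
        return 'open'
    } catch {
        return "closed or error: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Close()
    }
}

function Test-UdpPort {
    param([string]$ComputerName, [int]$Port, [byte[]]$Payload = @(0), [int]$TimeoutMs = 2000)
    $udp = New-Object Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($ComputerName, $Port)           # local bookkeeping only, nothing is sent
        [void]$udp.Send($Payload, $Payload.Length)   # first datagram that reaches the wire
        $remote = New-Object Net.IPEndPoint ([Net.IPAddress]::Any, 0)
        [void]$udp.Receive([ref]$remote)             # blocks until reply, ICMP error or timeout
        return 'open (reply received)'
    } catch {
        $err = $_.Exception.GetBaseException()
        if ($err -is [Net.Sockets.SocketException]) {
            switch ($err.SocketErrorCode) {
                'ConnectionReset' { return 'closed (ICMP port unreachable came back)' }
                'TimedOut'        { return 'no reply (open, filtered, or payload ignored)' }
            }
        }
        return "error: $($err.Message)"
    } finally {
        $udp.Close()
    }
}

$server = 'fileserver.example'   # placeholder host name
foreach ($p in 139, 445) { '{0}/tcp: {1}' -f $p, (Test-TcpPort $server $p) }
foreach ($p in 137, 138) { '{0}/udp: {1}' -f $p, (Test-UdpPort $server $p) }
```

A "no reply" result on 137/udp or 138/udp is still ambiguous, because a NetBIOS service will not answer an arbitrary one-byte datagram; confirming delivery requires watching the receiving end, as noted in the comments.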