SMB (Server Message Block) on TCP port 445 is the Windows file-sharing and remote-management protocol. It carries file shares, printer sharing, named pipes for inter-process communication, and the MS-RPC-based Windows administrative protocols (service control, remote registry and similar) that ride over those pipes. SMB is core to Windows networking: Active Directory (the SYSVOL and NETLOGON shares), Group Policy and file servers all depend on it. Modern versions are SMB 2 and SMB 3, with SMB 3.1.1 the current dialect; SMB 1 is deprecated and should be disabled everywhere.
SMB has produced some of the most consequential security incidents in computing history. EternalBlue (CVE-2017-0144) exploited a wormable remote-code-execution flaw in the SMB 1 server; the exploit was developed by the NSA, published by the Shadow Brokers in April 2017, and used by WannaCry the following month to infect hundreds of thousands of systems worldwide and cause billions in damages. SMBGhost (CVE-2020-0796) followed the same pattern in the SMB 3.1.1 compression feature added in Windows 10 1903/1909. EternalRomance, EternalChampion and EternalSynergy came out of the same leak. The pattern: SMB is a complex, widely exposed protocol surface that periodically produces severe, often wormable, vulnerabilities.
For defenders, SMB hardening has several layers: disable SMB 1 entirely (there is no legitimate need for it in 2026); require SMB signing on both server and client (prevents tampering and NTLM relay to that host); require SMB encryption where the clients support it (SMB 3.0 and later offer encrypted transport); never expose SMB to the internet (block TCP 445, and the legacy NetBIOS ports 137-139, inbound from public addresses); and monitor for unusual SMB activity, since lateral movement, credential dumping and ransomware deployment all ride on SMB.
Five real-world scenarios involving port 445
External pentest — checking for internet-exposed SMB
External pentest reconnaissance includes scanning client IP ranges for SMB exposure. Standard tooling: nmap -p 139,445 --script smb-protocols,smb-security-mode target (reports the dialects offered and whether signing is required), masscan for wide sweeps, and Shodan queries for the client's netblocks. Internet-exposed SMB is a critical finding regardless of patch level: the attack surface is unjustifiable, and an exposed host is already receiving continuous credential brute force from internet scanners.
Internal pentest — SMB enumeration and credential dumping
After an initial foothold, SMB is the primary lateral-movement protocol. Standard tools: the Impacket suite (psexec.py, smbclient.py, secretsdump.py), CrackMapExec (now NetExec) for spraying credentials and hashes across hosts, and Responder for capturing Net-NTLM hashes from hosts tricked into authenticating to a rogue SMB server. Successful SMB-based moves (local admin on one host, credentials dumped from LSASS or the SAM, reused against the next host) often lead to domain admin within hours.
Incident response — ransomware spreading over SMB
Most ransomware uses SMB both for lateral movement (spreading from the initial host to other systems) and for the encryption itself (writing encrypted files to network shares). IR investigation focuses on SMB logs, file-share access patterns and SMB-related events: on Windows, Security events 5140 (network share accessed) and 5145 (detailed file share access, including the access mask) are the primary sources. A single account generating write operations to many shares on many servers at once is a strong indicator of active ransomware deployment.
Attack surface reduction — SMB hardening sweep
Periodic audit: scan the internal network for SMB-listening hosts, then verify on each that SMB 1 is disabled, SMB signing is required (server and client), and SMB encryption is enabled where applicable. Tools: PowerShell Get-SmbServerConfiguration and Get-SmbClientConfiguration (run across the fleet over WinRM with Invoke-Command), audit scripts that check the Group Policy settings, and SIEM queries for SMB-related events.
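The sweep described above, as an added PowerShell example (not code from the original page). It assumes an administrative session, PowerShell 5.1 or later, the SmbShare module (Windows 8 / Server 2012 or later), WinRM reachable on the target hosts, and a hypothetical input file smb-hosts.txt with one hostname per line. It checks the server and client settings from this section plus the null-session registry restrictions covered later in the page, exports the failures as evidence, and ends with the remediation commands for a host that fails.

```powershell
# Added example: SMB hardening audit for one or many Windows hosts.
# Assumes an administrative session, PowerShell 5.1+, the SmbShare module
# (Windows 8 / Server 2012 or later) and WinRM on the remote hosts.
# smb-hosts.txt is a hypothetical input file, one hostname per line.

function Test-SmbHardening {
    # Returns one object per check (Setting / Expected / Actual / Pass) so the
    # output can be filtered, exported and attached to compliance evidence.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration

    # SMB 1 has two switches: the server-side protocol flag and the installed
    # component. Both must be off; the component is absent on some images.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smb1Installed = [bool]($feature.State -eq 'Enabled')

    # Null-session restrictions live under the LSA key; a missing value reads as 0.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $checks = @(
        @{ Setting = 'SMB1 protocol accepted by server';  Expected = $false; Actual = $srv.EnableSMB1Protocol }
        @{ Setting = 'SMB1Protocol component installed';  Expected = $false; Actual = $smb1Installed }
        @{ Setting = 'Server requires signing';           Expected = $true;  Actual = $srv.RequireSecuritySignature }
        @{ Setting = 'Client requires signing';           Expected = $true;  Actual = $cli.RequireSecuritySignature }
        @{ Setting = 'Server encrypts all sessions';      Expected = $true;  Actual = $srv.EncryptData }
        @{ Setting = 'Server rejects unencrypted access'; Expected = $true;  Actual = $srv.RejectUnencryptedAccess }
        @{ Setting = 'Lsa\RestrictAnonymous';             Expected = 1;      Actual = [int]$lsa.RestrictAnonymous }
        @{ Setting = 'Lsa\RestrictAnonymousSAM';          Expected = 1;      Actual = [int]$lsa.RestrictAnonymousSAM }
        @{ Setting = 'Lsa\EveryoneIncludesAnonymous';     Expected = 0;      Actual = [int]$lsa.EveryoneIncludesAnonymous }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Setting      = $c.Setting
            Expected     = $c.Expected
            Actual       = $c.Actual
            Pass         = ($c.Actual -eq $c.Expected)
        }
    }
}

# Run the audit locally, then across the fleet over WinRM; keep the failures as evidence.
Test-SmbHardening | Format-Table Setting, Expected, Actual, Pass -AutoSize

$hosts   = Get-Content .\smb-hosts.txt
$results = Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-SmbHardening} -ErrorAction Continue
$results | Where-Object { -not $_.Pass } |
    Select-Object ComputerName, Setting, Expected, Actual |
    Sort-Object ComputerName, Setting |
    Export-Csv -NoTypeInformation -Path .\smb-hardening-failures.csv

# Remediation for a host that failed the SMB 1 and signing checks. Server-wide
# encryption is deliberately not forced here: EncryptData together with
# RejectUnencryptedAccess locks out every client that cannot negotiate SMB 3.0,
# so enable it per share first unless the client inventory is known to be clean.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove -NoRestart
```

The two encryption checks will fail on most servers that use per-share encryption only; treat them as informational unless the policy is "encrypt everything", and keep the CSV from each run as the evidence trail the compliance scenario below asks for.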
Compliance — SMB requirements for security frameworks
Frameworks such as the CIS Windows benchmarks and the DISA STIGs require SMB 1 disabled, SMB signing required, and SMB exposure restricted to trusted networks. Specific guidance varies, but the common thread is "SMB 1 is unacceptable; modern SMB requires hardening". Group Policy enforces these settings at scale; verify with audit tools and keep the audit output as compliance evidence.
Common mistakes & edge cases
Leaving SMB 1 enabled "for legacy compatibility"
The single biggest SMB mistake. SMB 1 has a history of wormable remote-code-execution bugs, lacks the pre-authentication integrity and encryption of SMB 3, and is unnecessary on any supported system. Whatever legacy device requires it (an old NAS, printer or appliance) belongs on its own VLAN with strict firewall rules, reachable only from the few hosts that must talk to it, not granted SMB 1 access to the production network.
Exposing SMB on port 445 to the public internet
Same pattern as RDP: internet-exposed SMB is indefensible. Wormable CVEs, credential brute force and NTLM-relay attacks all target it, and port 445 is scanned continuously. Block TCP 445 (and 137-139) inbound from public addresses at the perimeter, and block it outbound as well so that internal hosts cannot be coaxed into authenticating to an attacker's SMB server on the internet via a UNC path. SMB belongs only between trusted internal hosts, never to or from the internet.
Not requiring SMB signing
SMB without signing lets a network attacker tamper with traffic and, more importantly, relay captured NTLM authentication to a server that does not verify signatures. Group Policy: "Microsoft network server: Digitally sign communications (always)" together with the matching client setting. Requiring signing on a server protects only connections to that server: relay succeeds against whichever host still accepts unsigned sessions, so the setting has to be universal. Domain controllers have required signing by default for years, and Windows 11 24H2 and Windows Server 2025 require it by default on all connections, but legacy environments often still have signing enabled-but-optional rather than required.
Granting "Everyone" or "Authenticated Users" full control on file shares
Wide-open share permissions amplify the impact of any credential compromise: every phished user becomes a ransomware vector for every share. Apply least privilege: grant shares to specific groups based on need, limit write permissions to those who actually need them, and put sensitive data on shares with restrictive ACLs. Share permissions combine with NTFS permissions (the more restrictive wins), so audit both. Audit existing share permissions now and tighten them before an incident forces the issue.
Storing sensitive data on shares without encryption
SMB 3.0 and later support encrypted transport (AES-CCM in 3.0, AES-GCM added in 3.1.1). Enable encryption on shares containing sensitive data, either per share (Set-SmbShare -EncryptData $true) or server-wide (Set-SmbServerConfiguration -EncryptData $true). Encrypted shares refuse clients that negotiated a pre-3.0 dialect unless RejectUnencryptedAccess is turned off, so inventory old clients first. Encryption complements access control: it protects data on the wire, while ACLs decide who can reach it. Both layers are needed.
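The share-permission audit from the previous item and the per-share encryption from this one, as an added PowerShell example that is not part of the original page. It assumes an administrative session on the file server and the SmbShare module; the group names passed to the repair function and the inclusion of "Domain Users" in the broad-principal list are assumptions about the environment.

```powershell
# Added example: find file shares that grant broad groups write access, then
# repair one share with least-privilege groups and SMB encryption.
# Assumes an administrative session on the file server and the SmbShare module.
# The group names passed to Repair-SmbShareExposure are hypothetical.

# Principals that mean "everyone who can reach the server". Compared on the
# name after the last backslash, so 'NT AUTHORITY\Authenticated Users' and
# 'BUILTIN\Users' match too. 'Domain Users' is an assumption about the domain.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'ANONYMOUS LOGON')

function Test-BroadPrincipal {
    param([Parameter(Mandatory)][string]$AccountName)
    $leaf = $AccountName.Split('\')[-1]
    return ($BroadPrincipals -contains $leaf)
}

function Get-OverexposedSmbShare {
    # Skips the administrative shares (C$, ADMIN$, IPC$ have Special = $true) and
    # reports every Allow ACE for a broad principal. Full or Change is a Fail;
    # a read-only grant to Everyone is a Warn that still deserves a look.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not (Test-BroadPrincipal -AccountName $ace.AccountName)) { continue }
            $severity = 'Warn'
            if ($ace.AccessRight -in 'Full', 'Change') { $severity = 'Fail' }
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Account   = $ace.AccountName
                Right     = $ace.AccessRight
                Encrypted = $share.EncryptData
                Severity  = $severity
            }
        }
    }
}

function Repair-SmbShareExposure {
    # Replaces the blanket grants with two purpose-specific groups and requires
    # encryption on the share. NTFS permissions on the folder still apply (the
    # more restrictive of share and NTFS wins) and must be tightened as well.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ReadGroup,
        [Parameter(Mandatory)][string]$WriteGroup
    )
    foreach ($ace in (Get-SmbShareAccess -Name $Name)) {
        if (Test-BroadPrincipal -AccountName $ace.AccountName) {
            Revoke-SmbShareAccess -Name $Name -AccountName $ace.AccountName -Force
        }
    }
    Grant-SmbShareAccess -Name $Name -AccountName $ReadGroup  -AccessRight Read   -Force
    Grant-SmbShareAccess -Name $Name -AccountName $WriteGroup -AccessRight Change -Force
    # Clients that negotiated a pre-3.0 dialect are refused from here on unless
    # the server's RejectUnencryptedAccess has been set to $false.
    Set-SmbShare -Name $Name -EncryptData $true -Force
}

Get-OverexposedSmbShare | Sort-Object Severity, Share | Format-Table -AutoSize
# Example repair (group names are placeholders for this environment):
# Repair-SmbShareExposure -Name 'Finance' -ReadGroup 'CONTOSO\Finance-Read' -WriteGroup 'CONTOSO\Finance-Write'
```

Run the audit first and review the Warn rows by hand: a read-only Everyone grant on a software-distribution share may be intended, while the same grant on a share holding HR exports is a finding even though nothing can be written to it.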
No monitoring of unusual SMB activity
Lateral movement and ransomware deployment look different from normal SMB activity: one account suddenly touching many shares, write operations across many servers within minutes, connections at off hours or from workstations that never acted as file clients before. Without SIEM correlation rules looking for these patterns (Security events 5140 and 5145, which require the Audit File Share and Audit Detailed File Share subcategories to be enabled), attacks proceed undetected. Microsoft Defender for Identity (formerly Azure ATP) detects many SMB-based attack patterns automatically.
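The correlation logic described above, as an added PowerShell example that is not part of the original page. It runs offline against a constructed set of 5145-shaped records (not real logs) and includes a converter for real Security 5145 events, which requires the Audit Detailed File Share subcategory. The thresholds and the account, server, share and address values are assumptions.

```powershell
# Added example: detect one account writing to many shares on many servers within
# a few minutes, the SMB footprint of ransomware deployment. Runs on constructed
# sample records; ConvertFrom-FileShareEvent feeds it real Security 5145 events
# (requires the "Audit Detailed File Share" subcategory). Thresholds, names and
# addresses below are assumptions, not values from the original page.

function ConvertFrom-FileShareEvent {
    # Flattens a 5145 EventRecord into the shape Find-SmbWriteBurst expects.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            Server      = $Event.MachineName                       # 5145 is logged on the file server
            Account     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            SourceIp    = $data.IpAddress
            Share       = $data.ShareName
            AccessMask  = [convert]::ToInt32($data.AccessMask, 16) # logged as hex text, e.g. '0x2'
        }
    }
}

function Find-SmbWriteBurst {
    # Sliding window per account: alert when writes hit at least $MinShares
    # distinct shares spread over at least $MinServers servers within $WindowMinutes.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMinutes = 5,
        [int]$MinShares  = 10,
        [int]$MinServers = 3
    )
    # Write-class bits of the 5145 AccessMask: WriteData/AddFile (0x2), AppendData (0x4),
    # DeleteChild (0x40) and DELETE (0x10000). ReadData (0x1) alone never counts.
    $writeBits = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000
    $writes = @($Events | Where-Object { ($_.AccessMask -band $writeBits) -ne 0 } | Sort-Object TimeCreated)

    foreach ($group in ($writes | Group-Object Account)) {
        $ev = @($group.Group)
        for ($i = 0; $i -lt $ev.Count; $i++) {
            $end     = $ev[$i].TimeCreated.AddMinutes($WindowMinutes)
            $window  = @($ev[$i..($ev.Count - 1)] | Where-Object { $_.TimeCreated -le $end })
            $shares  = @($window | Select-Object Server, Share -Unique)
            $servers = @($window | Select-Object -ExpandProperty Server -Unique)
            if ($shares.Count -ge $MinShares -and $servers.Count -ge $MinServers) {
                [pscustomobject]@{
                    Account   = $group.Name
                    Start     = $ev[$i].TimeCreated
                    End       = $window[-1].TimeCreated
                    Shares    = $shares.Count
                    Servers   = $servers.Count
                    SourceIps = (($window | Select-Object -ExpandProperty SourceIp -Unique) -join ', ')
                }
                break   # one alert per account per run is enough for triage
            }
        }
    }
}

# Constructed sample (not real logs): alice does normal work on one share while
# jsmith writes to twelve shares across four servers in under two minutes.
$t0 = Get-Date '2024-03-10 02:13:00'
$Sample = @(
    [pscustomobject]@{ TimeCreated = $t0;               Server = 'FS01'; Account = 'CONTOSO\alice'; SourceIp = '10.1.5.20'; Share = '\\*\Finance'; AccessMask = 0x2 }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); Server = 'FS01'; Account = 'CONTOSO\alice'; SourceIp = '10.1.5.20'; Share = '\\*\Finance'; AccessMask = 0x1 }
)
$fileServers = 'FS01', 'FS02', 'FS03', 'FS04'
for ($k = 0; $k -lt 12; $k++) {
    $Sample += [pscustomobject]@{
        TimeCreated = $t0.AddSeconds(8 * $k)
        Server      = $fileServers[$k % 4]
        Account     = 'CONTOSO\jsmith'
        SourceIp    = '10.1.7.44'
        Share       = "\\*\Dept$k"
        AccessMask  = 0x2
    }
}

Find-SmbWriteBurst -Events $Sample | Format-List
# Live use on a file server:
#   $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145; StartTime = (Get-Date).AddHours(-1) } | ConvertFrom-FileShareEvent
#   Find-SmbWriteBurst -Events $live
```

On the sample data only CONTOSO\jsmith is reported (12 shares, 4 servers, one source IP); alice's single write never reaches the thresholds. In production the events come from many file servers, so the correlation belongs in the SIEM rather than on one host, and backup and DFS replication service accounts need their own allow-list or a much higher threshold.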
Frequently Asked Questions about port 445
What is SMB and which port does it use?
Server Message Block: the Windows file-sharing and remote-management protocol. It handles file shares, printer sharing, named pipes for IPC, and the Windows administrative protocols carried over those pipes. Default port is TCP 445 (direct-hosted SMB, since Windows 2000); SMB over NetBIOS also uses TCP 139, with UDP 137/138 for NetBIOS name service and datagrams.
Which SMB versions exist, and which should I allow?
SMB 1 (deprecated; disable it), SMB 2.0/2.1 (Windows Vista/7 and Server 2008/2008 R2), SMB 3.0/3.0.2/3.1.1 (Windows 8 / Server 2012 and later; current). SMB 3.1.1 is the modern standard, with pre-authentication integrity and AES encryption. Disable SMB 1 everywhere and aim for SMB 3.0 or later as the floor; note that disabling SMB 1 still leaves SMB 2.0.2 negotiable on most Windows releases, and only the newest (Windows 11 24H2 / Windows Server 2025) add a minimum-dialect setting to enforce SMB 3.
What was EternalBlue?
CVE-2017-0144: a wormable remote-code-execution vulnerability in the Windows SMB 1 server. The NSA's exploit for it was published by the Shadow Brokers in April 2017 and used by WannaCry in May 2017 to spread automatically across networks, infecting hundreds of thousands of systems worldwide; NotPetya reused it a month later. Microsoft had patched it in March 2017 (MS17-010), but unpatched systems remained vulnerable for years afterward. It is the defining example of why SMB 1 must not exist on modern networks.
How do I check whether SMB 1 is enabled?
PowerShell: Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol shows whether the server still accepts SMB 1; Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol shows whether the SMB 1 component is installed (State Enabled or Disabled). On Windows Server the component is the FS-SMB1 feature (Get-WindowsFeature FS-SMB1). Check across many systems via PowerShell remoting or Group Policy reporting. Disable with Set-SmbServerConfiguration -EnableSMB1Protocol $false and Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove (or Uninstall-WindowsFeature FS-SMB1 on Server); -Remove also deletes the feature payload, so it cannot be re-enabled without installation media or a download from Windows Update.
What is SMB signing?
Cryptographic signing of each SMB message so that the receiver detects tampering and so that a session cannot be driven by anyone who does not hold the session key. Requiring signing defeats NTLM relay attacks, in which a network attacker forwards a victim's authentication to another server in real time: the relayed session lacks the key needed to sign, so the target rejects it. Group Policy: "Microsoft network server: Digitally sign communications (always)" and "Microsoft network client: Digitally sign communications (always)". Enable both; the server-side setting protects only the servers it is applied to.
What is SMB encryption?
An SMB 3.0+ feature that encrypts session traffic between client and server (AES-128-CCM in SMB 3.0; AES-128-GCM added in 3.1.1, with AES-256 variants on Windows Server 2022 / Windows 11). Enable it per share (Set-SmbShare -EncryptData $true) or server-wide (Set-SmbServerConfiguration -EncryptData $true). It complements access control: it protects data on the wire even if an attacker can capture traffic, and an encrypted session is implicitly integrity-protected. Performance overhead is modest on hardware with AES instructions. Clients that only negotiate SMB 2.x are refused on encrypted shares unless RejectUnencryptedAccess is disabled. Enable it for shares containing sensitive data.
Does SMB use NTLM or Kerberos?
Either. SMB authentication uses NTLM (legacy) or Kerberos (preferred), negotiated through SPNEGO. NTLM has well-known weaknesses (relay, hash capture and offline cracking of Net-NTLMv2). In an Active Directory environment Kerberos is used when the client connects by hostname or FQDN to a domain-joined server; connecting by IP address or to a non-domain host falls back to NTLM, which is why hard-coded IP-based UNC paths keep NTLM alive. Disable NTLM where possible (audit first with the "Network security: Restrict NTLM" policies) and require Kerberos; legacy environments may still use NTLM extensively.
Can SMB activity be monitored?
Yes. Windows Security event 5140 (a network share object was accessed) and 5145 (a network share object was checked for access, including share, relative file name and access mask) cover share use; they require the Audit File Share and Audit Detailed File Share subcategories to be enabled, and 5145 is high-volume. Sysmon adds process-level context, and Microsoft Defender for Identity detects SMB-based attack patterns (lateral movement, credential dumping, ransomware deployment). SIEM correlation rules that look for one account writing to many shares across multiple servers within minutes are particularly effective at catching active ransomware.
What are null sessions?
An old SMB behaviour that allows unauthenticated (anonymous) connections to the IPC$ share, historically used to enumerate users, groups, shares and policy information from Windows systems. Restricted by default in modern Windows. Verify with: net use \\target\IPC$ "" /user:"" followed by an enumeration attempt; the connection should be refused or, at minimum, every enumeration should be denied. The restrictions are registry values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous), set through the Group Policy "Network access: Do not allow anonymous enumeration of SAM accounts" and "... SAM accounts and shares" settings. Enable the maximum restrictions; null sessions provide pure reconnaissance value to attackers and have no legitimate use.
How does SMB compare to NFS?
NFS (Network File System, port 2049) is the Unix/Linux equivalent: a different protocol in a similar role. SMB has historically had more security issues because of its greater complexity and the much larger Windows attack surface behind it. NFS has its own problems (NFSv2/v3 with AUTH_SYS trust the client-asserted UID/GID unless Kerberos is used; NFSv4 is better but still needs careful configuration). Cross-platform environments use Samba, the Linux SMB implementation, to serve SMB shares from Linux and to mount Windows shares on Linux.