What Is Microsoft-ds Service And Why Is It Important?
| 2002-Dec-30 6:52 pm MICROSOFT-DS ...What is this? MICROSOFT-DS is shown listening on UDP, port 445. I am curious what this is and if there is a way of turning it off in XP or if this is one of those MS things that I should just leave the heck alone? I have read the discussion on this port and also have both a firewall and router, so I am not too concerned, but I am curious. You know what I need? satisfaction! |
| Just a guess. "Directory Service" ? - FM |
psloss | to jaykaykay said by jaykaykay: It's shown listening by what, exactly? "Microsoft-DS" is just the service/protocol name for tcp and udp port 445; take a look at Robin Keir's port list or consult a favorite: tcp and udp 445 are used by Windows 2000 and XP for Windows File and Print Sharing. Both versions will also work with the NetBIOS ports for backwards compatibility. To turn it off, you can disable the NetBIOS over TCP/IP driver (NetBT.sys). That's usually a bit too "over the top," so as an alternative, you can add a Registry value, as per a recent thread here: and which has been cited a lot; here's another reference that cites that technique: Philip Sloss |
| to jaykaykay SMB and NetBT: Windows file and print sharing uses the SMB protocol, which has historically relied on NetBIOS. NetBIOS, in turn, required NetBIOS over TCP/IP (NetBT) to function on IP networks. NetBT uses TCP port 139 and has a limitation of binding only to the primary IP address of each NIC. This is explained in Microsoft Knowledge Base article Q131641, and can be seen by using a port scanner to probe TCP port 139 (the "nbsession" port) on an adapter with multiple addresses. This will show that NetBT is listening on TCP port 139 only on the primary address. Windows 2000 and later versions do not require the NetBT layer and use SMB directly on top of TCP/IP using port 445 (TCP and UDP). This implementation does not have the same binding limitation and allows clients to establish SMB sessions to any IP address on the server using port 445. In order to be backward compatible with legacy clients and servers, Windows 2000 also supports SMB on NetBT using port 139, which inherits the primary IP address limitation. If NetBT is disabled, a Windows 2000 system will use only port 445 for SMB sessions. |
|
OK. In short, what I have to do is go in and muck with the registry, eh? If I leave the darned thing running is there any problem? I sure didn't upload that one well! Thanks for making the change. This is part of what I was trying to show: System 4 0.0.0.0 445 Listen UDP |
dave | to psloss said by psloss: This seems implausible, since 445/tcp is nothing to do with NETBIOS-over-TCP; it's there precisely as an alternative to using NETBIOS-over-TCP. Are you certain? That's certainly not the way I read the Microsoft reference. It's telling you how to turn off NETBIOS-over-TCP since you don't need NETBIOS when you're using SMB directly over TCP. [text was edited by author 2002-12-30 19:52:47] |
psloss | 2002-Dec-30 8:33 pm said by dave: It is my belief, yes. While NBT and Direct SMB over IP use different ports, the protocol foundation is essentially the same -- SMBs. (It's tangential to this point, but different "dialects" use different sets of SMBs, the latest usually being a superset of what has come before.) I believe that the implementation of Direct SMB is in the NetBT driver -- the Registry value mentioned is in the Parameter subkey off that driver's SCM Registry entries. So even though there's no NetBIOS in Direct SMB, that which distinguishes SMB over NBT vs. Direct SMB is rather small. OK, I'm leaving out an important thing -- name resolution. That is different, though it employs different ports (NetBIOS uses its own name resolution, primarily via udp/137; Direct SMB is supposed to use DNS.) But as far as tcp/139 "NetBIOS" sessions vs. tcp/445 Direct SMB sessions, there's not much fundamental difference to me. If you're interested in such things, I saw an article about this in the latest version of Phrack via a link from SecurityNewsPortal.com... The most direct way to "verify," though, is to run something like Ethereal and look at a session. Direct SMB has a "pseudo header" that resembles a NetBIOS header (actually, the Phrack "article" discusses how these end up working about the same from a handling standpoint). Philip Sloss |
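The "pseudo header" comparison in the post above can be checked without a sniffer. This is an added example, not part of the original thread: it decodes the 4-byte framing header as defined for the NetBIOS Session Service (RFC 1002) and for Direct SMB over TCP; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Message types of the NetBIOS Session Service (RFC 1002), used on tcp/139.
NBSS_TYPES = {0x00: "session message", 0x81: "session request",
              0x82: "positive session response", 0x83: "negative session response",
              0x84: "retarget session response", 0x85: "session keep alive"}
SMB1_MAGIC = b"\xffSMB"  # first four bytes of every SMB1 message


def parse_frame(data: bytes, port: int) -> dict:
    """Decode the 4-byte framing header that precedes each SMB on tcp/139 or tcp/445."""
    if len(data) < 4:
        raise ValueError("need at least 4 header bytes")
    msg_type = data[0]
    if port == 139:
        # NetBT: type (1 byte), flags (1 byte, low bit extends the length), length (2 bytes).
        flags, low = struct.unpack(">BH", data[1:4])
        length = ((flags & 0x01) << 16) | low
        kind = NBSS_TYPES.get(msg_type, "unknown")
    elif port == 445:
        # Direct SMB: a zero byte, then a 3-byte big-endian length. No other types exist.
        if msg_type != 0x00:
            raise ValueError(f"type 0x{msg_type:02x} is not valid on tcp/445")
        length = int.from_bytes(data[1:4], "big")
        kind = "session message"
    else:
        raise ValueError("expected port 139 or 445")
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("frame truncated")
    return {"kind": kind, "length": length, "is_smb": payload.startswith(SMB1_MAGIC)}


def sample_frames() -> tuple:
    """Constructed sample bytes, not a real capture."""
    # 32-byte SMB1 header (command 0x72 = negotiate), empty word and byte counts.
    smb = SMB1_MAGIC + b"\x72" + bytes(27) + b"\x00" + b"\x00\x00"
    smb_frame = b"\x00" + len(smb).to_bytes(3, "big") + smb
    # Session request: exists on NetBT only; the 68-byte name area is zero-filled here.
    session_request = b"\x81\x00\x00\x44" + bytes(68)
    return smb_frame, session_request


if __name__ == "__main__":
    smb_frame, session_request = sample_frames()
    print(parse_frame(smb_frame, 139))        # same result as on 445
    print(parse_frame(smb_frame, 445))
    print(parse_frame(session_request, 139))  # NetBIOS-only session setup
```

The same framed SMB decodes identically on both ports; only the NetBIOS session-setup messages, which carry NetBIOS names, have no counterpart on tcp/445.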
| to jaykaykay said by jaykaykay: To close the Direct SMB TCP and UDP ports, that Registry value (the SMBDeviceEnabled one) will do it. As for whether or not you need to do so, that depends both on whether you use Windows file and/or print sharing and (if so) how you use it. A firewall (personal software firewall or hardware device) should protect against outsiders connecting in, but the System would still be listening on those ports... Philip Sloss |
| to jaykaykay jaykayjay, i just followed the instructions given by psloss. And port 445 does not show up as listening any more. |
| Well, as much as I hate to do so, I guess registry mucking is what I will have to do. Gawd, I hate to play in there, but I really would like to get rid of the thing. Thanks for making it sound so easy. I did copy down WCB's fix after psloss posted, but I was hoping that it could be done some other way. Oh, well. |
TDS3_User | to jaykaykay
JKK: I don't know if this helps if you don't want to muck around in registry. I simply "Denied" permission in my firewall [Kerio] I also don't know if this is a solution, Dave, nameGame could say. edit: I had previously given Vampirefo a picture of my firewall settings to take a look at [he uses Kerio] and I specifically asked him about that particular entry and he told me it was OK. So I left it, but upon reading this thread, thought why not just 'Deny Permission'. Everything is working fine. Win2K PRO SP3, Standalone no filesharing. |
| to jaykaykay Judge has good graphic there..but if you want screen shots how to do this and step-by-step instructions go to this site...excellent write up Close port 445 TCP/UDP by disabling NetBT in Device Manager »www.uksecurityonline.com ··· e445.htm and do not stop there if you want to secure the rest of that OS. »www.uksecurityonline.com ··· xpp2.php |
| to TDS3_User Thanks but even if it is, it's too late. I already did my mucking! The entries no longer show when running Active Ports. Thanks, Psloss and WCB and Judgedredd, etc. And thank you to you as well for trying to think of a different way. I use ZA+ and don't know if it could have been done that easily through it as Kerio, but I would bet it might have. But if it could, it will have to be done by someone else. |
TDS3_User | to jaykaykay NameGame, first-class site. So simple one could 'virtually' do it blindfolded. |
| to Name Game said by Name Game: Thanks, NG. I am getting there, bit by bit. My Active Port scan just came up with the following which looks appreciably better to me than before. Unknown 0 192.168.1.2 1052 216.254.0.193 110 TIME_WAIT TCP I am still unsure about a lot of what I am seeing and will get to reading the material on that site, too, bit by bit, to see what more I can do. If you or anyone has any suggestions, please don't hesitate to lead me in the right direction. |
| to Name Game said by Name Game: Name Game. I disabled it port 445 services, by following WildCatBoys instructions in this thread. Am i wrong doing that way. »Re: mNW Warning: 'IraqWorm' propagating via tcp/445 |
| 2002-Dec-30 10:11 pm No I think that is fine...do it WCB's way. |
psloss | to Hutchy said by Hutchy: Name Game. I disabled it port 445 services, by following WildCatBoys instructions in this thread. Am i wrong doing that way. In my opinion, no. I believe it's better to set the SMBDeviceEnabled value than to mess up the TransportBindName value; I'll just refer to a previous post: I haven't tried the TransportBindName value change for a while -- guess it's time to go test it -- but if I recall correctly, it causes a problem during the NetBT driver initialization which has the side effect of never opening the IP ports. An event is written to the System log...I'll go test that and report the event... Philip Sloss |
| to jaykaykay I have never had any problem doing it as described at that site for WinXP...but I am not here to buck city hall. I just know what works for me. |
| to Hutchy said by Hutchy: As did I, of course. Btw., the following is what I seem to have a lot more showing up than you. Are you running XP too? Proto Local Address Foreign Address State PID This was the result when doing a netstat -ano, which I presume is the way to do it. I had finally figured out '98, and by the time I get XP hog tied, MS will come out with a new OS. |
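Several posts in the thread verify the change by checking which ports are still listening. This is an added example, not part of the original thread: it parses `netstat -ano` style text and reports the SMB-related sockets still open, including whether each is bound to all interfaces. The sample text is constructed, and the function name is hypothetical.

```python
# Ports discussed in the thread: NetBIOS name service, NetBT sessions, Direct SMB.
SMB_PORTS = {137: "NetBIOS name service", 139: "SMB over NetBT",
             445: "Direct SMB (microsoft-ds)"}
WILDCARDS = {"0.0.0.0", "[::]", "*"}

# Constructed sample in the layout of `netstat -ano`; not output from the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.2:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.2:1052       203.0.113.10:110       TIME_WAIT       0
  TCP    192.168.1.2:1060       203.0.113.20:445       ESTABLISHED     1200
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.2:137        *:*                                    4
"""


def smb_listeners(netstat_text: str) -> list:
    """Return (proto, address, port, pid, all_interfaces) for each open SMB-related socket."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a State column; UDP rows do not, so the PID is always last.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue  # outbound or closing connections are not listeners
        addr, _, port = local.rpartition(":")
        if port.isdigit() and int(port) in SMB_PORTS:
            found.append((proto, addr, int(port), int(fields[-1]), addr in WILDCARDS))
    return found


if __name__ == "__main__":
    for proto, addr, port, pid, everywhere in smb_listeners(SAMPLE):
        scope = "all interfaces" if everywhere else addr
        print(f"{proto}/{port} {SMB_PORTS[port]}: PID {pid}, bound to {scope}")
```

In the sample, port 139 is bound to one address while 445 is bound to every interface, and the outbound connection to a remote port 445 is correctly ignored because only the local port is examined.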
psloss | 2002-Dec-30 10:33 pm said by psloss: OK, if I screw up the TransportBindName value (I changed it from "\Device\" to "\Device1\"), the event that's written to the System event log is ID 4311 from the NetBT source: "Initialization failed because the driver device could not be created." Using the SMBDeviceEnabled value doesn't cause any errors to be reported to the System event log. Caveat emptor. Philip Sloss |
| to jaykaykay said by Phil: OK, if I screw up the TransportBindName value (I changed it from "\Device\" to "\Device1\", Now why would you want to do something like that...did you read the instructions? |
| said by Name Game: That wasn't my comment. I did it the way WCB suggested with the DWord value added/SMBDeviceEnabled |
psloss | to Name Game said by Name Game: Making the value blank has the same effect. The "\Device\" syntax is part of the NT object namespace (like "\Device\Tcp", "\Device\Udp", etc.) The driver appears to be looking for an exact string (perhaps case insensitive) -- so any change other than a case change would break it. A blank string, adding a space, prepending a space would also cause the same problem and achieve the result of keeping the driver from opening those ports. That change does keep the ports closed and I haven't seen any reports of any other side effects...but I suspect that the ports staying closed is also a side effect... ...which is why I wrote "caveat emptor." Philip Sloss |
| to jaykaykay Yup..that was made by Phil..and I hit the wrong thingie. |
| You are forgiven! Careful where you put those fingers. Clicking too fast can get you in trouble. :D:D |
| to jaykaykay Was that message for me..it appears your post was not addressed to anyone fascinating forum functions..even |
| to jaykaykay BTW Jaykaykay..I did hit the right buttons...they just did not register correctly. |
| That's OK. I will still forgive your clumsy fingers, no matter what you profess actually occurred. :D:D |
to jaykaykay So... I added the SMBDeviceEnabled entry, but the next time I started WINXP my Kerio 2.14 firewall wouldn't work. Anyone else here experiencing this? | |
Source: https://www.dslreports.com/forum/r5486656-MICROSOFT-DS-What-is-this
Posted by: martinezboused.blogspot.com