SMB Ports 139 and 445 Explained with Quick Security Steps

SMB ports 139 and 445 are essential for file and printer sharing across Windows networks. However, these same ports are often exploited by attackers, making it important to understand how they work and how to secure them effectively. This guide explains their differences, how to check their status, and steps to disable or protect them on Windows 11.

All You Need to Know About SMB Ports 139 and 445

What Are SMB Ports 139 and 445

SMB is a network file sharing protocol used by Windows systems to share files, printers, and other resources. Two ports are primarily associated with SMB communication: Port 139 and Port 445.

• Port 139: Used by SMB over NetBIOS in older stacks such as SMBv1.
• Port 445: Used by SMB directly over TCP in modern versions such as SMBv2 and SMBv3.

Learn how to open ports in Windows Server if you need to manage SMB access in a server environment.

---

Why Are SMB Ports 139 and 445 Important

These ports enable file and printer sharing, authentication with Active Directory, and remote administration. They also introduce risk if exposed on public or untrusted networks because they are frequent targets for malware and ransomware.

---

How to Check If SMB Ports 139 and 445 Are Open

1. Using Command Prompt

Use Command Prompt to quickly see if the ports are listening.

1. Press Windows + R, type cmd, and press Enter.
   
2. Type netstat -an | find “139” and press Enter.
3. Type netstat -an | find “445” and press Enter.
4. Look for LISTENING to confirm the port is active.

2. Using PowerShell

PowerShell provides a targeted connectivity test for each port.

1. Open PowerShell as Administrator.
2. Run Test-NetConnection -ComputerName localhost -Port 445
3. Review the output to confirm whether the port is open or blocked.

If the ports appear blocked, check whether Windows Firewall is the cause by following this guide on how to tell if Windows Firewall is blocking a port or program.

---

How to Disable SMB Ports 139 and 445

1. Turn Off SMBv1 for Port 139

Disable SMBv1 to remove legacy exposure.

1. Open Control Panel then select Programs and choose Turn Windows features on or off.
   
2. Uncheck SMB 1.0/CIFS File Sharing Support.
   
3. Click OK and restart the PC.

2. Disable SMBv2 and SMBv3 for Port 445

Use PowerShell to disable modern SMB versions if absolutely necessary.

1. Launch PowerShell as Administrator.
   
2. Run Set-SmbServerConfiguration -EnableSMB2Protocol $false
3. Restart the computer to apply changes.

Note: Disabling SMB can break file sharing and domain authentication. Only proceed if your environment does not rely on SMB.

---

How to Secure SMB Ports Without Disabling Them

If your network depends on SMB, harden the service rather than turning it off. Proper firewall rules and strong authentication significantly reduce risk.

1. Restrict SMB to trusted IP ranges using a firewall.
2. Enable SMB signing to verify message integrity.
3. Keep Windows and SMB protocol components updated.
4. Disable guest access and enforce strong authentication.

For granular control, follow this guide to open firewall ports safely in Windows and configure SMB securely. For clearer visibility into SMB traffic and fast per app blocking, consider Portmaster Firewall to monitor connections and reduce unnecessary exposure.

---

FAQs

---

Final Thoughts

SMB ports 139 and 445 are vital for Windows networking but can expose systems if misconfigured. If you rely on file sharing, secure these ports with tight firewall rules and strong authentication. If you do not need SMB, disabling it is the safest option.