15

I want to disable file sharing (SMB) on Windows XP and I turned it off in the network properties dialog box, but the system is still listening on port 445. Is there a way to make it stop listening on 445 entirely? Is it still on in stealth mode?

enter image description here

Tyler Durden
  • 6,333

3 Answers3

14

I figured out how to do this from another post.

Add the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Name: SMBDeviceEnabled Type: DWORD (REG_DWORD) Data: 0

This will completely disable SMB services and shutdown the server that listens on 445. Restart computer to take effect. You can verify that it is off by using netstat -an

undo
  • 6,129
Tyler Durden
  • 6,333
7

Command line method

Assuming the current user is a member of the Administrators group, open a command prompt and enter:

reg add HKLM\System\CurrentControlSet\Services\NetBT\Parameters /V SmbDeviceEnabled /T REG_DWORD /F /D 0

(this adds the required registry setting to disable SMB, and is the CLI equivalent of the OP's answer)

Then enter:

sc stop lanmanserver
sc config lanmanserver start= disabled

(this stops and disables the server service, a.k.a lanmanserver)

Restart your computer:

shutdown -r -t 01

After the restart, open a command prompt and enter the following command to verify that SMB is no longer listening on port 445:

netstat -na | find "LISTENING" | find ":445 "

If no output is returned by this command, you're all good!

Another possible method involving the GUI

...is to uninstall File and Printer Sharing for Microsoft Networks completely:

  1. Go to Start | Control Panel, and double-click the Network Connections applet.
  2. Right-click Local Area Connection (i.e., the Internet-facing connection), and select Properties.
  3. Select File And Printer Sharing For Microsoft Networks, and click the Uninstall button.
  4. Choose Yes when prompted to uninstall the component. Close all dialog boxes and applets.

For those that might benefit from a guide with screenshots, see:
http://ca.huji.ac.il/services/security/sharingXP-uninstall.shtml

Jimadine
  • 1,522
  • 1
  • 11
  • 15
1

As this vulnerability targets SMB and NetBT, it can be removed with cmd (if these services are not required)::

::Disable netbt service
net stop netbt & sc delete netbt
net stop netbios & sc delete netbios

::Disable Workstation Service
sc stop "LanmanWorkstation"
sc config "LanmanWorkstation" start= disabled
sc delete "LanmanWorkstation"

::Disable SMB feature (windows 7 or higher)
DISM /Online /Disable-Feature /FeatureName:SMB1Protocol /Remove /NoRestart
DISM /Online /Disable-Feature /FeatureName:SmbDirect /Remove /NoRestart

::File and Printer Sharing for Microsoft Networks       
netcfg /u ms_server

Run this as administrator and restart PC. These commands will remove the services permanently. You may close the ports in firewall.

Biswapriyo
  • 11,584