Essential TCP/IP Ports for SMB/CIFS File Sharing: Minimal Firewall Configuration for Windows Network Drives (XP and Later)



Modern Windows systems (XP SP2 and later) primarily use SMB over TCP port 445 (Direct Hosting). While legacy systems relied on ports 137-139 (NetBIOS over TCP/IP), these are generally unnecessary for current Windows environments. The protocol transition timeline:

  • Windows NT 4.0: NetBIOS (ports 137-139) required
  • Windows 2000: Introduced Direct Hosting (port 445)
  • Windows XP SP2+: Defaults to port 445

For Windows XP and later systems, you only need to open:

# Windows Firewall rule (PowerShell)
New-NetFirewallRule -DisplayName "SMB-In-TCP" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow

The legacy ports (137-139) are only required if:

# Registry check for NetBIOS over TCP/IP (cmd)
reg query HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters /v SmbDeviceEnabled

Verify connectivity with these commands:

# Test SMB over port 445
Test-NetConnection -ComputerName server01 -Port 445

# Legacy NetBIOS test (usually unnecessary)
nbtstat -A 192.168.1.100

For domain environments, you might need additional ports:

# AD-integrated file share minimum ports
$ports = @(445, 88, 389, 636)
$ports | ForEach-Object {
    New-NetFirewallRule -DisplayName "AD-FileShare-$_" -Direction Inbound -Protocol TCP -LocalPort $_ -Action Allow
}

If connections fail despite open ports:

# Check SMB version compatibility
Get-SmbConnection | Select-Object ServerName, Dialect

# Require SMB encryption (only SMB 3.x dialects support it, so clients limited to older dialects are refused)
Set-SmbServerConfiguration -EncryptData $true -Force

When opening SMB ports:

# Restrict access to specific IP ranges
New-NetFirewallRule -DisplayName "Restricted-SMB" -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress 192.168.1.0/24 -Action Allow

# Disable SMBv1 (vulnerable)
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

For modern Windows networks (XP and later), you actually only need port 445 TCP for basic SMB file sharing functionality. The older NetBIOS ports (137-139 UDP/TCP) were primarily used in Windows NT/9x era and are no longer strictly necessary in pure Windows XP+ environments where NetBIOS over TCP/IP is disabled.

Windows XP and later versions implement SMB (Server Message Block) directly over TCP/IP using port 445, without requiring the older NetBIOS session layer. This is sometimes referred to as "Direct Hosting" of SMB over TCP/IP.

You can check if your Windows machines are properly configured to use port 445 exclusively:

# PowerShell command to check SMB configuration
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

If you're scripting firewall rules, here's how to configure them programmatically:

# Windows Firewall rule for SMB (PowerShell); the trailing backticks continue the command on the next line
New-NetFirewallRule -DisplayName "Allow SMB (TCP 445)" `
                    -Direction Inbound `
                    -LocalPort 445 `
                    -Protocol TCP `
                    -Action Allow

While port 445 is sufficient for basic file sharing, there are scenarios where additional ports become necessary:

  • Name resolution when DNS isn't available (137 UDP)
  • NetBIOS datagram service (138 UDP)
  • NetBIOS session service (139 TCP)

Here's a simple Python script to verify SMB connectivity:

import socket

def test_smb_connection(host, port=445, timeout=3):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    # OSError is the common base of socket.timeout, ConnectionRefusedError,
    # socket.gaierror (name resolution failure) and host-unreachable errors,
    # so any of them yields False instead of an uncaught traceback.
    except OSError:
        return False

if test_smb_connection("target-pc"):
    print("SMB port 445 is accessible")
else:
    print("Connection failed - check firewall rules")

When opening SMB ports, always:

  • Restrict access to specific IP ranges when possible
  • Disable SMBv1 (security vulnerabilities)
  • Enable SMB signing for enhanced security
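As an added example that is not part of either answer above, the connectivity script can be extended to probe both the direct-hosting port (445) and the NetBIOS session port (139) and report which transport a server actually exposes, which is how you confirm that a host really runs on the minimal 445-only configuration. The `connector` parameter, the `server01` hostname and the result labels are this example's own assumptions.

```python
import socket
import sys

# Ports from the transition story above: 445 carries direct-hosted SMB,
# 139 is the NetBIOS session service used by the legacy path.
SMB_DIRECT_PORT = 445
NETBIOS_SESSION_PORT = 139


def tcp_port_open(host, port, timeout=3, connector=socket.create_connection):
    """Return True if a TCP handshake to host:port completes within timeout.

    `connector` is injectable (an assumption of this example) so the logic can
    be exercised offline; it defaults to socket.create_connection. OSError is
    the common base of socket.timeout, ConnectionRefusedError, socket.gaierror
    (DNS failure) and host-unreachable errors, so every failure maps to False.
    """
    try:
        with connector((host, port), timeout):
            return True
    except OSError:
        return False


def classify_smb_transport(host, timeout=3, connector=socket.create_connection):
    """Probe 445 and 139 and report which SMB transport the host exposes.

    137/138 are UDP and cannot be checked with a TCP connect, so they are not
    probed here. The result strings are labels chosen for this example.
    """
    direct = tcp_port_open(host, SMB_DIRECT_PORT, timeout, connector)
    netbios = tcp_port_open(host, NETBIOS_SESSION_PORT, timeout, connector)
    if direct and netbios:
        # 139 answering means NetBT is still enabled or the firewall still
        # allows the legacy ports; on XP and later it can usually be closed.
        return "direct-hosting-plus-netbios"
    if direct:
        return "direct-hosting-only"   # the minimal XP+ configuration
    if netbios:
        return "netbios-only"          # 445 blocked, only the legacy path works
    return "unreachable"


if __name__ == "__main__":
    # "server01" is a placeholder; pass the real server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "server01"
    print(f"{target}: {classify_smb_transport(target)}")
```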