Essential TCP/IP Ports for SMB/CIFS File Sharing: Minimal Firewall Configuration for Windows Network Drives (XP and Later)



Modern Windows systems (XP SP2 and later) primarily use SMB over TCP port 445 (Direct Hosting). While legacy systems relied on ports 137-139 (NetBIOS over TCP/IP), these are generally unnecessary for current Windows environments. The protocol transition timeline:

  • Windows NT 4.0: NetBIOS (ports 137-139) required
  • Windows 2000: Introduced Direct Hosting (port 445)
  • Windows XP SP2+: Defaults to port 445

For Windows XP and later systems, you only need to open:

# Windows Firewall rule (PowerShell)
New-NetFirewallRule -DisplayName "SMB-In-TCP" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow

The legacy ports (137-139) are only required if NetBIOS over TCP/IP is still in use, for example when direct hosting has been turned off. Check that direct hosting is enabled (SmbDeviceEnabled should be 1, or absent, which means the default of enabled):

# Registry check for SMB direct hosting on TCP 445 (cmd); a value of 0 disables it and forces SMB over NetBIOS (139)
reg query HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters /v SmbDeviceEnabled

Verify connectivity with these commands:

# Test SMB over port 445
Test-NetConnection -ComputerName server01 -Port 445

# Legacy NetBIOS test (usually unnecessary)
nbtstat -A 192.168.1.100

For domain environments, you might need additional ports:

# AD-integrated file share minimum ports
$ports = @(445, 88, 389, 636)
$ports | ForEach-Object {
    New-NetFirewallRule -DisplayName "AD-FileShare-$_" -Direction Inbound -Protocol TCP -LocalPort $_ -Action Allow
}

If connections fail despite open ports:

# Check SMB version compatibility
Get-SmbConnection | Select-Object ServerName, Dialect

# Require SMB encryption (needs SMB 3.x on both sides; older clients are rejected unless RejectUnencryptedAccess is $false)
Set-SmbServerConfiguration -EncryptData $true -Force

When opening SMB ports, limit the exposure:

# Restrict access to specific IP ranges
New-NetFirewallRule -DisplayName "Restricted-SMB" -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress 192.168.1.0/24 -Action Allow

# Disable SMBv1 (vulnerable)
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

For modern Windows networks (XP and later), you actually only need port 445 TCP for basic SMB file sharing functionality. The older NetBIOS ports (137-139 UDP/TCP) were primarily used in the Windows NT/9x era and are no longer strictly necessary in pure Windows XP+ environments where NetBIOS over TCP/IP is disabled.

Windows XP and later versions implement SMB (Server Message Block) directly over TCP/IP using port 445, without requiring the older NetBIOS session layer. This is sometimes referred to as "Direct Hosting" of SMB over TCP/IP.

You can check if your Windows machines are properly configured to use port 445 exclusively:

# PowerShell command to check SMB configuration
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

If you're scripting firewall rules, here's how to configure them programmatically:

# Windows Firewall rule for SMB (PowerShell); the backticks continue the command across lines
New-NetFirewallRule -DisplayName "Allow SMB (TCP 445)" `
                    -Direction Inbound `
                    -LocalPort 445 `
                    -Protocol TCP `
                    -Action Allow

While port 445 is sufficient for basic file sharing, there are scenarios where additional ports become necessary:

  • Name resolution when DNS isn't available (137 UDP)
  • NetBIOS datagram service (138 UDP)
  • NetBIOS session service (139 TCP)

Here's a simple Python script to verify SMB connectivity:

import socket

def test_smb_connection(host, port=445, timeout=3):
    """Return True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # OSError covers timeouts, refused connections, unreachable hosts
        # and name-resolution failures (socket.timeout and socket.gaierror
        # are both subclasses), so a firewall drop is reported as False
        # rather than raising.
        return False

if __name__ == "__main__":
    if test_smb_connection("target-pc"):
        print("SMB port 445 is accessible")
    else:
        print("Connection failed - check firewall rules")

When opening SMB ports, always:

  • Restrict access to specific IP ranges when possible
  • Disable SMBv1 (security vulnerabilities)
  • Enable SMB signing for enhanced security
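The following audit script is an added example, not part of the original page: it pulls together the checks discussed above (which SMB/NetBIOS ports are actually listening, whether NetBIOS over TCP/IP is still enabled per adapter, the SMB1/signing/encryption settings, and whether any inbound allow rule for TCP 445 is open to any remote address). It assumes Windows 8/Server 2012 or later with the NetTCPIP, NetSecurity and SmbShare modules and an elevated prompt; the function name Get-SmbExposureReport is the example's own.

```powershell
# Added example: report how far this host is from the minimal SMB posture
# described above (only TCP 445 exposed, NetBIOS disabled, SMB1 off, signing on,
# inbound 445 rules scoped to specific remote addresses). Requires Windows 8/2012+.
function Get-SmbExposureReport {
    [CmdletBinding()]
    param()

    # 1. SMB/NetBIOS ports currently listening (TCP 139/445, UDP 137/138)
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object -ExpandProperty LocalPort -Unique
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 137, 138 } |
        Select-Object -ExpandProperty LocalPort -Unique

    # 2. Adapters where NetBIOS over TCP/IP is not explicitly disabled
    #    (TcpipNetbiosOptions: 0 = DHCP default, 1 = enabled, 2 = disabled)
    $netbios = Get-CimInstance Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.TcpipNetbiosOptions -ne 2 } |
        Select-Object -ExpandProperty Description

    # 3. SMB server settings the hardening list above refers to
    $smb = Get-SmbServerConfiguration

    # 4. Enabled inbound allow rules that cover TCP 445, and which of them
    #    accept traffic from any remote address instead of a scoped range
    $rules445 = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '445' -or $_.LocalPort -contains 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    $unscoped = foreach ($rule in $rules445) {
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') { $rule.DisplayName }
    }

    [PSCustomObject]@{
        ListeningTcpPorts          = $tcp
        ListeningUdpPorts          = $udp
        LegacyNetBiosPortsOpen     = [bool](($tcp -contains 139) -or $udp)
        NetBiosNotDisabledAdapters = $netbios
        SMB1Enabled                = $smb.EnableSMB1Protocol
        SigningRequired            = $smb.RequireSecuritySignature
        EncryptionRequired         = $smb.EncryptData
        UnscopedInbound445Rules    = $unscoped
    }
}

Get-SmbExposureReport | Format-List
```

A clean result shows only 445 under ListeningTcpPorts, no UDP ports, SMB1Enabled False, SigningRequired True and an empty UnscopedInbound445Rules list; anything else points at one of the page's remediation steps.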