I hope this adds a little bit on one more method of disabling/unbinding SMB:
(sorry if the cross-post was not appropriate)

http://www.microsoft.com/ntserver/techresources/commnet/WINS/WINSwp98/WINS11-12.asp

HKLM\System\Controlset001\Services\NetBT\Parameters

Non-Configurable Parameters

The following parameters are created and used internally by the NetBT components. They should never be modified using the Registry Editor. They are listed here for reference only.

TransportBindName
Key: Netbt\Parameters
Value Type: REG_SZ - Character string
Valid Range: N/A
Default: \Device\
Description: This parameter is used internally during product development. The default value should not be changed.

SMBDeviceEnabled
Key: Netbt\Parameters
Value Type: REG_DWORD - Boolean
Valid Range: 0, 1 (false, true)
Default: 1 (true)
Description: Windows 2000 supports a new network transport known as the SMB Device, which is enabled by default. This parameter can be used to disable the SMB device for troubleshooting purposes.

Using the SMBDeviceEnabled key removes SMB from binding to 445.

Thanks,
Andrew

"Jason Coombs" <jasonc@science.org>
08/29/2002 08:05 PM
Please respond to jasonc

To: <bugtraq@securityfocus.com>
cc:
Subject: SUMMARY: Disabling Port 445 (SMB) Entirely

UPDATE: I double-checked and in fact was able to stop port 445 from binding at all under Windows 2000 using the following Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Under this key, remove the default value "\Device\" from the TransportBindName REG_SZ value. Upon reboot, port 445 is gone completely, both TCP and UDP.

I tried a while ago to replace \Device\ with the device name of a single network interface in my multi-homed Windows box and that did not appear to work; SMB still grabbed port 445 TCP and UDP on 0.0.0.0 rather than the IP address bound to the network interface whose \Device\ virtual name I entered into the TransportBindName.

Perhaps you can only disable port 445/SMB entirely; there may be no way to disable it selectively.

However, port 1025 is still being bound by SYSTEM ... I have no idea why.

Sincerely,

Jason Coombs
jasonc@science.org

-----Original Message-----
From: Jason Coombs [mailto:jasonc@science.org]
Sent: Thursday, August 29, 2002 11:52 AM
To: vuln-dev@security-focus.com
Subject: SUMMARY: SMB overflow attacks

SUMMARY: There does not appear to be any way to get Windows 2000 to stop binding to port 445 at this time. It's possible in Windows NT, but then again SMB was an after-thought for NT (Service Pack 3 or 4, I don't remember which) and the NT kernel doesn't bind port 445 as aggressively.

<snip>
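
A read-only check of the two NetBT values discussed in this thread against what is actually bound on port 445, as an added example that is not part of the original messages. It assumes PowerShell 3.0 or later and English-language `netstat` output; the function names are hypothetical, and the script changes nothing.

```powershell
# Added example: read-only audit, nothing is modified.
# Assumptions: PowerShell 3.0+, English-language netstat output ("LISTENING").
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

function Get-NetBTValue([string]$Name) {
    # Returns $null when the value does not exist under the key.
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-Port445Binding {
    # Keep TCP listeners and UDP binds whose local endpoint ends in :445.
    netstat -an | ForEach-Object {
        $f = -split $_
        if ($f.Count -ge 3 -and $f[0] -match '^(TCP|UDP)$' -and $f[1] -match ':445$') {
            if ($f[0] -eq 'UDP' -or $f[-1] -eq 'LISTENING') {
                [pscustomobject]@{ Proto = $f[0]; Local = $f[1] }
            }
        }
    }
}

$smbDev   = Get-NetBTValue 'SMBDeviceEnabled'
$bindName = Get-NetBTValue 'TransportBindName'
$bound    = @(Get-Port445Binding)

# Either setting from the thread counts as "disabled by configuration":
# SMBDeviceEnabled = 0, or TransportBindName present but emptied.
$disabled = ($smbDev -eq 0) -or ($null -ne $bindName -and $bindName -eq '')

'SMBDeviceEnabled  : {0}' -f $(if ($null -eq $smbDev) { '(not set)' } else { $smbDev })
'TransportBindName : {0}' -f $(if ($null -eq $bindName) { '(not set)' } else { "'$bindName'" })
'Port 445 bindings : {0}' -f $bound.Count
$bound | ForEach-Object { '  {0} {1}' -f $_.Proto, $_.Local }

if ($disabled -and $bound.Count -gt 0) {
    'MISMATCH: registry disables SMB on 445 but the port is still bound (reboot pending?).'
} elseif (-not $disabled -and $bound.Count -eq 0) {
    'NOTE: port 445 is not bound although neither registry setting disables it.'
} elseif ($disabled) {
    'OK: SMB on 445 is disabled in the registry and the port is not bound.'
} else {
    'EXPOSED: SMB device is enabled and port 445 is bound.'
}
```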