SMB Port 445 Risk: What to Check on Router and Firewall

By Katia Belokon

Port 445 needs firewall evidence

Best next step: review router port forwarding, Windows Firewall, SMB service exposure, and remote-access rules. Use a trusted external port checker only for systems you own or administer.

Optional MyIPScan follow-up: open What Is My IP or ASN Lookup to understand the public network context before firewall review. MyIPScan does not scan port 445.

Quick Answer

The SMB port 445 risk is about whether Windows file sharing is reachable from untrusted networks. Check router port forwarding, firewall rules, VPN exposure, and system listening services first.

MyIPScan does not run a port scan and cannot certify whether SMB is internet-reachable. It can provide public IP and network-owner context before you use router logs, OS tools, or a trusted external port checker.

What Makes Port 445 a Security Target

Port 445 is the default TCP port for SMB over IP, used by Windows for file sharing, printer access, and inter-process communication. Unlike port 139, which required NetBIOS over TCP/IP, port 445 allows SMB to run directly over TCP. This simplification made Windows networking faster and more reliable on modern networks, but it also concentrated attack surface into a single well-known port.

Attackers scan port 445 continuously because successful exploitation can grant file system access, credential theft opportunities, and a foothold for ransomware deployment. The WannaCry and NotPetya outbreaks both leveraged SMB vulnerabilities, spreading rapidly across networks where port 445 was reachable and systems were unpatched. Even when the operating system is current, misconfigurations such as weak passwords, guest access, or SMB signing disabled can turn an open port into a practical entry point.

Why Internet Exposure Is Dangerous

SMB was designed for trusted local networks, not for exposure to the public internet. When port 445 is reachable from any IP address, automated scanners probe it within minutes. These scans test for known vulnerabilities, attempt common credentials, and catalog systems for later exploitation. According to Microsoft’s SMB troubleshooting guidance, SMB sharing should remain behind a firewall and never be directly accessible from the internet.

Even outbound SMB connections carry risk. An attacker can craft a malicious link or document that, when opened, causes a Windows machine to attempt an SMB connection to an attacker-controlled server. This can leak NTLM credentials, which can then be cracked offline or relayed to other services. Blocking outbound port 445 at the network perimeter limits this attack vector.

How to Check If Port 445 Is Exposed

Checking for SMB port 445 security risk starts with verifying whether the port is reachable from outside your network. Run a port scan from an external vantage point to see what an attacker would see. Internal scans from the same network will not reveal whether your firewall or router is blocking inbound SMB traffic.

External Port Scan

Use a public port checker to scan your external IP address for open port 445. If the scan reports the port as open or filtered, SMB traffic may be reaching your network perimeter. A closed result means the firewall is blocking the connection attempt, which is the expected and safe configuration for internet-facing networks.

Keep in mind that some ISPs block port 445 at the network level to reduce abuse. A closed result may reflect ISP filtering rather than your own firewall rules. To confirm your local configuration, test from a different network or use a VPN exit point that does not apply SMB filtering.

Internal Network Scan

Scan devices on your local network to identify which machines are listening on port 445. On Windows, the SMB service runs by default, so most Windows devices will show port 445 as listening. The question is whether those devices are protected by a host firewall and whether they are patched against known SMB vulnerabilities.

Use PowerShell or a network scanner to enumerate listening ports. On Windows, run netstat -an | findstr :445 to see active SMB listeners. On Linux or macOS, use lsof -i :445 or netstat -an | grep 445. If a device shows port 445 listening and is reachable from other network segments, verify that SMB signing is enabled and that guest access is disabled.

Common SMB Vulnerabilities and Exploits

Several high-profile vulnerabilities have targeted SMB over the past decade. Understanding these exploits clarifies why the SMB port 445 security risk remains a priority for network administrators and home users alike.

Vulnerability	CVE	Impact	Mitigation
EternalBlue	CVE-2017-0144	Remote code execution, used by WannaCry and NotPetya	Install MS17-010 patch, block port 445 at perimeter
SMBGhost	CVE-2020-0796	Remote code execution in SMBv3 compression	Apply Windows updates, disable SMBv3 compression if patching is delayed
SMBleed	CVE-2020-1206	Information disclosure, kernel memory leak	Install June 2020 Windows updates
NTLM relay	Multiple	Credential theft and lateral movement	Enable SMB signing, disable NTLM where possible, use Kerberos

Each of these vulnerabilities was patched by Microsoft, but unpatched systems remain vulnerable indefinitely. Automated exploit tools are publicly available, and attackers scan continuously for systems that missed critical updates. Keeping Windows current is the baseline defense, but it must be combined with network segmentation and firewall rules to reduce exposure.

How to Secure SMB Port 445

Securing SMB involves layered controls: blocking unnecessary exposure, hardening the SMB service itself, and monitoring for suspicious activity. No single step eliminates the SMB port 445 security risk, but together these measures reduce the attack surface to a manageable level.

Block Port 445 at the Network Perimeter

Configure your firewall to drop all inbound SMB traffic from the internet. This rule should apply to both TCP port 445 and the legacy port 139. Most home routers block these ports by default, but business firewalls and cloud security groups require explicit rules.

Also block outbound SMB traffic unless your environment requires external SMB connections. Outbound blocking prevents malware from calling home via SMB and stops credential leaks triggered by malicious links. Test the rule carefully to avoid breaking legitimate file sharing with branch offices or cloud storage that uses SMB.

Disable SMBv1

SMBv1 is an outdated protocol with known security weaknesses and no support for modern encryption or signing features. Microsoft disabled SMBv1 by default in recent Windows versions, but older systems and some network-attached storage devices still enable it for compatibility.

Check whether SMBv1 is enabled by running Get-SmbServerConfiguration | Select EnableSMB1Protocol in PowerShell. If the result is True, disable it with Set-SmbServerConfiguration -EnableSMB1Protocol $false. Reboot the system to apply the change. After disabling SMBv1, test file sharing to confirm that clients and servers negotiate SMBv2 or SMBv3 successfully.

Enable SMB Signing

SMB signing adds a cryptographic signature to each SMB packet, preventing man-in-the-middle attacks and NTLM relay exploits. When signing is required, both client and server must support it, and unsigned packets are rejected.

Enable SMB signing on Windows by configuring Group Policy or local security policy. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and set Microsoft network server: Digitally sign communications (always) to Enabled. Repeat for the client-side setting. Performance impact is minimal on modern hardware, and the security benefit is significant.

Disable Guest Access

Guest access allows unauthenticated users to connect to SMB shares, which is rarely necessary and often exploited. Disable guest access by setting Set-SmbServerConfiguration -EnableInsecureGuestLogons $false in PowerShell. Also review share permissions to ensure that only authenticated users with legitimate need can access sensitive files.

Apply Windows Updates Promptly

SMB vulnerabilities are patched regularly, but patches only protect systems that install them. Enable automatic updates where possible, and monitor update status on critical systems. For environments that test updates before deployment, prioritize SMB-related patches and apply them within days of release, not weeks.

When SMB Traffic Is Necessary

Some environments require SMB access between sites, such as branch offices connecting to a central file server or remote workers accessing network shares. In these cases, blocking port 445 entirely is not practical, so the focus shifts to encrypting and authenticating the connection.

Use a VPN for Remote SMB Access

Instead of exposing port 445 to the internet, require remote users to connect via VPN first. The VPN encrypts all traffic, including SMB, and authenticates the user before granting network access. This approach keeps SMB traffic on a trusted network segment and prevents direct internet exposure.

Configure the VPN to assign remote clients an IP address in the same subnet as the file server, or use routing rules to allow SMB traffic only from VPN clients. Test the connection by mapping a network drive from a remote client and verifying that the traffic flows through the VPN tunnel, not directly over the internet.

Consider SMB Over QUIC

Windows Server 2022 introduced SMB over QUIC, which tunnels SMB traffic through HTTPS on port 443. This allows secure file access without a traditional VPN and works well for mobile users and branch offices. SMB over QUIC requires TLS certificates and is not yet widely deployed, but it represents a modern alternative to exposing port 445 directly.

How to Interpret Port Scan Results

Port scan results can be confusing, especially when different tools report different states for the same port. Understanding what each result means helps you assess the actual SMB port 445 security risk rather than reacting to false positives or ignoring real exposure.

Open

An open result means the scanner received a response indicating that a service is listening on port 445. This is the highest-risk state for internet-facing systems. If your external IP shows port 445 as open, SMB traffic is reaching your network, and you should block it immediately at the firewall.

Closed

A closed result means the scanner received a response indicating that no service is listening, typically a TCP reset packet. This is the expected result for a properly configured firewall that actively rejects SMB traffic. A closed port is not exploitable because the connection attempt is refused before reaching any service.

Filtered

A filtered result means the scanner did not receive a response, suggesting that a firewall is silently dropping packets. This is also a safe configuration, though it can make troubleshooting harder because the scanner cannot distinguish between a firewall rule and a network routing issue. Filtered is preferable to open, but closed is slightly better because it provides faster feedback to legitimate connection attempts.

Stealth

Some scanners report a port as stealthed when no response is received. This is functionally the same as filtered. The term “stealth” is marketing language rather than a technical distinction, but it indicates that the port is not reachable from the scanner’s vantage point.

SMB Port 445 Security Risk on Different Network Types

The level of SMB port 445 security risk varies depending on the network environment. A home network, corporate network, and public Wi-Fi each present different threat models and require different controls.

Home Networks

Most home routers block inbound port 445 by default, so the primary risk is from devices on the local network. If one device is compromised, SMB can be used for lateral movement to other Windows machines. Enable SMB signing, disable SMBv1, and apply Windows updates to all devices. Avoid enabling port forwarding for port 445 under any circumstances.

Corporate Networks

Corporate networks often require SMB for file sharing, printer access, and domain services. The risk is managed through network segmentation, endpoint protection, and strict firewall rules. Segment the network so that SMB traffic is restricted to trusted zones, and monitor SMB connections for unusual patterns such as connections from unexpected IP ranges or failed authentication attempts.

Public Wi-Fi

Public Wi-Fi is an untrusted network where other users may attempt to scan or exploit your device. Disable file sharing entirely when connected to public Wi-Fi, or use a VPN to encrypt all traffic and prevent local network access. Windows Firewall includes a public network profile that blocks inbound SMB by default, but verify that the profile is active and that no exceptions have been added.

Monitoring and Detection

Even with strong preventive controls, monitoring SMB traffic helps detect attacks in progress and identify misconfigurations before they are exploited.

Log SMB Connections

Enable SMB logging on Windows to record connection attempts, authentication failures, and file access. Review logs regularly for patterns such as repeated failed logins, connections from unexpected IP addresses, or access to sensitive shares outside normal business hours. Windows Event Logs include SMB-related events under the Security and System logs.

Use Intrusion Detection

Intrusion detection systems can alert on SMB exploit attempts, such as EternalBlue scans or NTLM relay attacks. Configure the IDS to monitor port 445 traffic and flag suspicious patterns. Combine network-based detection with endpoint detection to catch attacks that originate from inside the network.

Review Firewall Logs

Firewall logs show blocked connection attempts, which can reveal scanning activity or misconfigured devices trying to reach SMB services. If you see frequent blocked attempts on port 445 from internet IP addresses, your firewall is doing its job. If you see blocked attempts from internal IP addresses, investigate whether a device is infected or misconfigured.

Common Mistakes When Assessing SMB Risk

Several common mistakes lead to either overconfidence or unnecessary alarm when evaluating the SMB port 445 security risk.

• Assuming a closed port means no risk: A closed port on your external IP does not protect against attacks from inside the network or from devices that bypass the firewall. Internal SMB security still matters.
• Disabling SMB entirely without testing: Disabling the SMB service can break file sharing, printer access, and domain authentication. Test the impact carefully and disable SMB only on devices that do not require it.
• Ignoring SMBv2 and SMBv3 vulnerabilities: Disabling SMBv1 is important, but newer SMB versions also have vulnerabilities. Keep Windows updated to address all SMB-related patches, not just SMBv1 issues.
• Relying on antivirus alone: Antivirus can detect known exploits, but it cannot prevent exploitation of zero-day vulnerabilities or misconfigurations. Combine antivirus with firewall rules, patching, and network segmentation.
• Overlooking DNS leaks: If you use a VPN to access SMB resources, verify that DNS queries are also routed through the VPN. A DNS leak can reveal the names of internal file servers even when SMB traffic is encrypted. Check for leaks using a DNS leak test.

Practical Checklist for SMB Security

Use this checklist to verify that your SMB configuration reduces the SMB port 445 security risk to an acceptable level.

• Run an external port scan to confirm port 445 is not reachable from the internet.
• Block inbound and outbound SMB traffic at the network firewall unless explicitly required.
• Disable SMBv1 on all Windows devices and verify that SMBv2 or SMBv3 is in use.
• Enable SMB signing on both clients and servers.
• Disable guest access and insecure guest logons.
• Apply all available Windows updates, prioritizing SMB-related patches.
• Review SMB share permissions and remove unnecessary access.
• Enable SMB logging and review logs for suspicious activity.
• Use a VPN for remote SMB access instead of exposing port 445 to the internet.
• Test file sharing after making changes to confirm that legitimate access still works.

FAQ

Is port 445 always dangerous?

Port 445 is not inherently dangerous when used on a trusted local network with proper security controls. The risk comes from exposing it to untrusted networks, running outdated SMB versions, or leaving known vulnerabilities unpatched. On a properly configured internal network with SMB signing enabled, updated systems, and firewall protection, port 445 serves a legitimate purpose for file sharing and network services.

Should I block port 445 on my home network?

You should block inbound port 445 at your router to prevent internet-based attacks, but you typically do not need to block it between devices on your home network if you use Windows file sharing or printers. The key is to ensure that port 445 is not reachable from outside your network and that all devices on your home network are kept up to date with security patches.

How do I know if port 445 is open on my computer?

Run netstat -an | findstr :445 in a Windows command prompt to see if any process is listening on port 445. If you see a line showing 0.0.0.0:445 or IPv6 any-address listener on port 445 in the LISTENING state, the SMB service is active. To check if the port is reachable from the internet, use an external port scanner from a different network or a public scanning service.

Can a VPN protect me from SMB attacks?

A VPN encrypts your traffic and hides your real IP address, which can protect against some network-based attacks when you are on untrusted networks like public Wi-Fi. Still, a VPN does not patch SMB vulnerabilities on your device or prevent attacks from other devices on the same local network. Use a VPN as one layer of defense, but also apply Windows updates, enable SMB signing, and configure your firewall properly.

What is the difference between port 139 and port 445?

Port 139 is used for SMB over NetBIOS, an older method that required NetBIOS over TCP/IP as a transport layer. Port 445 allows SMB to run directly over TCP without NetBIOS, which is faster and more efficient. Modern Windows systems prefer port 445, but some older systems and devices still use port 139 for compatibility. Both ports should be blocked at the internet-facing firewall to reduce attack surface.

Does disabling SMBv1 break anything important?

Disabling SMBv1 can break compatibility with very old devices such as network printers, NAS units, or Windows XP systems that do not support SMBv2 or later. Before disabling SMBv1, inventory your network devices and test file sharing to identify any dependencies. Most modern devices support SMBv2 or SMBv3, so the compatibility impact is usually minimal. If you find a device that requires SMBv1, consider upgrading the device firmware or replacing it rather than leaving SMBv1 enabled.

When to Seek Professional Help

If you manage a business network, handle sensitive data, or have already experienced a security incident involving SMB, consider consulting a network security professional. Professional assessments can identify misconfigurations, test for vulnerabilities, and design network segmentation strategies that reduce risk without breaking necessary file sharing. Penetration testing can simulate real attacks and reveal weaknesses that automated scans miss.

For home users, the built-in Windows Firewall and regular updates are usually sufficient when combined with the checklist above. If you see repeated blocked attempts on port 445 in your firewall logs, or if a port scan shows port 445 as open when it should be closed, investigate immediately and verify that your router and firewall rules are configured correctly.