What is Port 139?
Port 139 is a TCP port in the Windows operating system associated with the NetBIOS Session Service. The official service name for port 139 is ‘netbios-ssn,’ and the port number is registered with the Internet Assigned Numbers Authority (IANA).
The NetBIOS Session Service listens on TCP port 139 and provides the following key functions:
- Facilitates NetBIOS name resolution between nodes on a local area network.
- Establishes sessions for NetBIOS services like file and print sharing.
- Enables communication between NetBIOS applications.
- Supports SMB file sharing, network browsing, RPC services, Windows services, and other network services that rely on NetBIOS.
Key Takeaways
- Port 139 is officially known as the NetBIOS Session Service port and is used for NetBIOS services over TCP/IP.
- It enables NetBIOS name resolution, facilitates communication between nodes on a LAN, and provides file, print, and other vital network services.
- Port 139 is considered a major security vulnerability and, if left unprotected by a firewall, a prime target for cyber attacks.
- Common cyber threats that target port 139 include ransomware, worms, remote access trojans, and man-in-the-middle attacks.
- Proper security measures like firewall rules, patch management, and endpoint protection are essential to secure port 139.
- Disabling or blocking port 139 in Windows networks may disrupt vital network services like file and print sharing. Proper precautions should be taken before blocking the port.
- With the dominance of Active Directory and DNS, continued use of port 139 is diminishing but still relevant in some legacy systems and applications.
A Brief History of NetBIOS and Port 139
NetBIOS stands for Network Basic Input/Output System and was developed in the early 1980s to enable communication and resource sharing between computers on early local area networks.
When TCP/IP networking became more commonplace in the late 1980s and early 1990s, NetBIOS was adapted to run over TCP/IP networks. This is referred to as NetBIOS over TCP/IP or NBT for short.
Port 139 was designated as the standard port for the NetBIOS session service when NetBIOS was adapted for TCP/IP networks. This enabled nodes to establish NetBIOS-based sessions for communication and services.
In Windows networks, the NetBIOS Session Service listens on TCP port 139 and provides vital functionality for Windows networking. It facilitates name resolution, communication, file sharing, print sharing, and other services that rely on NetBIOS.
The Role of Port 139 in Windows Networking
In a Windows network environment, port 139 plays an important role in enabling vital networking services that rely on NetBIOS.
Here are some examples:
File and Printer Sharing
One primary use of port 139 is to allow Windows computers on a LAN to share files and printers. When you share a folder or printer in Windows, clients connect to it using NetBIOS over TCP/IP and port 139.
Windows Authentication
Windows uses NetBIOS for authentication and access control to shared files and printers. When accessing a shared resource, the NetBIOS session service on port 139 transmits credentials and authenticates the user.
SMB Protocol
The SMB protocol heavily relies on NetBIOS and port 139 for Windows file sharing and print sharing. SMB sessions are established over NetBIOS utilizing TCP port 139.
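The session setup that precedes SMB on port 139 can be decoded from a packet capture. The following is an added example, not code from the original article: it parses the NetBIOS Session Service framing defined in RFC 1002 and decodes the called and calling names in a Session Request. The host names FILESRV01 and WS-042 are constructed sample values.

```python
import struct

# Session-service packet types defined in RFC 1002.
PACKET_TYPES = {0x00: "SESSION MESSAGE", 0x81: "SESSION REQUEST",
                0x82: "POSITIVE SESSION RESPONSE", 0x83: "NEGATIVE SESSION RESPONSE",
                0x84: "RETARGET SESSION RESPONSE", 0x85: "SESSION KEEP ALIVE"}

def encode_name(name, suffix):
    """First-level encoding: pad the name to 15 bytes, append the suffix byte,
    then turn every nibble into a letter 'A'..'P'."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    body = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return b"\x20" + body + b"\x00"      # length byte 32, encoded name, root label

def decode_name(field):
    """Inverse of encode_name; returns (name, suffix)."""
    if len(field) != 34 or field[0] != 0x20 or field[33] != 0x00:
        raise ValueError("malformed NetBIOS name field")
    body = field[1:33]
    if any(not 0x41 <= c <= 0x50 for c in body):
        raise ValueError("encoded name contains a byte outside 'A'..'P'")
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_session_packet(data):
    """Parse one session-service packet as seen at the start of a port 139 stream."""
    if len(data) < 4:
        raise ValueError("short header")
    ptype, flags, length = struct.unpack(">BBH", data[:4])
    length |= (flags & 0x01) << 16       # low flag bit extends length to 17 bits
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    info = {"type": PACKET_TYPES.get(ptype, "UNKNOWN"), "length": length}
    if ptype == 0x81:                    # request carries called + calling names
        if length != 68:                 # assumption: names without a scope ID
            raise ValueError("session request must carry two 34-byte names")
        info["called"] = decode_name(payload[:34])
        info["calling"] = decode_name(payload[34:])
    return info

# Constructed sample: workstation WS-042 asks for a session with FILESRV01<20>.
SAMPLE_REQUEST = (struct.pack(">BBH", 0x81, 0, 68)
                  + encode_name("FILESRV01", 0x20) + encode_name("WS-042", 0x00))
```

A Session Request at the start of a TCP stream is what distinguishes SMB carried over NetBIOS on port 139 from SMB sent directly over TCP port 445, which has no such name exchange.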
Windows Services
Many Windows services, like Server Message Block (SMB), rely on NetBIOS and use the session service on port 139. Thus, port 139 is critical for vital Windows server functions.
Network Browsing
Windows machines use port 139 for network browsing, i.e., viewing other computers and shared resources on the LAN. The NetBIOS session service resolves names and facilitates browsing.
Remote Administration
Administrators use port 139 for remote management tools that rely on NetBIOS, such as the Windows ADMIN$ share, Remote Desktop, Windows Remote Management (WinRM), and more.
When is Port 139 Used?
Some key situations and network activities rely on TCP port 139 being open:
- Connecting to shared folders or printers: Port 139 allows NetBIOS name resolution so clients can locate and connect to shared folders and printers on Windows servers and workstations. The NetBIOS session established over port 139 also handles authentication.
- Browsing the network: When viewing other computers and shared resources on the LAN, NetBIOS name queries are resolved using port 139.
- Using remote administration tools: Management tools like Remote Desktop, WinRM, and others depend on port 139 being available. The ADMIN$ share used for remote management leverages port 139.
- Running Windows services: Core Windows services like Server Message Block (SMB), which enable file/print sharing, are heavily dependent on NetBIOS sessions over port 139.
- Legacy applications: Older Windows applications designed to run over NetBIOS may require port 139 to be open in order to function properly.
What are the Potential Vulnerabilities of Port 139?
Despite its necessity in Windows environments, port 139 is considered a security risk if left unprotected by a firewall. Since it allows file sharing and resource access, port 139 can be vulnerable to cyber-attacks.
Some examples of potential threats that target port 139 include:
- Ransomware: Malware that encrypts files can spread rapidly via open file shares on port 139. WannaCry and other ransomware worms scan for open port 139 to propagate.
- Unauthorized access: Attackers can exploit open port 139 to gain unauthorized access to file shares without credentials.
- DDoS attacks: Port 139 can be leveraged to amplify DDoS attacks. By flooding UDP port 139, an attacker can trigger excessive TCP SYN-ACK responses.
- Man-in-the-middle attacks: Unencrypted NetBIOS traffic over port 139 can be intercepted and monitored to steal data and credentials.
- Remote code execution: Bugs in NetBIOS implementations could allow remote code execution attacks via port 139.
What are the Best Practices for Securing Port 139?
Here are some best practices for locking down port 139:
- Use a firewall: Configure incoming and outgoing firewall rules to block unauthorized access to port 139. Allow access only from trusted IP addresses or subnets.
- Disable NetBIOS over TCP/IP: If possible, disable NBT completely and rely on DNS/WINS. Otherwise, restrict NBT to authorized interfaces only.
- Virtualize SMB shares: Rather than expose entire SMB shares, grant access only to necessary files/folders.
- Require SMB signing: Enforce SMB packet signing to prevent tampering and man-in-the-middle attacks.
- Limit SMB versions: Only allow the latest SMB version (SMBv3) and disable outdated versions like SMBv1.
- Disable unused services: Identify and disable any unnecessary services dependent on NetBIOS like File and Printer Sharing.
- Apply latest OS and SMB patches: Maintain patched and updated versions of Windows and SMB to eliminate security flaws.
- Use VPNs for remote access: Provide remote workers with VPN access rather than opening NetBIOS ports externally.
- Monitor traffic: Inspect incoming and outgoing connections to port 139 using firewall logs or an IDS/IPS.
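The firewall and monitoring items above can be checked together by reviewing firewall logs for port 139 traffic that involves addresses outside the trusted subnets. The following is an added example, not code from the original article: it assumes the Windows Defender Firewall text log layout (pfirewall.log), and the trusted subnet and all log lines are constructed sample values.

```python
import ipaddress

# Assumption: the only subnet allowed to reach the NetBIOS Session Service.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample in the Windows Defender Firewall log layout (pfirewall.log).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 09:00:01 ALLOW TCP 10.20.0.15 10.20.0.5 50211 139 0 - 0 0 0 - - - RECEIVE
2024-05-01 09:00:07 ALLOW TCP 203.0.113.77 10.20.0.5 41822 139 0 - 0 0 0 - - - RECEIVE
2024-05-01 09:00:09 DROP TCP 198.51.100.4 10.20.0.5 60100 139 60 S 123 0 8192 - - - RECEIVE
2024-05-01 09:01:30 ALLOW TCP 10.20.0.5 192.0.2.80 50400 139 0 - 0 0 0 - - - SEND
2024-05-01 09:02:00 ALLOW TCP 10.20.0.5 192.0.2.80 50401 443 0 - 0 0 0 - - - SEND
"""

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                      # unparsable peer is reported, not skipped
    return any(addr in net for net in TRUSTED_NETS)

def port139_findings(log_text):
    """Return (time, finding, peer) for port 139 traffic involving untrusted peers."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]     # column names come from the log header
            continue
        if not fields or not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("protocol") != "TCP" or rec.get("dst-port") != "139":
            continue
        path = rec.get("path")
        if path == "RECEIVE":
            peer = rec.get("src-ip", "")
            kind = ("untrusted-inbound-allowed" if rec.get("action") == "ALLOW"
                    else "untrusted-inbound-blocked")
        elif path == "SEND":
            peer, kind = rec.get("dst-ip", ""), "outbound-to-untrusted"
        else:
            continue
        if not is_trusted(peer):
            findings.append((rec.get("time"), kind, peer))
    return findings
```

An `untrusted-inbound-allowed` finding means the firewall scope for port 139 is wider than the trusted subnets, and `outbound-to-untrusted` shows NetBIOS sessions leaving the network that an egress rule should stop.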
What Happens When Port 139 is Blocked?
Since port 139 is so commonly used for vital Windows services, blocking it without caution can cause undesirable effects:
- No file/print sharing: Blocking port 139 completely disables the ability to share folders and printers in Windows environments.
- Network browsing fails: Users will not be able to browse for other computers and shared resources on the LAN.
- Access denied errors: Attempts to connect to normal shared resources will be met with “Access Denied” errors if port 139 is blocked.
- Windows services disrupted: Core services like Server Message Block (SMB) that rely on NetBIOS will fail, causing widespread problems.
- Legacy application failure: Older apps that require NetBIOS may stop working properly if they cannot access port 139.
- No remote management: Blocking port 139 breaks remote admin tools that depend on services like ADMIN$, WMI, and RPC over NetBIOS.
- Troubleshooting difficulties: IT support teams find it more difficult to troubleshoot Windows networking issues when port 139 is blocked.
When is it Acceptable to Block Port 139?
There are a handful of scenarios where it may be acceptable to block access to port 139:
- Securing public cloud virtual machines: Cloud VMs that need to be locked down can block inbound port 139 but allow outbound.
- Isolating test/development resources: Blocking port 139 can help isolate non-production systems but may cause failures.
- On Linux/Unix machines: Since NetBIOS is a Windows technology, Linux/Unix systems can block port 139.
- Non-Windows networks: On networks with no Windows clients, blocking 139 should have minimal impact.
- Non-domain joined systems: Standalone systems may be able to function with port 139 blocked but with limitations.
- When migrating away from NetBIOS: During phased migrations from NetBIOS to DNS/AD, port 139 can be blocked incrementally.
- Containing malware outbreaks: Blocking 139 temporarily could help prevent worm malware from spreading but has tradeoffs.
The risks of blocking port 139 need to be carefully assessed first, with potential service disruptions considered. In most cases, more targeted hardening is preferred over completely blocking the port.
Alternatives to Port 139 for Windows Networking
Modern Windows networks should move away from legacy NetBIOS dependencies whenever possible. Some alternatives include:
- Active Directory: AD relies on DNS and LDAP for name resolution and authentication rather than NetBIOS.
- DNS: Using DNS names for resource location avoids reliance on NetBIOS name service.
- LDAP: For identity management and authentication, LDAP is more secure than cleartext NetBIOS.
- SMB over Direct TCP: SMB can be configured to use TCP port 445 directly rather than port 139.
- Virtually hosted file shares: Use virtual SMB shares through tools like DFS rather than exposing entire volumes.
- Encrypting traffic: Require SMB encryption via SMBv3 rather than passing data in cleartext over NetBIOS.
- Non-Windows protocols: Samba on Linux can replace insecure NetBIOS SMB with standard CIFS file sharing.
Migrating to more modern technologies like Active Directory and DNS can provide alternatives to risky NetBIOS dependencies in enterprise environments. But port 139 still serves a purpose for legacy systems.
What is the Future of Port 139?
With the widespread adoption of Active Directory, there has been diminishing reliance on NetBIOS and port 139 in modern Windows networking. But it remains relevant for:
- Legacy systems: Systems running older OS versions that still require NetBIOS. Windows XP/2003 are common examples.
- Backward compatibility: Newer Windows versions still support NetBIOS services for backward compatibility with legacy systems.
- Non-domain systems: Standalone systems and workgroups still leverage NetBIOS for local file/print sharing.
- Small business networks: Small businesses may still utilize port 139 heavily in non-domain environments.
So, while port 139 usage is declining, Microsoft still maintains support for NetBIOS over TCP/IP, even in the latest Windows versions. It is not yet fully obsolete.
Microsoft recommends moving to more modern technologies like Active Directory and DNS whenever possible. But realistically, port 139 and NetBIOS are still entrenched in many IT environments for the foreseeable future due to legacy compatibility needs. It remains a relevant Windows networking port today.
Final Thoughts
Port 139 is an integral component of Windows networking that enables vital services like file/print sharing by providing NetBIOS name resolution and session establishment over TCP/IP networks.
While its usage is declining in modern environments, legacy compatibility necessitates continued support for port 139 and NetBIOS in many organizations. Given its inherent vulnerabilities, securing port 139 with firewalls and other precautions is crucial.
A measured, risk-based approach is required when considering blocking port 139, as completely disabling it can cause major disruptions. Migrating to more secure protocols like Active Directory and modern SMB is ideal, but many networks still leverage port 139 and will continue doing so for the foreseeable future.
Frequently Asked Questions About Port 139
Here are some common questions about port 139 and NetBIOS:
What is NetBIOS, and what does it have to do with port 139?
NetBIOS (Network Basic Input/Output System) is a legacy networking protocol developed by IBM to enable communication and resource sharing between computers on a local area network. In the 1990s, when NetBIOS was adapted to run over TCP/IP networks, port 139 was designated as the standard port for NetBIOS session services. Port 139 provides name resolution, session establishment, and transport for NetBIOS-based services like Windows file/print sharing.
Is port 139 TCP or UDP?
Port 139 uses TCP (Transmission Control Protocol). The NetBIOS Session Service listens for incoming session requests using TCP on port 139. UDP (User Datagram Protocol) was originally used for NetBIOS name resolution but this was later replaced by port 137 UDP for NetBIOS Name Service.
What port replaced NetBIOS?
There is no direct 1:1 replacement for NetBIOS functionality. Modern Windows networks use several technologies that provide alternatives:
- Active Directory and DNS for name resolution and domain services.
- SMB directly over TCP 445 for file/print sharing traffic.
- LDAP for authentication and identity management.
Should port 139 be open or closed?
It depends on your specific networking needs. Port 139 is commonly left open in Windows networks to allow vital functionality like file sharing. However, if unprotected, it can pose security risks. A secure firewall policy that selectively allows and denies access based on business needs is recommended over fully blocking or opening the port.
What uses port 139?
The primary uses of port 139 include:
- NetBIOS name resolution
- Establishing sessions for Windows services like file/print sharing
- SMB traffic for Windows file sharing
- Enabling network browsing and resource discovery
- Remote administration tools that rely on services like ADMIN$
What happens if port 139 is closed?
Some major impacts if port 139 is fully closed include:
- No file or printer sharing between Windows systems
- Failure of Windows services like Server Message Block
- Inability to browse the network or discover shared resources
- Legacy applications that can no longer use NetBIOS may fail
- Remote management tools like ADMIN$ share will stop working
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.