Critical | 8 min read | Last updated May 27, 2026

SMB Port 445 Security: WannaCry, EternalBlue, and Why It Must Never Be Exposed

SMB port 445 exposed to the internet is a critical security risk linked to WannaCry and EternalBlue. Learn how to check for exposure, close it, and disable SMBv1.

What is SMB and port 445?

Server Message Block (SMB) is a network protocol used primarily for file sharing, printer access, and inter-process communication on Windows networks. Port 445 is the default port for SMB over TCP/IP (direct hosting), replacing the older NetBIOS-based approach on ports 137-139.

SMB is fundamental to how Windows networks operate. Active Directory, file servers, shared drives, and many internal applications depend on it. But SMB was designed for trusted internal networks -- not the internet.

Why SMB is infamous: WannaCry and EternalBlue

Port 445 is arguably the most dangerous port in computing history due to several devastating exploits:

EternalBlue (CVE-2017-0144)

EternalBlue is an exploit targeting a vulnerability in Microsoft's implementation of SMBv1. It was developed by the NSA and leaked by the Shadow Brokers group in April 2017. The exploit allows remote code execution -- an attacker can take complete control of a vulnerable system by sending crafted packets to port 445.

WannaCry (May 2017)

WannaCry used EternalBlue to spread as ransomware across networks worldwide. It infected over 200,000 systems in 150 countries within days, causing an estimated $4--8 billion in damages. The UK's National Health Service was severely impacted, with hospitals forced to turn away patients.

NotPetya (June 2017)

NotPetya also leveraged EternalBlue but was a destructive wiper disguised as ransomware. It caused over $10 billion in damages globally, with Maersk, Merck, and FedEx among the hardest-hit organisations.

Ongoing threats

New SMB vulnerabilities continue to emerge. SMBGhost (CVE-2020-0796) affected SMBv3.1.1 compression and allowed remote code execution. SMBleed (CVE-2020-1206) enabled memory disclosure. Any system with SMB exposed to the internet is a target for both known and future exploits.

Why SMB must NEVER be exposed to the internet

There is no valid reason to expose port 445 to the public internet. None. If your security scan shows port 445 open on a public IP, it is a critical finding requiring immediate action.

The risks:

  • Remote code execution -- EternalBlue and its successors allow complete system takeover without authentication
  • Wormable -- SMB exploits spread automatically from one vulnerable system to the next
  • Credential theft -- exposed SMB can be used to capture NTLMv2 hashes for offline cracking
  • Ransomware deployment -- the primary vector for the most damaging ransomware campaigns in history
  • Data exfiltration -- if file shares are accessible, attackers can download everything

How to check if port 445 is exposed

Using nmap

# Check your public IP for SMB exposure
nmap -p 445 your-public-ip

# Check a range
nmap -p 445 --open your-ip-range/24

# Get more detail about the SMB service
nmap -p 445 --script smb-protocols,smb-security-mode your-public-ip

Using Shodan

Search Shodan for your IP range:

port:445 net:your-ip-range/24

From the machine itself

# Windows: check if SMB is listening
netstat -an | findstr ":445"

# Linux: check if Samba is listening on all interfaces
sudo ss -tlnp | grep :445

If it shows 0.0.0.0:445, the service is accessible from every network interface.
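The listener check above, as an added example that is not part of the original article: it parses `netstat -an` and `ss -tln` output, matches port 445 exactly (so `:4450` is not counted), and also treats `[::]` and `*` as wildcard binds. The lines in `SAMPLE` are constructed, and the function names are this example's own.

```python
import ipaddress

# Constructed sample lines in the formats printed by `netstat -an` on Windows
# and `ss -tln` on Linux (not captured from a real host).
SAMPLE = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    192.168.1.20:4450      0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.9:445        ESTABLISHED
LISTEN 0      50         127.0.0.1:445        0.0.0.0:*
LISTEN 0      50      192.168.1.20:445        0.0.0.0:*
LISTEN 0      50                 *:445              *:*
"""


def local_endpoint(line):
    """Return the local address:port of a listening TCP socket, else None."""
    f = line.split()
    if len(f) >= 4 and f[0] == "TCP" and f[-1] == "LISTENING":   # netstat -an
        return f[1]
    if len(f) >= 5 and f[0] == "LISTEN":                          # ss -tln
        return f[3]
    return None


def classify(addr):
    """Bucket a bind address as wildcard, loopback or specific."""
    addr = addr.split("%")[0].strip("[]")     # drop IPv6 zone id and brackets
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                      # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"


def smb_listeners(text, port=445):
    """Return (bind address, bucket) for each listener on exactly `port`."""
    found = []
    for ep in filter(None, map(local_endpoint, text.splitlines())):
        addr, _, p = ep.rpartition(":")
        if p == str(port):
            found.append((addr, classify(addr)))
    return found


if __name__ == "__main__":
    print(smb_listeners(SAMPLE))
```

A "wildcard" result means the service is bound on every interface, so only the firewall stands between it and any network the host is attached to.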

How to close port 445

Windows Firewall

# Block inbound SMB from the internet
New-NetFirewallRule -DisplayName "Block SMB Inbound" -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress Internet -Action Block

# Verify the rule
Get-NetFirewallRule -DisplayName "Block SMB Inbound" | Format-List

If SMB is only needed on the internal network, restrict it to your private subnet:

# Allow SMB only from internal network
New-NetFirewallRule -DisplayName "Allow SMB Internal" -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -Action Allow

Linux (UFW)

# Block SMB from everywhere
sudo ufw deny 445/tcp

# Or allow only from internal network (add the allow first: UFW uses the first matching rule)
sudo ufw allow from 10.0.0.0/8 to any port 445 proto tcp
sudo ufw deny 445/tcp

Linux (iptables)

# Allow SMB only from internal network
sudo iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 445 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 445 -j DROP

# Save rules
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Cloud security groups

In AWS, Azure, or GCP, check your security groups and network security groups for rules allowing inbound TCP 445 from 0.0.0.0/0. Remove them.

This is the same principle as securing RDP and database ports -- management and internal service ports have no business being internet-accessible.
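An added example (not from the original article) of the security-group check described above, for AWS: it reads JSON shaped like the output of `aws ec2 describe-security-groups` and reports every inbound rule that reaches TCP 445 from 0.0.0.0/0 or ::/0, including port ranges and all-traffic rules that a literal search for "445" would miss. The group IDs and rules in `SAMPLE` are constructed, and the function names are this example's own.

```python
import ipaddress

SMB_PORT = 445
# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-example-a", "IpPermissions": [          # exact 445 from anywhere
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-b", "IpPermissions": [          # range that contains 445
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-c", "IpPermissions": [          # all traffic, no port fields
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-d", "IpPermissions": [          # internal SMB, public HTTPS
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}


def covers_smb(perm):
    """True if the rule's protocol and port range include TCP 445."""
    proto = perm["IpProtocol"]
    if proto == "-1":                   # all protocols; the port fields are absent
        return True
    return proto in ("tcp", "6") and perm["FromPort"] <= SMB_PORT <= perm["ToPort"]


def world_open_sources(perm):
    """Any-address sources on the rule: 0.0.0.0/0 or ::/0 (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def find_exposed_smb(doc):
    """Return (group id, port range, source) for every rule exposing 445."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if covers_smb(perm):
                ports = f'{perm["FromPort"]}-{perm["ToPort"]}' if "FromPort" in perm else "all"
                findings += [(sg["GroupId"], ports, s) for s in world_open_sources(perm)]
    return findings


if __name__ == "__main__":
    print(find_exposed_smb(SAMPLE))
```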

Router/gateway level

If possible, block port 445 at the network edge (firewall, router) as a belt-and-suspenders measure. Even if individual servers have host-based firewalls, a network-level block prevents accidental exposure from new or misconfigured systems.

Disable SMBv1 completely

Even if port 445 is firewalled, SMBv1 should be disabled entirely. It is a legacy protocol with no modern use case and is the specific version targeted by EternalBlue.

Windows Server (PowerShell)

# Check if SMBv1 is enabled
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# Disable SMBv1
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Verify
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

Windows 10/11

# Disable SMBv1 client and server via Windows Features
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# Or via DISM
dism /online /Disable-Feature /FeatureName:SMB1Protocol

Linux (Samba)

Edit /etc/samba/smb.conf:

[global]
    # Minimum SMB protocol version (disable SMBv1)
    server min protocol = SMB2_10
    client min protocol = SMB2_10

Restart Samba:

sudo systemctl restart smbd

If you need file sharing: use alternatives

If your use case is sharing files with remote users, there are far safer options than exposing SMB:

  • VPN -- connect to the corporate network via WireGuard or OpenVPN, then access SMB shares over the VPN tunnel
  • SFTP -- secure file transfer over SSH, no additional ports needed if SSH is properly secured
  • Cloud storage -- SharePoint, Google Drive, Dropbox Business, or similar services designed for remote access
  • HTTPS-based file sharing -- tools like Nextcloud provide a web interface with proper authentication
  • Azure Files with SMB over QUIC -- if you must use SMB remotely, Azure Files supports SMB over port 443 (QUIC), which is a much safer approach than exposing port 445

Verify the fix

After blocking port 445 and disabling SMBv1:

# From outside your network -- should show "filtered" or "closed"
nmap -p 445 your-public-ip

# Verify SMBv1 is disabled (from the server)
# Windows:
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
# Should return False

Check Shodan for your IP -- it may take a few days to update, but port 445 should disappear from your listing.

For a comprehensive view of all your exposed ports, see our guide on open ports security.

How SurfaceScan helps

SurfaceScan scans your entire external attack surface for exposed SMB services on port 445 and the legacy NetBIOS ports (137-139). An exposed SMB finding is flagged as critical severity due to the direct link to wormable exploits like EternalBlue. SurfaceScan also detects the SMB protocol version in use, so you know if SMBv1 is still active. Findings appear in the Network Security section with step-by-step remediation guidance, and continuous monitoring ensures you are alerted if SMB is accidentally re-exposed after a network change.
