SMB sharing is not accessible when TCP port 445 is listening in Windows Server

Vrijedi za: Windows Server Standard 2016Windows Server 2008 Datacenter without Hyper-VWindows Server 2008 Enterprise Više

Symptoms


You can't access a Server Message Block (SMB) shared resource even when the shared resource is enabled on the target Windows Server. When you run the netstat command to show the network connections, the results show that TCP port 445 is listening. However, network traces show that communication on TCP port 445 is failing as follows:

Source Destination Protocol Description
Client SERVER TCP TCP:Flags=......S., SrcPort=62535, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=4085616235, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
Client SERVER TCP TCP:[SynReTransmit #600]Flags=......S., SrcPort=62535, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=4085616235, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
Client SERVER TCP TCP:[SynReTransmit #600]Flags=......S., SrcPort=62535, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=4085616235, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192


After you enable the auditing of Filtering Platform Policy Change events by using the following command, you may experience some events (such as event ID 5152) that indicate blocking.

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable

Example of event ID 5152:

Event log

Event source

Event ID

Message text

Security

Microsoft-Windows-Security-Auditing

5152

Description:
The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 0
Application Name: -
Network Information:
Direction: Inbound
Source Address: 192.168.88.50
Source Port: 52017
Destination Address: 192.168.88.53
Destination Port: 445
Protocol: 6

Filter Information:
Filter Run-Time ID: 67017
Layer Name: Transport
Layer Run-Time ID: 12

Cause


This issue occurs because the Adylkuzz malware that leverages the same SMBv1 vulnerability as Wannacrypt adds an IPSec policy that's named NETBC that blocks incoming traffic on the SMB server that's using TCP port 445. Some Adylkuzz-cleanup tools can remove the malware but fail to delete the IPSec policy. For details, see Win32/Adylkuzz.B.

Resolution


To fix this issue, follow these steps:

  1. Install the security update MS17-010 version appropriate to the operating system.
  2. Follow the steps on the "What to do now tab" of Win32/Adylkuzz.B.
  3. Run a scan by using the Microsoft Security Scanner.
  4. Check whether the IPSec policy blocks the TCP port 445 by using the following commands (and see the cited results for examples).

    netsh ipsec static show policy all

    Policy Name : netbc
    Description: NONE
    Last Modified: 5/24/2017 4:33:45 AM
    Assigned : YES
    Master PFS: NO
    Polling Interval: 180 minutes

    netsh ipsec static show filterlist all level=verbose

    FilterList Name: block
    Description: NONE
    Store: Local Store <WIN>
    Last Modified: 5/24/2017 4:32:18 AM
    GUID: {ID}
    No. of Filters: 1
    Filter(s)
    ---------
    Description: 445
    Mirrored: YES
    Source IP Address: <IP Address>
    Source Mask: 0.0.0.0
    Source DNS Name: <IP Address>
    Destination IP Address: <IP Address>
    Destination DNS Name: <IP Address>
    Protocol: TCP
    Source Port: ANY
    Destination Port : 445

    Note When you run the commands on an uninfected server, there is no policy.

  5. If the IPSec policy exists, delete it by using one of the following methods.
    • Run the following command:

      netsh ipsec static delete policy name=netbc

    • Group Policy Editor (GPEdit.msc):

      Local Group Policy Editor/Computer Configuration/Windows Settings/Security Settings/IPSec Security

More information


Since October 2016, Microsoft has been using a new servicing model for the supported versions of Windows Server updates. This new servicing model for distributing updates simplifies the way that security and reliability issues are addressed. Microsoft recommends keeping your systems up-to-date to make sure that they are protected and have the latest fixes applied.

This threat can run the following commands:

netsh ipsec static add policy name=netbc
netsh ipsec static add filterlist name=block
netsh ipsec static add filteraction name=block action=block
netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
netsh ipsec static set policy name=netbc assign=y

It can also add firewall rules to allow connections by using these commands:

netsh advfirewall firewall add rule name="Chrome" dir=in program="C:\Program Files (x86)\Google\Chrome\Application\chrome.txt" action=allow
netsh advfirewall firewall add rule name="Windriver" dir=in program="C:\Program Files (x86)\Hardware Driver Management\windriver.exe" action=allow