Port 445 is opened on a Windows Server when using the Windows Event Collector
Article ID: 177254

Products

Security Information Manager

Issue/Introduction

Why does Symantec Security Information Manager v4.x using the Windows Event Collector (WEC) open up ports 445 and 139?

Symptoms
You are watching ports on the Windows Server that are sending events to Symantec Security Information Manager v4.x through the WEC collector and notice that port 445 and sometimes port 139 are opened.

Cause

This happens when the hostname or IP address entered in the WEC Sensor settings cannot be resolved: the Windows Server falls back to NetBIOS/SMB name lookups (ports 445 and 139) while trying to match the host name to an IP address.

Resolution

You will need to add the hostname to the host file on the machine with the WEC collector or change the Sensor settings to a hostname or IP address that is resolvable and restart both computers to clear this port.

According to Microsoft, port 445 is the microsoft-ds port (also used as a NetBIOS helper) and is used by the following services as well:

    SMB Fax Service
    SMB Print Spooler
    SMB Server
    SMB Remote Procedure Call Locator
    SMB Distributed File System
    SMB Net Logon

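The following PowerShell script is an added example (not part of the original article or of the Symantec product) for checking the two conditions described above on the machine running the WEC collector: whether the host configured in the Sensor settings resolves, and which TCP connections on 445/139 currently exist. $SensorHost and $SensorIp are placeholders to replace with your own Sensor settings values.

```powershell
# Added example, not from the KB article. Run in an elevated PowerShell on the
# machine with the WEC collector. $SensorHost / $SensorIp are placeholders.
param(
    [string]$SensorHost = 'ssim-sensor.example.local',   # placeholder hostname
    [string]$SensorIp   = '192.0.2.10'                   # placeholder (TEST-NET-1 range)
)

function Test-SensorResolution {
    # Uses .NET DNS resolution so it also works on older servers without Resolve-DnsName.
    param([string]$Name)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        return @{ Resolvable = $true; Addresses = @($addrs) }
    } catch {
        return @{ Resolvable = $false; Addresses = @() }
    }
}

function Get-SmbConnections {
    # Parse 'netstat -an' for TCP entries where either side uses port 445 or 139.
    $smbPorts = @('445', '139')
    netstat -an | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)') {
            $lport = $Matches[2]; $rport = $Matches[4]
            if (($smbPorts -contains $lport) -or ($smbPorts -contains $rport)) {
                New-Object PSObject -Property @{
                    Local  = "$($Matches[1]):$lport"
                    Remote = "$($Matches[3]):$rport"
                    State  = $Matches[5]
                }
            }
        }
    }
}

$result = Test-SensorResolution -Name $SensorHost
if ($result.Resolvable) {
    Write-Host "$SensorHost resolves to: $($result.Addresses -join ', ')"
} else {
    Write-Warning "$SensorHost does not resolve; SMB/NetBIOS name lookups on 445/139 are the likely result."
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Write-Host "Add this line to $hostsFile, then restart both computers as the article describes:"
    Write-Host "$SensorIp`t$SensorHost"
}

Write-Host "`nCurrent TCP connections involving port 445 or 139:"
Get-SmbConnections | Format-Table Local, Remote, State -AutoSize
```

If the host resolves but connections on 445/139 persist, a restart of both computers is still needed, as stated in the Resolution.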


References
Microsoft has this document on the ports for Windows:

http://support.microsoft.com/kb/832017


Technical Information
TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer. This service is only implemented in the more recent versions of Windows, starting with Windows 2000 and Windows XP. The SMB (Server Message Block) protocol is used, among other things, for file sharing in Windows NT/2K/XP. In Windows NT it ran on top of NetBT (NetBIOS over TCP/IP, ports 137, 139 and 138/udp). In Windows 2K/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.

Port 445 should be blocked at the firewall level. It can also be disabled by deleting the HKLM\System\CurrentControlSet\Services\NetBT\Parameters\TransportBindName value (the value only, not the key) in the Windows Registry.