CSA 5.2 Rule TCP 139

Unanswered Question
Jul 17th, 2007
User Badges:

What is the best way to create an exception rule for NetBIOS on the CSAMC? NetBIOS needs to be enabled because of resolving IP's within rules on the CSAMC.

The process 'System' (as user NT AUTHORITY\SYSTEM) attempted to initiate a connection as a client on TCP port 139 to X.X.X.X using interface Wired\Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client). The operation was denied

Any help would be appreciated. i really dont want to create this rule not to see just incase something running over TCP 139.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
tsteger1 Tue, 07/17/2007 - 09:12
User Badges:
  • Red, 2250 points or more

Hi Kerraj,

I don't think the deny rule for a host acting as a client for the NetBIOS session service is normal.

What rule module/policy is triggering it?

Is the system state normal?


kerraj2004 Tue, 07/17/2007 - 09:37
User Badges:

Hey Tom,

Its Rule 290 Network Access Control rule for the CSAMC Security Module.

Its happening on my CSAMC5.2



tsteger1 Tue, 07/17/2007 - 11:09
User Badges:
  • Red, 2250 points or more

Hi Adam,

If you are accessing shared resources on other Windows boxes from the MC, a connection on 139 to that address makes sense.

If it is connecting to random addresses with no action on your part, that is problematic.

Is your MC using DHCP?

I have NetBIOS over TCP/IP enabled with a static IP and the only ports my MC has tried to connect to are 80 for WSUS, 139 and 445 for a drive mapping (one time only) and 123 for time.


kerraj2004 Tue, 07/17/2007 - 12:04
User Badges:

Hey Tom,

Yes my MC does have a static address and its trying to get to my domain controller on 139.

My CSAMC has NetBIOS over TCP/IP enabled but these server both my CSAMC and my remote CSADB is chatty.

Do you have a remote DB and if so did you allow WSUS access to scan this server along with 445?

Thanks for you helpful response

tsteger1 Tue, 07/17/2007 - 13:28
User Badges:
  • Red, 2250 points or more

Hey Adam, I have a local db (I'm setting up a remote one on a VM this week to test).

I allow connections on port 80 to a WSUS server to recieve updates, 139 and 445 to the one Windows server for accessing a file share, and 123 to our time server, but nothing else.

I don't see this as unacceptable risk. I think you could safely allow the traffic to your domain controller or deny and not log it if it doesn't affect function.

Are your MC and DB being chaty to the domain controller or to other hosts as well?

kerraj2004 Wed, 07/18/2007 - 06:07
User Badges:

Hey Tom,

I appreciate your efforts!

My MC is trying to contact another server on TCP 139 which has nothing to do with CSA and runs a different Application.

No the MC and DB are pretty much just being chatty with a domain controller on TCP139 and TCP 389.


tsteger1 Wed, 07/18/2007 - 07:18
User Badges:
  • Red, 2250 points or more

Is the other server on the same subnet?

tsteger1 Wed, 07/18/2007 - 09:34
User Badges:
  • Red, 2250 points or more

Then this sounds like Master Browser election or some other local traffic.

If everything is working OK I'd just filter the events out however you see fit.

A specific block and no log rule should do it.

That way you'll see if something is running on 139 to any other hosts.



This Discussion