Windows Explorer attempts to connect to port 5985 (remote shell) of file server

  • Question

  • We have found a disturbing Windows feature.

    When one asks for the advanced security properties of a file stored on a remote file server, Windows Explorer attempts to connect to port 5985 (Windows Remote Management, used for remote shells, for instance). This causes confusion and makes the administrator think that someone is attempting to break the security of the file server.

    Is there any way to disable this behaviour?

    Wednesday, July 31, 2019 1:40 PM

All replies

  • Not specifically. You would need to block access to port 5985, which would shut down pretty much all remote server management functions, not just examination of advanced security (which, by the way, is essentially a WRM interface to manage specific permissions on the server).
    Wednesday, July 31, 2019 1:53 PM
  • Of course, we have blocked that port. But the logs in the firewall with attempts to access port 5985 create the impression that someone is attempting to break into a server, causing confusion and wasted time. It is not expected that, just to view the detailed permissions of a file, one needs to execute a remote command.

    Wednesday, July 31, 2019 2:46 PM
  • From my search, a Windows 10 client accessing an SMB3 file share will in some cases use a WinRM connection (TCP/5985).

    This situation is only reproducible on Windows 10 clients talking to servers with the SMB3 dialect (3.0.2 and 3.1.1); it is not present on Windows 10 clients talking the SMB2.x dialect.

    To deal with this situation, you must allow clients to access TCP port 5985. Or maybe (not tested) implement a REJECT rule on the firewall that resets the TCP socket initiated by the client.

    Also check Installation and Configuration for Windows Remote Management

    https://docs.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, August 1, 2019 2:27 AM
    Moderator
  • Hello Teemo Tang,

    I cannot find a link to that information about the TCP/5985 port requirement. There is a post on answers.microsoft.com by a user asking, but no Microsoft documentation.

    Unlike the linked article, I see that behaviour with servers running Windows 2008 R2 (SMB2). Blocking WinRM does not block the connection.

    You posted a link about setting up WinRM, but the issue is that this network activity causes confusion. It looks like malicious activity. And ignoring it is taking the risk of real malicious activity being ignored.

    Thursday, August 1, 2019 2:33 PM
  • Can someone explain why?

    In order to show/edit the ACL, it should not be necessary to use WinRM at all.

    What is the purpose of using WinRM?

    Friday, August 2, 2019 1:30 PM
  • A month passed and we still do not have any answer.
    Tuesday, September 3, 2019 9:13 AM
  • Hi.

    Two things: you have not offered any versions (client, server), builds or details.

    Server build, client build please.

    And you need to disclose how you proceed - what does that mean, "asks advanced security properties".

    If I go about and setup firewall logging on my file server and someone lists the advanced security permissions of some file on it, only 445 is used, never 5985. Add details, maybe I can reproduce this.

    --

    In general, if a logfile reflects that ports that you restricted are being tried, I would not become nervous - they are closed, that is what the firewall is for. I would rather become nervous, if the log stays empty.

    About 5985: it is used by many things, for example many components of RSAT. Could it be that you are using RSAT on that machine?

    Friday, September 6, 2019 4:06 PM
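The server-side check described in this reply (firewall logging instead of procmon), as an added example that is not code from this thread or from Microsoft. Part 1 switches on Windows Firewall logging of both allowed and dropped connections on the file server. Part 2 parses pfirewall.log and separates two kinds of TCP/5985 drops: those that follow an allowed SMB (TCP/445) connection from the same client a few seconds earlier, which is the explorer.exe pattern this thread is about, and those from sources that never opened an SMB session, which is what a real WinRM probe or port scan looks like. The log path is the default one; the sample log embedded below is constructed, not captured.

```powershell
# Added example; not code from this thread or from Microsoft. Part 1 turns on Windows
# Firewall logging of allowed and dropped connections on the file server. Part 2 parses
# pfirewall.log and separates TCP/5985 drops preceded by an allowed TCP/445 connection
# from the same client (the explorer.exe pattern discussed in this thread) from drops
# with no SMB session from that source (a real WinRM probe or scan).
# Assumptions: default log path; the sample log below is constructed, not captured.

# ---- Part 1: enable logging (run once, elevated, on the file server) ----
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain, Private, Public -LogFileName $LogPath `
    -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 32767

# ---- Part 2: triage the log ----
function Get-FirewallLogEntry {
    # Parse pfirewall.log lines (space separated; '#' lines are headers) into objects.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 9) { continue }
        [pscustomobject]@{
            Time     = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Action   = $f[2]          # ALLOW or DROP
            Protocol = $f[3]
            SrcIp    = $f[4]
            DstIp    = $f[5]
            SrcPort  = [int]$f[6]
            DstPort  = [int]$f[7]
            Path     = $f[-1]         # RECEIVE or SEND
        }
    }
}

function Find-WinRmProbe {
    # For every dropped inbound TCP/5985 or TCP/5986 connection, look for an allowed
    # inbound TCP/445 connection from the same source within $WindowSeconds before it.
    param([object[]]$Entries, [int]$WindowSeconds = 30)
    $smb = @($Entries | Where-Object {
        $_.Action -eq 'ALLOW' -and $_.Protocol -eq 'TCP' -and $_.DstPort -eq 445 -and $_.Path -eq 'RECEIVE'
    })
    foreach ($drop in $Entries) {
        if ($drop.Action -ne 'DROP' -or $drop.Protocol -ne 'TCP' -or $drop.DstPort -notin 5985, 5986) { continue }
        $recentSmb = @($smb | Where-Object {
            $_.SrcIp -eq $drop.SrcIp -and $_.Time -le $drop.Time -and
            ($drop.Time - $_.Time).TotalSeconds -le $WindowSeconds
        })
        [pscustomobject]@{
            Time    = $drop.Time
            SrcIp   = $drop.SrcIp
            DstPort = $drop.DstPort
            Verdict = if ($recentSmb.Count -gt 0) { 'SMB session from same client just before: explorer.exe pattern' }
                      else                        { 'no SMB session from this source: treat as a probe' }
        }
    }
}

# Constructed sample in pfirewall.log format. For live data use: Get-Content $LogPath
$Sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-09-13 07:35:58 ALLOW TCP 10.1.20.31 10.1.10.5 50211 445 0 - 0 0 0 - - - RECEIVE
2019-09-13 07:36:01 DROP TCP 10.1.20.31 10.1.10.5 50214 5985 52 S 3318229011 0 8192 - - - RECEIVE
2019-09-13 07:36:04 DROP TCP 10.1.20.31 10.1.10.5 50214 5985 52 S 3318229011 0 8192 - - - RECEIVE
2019-09-13 07:41:12 DROP TCP 198.51.100.77 10.1.10.5 43120 5985 52 S 1193046 0 1024 - - - RECEIVE
2019-09-13 07:41:12 DROP TCP 198.51.100.77 10.1.10.5 43121 5986 52 S 1193047 0 1024 - - - RECEIVE
'@

$entries = Get-FirewallLogEntry -Lines ($Sample -split "`r?`n")
Find-WinRmProbe -Entries $entries | Format-Table -AutoSize
```

The heuristic only separates the known client pattern from everything else; it is not a reason to stop logging or to open the port, and a scanner that also touches 445 from the same address would be classified as a client. Keep the DROP rule in place and let the verdict column drive what gets triaged.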
  • Hello Ronald, thanks for asking.

    Client system is Windows 10 build number 17763

    Server system is Windows 2008 R2 build number 6.1.7601

    Steps to reproduce: Open procmon.exe from Sysinternals and select the process name explorer.exe

    In Windows Explorer, select a file or folder stored on a server, right-click, Properties, Security tab, click "Advanced Options".


    • Edited by ti2009 Friday, September 13, 2019 6:57 AM
    Friday, September 13, 2019 6:55 AM
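A procmon-free way to run the reproduction above from the client side, as an added example that is not code from this thread: it polls the client's TCP table for connections to the file server and records the owning process the first time each connection appears, so it shows which process opens the 5985 connection and whether the server accepted it. It goes slightly beyond the thread by also watching 5986 (WinRM over HTTPS). The server name is a hypothetical placeholder, and the script assumes the NetTCPIP module (Get-NetTCPConnection) that ships with Windows 10.

```powershell
# Added example; not code from this thread. Observes, without procmon, which client
# process opens connections to the file server on TCP/445, 5985 and 5986 while you
# reproduce the steps above. A SYN to a dropped port stays in SynSent while Windows
# retransmits it, long enough for 200 ms polling to catch it.
# Run in an elevated PowerShell on the Windows 10 client.
# Assumptions: $Server is a hypothetical hostname; Get-NetTCPConnection is available.

$Server      = 'fileserver01.corp.example'
$RemotePorts = 445, 5985, 5986   # SMB, WinRM over HTTP, WinRM over HTTPS
$Seconds     = 60

$ServerIPs = @(Resolve-DnsName -Name $Server -Type A_AAAA -ErrorAction Stop |
               Where-Object IPAddress | Select-Object -ExpandProperty IPAddress)
$seen   = @{}
$events = New-Object System.Collections.Generic.List[object]
$stopAt = (Get-Date).AddSeconds($Seconds)

Write-Host "Watching $Server ($($ServerIPs -join ', ')) on ports $($RemotePorts -join ', ') for $Seconds s."
Write-Host "Now right-click a file on \\$Server, Properties, Security tab, Advanced."

while ((Get-Date) -lt $stopAt) {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
      Where-Object { $ServerIPs -contains $_.RemoteAddress -and $RemotePorts -contains $_.RemotePort } |
      ForEach-Object {
        # One record per (process, local port, remote port); later polls of the same socket are skipped.
        $key = '{0}:{1}:{2}' -f $_.OwningProcess, $_.LocalPort, $_.RemotePort
        if ($seen.ContainsKey($key)) { return }
        $seen[$key] = $true
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $events.Add([pscustomobject]@{
            Time       = Get-Date -Format 'HH:mm:ss.fff'
            Process    = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            ProcessId  = $_.OwningProcess
            RemotePort = $_.RemotePort
            State      = $_.State     # SynSent = attempt only; Established = server accepted it
        })
      }
    Start-Sleep -Milliseconds 200
}

$events | Sort-Object Time | Format-Table -AutoSize
```

If the server firewall answers with a reset instead of silently dropping, the SynSent state is gone within one round trip and the poll can miss it; in that case procmon's TCP events, as used in the steps above, remain the more reliable client-side view.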
  • I don't need to use procmon to see what traffic is blocked at the server firewall - that's what the firewall logfile is meant for.

    I reproduced it.

    From my workstation, which has RSAT installed, port 5985 is being used when doing like you did.

    From a different machine without RSAT, that port is NOT used when doing like you did.

    So this might be some quirk in RSAT. Definitely, that port is not needed for that operation to succeed.

    Friday, September 13, 2019 7:36 AM
  • I have reproduced the problem on a Windows 10 machine without RSAT installed.

    This one is Windows 10 build 16299

    (I prefer to use procmon so that I can see what client program is starting the connection)

    Friday, September 13, 2019 8:30 AM
  • Well, no idea. Retry with a clean installation of 1903. We use 1903, here.

    Friday, September 13, 2019 8:32 AM
  • I have reproduced that WinRM connections are not made from Windows 1903.

    This looks dirty.

    First, Windows connects to WinRM from Windows Explorer, in a case likely to be launched by a system administrator (advanced Windows security properties). Then, silently, in release 1903, they remove the feature, except if the Remote Server Administration Tools are installed, that is, when the user is likely to be an administrator and have full permissions.

    I cannot think of an honest explanation.

    Friday, September 13, 2019 12:07 PM
  • I would not jump to conclusions, yet.

    No idea why, though.

    Friday, September 13, 2019 12:13 PM