Windows Fundamentals · beginner · ~11 min
Explain the two protocols that dominate Windows networks and their security pitfalls.
SMB (445) is Windows file sharing and inter-host communication (shares, NTLM/Kerberos authentication; SMBv1 is insecure and should be disabled). RDP (3389) is graphical remote access (a top ransomware vector when internet-exposed). Both are primary lateral-movement channels.
SMB enumeration surfaces shares, files, and credentials on internal networks, and SMB auth underlies pass-the-hash/relay; RDP is a leading external entry point. Spotting 445/3389 shapes internal testing and lateral movement.
SMB (445): shares, NTLM/Kerberos auth; disable SMBv1 (EternalBlue).
RDP (3389): interactive access; keep off the internet, require MFA (BlueKeep).
Lateral movement: both channels carry it once you hold creds.
Enumeration: SMB shares are a credential/data goldmine.
Two protocols carry most Windows network activity — and most Windows attacks.
Server Message Block is Windows file/printer sharing and inter-machine communication. Over SMB you find shares, authenticate, and (with rights) run remote commands.
Remote Desktop Protocol gives a graphical interactive session.
On an internal test, SMB enumeration finds data and footholds, and RDP/SMB are the main lateral movement channels once you have credentials. Recognising 445/3389 in a scan immediately shapes the plan.
SMB and RDP dominate Windows networks: SMB for sharing and authentication (and relay/pass-the-hash), RDP for remote sessions (and external exposure risk). Both are central to internal enumeration and lateral movement.