Guidelines for blocking specific firewall ports to prevent SMB traffic from leaving the corporate environment

Applies to: Windows 10; Windows 10, version 1511; Windows 10, version 1607


Attackers can abuse the Server Message Block (SMB) protocol.

Firewall best practices and firewall configurations can enhance network security by helping to prevent potentially malicious traffic from crossing the enterprise perimeter. 

Enterprise perimeter firewalls should block unsolicited communication (from the Internet) and outgoing traffic (to the Internet) to the following SMB-associated ports: 137 (NetBIOS name service), 138 (NetBIOS datagram service), 139 (NetBIOS session service), and 445 (SMB session service), as listed in Example 1 below.


More Information

These ports can be used to initiate a connection with a potentially malicious Internet-based SMB server. SMB traffic should be restricted to private networks or virtual private networks (VPNs). 


Blocking these ports at the enterprise edge or perimeter firewall helps protect systems that are behind that firewall from attempts to leverage SMB for malicious purposes. Organizations can allow port 445 access to specific Azure Datacenter IP ranges (see the following reference) to enable hybrid scenarios where on-premises clients (behind an enterprise firewall) use the SMB port to talk to Azure file storage.


Perimeter firewalls typically use “Block listing” or “Approved listing” rule methodologies, or both. 

Block listing 
Allow traffic unless a deny (block listed) rule prevents it. 

Example 1
Allow all
Deny 137 name services
Deny 138 datagram services
Deny 139 session service
Deny 445 session service

Approved listing 
Deny traffic unless an allow rule allows it. 

To help prevent attacks that may use other ports, we recommend that you block all unsolicited communication from the Internet. We suggest a blanket deny, with allow rule exceptions (approved listing). 

Note: The approved listing method in this section blocks NetBIOS and SMB traffic implicitly by not including an allow rule.

Example 2
Deny all
Allow 53 DNS
Allow 21 FTP
Allow 80 HTTP
Allow 443 HTTPS
Allow 143 IMAP
Allow 123 NTP
Allow 110 POP3
Allow 25 SMTP

The list of allow ports is not exhaustive. Depending on corporate needs, additional firewall entries may be needed.
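The following Python script is an added example, not part of the original article: it models the two rule methodologies, block listing (Example 1) and approved listing (Example 2), as ordered rule lists with a first-match evaluator, and also models the port 445 exception for Azure file storage described under More Information. The rule syntax, the evaluator, the sample Internet address and the Azure address range are assumptions made for illustration; the real Azure ranges come from the Azure datacenter IPs reference, not from this code.

```python
"""Added example (not from the original article): a small evaluator that models
block listing (Example 1), approved listing (Example 2) and the port 445
exception for Azure file storage. Rule syntax, evaluator and the sample
address ranges are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Ports the article associates with NetBIOS/SMB.
SMB_PORTS = (137, 138, 139, 445)


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "deny"
    port: Optional[int] = None                    # None matches any port
    dst: Optional[ipaddress.IPv4Network] = None   # None matches any destination
    note: str = ""

    def matches(self, port: int, dst_ip: ipaddress.IPv4Address) -> bool:
        if self.port is not None and self.port != port:
            return False
        if self.dst is not None and dst_ip not in self.dst:
            return False
        return True


def evaluate(rules, port, dst_ip, default):
    """First matching rule wins; otherwise the methodology's default applies."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(port, ip):
            return rule.action
    return default


# Example 1 (block listing): allow everything unless a deny rule matches.
BLOCK_LIST = [Rule("deny", p, note="NetBIOS/SMB") for p in SMB_PORTS]


def block_listing(port, dst_ip):
    return evaluate(BLOCK_LIST, port, dst_ip, default="allow")


# Example 2 (approved listing): deny everything unless an allow rule matches.
# NetBIOS/SMB ports are blocked implicitly because no allow rule names them.
APPROVED_LIST = [
    Rule("allow", 53, note="DNS"), Rule("allow", 21, note="FTP"),
    Rule("allow", 80, note="HTTP"), Rule("allow", 443, note="HTTPS"),
    Rule("allow", 143, note="IMAP"), Rule("allow", 123, note="NTP"),
    Rule("allow", 110, note="POP3"), Rule("allow", 25, note="SMTP"),
]


def approved_listing(port, dst_ip):
    return evaluate(APPROVED_LIST, port, dst_ip, default="deny")


# Hybrid scenario: port 445 is allowed only to Azure datacenter ranges.
# Constructed placeholder range (TEST-NET-3); the real ranges come from the
# "Azure datacenter IPs" reference, not from this example.
AZURE_RANGE = ipaddress.ip_network("203.0.113.0/24")

# Correct ordering: the narrow allow precedes the broad deny.
HYBRID_LIST = [Rule("allow", 445, AZURE_RANGE, "Azure file storage")] + BLOCK_LIST
# Common mistake: the deny is evaluated first, so the exception never matches.
HYBRID_LIST_WRONG_ORDER = BLOCK_LIST + [Rule("allow", 445, AZURE_RANGE, "Azure file storage")]


def hybrid(port, dst_ip, rules=HYBRID_LIST):
    return evaluate(rules, port, dst_ip, default="allow")


def exposed_smb_ports(rules, default, internet_ip="198.51.100.7"):
    """Audit helper: which NetBIOS/SMB ports would still reach an arbitrary
    Internet address (constructed TEST-NET-2 sample) under this rule set?"""
    return {p for p in SMB_PORTS if evaluate(rules, p, internet_ip, default) == "allow"}


if __name__ == "__main__":
    for name, rules, default in (("block listing", BLOCK_LIST, "allow"),
                                 ("approved listing", APPROVED_LIST, "deny"),
                                 ("hybrid", HYBRID_LIST, "allow"),
                                 ("hybrid, wrong order", HYBRID_LIST_WRONG_ORDER, "allow")):
        exposed = sorted(exposed_smb_ports(rules, default)) or "none"
        print(f"{name:20s} SMB ports reachable from the Internet: {exposed}")
    print("445 to Azure range (hybrid):", hybrid(445, "203.0.113.10"))
    print("445 to Azure range (wrong order):", hybrid(445, "203.0.113.10", HYBRID_LIST_WRONG_ORDER))
```

The two hybrid lists make the practical point: the Azure exception only works when the specific allow rule is evaluated before the general deny, and `exposed_smb_ports` is the check to run against any rule set to confirm that none of the four ports remains reachable from an Internet address.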

Impact of workaround

Several Windows services use the affected ports. Blocking connectivity to the ports may prevent various applications or services from functioning. Some of the applications or services that could be affected include the following:
  • Applications that use SMB (CIFS)
  • Applications that use mailslots or named pipes (RPC over SMB)
  • Server (file and print sharing) 
  • Group Policy
  • Net Logon
  • Distributed File System (DFS)
  • Terminal server licensing 
  • Print spooler 
  • Computer browser 
  • Remote procedure call locator 
  • Fax service 
  • Indexing service 
  • Performance logs and alerts 
  • Systems Management Server
  • License logging service 

How to undo the workaround

Unblock the ports at the firewall. For more information about ports, see TCP and UDP port assignments.


References

Azure remote apps
Azure datacenter IPs
Microsoft Office