Firewall best practices and firewall configurations can enhance network security by helping to prevent potentially malicious traffic from crossing the enterprise perimeter.
Enterprise perimeter firewalls should block unsolicited communication (from the Internet) and outgoing traffic (to the Internet) to the following SMB-associated ports:
Suggestion
Blocking these ports at the enterprise edge or perimeter firewall helps protect systems that are behind that firewall from attempts to leverage SMB for malicious purposes. Organizations can allow port 445 access to specific Azure Datacenter IP ranges (see the Azure datacenter IPs reference at the end of this page) to enable hybrid scenarios where on-premises clients (behind an enterprise firewall) use the SMB port to talk to Azure file storage.
Approaches
Perimeter firewalls typically use “Block listing” or “Approved listing” rule methodologies, or both.
Block listing: allow traffic unless a deny (block listed) rule prevents it.

| Action | Port | Service |
|---|---|---|
| Deny | 137 | name services |
| Deny | 138 | datagram services |
| Deny | 139 | session service |
| Deny | 445 | session service |
Approved listing: deny traffic unless an allow rule allows it.
To help prevent attacks that may use other ports, we recommend that you block all unsolicited communication from the Internet. We suggest a blanket deny, with allow rule exceptions (approved listing).
Note: The approved listing method in this section blocks NetBIOS and SMB traffic implicitly by not including an allow rule.

| Action | Port | Service |
|---|---|---|
| Allow | 53 | DNS |
| Allow | 21 | FTP |
| Allow | 80 | HTTP |
| Allow | 443 | HTTPS |
| Allow | 143 | IMAP |
| Allow | 123 | NTP |
| Allow | 110 | POP3 |
| Allow | 25 | SMTP |
The list of allow ports is not exhaustive. Depending on corporate needs, additional firewall entries may be needed.
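The following added example (not code from the original guidance) evaluates a few constructed flows against both rule methodologies using the port tables above, so the difference between them is visible: block listing only stops the four named ports, while approved listing stops SMB implicitly and also everything else not explicitly allowed. The Azure range, the destination addresses and the port 8080 flow are constructed stand-ins, not values from the page.

```python
import ipaddress

# Ports the guidance says to deny in the block-listing approach.
SMB_PORTS = {137: "name services", 138: "datagram services",
             139: "session service", 445: "session service"}
# Allow exceptions from the approved-listing table (not exhaustive).
ALLOWED_SERVICES = {53: "DNS", 21: "FTP", 80: "HTTP", 443: "HTTPS",
                    143: "IMAP", 123: "NTP", 110: "POP3", 25: "SMTP"}
# Constructed stand-in for the published Azure datacenter IP ranges; the
# real ranges come from the reference at the end of the page.
AZURE_FILE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def block_listing(port: int, dst: str) -> str:
    """Allow traffic unless a deny (block listed) rule prevents it."""
    return "deny" if port in SMB_PORTS else "allow"


def approved_listing(port: int, dst: str) -> str:
    """Deny traffic unless an allow rule allows it.

    NetBIOS/SMB ports are blocked implicitly: no allow rule names them.
    The single exception is TCP 445 to the Azure datacenter ranges, which
    enables the hybrid Azure file storage scenario the guidance mentions.
    """
    if port in ALLOWED_SERVICES:
        return "allow"
    if port == 445 and any(ipaddress.ip_address(dst) in net
                           for net in AZURE_FILE_RANGES):
        return "allow"
    return "deny"


def compare(flows):
    """Return (port, dst, block-listing verdict, approved-listing verdict)
    for each (port, dst) flow so the two methodologies can be compared."""
    return [(port, dst, block_listing(port, dst), approved_listing(port, dst))
            for port, dst in flows]


if __name__ == "__main__":
    # Constructed sample flows (documentation addresses, not real hosts).
    sample = [(445, "198.51.100.7"),   # SMB to an arbitrary Internet host
              (445, "203.0.113.10"),   # SMB to the constructed Azure range
              (443, "198.51.100.7"),   # HTTPS, allowed by both approaches
              (8080, "198.51.100.7")]  # a port neither table mentions
    for row in compare(sample):
        print("port %5d -> %-14s block-listing: %-5s approved-listing: %s" % row)
```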
Impact of workaround
Several Windows services use the affected ports. Blocking connectivity to the ports may prevent various applications or services from functioning. Some of the applications or services that could be affected include the following:
- Applications that use SMB (CIFS)
- Applications that use mailslots or named pipes (RPC over SMB)
- Server (file and print sharing)
- Group Policy
- Net Logon
- Distributed File System (DFS)
- Terminal server licensing
- Print spooler
- Computer browser
- Remote procedure call locator
- Fax service
- Indexing service
- Performance logs and alerts
- Systems Management Server
- License logging service
How to undo the workaround
Unblock the ports at the firewall. For more information about ports, see TCP and UDP port assignments.
References
- Azure remote apps: https://azure.microsoft.com/en-us/documentation/articles/remoteapp-ports/
- Azure datacenter IPs: http://go.microsoft.com/fwlink/?LinkId=825637
- Microsoft Office 365 URLs and IP address ranges: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2