Guidelines for blocking specific firewall ports to prevent SMB traffic from leaving the corporate environment

Summary
Attackers can abuse the Server Message Block (SMB) protocol, for example to reach SMB servers outside the corporate network.

Firewall best practices and firewall configurations can enhance network security by helping to prevent potentially malicious traffic from crossing the enterprise perimeter. 

Enterprise perimeter firewalls should block unsolicited communication (from the Internet) and outgoing traffic (to the Internet) to the following SMB-associated ports:

  • 137
  • 138
  • 139
  • 445

More information
These ports can be used to initiate a connection with a potentially malicious Internet-based SMB server. SMB traffic should be restricted to private networks or virtual private networks (VPNs). 

Suggestion 

Blocking these ports at the enterprise edge or perimeter firewall helps protect systems that are behind that firewall from attempts to leverage SMB for malicious purposes. Organizations can allow port 445 access to specific Azure Datacenter IP ranges (see the following reference) to enable hybrid scenarios where on-premises clients (behind an enterprise firewall) use the SMB port to talk to Azure file storage.

Approaches 

Perimeter firewalls typically use “Block listing” or “Approved listing” rule methodologies, or both. 

Block listing 
Allow traffic unless a deny (block listed) rule prevents it. 

Example 1
Allow all
Deny 137 name services
Deny 138 datagram services
Deny 139 session service
Deny 445 session service

Approved listing 
Deny traffic unless an allow rule allows it. 

To help prevent attacks that may use other ports, we recommend that you block all unsolicited communication from the Internet. We suggest a blanket deny, with allow rule exceptions (approved listing). 

Note: The approved listing method in this section blocks NetBIOS and SMB traffic implicitly by not including an allow rule. 

Example 2
Deny all
Allow 53 DNS
Allow 21 FTP
Allow 80 HTTP
Allow 443 HTTPS
Allow 143 IMAP
Allow 123 NTP
Allow 110 POP3
Allow 25 SMTP

The list of allow ports is not exhaustive. Depending on corporate needs, additional firewall entries may be needed.
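To make the two methodologies concrete, the following added example (not part of the original article) models Example 1, Example 2 and the Azure hybrid exception as ordered first-match rule sets and audits which SMB-associated ports each one still lets out. The rule names, the `smb_exposure` helper and the 203.0.113.0/24 range (a documentation range standing in for a real Azure datacenter range) are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Ports the article says to block at the perimeter, with the service each carries.
SMB_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram service",
             139: "NetBIOS session service", 445: "SMB over TCP"}

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    port: Optional[int] = None  # None matches any port (catch-all rule)
    dst: Optional[str] = None   # destination CIDR; None matches any address

    def matches(self, port, dst_ip):
        if self.port is not None and self.port != port:
            return False
        if self.dst is not None and \
                ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return True

def evaluate(rules, port, dst_ip="192.0.2.10"):
    """First-match evaluation: the first matching rule decides; no match means deny."""
    for rule in rules:
        if rule.matches(port, dst_ip):
            return rule.action
    return "deny"

# Example 1 (block listing): deny the SMB ports, allow everything else.
# In a first-match engine the catch-all allow must come LAST or it shadows the denies.
BLOCK_LIST = [Rule("deny", p) for p in SMB_PORTS] + [Rule("allow")]

# The same rules with the catch-all first: every deny is shadowed (a common misconfiguration).
MISORDERED = [Rule("allow")] + [Rule("deny", p) for p in SMB_PORTS]

# Example 2 (approved listing): only the listed services pass; SMB is denied implicitly.
APPROVED_LIST = [Rule("allow", p) for p in (53, 21, 80, 443, 143, 123, 110, 25)] + [Rule("deny")]

# Hybrid scenario from the article: 445 allowed only towards a specific destination range.
# 203.0.113.0/24 is a constructed placeholder for a real Azure datacenter IP range.
AZURE_RANGE = "203.0.113.0/24"
HYBRID_LIST = [Rule("allow", 445, AZURE_RANGE)] + APPROVED_LIST

def smb_exposure(rules, dst_ip="192.0.2.10"):
    """Audit helper: SMB-associated ports the policy still allows towards dst_ip."""
    return sorted(p for p in SMB_PORTS if evaluate(rules, p, dst_ip) == "allow")
```

Running `smb_exposure` against a candidate policy before deployment is a cheap check that the perimeter rules really close 137, 138, 139 and 445 and that any hybrid exception is scoped to the intended destination range only.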

Impact of workaround

Several Windows services use the affected ports. Blocking connectivity to the ports may prevent various applications or services from functioning. Some of the applications or services that could be affected include the following:
  • Applications that use SMB (CIFS)
  • Applications that use mailslots or named pipes (RPC over SMB)
  • Server (file and print sharing) 
  • Group Policy
  • Net Logon
  • Distributed File System (DFS)
  • Terminal server licensing 
  • Print spooler 
  • Computer browser 
  • Remote procedure call locator 
  • Fax service 
  • Indexing service 
  • Performance logs and alerts 
  • Systems Management Server
  • License logging service 

How to undo the workaround

Unblock the ports at the firewall. For more information about ports, see TCP and UDP port assignments.

References

Azure remote apps https://azure.microsoft.com/en-us/documentation/articles/remoteapp-ports/

Azure datacenter IPs http://go.microsoft.com/fwlink/?LinkId=825637

Microsoft Office 365 URLs and IP address ranges https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2

Properties

Article ID: 3185535 - Last Review: 08/31/2016 23:11:00 - Revision: 2.0

Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation, Windows 8.1 Enterprise, Windows 8.1 Pro, Windows 8.1, Windows RT 8.1, Windows Server 2012 Datacenter, Windows Server 2012 Standard, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2008 R2 Service Pack 1, Windows 7 Service Pack 1, Windows Server 2008 Service Pack 2, Windows Vista Service Pack 2
