Malicious users can use the Server Message Block (SMB) protocol for malicious purposes.
Firewall best practices and firewall configurations can enhance network security by helping to prevent potentially malicious traffic from crossing the enterprise perimeter.
Enterprise perimeter firewalls should block unsolicited communication (from the Internet) and outgoing traffic (to the Internet) to the following SMB-associated ports:
These ports can be used to initiate a connection with a potentially malicious Internet-based SMB server. SMB traffic should be restricted to private networks or virtual private networks (VPNs).
Blocking these ports at the enterprise edge or perimeter firewall helps protect systems that are behind that firewall from attempts to leverage SMB for malicious purposes. Organizations can allow port 445 access to specific Datacenter IP ranges to enable hybrid scenarios where on-premises clients (behind an enterprise firewall) use the SMB port.
Perimeter firewalls typically use “Block listing” or “Approved listing” rule methodologies, or both.
Allow traffic unless a deny (block listed) rule prevents it.
Deny 137 name services
Deny 138 datagram services
Deny 139 session service
Deny 445 session service