Guidelines for blocking specific firewall ports to prevent SMB traffic from leaving the corporate environment

Summary

Attackers can abuse the Server Message Block (SMB) protocol, and SMB traffic ordinarily has no reason to cross the enterprise perimeter.
Properly configured perimeter firewalls improve network security by preventing potentially malicious traffic from crossing the enterprise boundary.
Enterprise perimeter firewalls should block unsolicited inbound connections (from the Internet) and outbound traffic (to the Internet) on the following SMB-associated ports:
137 (NetBIOS name service, UDP)
138 (NetBIOS datagram service, UDP)
139 (NetBIOS session service, TCP)
445 (SMB over TCP, also called direct-hosted SMB)

More Information

These ports can be used to initiate a connection to a potentially malicious Internet-based SMB server. SMB traffic should be confined to private networks or virtual private networks (VPNs).

Suggestion

Blocking these ports at the enterprise edge or perimeter firewall helps protect systems behind that firewall from attempts to leverage SMB for malicious purposes. Where a hybrid scenario requires it, organizations can permit outbound port 445 traffic only to the specific datacenter IP ranges that on-premises clients (behind the enterprise firewall) need to reach, rather than opening the port to the whole Internet.

Approaches
Perimeter firewalls typically use “Block listing” or “Approved listing” rule methodologies, or both.
Block listing
Allow traffic unless a deny (block listed) rule prevents it.
Example 1
Allow all (default rule; on a first-match firewall it must be evaluated after the deny rules, or it shadows them)
Deny 137 NetBIOS name service
Deny 138 NetBIOS datagram service
Deny 139 NetBIOS session service
Deny 445 SMB over TCP (direct-hosted SMB)
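The following is an added example, not code from the Microsoft article: a small first-match policy evaluator that encodes Example 1 as a block list, with the port-445 datacenter exception from the Suggestion section placed ahead of the denies and the default "Allow all" placed last. It assumes a stateful engine (a flow is either "new", i.e. unsolicited, or "established", i.e. the reply to an already allowed flow), a hypothetical datacenter prefix 203.0.113.0/24 (RFC 5737 TEST-NET-3, standing in for whatever ranges the organization actually publishes), and constructed sample flows.

```python
"""Block-listing evaluator for the SMB ports named above.

Added example; not code from the KB. Assumes a first-match rule engine and a
hypothetical datacenter prefix (TEST-NET-3) for the port-445 hybrid exception.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Ports named in the KB. 137/138 normally carry UDP and 139/445 TCP, but the
# deny rules match the port on either transport so nothing slips through on
# the other one.
SMB_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP",
}

# Hypothetical datacenter range for the hybrid scenario (RFC 5737 TEST-NET-3,
# constructed for this example; substitute the real published ranges).
DATACENTER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Flow:
    direction: str        # "out" = leaving the enterprise, "in" = arriving from the Internet
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    state: str = "new"    # "new" = unsolicited first packet, "established" = reply to an allowed flow


Rule = Tuple[str, str, Callable[[Flow], bool]]  # (name, action, predicate)


def _in_datacenter(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DATACENTER_PREFIXES)


# Block-listing policy in the order a first-match engine has to evaluate it:
# narrow exception, connection state, explicit denies, then the default
# "Allow all". Putting "Allow all" first would shadow every deny beneath it.
RULES: List[Rule] = [
    ("allow tcp/445 to datacenter ranges (hybrid exception)", "allow",
     lambda f: f.direction == "out" and f.proto == "tcp" and f.dport == 445
     and _in_datacenter(f.dst)),
    ("allow established return traffic", "allow",
     lambda f: f.state == "established"),
    ("deny outbound SMB ports", "deny",
     lambda f: f.direction == "out" and f.dport in SMB_PORTS),
    ("deny unsolicited inbound SMB ports", "deny",
     lambda f: f.direction == "in" and f.dport in SMB_PORTS),
    ("allow all (default)", "allow", lambda f: True),
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, name of the first matching rule)."""
    for name, action, matches in rules:
        if matches(flow):
            return action, name
    raise RuntimeError("rule set has no default rule")


# Constructed sample flows; all addresses are RFC 1918 or RFC 5737 ranges.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "workstation -> Internet share (tcp/445)": Flow("out", "10.0.0.15", "198.51.100.7", "tcp", 445),
    "workstation -> Internet NetBIOS name query (udp/137)": Flow("out", "10.0.0.15", "198.51.100.7", "udp", 137),
    "workstation -> datacenter share (tcp/445)": Flow("out", "10.0.0.15", "203.0.113.20", "tcp", 445),
    "Internet host probing tcp/445": Flow("in", "198.51.100.7", "10.0.0.15", "tcp", 445),
    "workstation -> Internet HTTPS (tcp/443)": Flow("out", "10.0.0.15", "198.51.100.7", "tcp", 443),
    "datacenter reply to an allowed flow": Flow("in", "203.0.113.20", "10.0.0.15", "tcp", 49152, state="established"),
}


def decide_all(flows: Dict[str, Flow] = SAMPLE_FLOWS) -> Dict[str, str]:
    """Map each labelled flow to the action the policy takes on it."""
    return {label: evaluate(flow)[0] for label, flow in flows.items()}


if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        action, rule = evaluate(flow)
        print(f"{action:5}  {label:55} ({rule})")
```

Two points the run makes visible: UDP to port 445 is still denied even toward the datacenter range, because the exception is deliberately as narrow as the hybrid scenario needs (TCP only, listed prefixes only), and an inbound probe to 445 from an arbitrary Internet address is denied while the established reply from the datacenter to the same workstation is allowed, which is what "block unsolicited communication" amounts to on a stateful firewall.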