Guidelines for blocking specific firewall ports to prevent SMB traffic from leaving the corporate en

Summary
Attackers can abuse the Server Message Block (SMB) protocol for malicious purposes.

Firewall best practices and firewall configurations can enhance network security by helping to prevent potentially malicious traffic from crossing the enterprise perimeter. 

Enterprise perimeter firewalls should block unsolicited communication (from the Internet) and outgoing traffic (to the Internet) to the following SMB-associated ports:

137
138
139
445
More information
These ports can be used to initiate a connection with a potentially malicious Internet-based SMB server. SMB traffic should be restricted to private networks or virtual private networks (VPNs). 

Suggestion 

Blocking these ports at the enterprise edge or perimeter firewall helps protect systems that are behind that firewall from attempts to leverage SMB for malicious purposes.

Approaches 

Perimeter firewalls typically use a block-listing rule methodology, an approved-listing rule methodology, or both.

Block listing 
Allow traffic unless a deny (block listed) rule prevents it. 

Example 1
Allow all
Deny 137 name services
Deny 138 datagram services
Deny 139 session service
Deny 445 session service

Approved listing 
Deny traffic unless an allow rule allows it. 

To help prevent attacks that may use other ports, we recommend that you block all unsolicited communication from the Internet. We suggest a blanket deny, with allow rule exceptions (approved listing). 

Note: The approved listing method in this section blocks NetBIOS and SMB traffic implicitly, because no allow rule covers those ports.

Example 2
Deny all
Allow 53 DNS
Allow 21 FTP
Allow 80 HTTP
Allow 443 HTTPS
Allow 143 IMAP
Allow 123 NTP
Allow 110 POP3
Allow 25 SMTP

The list of allowed ports is not exhaustive. Depending on corporate needs, additional firewall entries may be needed.
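The two methodologies above differ in what happens to a port that neither example names. The following added example (not Microsoft's code, and not part of the original article) models Example 1 and Example 2 as a default action plus per-port exceptions, evaluates a constructed set of outbound connection attempts against both, and includes an audit helper that reports any SMB-associated port a rule set would still let through. The port descriptions, the `Policy` class and the sample flows are assumptions made here for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The four SMB-associated ports named in the article.
SMB_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB session service",
}


@dataclass
class Policy:
    """A perimeter rule set: a default action plus per-port exceptions.

    The article lists the default first and the exceptions after it; here the
    exceptions override the default regardless of listing order, which is what
    "allow all, deny 445" and "deny all, allow 443" both mean in practice.
    """
    name: str
    default: str                                          # "allow" or "deny"
    rules: Dict[int, str] = field(default_factory=dict)   # port -> action

    def decide(self, port: int) -> str:
        # A port with no explicit rule falls through to the default action.
        return self.rules.get(port, self.default)

    def permitted_smb_ports(self) -> List[int]:
        """Audit helper: SMB-associated ports this policy would still permit."""
        return [p for p in SMB_PORTS if self.decide(p) == "allow"]


# Example 1 from the article: block listing (allow all, deny the SMB ports).
BLOCK_LISTING = Policy("block listing", "allow", {p: "deny" for p in SMB_PORTS})

# Example 2 from the article: approved listing (deny all, allow named services).
APPROVED_LISTING = Policy("approved listing", "deny", {
    53: "allow", 21: "allow", 80: "allow", 443: "allow",
    143: "allow", 123: "allow", 110: "allow", 25: "allow",
})


def compare(port: int) -> Dict[str, str]:
    """Decision of each methodology for one destination port."""
    return {pol.name: pol.decide(port) for pol in (BLOCK_LISTING, APPROVED_LISTING)}


def flows_permitted(policy: Policy, flows) -> List[Tuple[int, str]]:
    """Keep only the (port, description) flows that the policy permits."""
    return [(port, desc) for port, desc in flows if policy.decide(port) == "allow"]


# Constructed sample of outbound connection attempts from inside the perimeter.
SAMPLE_FLOWS = [
    (445, "SMB to an Internet host"),
    (139, "NetBIOS session to an Internet host"),
    (443, "HTTPS to a web site"),
    (53, "DNS query"),
    (3389, "RDP to an Internet host (named in neither example)"),
]

if __name__ == "__main__":
    for port, desc in SAMPLE_FLOWS:
        print(f"{port:>5}  {desc:<50} {compare(port)}")
    # A block list that omits one port leaves it open; the audit helper shows which.
    partial = Policy("partial block list", "allow", {137: "deny", 138: "deny", 445: "deny"})
    print("still permitted by partial block list:", partial.permitted_smb_ports())
```

Running the block shows the point the article makes in its recommendation: the block list stops 445 and 139 but lets the RDP attempt through, while the approved list denies it without any SMB-specific rule at all. The `permitted_smb_ports` check is the kind of review worth running on a block list, since a single forgotten port (139 in the `partial` policy) leaves that path open.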

Impact of workaround

Several Windows services use the affected ports. Blocking connectivity to the ports may prevent various applications or services from functioning. Some of the applications or services that could be affected include the following:
  • Applications that use SMB (CIFS)
  • Applications that use mailslots or named pipes (RPC over SMB)
  • Server (file and print sharing) 
  • Group Policy
  • Net Logon
  • Distributed File System (DFS)
  • Terminal server licensing 
  • Print spooler 
  • Computer browser 
  • Remote procedure call locator 
  • Fax service 
  • Indexing service 
  • Performance logs and alerts 
  • Systems Management Server
  • License logging service 

How to undo the workaround

Unblock the ports at the firewall. For more information about ports, see TCP and UDP port assignments.

References

Azure remote apps https://azure.microsoft.com/en-us/documentation/articles/remoteapp-ports/

Azure datacenter IPs http://go.microsoft.com/fwlink/?LinkId=825637

Microsoft Office https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
Properties

Article ID: 3185535 - Last Review: 08/26/2016 23:25:00 - Revision: 1.0

Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation, Windows 8.1 Enterprise, Windows 8.1 Pro, Windows 8.1, Windows RT 8.1, Windows Server 2012 Datacenter, Windows Server 2012 Standard, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2008 R2 Service Pack 1, Windows 7 Service Pack 1, Windows Server 2008 Service Pack 2, Windows Vista Service Pack 2

  • kbexpertiseinter kbsecurity kbsecvulnerability KB3185535