Secure SMB Traffic in Windows Server (2024)


As a defense in depth measure, you can use segmentation and isolation techniques to secure SMB traffic and reduce threats between devices on your network.

SMB is used for file sharing, printing, and inter-process communication such as named pipes and RPC. It's also used as a network data fabric for technologies such as Storage Spaces Direct, Storage Replica, Hyper-V Live Migration, and Cluster Shared Volumes. Use the following sections to configure SMB traffic segmentation and endpoint isolation to help prevent outbound and lateral network communications.

Block inbound SMB access

Block TCP port 445 inbound from the internet at your corporate hardware firewalls. Blocking inbound SMB traffic protects devices inside your network by preventing access from the internet.

If you want users to access their files inbound at the edge of your network, you can use SMB over QUIC. This uses UDP port 443 by default and provides a TLS 1.3-encrypted security tunnel like a VPN for SMB traffic. The solution requires Windows 11 and Windows Server 2022 Datacenter: Azure Edition file servers running on Azure Stack HCI. For more information, see SMB over QUIC.

Block outbound SMB access

Block TCP port 445 outbound to the internet at your corporate firewall. Blocking outbound SMB traffic prevents devices inside your network from sending data using SMB to the internet.

It is unlikely you need to allow any outbound SMB using TCP port 445 to the internet unless you require it as part of a public cloud offering. The primary scenarios include Azure Files and Office 365.

If you are using Azure Files SMB, use a VPN for the outbound SMB traffic. By using a VPN, you restrict the outbound traffic to the required service IP ranges. For more information about Azure Cloud and Office 365 IP address ranges, see:

  • Azure IP ranges and service tags:

    • public cloud
    • US government cloud
    • Germany cloud
    • China cloud.

    The JSON files are updated weekly and include versioning both for the full file and each individual service tag. The AzureCloud tag provides the IP ranges for the cloud (Public, US government, Germany, or China) and is grouped by region within that cloud. Service tags in the file will increase as Azure services are added.

  • Office 365 URLs and IP address ranges.

With Windows 11 and Windows Server 2022 Datacenter: Azure Edition, you can use SMB over QUIC to connect to file servers in Azure. This uses UDP port 443 by default and provides a TLS 1.3-encrypted security tunnel like a VPN for the SMB traffic. For more information, see SMB over QUIC.

Inventory SMB usage and shares

By inventorying your network's SMB traffic, you get an understanding of traffic that is occurring and can determine if it's necessary. Use the following checklist of questions to help identify unnecessary SMB traffic.

For server endpoints:

  1. Which server endpoints require inbound SMB access to do their role? Do they need inbound access from all clients, certain networks, or certain nodes?
  2. Of the remaining server endpoints, is inbound SMB access necessary?

For client endpoints:

  1. Which client endpoints (for example, Windows 10) require inbound SMB access? Do they need inbound access from all clients, certain networks, or certain nodes?
  2. Of the remaining client endpoints, is inbound SMB access necessary?
  3. Of the remaining client endpoints, do they need to run the SMB server service?

For all endpoints, determine if you allow outbound SMB in the safest and most minimal fashion.

Review server built-in roles and features that require SMB inbound. For example, file servers and domain controllers require SMB inbound to do their role. For more information on built-in roles and feature network port requirements, see Service overview and network port requirements for Windows.

Review servers that need to be accessed from inside the network. For example, domain controllers and file servers likely need to be accessed anywhere in the network. However, application server access may be limited to a set of other application servers on the same subnet. You can use the following tools and features to help you inventory SMB access:

  • Use the Get-FileShareInfo command from the AZSBTools module set to examine shares on servers and clients.
  • Enable an audit trail of SMB inbound access using the registry key Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\File Share. Since the number of events may be large, consider enabling for a specified amount of time or use Azure Monitor.

Examining SMB logs lets you know which nodes are communicating with endpoints over SMB. You can decide if an endpoint's shares are in use and understand which need to exist.
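The inventory described above, scripted as an added example (this is not Microsoft's code from the article): it lists the server's SMB settings, its non-administrative shares and live inbound sessions, then summarizes File Share audit events (Security event ID 5140, written once the Audit File Share subcategory is enabled as described) by share and client address, and finally lists shares that no audit event touched in the window. The `-Days` window and the assumption that auditing is already enabled are the script's own choices.

```powershell
# Added example, not from the article: inventory SMB shares, sessions and
# File Share audit events (Security event ID 5140) on the local computer.
# Assumes "Audit File Share" (Object Access) has been enabled beforehand.
#Requires -RunAsAdministrator
param([int]$Days = 7)   # assumed lookback window for audit events

Write-Host "== SMB server configuration =="
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, RequireSecuritySignature, EncryptData |
    Format-List

Write-Host "== Shares (administrative shares such as C$ and IPC$ excluded) =="
$shares = Get-SmbShare | Where-Object { -not $_.Special }
$shares | Select-Object Name, Path, ScopeName | Format-Table -AutoSize

Write-Host "== Current inbound SMB sessions =="
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens |
    Format-Table -AutoSize

Write-Host "== File Share audit events (ID 5140), last $Days days =="
$filter = @{ LogName = 'Security'; Id = 5140; StartTime = (Get-Date).AddDays(-$Days) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Pull the share name, client IP and user out of each event's XML payload.
$access = $events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Share  = ($data | Where-Object Name -eq 'ShareName').'#text'      # e.g. \\*\Data
        Client = ($data | Where-Object Name -eq 'IpAddress').'#text'
        User   = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
    }
}

# Who talks to which share, most active pairs first: the basis for the
# "which nodes / networks need inbound SMB" questions in the checklist.
$access | Group-Object Share, Client | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Shares with no recorded access in the window are candidates for removal.
$usedShares = $access.Share | Sort-Object -Unique
Write-Host "== Shares not accessed in the last $Days days =="
$shares | Where-Object { ("\\*\" + $_.Name) -notin $usedShares } |
    Select-Object Name, Path | Format-Table -AutoSize
```

Run it from an elevated prompt on each file server; the event query is the expensive part, so keep the window short or push the 5140 events to Azure Monitor as the article suggests when the volume is large.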

Configure Windows Defender Firewall

Use firewall rules to add extra connection security. Configure rules to block both inbound and outbound communications that include exceptions. An outbound firewall policy that prevents use of SMB connections both outside and inside your managed network while allowing access to the minimum set of servers and no other devices is a lateral defense-in-depth measure.

For information on the SMB firewall rules you need to set for inbound and outbound connections, see the support article Preventing SMB traffic from lateral connections and entering or leaving the network.

The support article includes templates for:

  • Inbound rules that are based on any kind of network profile.
  • Outbound rules for private/domain (trusted) networks.
  • Outbound rules for guest/public (untrusted) networks. This template is important to enforce on mobile devices and home-based telecommuters that are not behind your firewall that is blocking outbound traffic. Enforcing these rules on laptops reduces the odds of phishing attacks that send users to malicious servers to harvest credentials or run attack code.
  • Outbound rules that contain an override allowlist for domain controllers and file servers called Allow the connection if secure.

To use the null encapsulation IPsec authentication, you must create a Connection Security rule on all computers in your network that are participating in the rules. Otherwise, the firewall exceptions won't work and you'll only be arbitrarily blocking.

Caution

You should test the Connection Security rule before broad deployment. An incorrect rule could prevent users from accessing their data.

To create a Connection Security rule, use the Windows Defender Firewall with Advanced Security control panel or snap-in:

  1. In Windows Defender Firewall, select Connection Security Rules and choose a New rule.
  2. In Rule Type, select Isolation then select Next.
  3. In Requirements, select Request authentication for inbound and outbound connections then select Next.
  4. In Authentication Method, select Computer and User (Kerberos V5) then select Next.
  5. In Profile, check all profiles (Domain, Private, Public) then select Next.
  6. Enter a name for your rule then select Finish.

Remember, the Connection Security rule must be created on all clients and servers participating in your inbound and outbound rules or they will be blocked from connecting SMB outbound. These rules may already be in place from other security efforts in your environment and, like the firewall inbound/outbound rules, can be deployed via group policy.

When configuring rules based on the templates in the Preventing SMB traffic from lateral connections and entering or leaving the network support article, set the following to customize the Allow the connection if secure action:

  1. In the Action step, select Allow the connection if it is secure then select Customize.
  2. In Customize Allow if Secure Settings, select Allow the connection to use null encapsulation.

The Allow the connection if it is secure option allows override of a global block rule. You can use the easy but least secure Allow the connection to use null encapsulation with override block rules, which relies on Kerberos and domain membership for authentication. Windows Defender Firewall allows for more secure options like IPsec.
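The Connection Security rule from the numbered steps and the customized Allow the connection if it is secure action are both scripted below as an added example (this is not the support article's template or Microsoft's code). It uses the NetSecurity cmdlets: a Kerberos machine-and-user isolation rule that requests authentication on all profiles, a global outbound block of TCP 445, and an override allowlist restricted to named servers. The rule names and the `192.0.2.x` server addresses are placeholders of this example and must be replaced with your own domain controllers and file servers.

```powershell
# Added example, not from the article or the support article's templates.
# Scripts the Connection Security rule and the outbound "allow if secure"
# override for TCP 445 using the built-in NetSecurity module.
#Requires -RunAsAdministrator

$FileServers       = @('192.0.2.10', '192.0.2.11')   # placeholders: your file servers
$DomainControllers = @('192.0.2.5')                  # placeholder: your domain controllers

# 1. Connection Security rule (Isolation): request, not require, Kerberos V5
#    computer and user authentication for inbound and outbound traffic on
#    every profile. This must exist on both ends or the override never matches.
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'SMB Isolation - Machine Kerberos' `
            -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'SMB Isolation - User Kerberos' `
            -Proposal (New-NetIPsecAuthProposal -User -Kerberos)

New-NetIPsecRule -DisplayName 'SMB Isolation - Request Authentication' `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -Profile Any | Out-Null

# 2. Global outbound block: no SMB to anywhere, on any profile.
New-NetFirewallRule -DisplayName 'SMB Outbound - Block TCP 445' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -Action Block -Profile Any | Out-Null

# 3. Override allowlist: "Allow the connection if it is secure" with
#    "Allow the connection to use null encapsulation" (-Authentication NoEncap)
#    and "Override block rules", limited to the trusted servers only.
New-NetFirewallRule -DisplayName 'SMB Outbound - Allow if secure to DC and FS' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress ($FileServers + $DomainControllers) `
    -Action Allow -Authentication NoEncap -OverrideBlockRules $true `
    -Profile Domain, Private | Out-Null

# 4. Show what was created so the result can be reviewed before rollout.
Get-NetFirewallRule -DisplayName 'SMB Outbound*' |
    Select-Object DisplayName, Direction, Action, Profile, Enabled |
    Format-Table -AutoSize
Get-NetIPsecRule -DisplayName 'SMB Isolation*' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Profile |
    Format-Table -AutoSize
```

The allowlist rule is deliberately not applied to the Public profile, matching the article's separate template for untrusted networks. Test on a handful of machines first: if the isolation rule is missing on either side, step 3 never matches and step 2 silently blocks all outbound SMB, which is the failure mode the caution above describes. For domain-wide rollout, the same cmdlets accept `-PolicyStore` with a GPO name so the rules land in Group Policy rather than the local store.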

For more information about configuring the firewall, see Windows Defender Firewall with Advanced Security deployment overview.

Updated firewall rules (preview)

Important

Windows Server Insiders Edition is currently in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Beginning with Windows 11 Insider preview Build 25992 (Canary) and Windows Server Preview Build 25997, the built-in firewall rules no longer contain the SMB NetBIOS ports. In earlier versions of Windows Server, when you created a share, the firewall automatically enabled certain rules in the File and Printer Sharing group. In particular, the built-in firewall automatically opened inbound NetBIOS ports 137 through 139. Shares made with SMB2 or later don't use NetBIOS ports 137-139. If you need to use an SMB1 server for legacy compatibility reasons, you must manually reconfigure the firewall to open those ports.

We made this change to improve network security. This change brings SMB firewall rules more in line with the standard behavior for the Windows Server File Server role. By default, the firewall rules only open the minimum number of ports required for sharing data. Administrators can reconfigure the rules to restore the legacy ports.
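On current (non-preview) builds the NetBIOS rules are still present, so a quick way to apply the same minimum-port posture today is to check which File and Printer Sharing rules are enabled and disable the ones that open 137-139. The script below is an added example, not Microsoft's code; the `-Disable` switch and the output shape are its own design, and it leaves the TCP 445 (SMB-In) rule untouched.

```powershell
# Added example, not from the article: report the inbound "File and Printer
# Sharing" rules, flag those that open NetBIOS ports 137-139 (unused by SMB2+),
# and optionally disable them. Run with -Disable to make the change.
#Requires -RunAsAdministrator
param([switch]$Disable)

$legacyPorts = @('137', '138', '139')

$rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound

$report = foreach ($rule in $rules) {
    # Each rule carries one port filter; LocalPort may be a single value or an array.
    $portFilter = $rule | Get-NetFirewallPortFilter
    $ports      = @($portFilter.LocalPort)
    $isLegacy   = @($ports | Where-Object { $_ -in $legacyPorts }).Count -gt 0

    if ($Disable -and $isLegacy -and "$($rule.Enabled)" -eq 'True') {
        $rule | Disable-NetFirewallRule
    }

    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Protocol      = $portFilter.Protocol
        LocalPort     = ($ports -join ',')
        LegacyNetBIOS = $isLegacy
        Enabled       = if ($Disable -and $isLegacy) { 'False (just disabled)' } else { "$($rule.Enabled)" }
    }
}

$report | Sort-Object LegacyNetBIOS -Descending | Format-Table -AutoSize
```

Keep the SMB1-only caveat from the text in mind: if any share on the host must still be reached by SMB1 clients, the 137-139 rules need to stay enabled, which is exactly the legacy case the preview builds now make an explicit administrator decision.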

Disable SMB Server if unused

Windows clients and some of your Windows Servers on your network may not require the SMB Server service to be running. If the SMB Server service isn't required, you can disable the service. Before disabling the SMB Server service, be sure no applications and processes on the computer require the service.

You can use Group Policy Preferences to disable the service on a large number of machines when you are ready to implement. For more information about configuring Group Policy Preferences, see Configure a Service Item.
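Before the Group Policy Preference rolls the change out broadly, the "be sure nothing requires the service" step can be checked per machine. The script below is an added example, not Microsoft's code: it inspects the Server service (service name `LanmanServer`), its running dependents, open inbound sessions and non-administrative shares, and only stops and disables the service when `-Commit` is given and none of those signals is present. The dry-run-by-default behaviour is this example's own choice.

```powershell
# Added example, not from the article: check whether the SMB Server service
# (LanmanServer) is still in use on this computer and, if not, disable it.
# Without -Commit the script only reports; with -Commit it stops and disables.
#Requires -RunAsAdministrator
param([switch]$Commit)

$svc        = Get-Service -Name LanmanServer
$dependents = @($svc.DependentServices | Where-Object Status -eq 'Running')
$sessions   = @(Get-SmbSession -ErrorAction SilentlyContinue)
$shares     = @(Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { -not $_.Special })

[pscustomobject]@{
    Service              = $svc.Name
    Status               = $svc.Status
    StartType            = $svc.StartType
    RunningDependents    = if ($dependents) { $dependents.Name -join ', ' } else { 'none' }
    ActiveInboundSessions = $sessions.Count
    NonAdminShares       = $shares.Count
} | Format-List

# Any of these means something on or around this machine still uses the SMB server.
$inUse = $dependents.Count -gt 0 -or $sessions.Count -gt 0 -or $shares.Count -gt 0
if ($inUse) {
    Write-Warning 'SMB Server still appears to be in use on this computer; not disabling.'
    return
}

if ($Commit) {
    Stop-Service -Name LanmanServer -Force
    Set-Service  -Name LanmanServer -StartupType Disabled
    Write-Host 'LanmanServer stopped and set to Disabled.'
} else {
    Write-Host 'No SMB server usage detected. Re-run with -Commit to stop and disable LanmanServer.'
}
```

Run it on a sample of the target machines during the small-scale test phase; the machines it refuses to change are the ones whose share or dependency needs a closer look before the policy reaches them.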

Test and deploy using policy

Begin by testing using small-scale, hand-made deployments on select servers and clients. Use phased group policy rollouts to make these changes. For example, start with the heaviest user of SMB such as your own IT team. If your team's laptops and apps and file share access work well after deploying your inbound and outbound firewall rules, create test group policy within your broad test and QA environments. Based on results, start sampling some departmental machines, then expand out.

Next steps

Watch Jessica Payne's Ignite conference session Demystifying the Windows Firewall


FAQs

How to secure SMB Windows Server?

Use the following sections to configure SMB traffic segmentation and endpoint isolation to help prevent outbound and lateral network communications.
  1. Block inbound SMB access. ...
  2. Block outbound SMB access. ...
  3. Inventory SMB usage and shares. ...
  4. Configure Windows Defender Firewall. ...
  5. Disable SMB Server if unused.

Is Windows SMB traffic encrypted?

SMB Encryption offers an end-to-end privacy and integrity assurance between the file server and the client. It provides this security regardless of the networks traversed, such as wide area network (WAN) connections maintained by non-Microsoft providers.

How to block SMB traffic?

You can do this manually by using the "Services" snap-in (Services.msc) and the PowerShell Set-Service cmdlet, or by using Group Policy Preferences. When you stop and disable these services, SMB can no longer make outbound connections or receive inbound connections.

Which SMB protocol is secure?

Of the 3 major SMB versions, SMB3 — particularly SMB 3.1.1 — offers the most security. For example, SMB3's secure dialect negotiation limits susceptibility to man-in-the-middle (MITM) attacks and SMB 3.1.1 uses secure and performant encryption algorithms like AES-128-GCM.

Why is SMB not secure?

SMB signatures can be breached by MITM attacks which means your data is compromised. Encryption cannot.

Is TLS used for SMB?

Current versions of SMB use TCP (over port 445). SMB 3.x does not rely on TLS - it has its own encryption mechanism (so effectively it's just as secure as HTTPS).

How do I allow SMB traffic in Windows Firewall?

To add a firewall rule to allow TCP/445 (SMB/CIFS) and TCP/135 (RPC): Go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security - LDAP > Inbound Rules. Right-click and choose New Rule. Choose Port and click Next.

What is the secure port for SMB?

SMB uses either IP port 139 or 445. Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.

Is SMB secure over the internet?

While the SMB protocol is generally considered safe, it's important to be mindful of potential vulnerabilities and do what you can to prevent them. Here's how to protect yourself when using SMB: Use strong authentication.

Is SFTP more secure than SMB?

So SFTP is far more secure overall thanks to its use of SSH encryption.

How to check if SMB is encrypted?

I would run a packet capture using Wireshark and see what happens when I read a file – the difference between plain and encrypted SMB packets is easily visible.

How vulnerable is SMB?

The SMB vulnerability can let an unauthorized attacker run any code as part of an application. According to the Microsoft advisory, "To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server.

How do I mount SMB on Windows Server?

Mount SMB volumes on a Windows client

Select the Volumes menu and then the SMB volume you want to mount. To mount the SMB volume using a Windows client, select Mount instructions from the selected volume.

How do I make my Windows server more secure?

Here are a few critical tips for securing your Windows Server.
  1. Keep Your Windows Server Up To Date. ...
  2. Install Only Essential OS Components via Windows Server Core. ...
  3. Protect the Admin Account. ...
  4. NTP Configuration. ...
  5. Enable and Configure Windows Firewall and Antivirus. ...
  6. Secure Remote Desktop (RDP) ...
  7. Enable BitLocker Drive Encryption.
