Block SMB between 2 sites

Andreas 1,301 Reputation points
2021-09-13T10:13:13.833+00:00

Hi,

We have Site A (2 DCs, SCCM, Antivirus server++) and are now configuring Site B (1 DC).
We want to disable the possibility to browse the servers between these two sites, I mean not be able to reach, for example, \\serverhostname\c$.
Is it only port 445 that we need to block, or do we need to block 137, 138 and 139 also?

I have read that blocking SMB does not mess with group policy since we are having Windows Server 2008-> and Windows 10-> machines.
But I was wondering if it would cause any other problems related to AD?

As I understand blocking SMB between 2 sites is a good practice so ransomware does spread...

Comments ?

Thanks for any reply
/R
Andy


Accepted answer
  1. Limitless Technology 39,371 Reputation points
    2021-09-14T13:55:18.797+00:00

    Hello Andreas,

    Blocking connectivity to SMB might prevent various applications or services from functioning. For a list of Windows and Windows Server applications and services that may stop functioning in this situation, see "Service overview and network port requirements for Windows" at the link below:

    https://learn.microsoft.com/en-US/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

    Hope this answers all your queries, if not please do repost back.
    If an Answer is helpful, please click "Accept Answer" and upvote it : )

    1 person found this answer helpful.

1 additional answer

  1. Dave Patrick 426.1K Reputation points MVP
    2021-09-13T14:17:20.097+00:00

    No, it isn't required for >= 2008.
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts#windows-server-2008-and-later-versions

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.
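
The scoping the question asks about (ports 445, 137, 138 and 139, blocked only for traffic coming from the other site), written as host firewall rules for member servers in Site A. This is an added example, not part of either answer; the subnet `10.20.0.0/16` and the rule names are assumptions, and domain controllers are skipped because clients read Group Policy from the SYSVOL share on DCs over SMB.

```powershell
# Added example: run elevated on member servers in Site A.
# $SiteBSubnet is a constructed placeholder; substitute the real Site B range.
$SiteBSubnet = '10.20.0.0/16'

# The four ports named in the question, each with the protocol it uses.
$SmbPorts = @(
    @{ Name = 'SMB direct';       Protocol = 'TCP'; Port = 445 },
    @{ Name = 'NetBIOS session';  Protocol = 'TCP'; Port = 139 },
    @{ Name = 'NetBIOS name';     Protocol = 'UDP'; Port = 137 },
    @{ Name = 'NetBIOS datagram'; Protocol = 'UDP'; Port = 138 }
)

# DomainRole 4 and 5 are backup/primary domain controller.
# DCs serve SYSVOL and NETLOGON over SMB, so they are left untouched here.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Warning 'This host is a domain controller; no SMB block rules created.'
    return
}

foreach ($p in $SmbPorts) {
    $display = "Block inbound $($p.Name) ($($p.Protocol)/$($p.Port)) from Site B"

    # Idempotent: skip rules that already exist so the script can be re-run.
    $existing = Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue
    if ($existing) { continue }

    # A Block rule takes precedence over the built-in
    # "File and Printer Sharing" allow rules for the same traffic.
    New-NetFirewallRule -DisplayName $display `
        -Direction Inbound `
        -Action Block `
        -Protocol $p.Protocol `
        -LocalPort $p.Port `
        -RemoteAddress $SiteBSubnet `
        -Profile Any | Out-Null
}

# Show what is now in place, including the port and remote scope of each rule.
Get-NetFirewallRule -DisplayName 'Block inbound*from Site B' | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Action  = $_.Action
        Port    = ($_ | Get-NetFirewallPortFilter).LocalPort
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
} | Format-Table -AutoSize
```

From a Site B machine, `Test-NetConnection <server> -Port 445` should then report `TcpTestSucceeded : False` for a member server, while the same test against a Site A DC still succeeds.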