question

0 Votes
Andreas-9700 asked LimitlessTechnology-2700 answered

Block SMB between 2 sites

Hi,

We have Site A (2 DCs, SCCM, Antivirus server++) and are now configuring Site B (1 DC).
We want to disable the possibility to browse the servers between these two sites, I mean not be able to browse, for example, \\serverhostname\c$
Is it only port 445 that we need to block, or do we need to block 137, 138 and 139 also?

I have read that blocking SMB does not mess with group policy since we are having Windows Server 2008-> and Windows 10-> machines.
But I was wondering if it would cause any other problems related to AD?

As I understand blocking SMB between 2 sites is a good practice so ransomware does spread...

Comments?

Thanks for any reply
/R
Andy

windows-active-directory windows-server-security windows-platform-network

1 Vote
LimitlessTechnology-2700 answered

Hello Andreas,

Blocking connectivity to SMB might prevent various applications or services from functioning. For a list of Windows and Windows Server applications and services that may stop functioning in this situation, see "Service overview and network port requirements for Windows" using the link below:

https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

Hope this answers all your queries; if not, please do repost back.
If an Answer is helpful, please click "Accept Answer" and upvote it : )


1 Vote
DSPatrick answered DSPatrick commented

No, it isn't required for >= 2008.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts#windows-server-2008-and-later-versions

--please don't forget to upvote and Accept as answer if the reply is helpful--




Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--



0 Votes 0 ·

Hi,

Thanks for the reply @DSPatrick
OK, so we have blocked SMB on all servers except the DC, but one thing I am wondering about: if we block SMB to the domain controllers also, that will cause the servers/clients not to see \\dc\netlogon and \\dc\sysvol. Will this not cause problems if we have scripts located here that are part of a GPO?

Thanks for reply.

/R
Andy

0 Votes 0 ·

Something here may help.
http://woshub.com/cant-access-domain-sysvol-netlogon-folders/

--please don't forget to upvote and Accept as answer if the reply is helpful--



1 Vote 1 ·
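
The setup discussed in this thread, as an added example that is not part of any participant's post: block inbound SMB from the other site on member servers with Windows Firewall, skip domain controllers so SYSVOL and NETLOGON stay reachable, then verify from the other site. The subnet, the rule names and the `Test-InterSiteSmb` helper are assumptions for illustration, as is the choice to block the NetBIOS ports (137-139) together with 445.

```powershell
# Added example. Assumed values: replace the subnet with the other site's real range.
$RemoteSiteSubnet = '10.20.0.0/16'          # placeholder, not from the thread
$RulePrefix       = 'Block inter-site SMB'  # hypothetical rule name prefix

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$isDomainController = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

if ($isDomainController) {
    # DCs are left alone so \\dc\SYSVOL and \\dc\NETLOGON keep serving
    # Group Policy files and logon scripts to the other site.
    Write-Output 'Domain controller: no SMB block rules created.'
}
else {
    $rules = @(
        @{ Name = 'TCP 445 SMB';               Protocol = 'TCP'; Port = 445 },
        @{ Name = 'TCP 139 NetBIOS session';   Protocol = 'TCP'; Port = 139 },
        @{ Name = 'UDP 137 NetBIOS name';      Protocol = 'UDP'; Port = 137 },
        @{ Name = 'UDP 138 NetBIOS datagram';  Protocol = 'UDP'; Port = 138 }
    )
    foreach ($r in $rules) {
        $display = "$RulePrefix - $($r.Name)"
        # Idempotent: create the rule only if it does not exist yet.
        if (-not (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue)) {
            # Block rules take precedence over the built-in
            # "File and Printer Sharing" allow rules.
            New-NetFirewallRule -DisplayName $display -Direction Inbound -Action Block `
                -Protocol $r.Protocol -LocalPort $r.Port `
                -RemoteAddress $RemoteSiteSubnet | Out-Null
        }
    }
}

# Hypothetical helper: run on a machine in the OTHER site after the rules are in place.
function Test-InterSiteSmb {
    param(
        [Parameter(Mandatory)] [string] $MemberServer,
        [string] $Domain = $env:USERDNSDOMAIN
    )
    [pscustomobject]@{
        # Expected $false: the member server no longer accepts SMB from this site.
        MemberServerSmbOpen = (Test-NetConnection -ComputerName $MemberServer -Port 445 `
                                   -WarningAction SilentlyContinue).TcpTestSucceeded
        # Expected $true: Group Policy and logon scripts can still be read.
        SysvolReachable     = Test-Path "\\$Domain\SYSVOL"
        NetlogonReachable   = Test-Path "\\$Domain\NETLOGON"
    }
}
```

Rules created this way are local to each server; the same settings can also be distributed through a firewall GPO scoped to member servers only.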