{
	"id": "30b69598-1c15-476a-950b-8bf02693d2f7",
	"created_at": "2026-04-06T00:06:26.895297Z",
	"updated_at": "2026-04-10T13:12:11.034483Z",
	"deleted_at": null,
	"sha1_hash": "82ba7237486ca3fd08374ca36363adf05eb13d90",
	"title": "Preventing SMB traffic from lateral connections and entering or leaving the network",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85936,
	"plain_text": "Preventing SMB traffic from lateral connections and entering or\r\nleaving the network\r\nArchived: 2026-04-05 16:45:17 UTC\r\nApplies To\r\nSummary\r\nServer Message Block (SMB) is a network file sharing and data fabric protocol. SMB is used by billions of\r\ndevices in a diverse set of operating systems, including Windows, MacOS, iOS, Linux, and Android. Clients use\r\nSMB to access data on servers. This allows sharing of files, centralized data management, and lowered storage\r\ncapacity needs for mobile devices. Servers also use SMB as part of the Software-defined Data Center for\r\nworkloads such as clustering and replication.\r\nBecause SMB is a remote file system, it requires protection from attacks in which a Windows computer might be\r\ntricked into contacting a malicious server that's running inside a trusted network or to a remote server outside the\r\nnetwork perimeter. Firewall best practices and configurations can enhance security and prevent malicious traffic\r\nfrom leaving the computer or its network.\r\nEffect of changes\r\nBlocking connectivity to SMB might prevent various applications or services from functioning. For a list of\r\nWindows and Windows Server applications and services that may stop functioning in this situation, see Service\r\noverview and network port requirements for Windows\r\nMore information\r\nPerimeter firewall approaches\r\nPerimeter hardware and appliance firewalls that are positioned at the edge of the network should block unsolicited\r\ncommunication (from the internet) and outgoing traffic (to the internet) to the following ports.  
\r\nApplication protocol      Protocol  Port\r\nSMB                       TCP       445\r\nNetBIOS Name Resolution   UDP       137\r\nNetBIOS Datagram Service  UDP       138\r\nNetBIOS Session Service   TCP       139\r\nhttps://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections\r\nPage 1 of 7\r\nIt is unlikely that any SMB communication originating from the internet or destined for the internet is legitimate. The primary exception is a cloud-based server or service such as Azure Files. You should create IP address-based restrictions in your perimeter firewall to allow only those specific endpoints. Organizations can allow port 445 access to specific Azure Datacenter and O365 IP ranges to enable hybrid scenarios in which on-premises clients (behind an enterprise firewall) use the SMB port to talk to Azure file storage. You should also allow only SMB 3.x traffic and require SMB AES-128 encryption. See the \"References\" section for more information.\r\nNote The use of NetBIOS for SMB transport ended in Windows Vista, Windows Server 2008, and all later Microsoft operating systems when Microsoft introduced SMB 2.02. However, you may have software and devices other than Windows in your environment. You should disable and remove SMB1 if you have not already done so, because it still uses NetBIOS (UDP 137, UDP 138, and TCP 139 above). Later versions of Windows Server and Windows no longer install SMB1 by default and will automatically remove it if allowed.\r\nWindows Defender firewall approaches\r\nAll supported versions of Windows and Windows Server include the Windows Defender Firewall (previously named the Windows Firewall). This firewall provides additional protection for devices, especially when devices move outside a network, but also when they run within one.\r\nThe Windows Defender Firewall has distinct profiles for certain types of networks: Domain, Private, and Guest/Public.
The Guest/Public network typically gets much more restrictive settings by default than the more trustworthy Domain or Private networks. You may find yourself applying different SMB restrictions for these networks, based on your threat assessment versus operational needs.\r\nInbound connections to a computer\r\nFor Windows clients and servers that do not host SMB shares, you can block all inbound SMB traffic by using the Windows Defender Firewall to prevent remote connections from malicious or compromised devices. In the Windows Defender Firewall, this means making sure the following built-in inbound rules are disabled:\r\nName                                  Profile  Enabled\r\nFile and Printer Sharing (SMB-In)     All      No\r\nNetlogon Service (NP-In)              All      No\r\nRemote Event Log Management (NP-In)   All      No\r\nRemote Service Management (NP-In)     All      No\r\nYou should also create a new blocking rule to override any other inbound firewall rules. Because a block rule takes precedence over an ordinary allow rule for the same traffic, this keeps TCP 445 closed even if an allow rule is added later. Use the following suggested settings for any Windows clients or servers that do not host SMB shares:\r\nName: Block all inbound SMB 445\r\nDescription: Blocks all inbound SMB TCP 445 traffic. Not to be applied to domain controllers or computers that host SMB shares.\r\nAction: Block the connection\r\nPrograms: All\r\nRemote Computers: Any\r\nProtocol Type: TCP\r\nLocal Port: 445\r\nRemote Port: Any\r\nProfiles: All\r\nScope (Local IP Address): Any\r\nScope (Remote IP Address): Any\r\nEdge Traversal: Block edge traversal\r\nYou must not globally block inbound SMB traffic to domain controllers or file servers. However, you can restrict access to them from trusted IP ranges and devices to lower their attack surface. They should also be restricted to the Domain or Private firewall profiles and not allow Guest/Public traffic.\r\nNote The Windows Firewall has blocked all inbound SMB communications by default since Windows XP SP2 and Windows Server 2003 SP1.
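The inbound hardening described above, as an added PowerShell example that is not part of the Microsoft article. It assumes an elevated session on a Windows client or member server that hosts no SMB shares (it must not be run on domain controllers or file servers) and the NetSecurity module that ships with supported Windows versions; the audit function Get-InboundSmbAllowRules is a helper written for this example, not a built-in cmdlet.

```powershell
# Added example (not from the Microsoft article). Run in an elevated PowerShell
# session on a Windows client or member server that hosts NO SMB shares.
# Do not run it on domain controllers or file servers.
#
# Step 1: disable the built-in inbound rules the article lists with Enabled = No.
$builtInInboundRules = @(
    'File and Printer Sharing (SMB-In)',
    'Netlogon Service (NP-In)',
    'Remote Event Log Management (NP-In)',
    'Remote Service Management (NP-In)'
)
foreach ($name in $builtInInboundRules) {
    # SilentlyContinue: an edition that lacks one of these rules is not an error.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

# Step 2: explicit block rule for TCP 445 on every profile. A block rule wins
# over an ordinary allow rule for the same traffic (only an authenticated
# allow rule with override-block-rules set can beat it), so TCP 445 stays
# closed even if a later installer adds its own allow rule.
$blockRuleName = 'Block all inbound SMB 445'
if (-not (Get-NetFirewallRule -DisplayName $blockRuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $blockRuleName `
        -Description 'Blocks all inbound SMB TCP 445 traffic. Not for DCs or computers that host SMB shares.' `
        -Direction Inbound -Action Block -Enabled True `
        -Protocol TCP -LocalPort 445 -RemotePort Any `
        -Profile Domain,Private,Public `
        -LocalAddress Any -RemoteAddress Any `
        -EdgeTraversalPolicy Block | Out-Null
}

# Step 3: audit. Lists every enabled inbound Allow rule whose TCP port filter
# covers 445 (explicitly, or via an Any-port program rule). Helper written for
# this example; on a hardened host it returns nothing.
function Get-InboundSmbAllowRules {
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 445 -or $_.LocalPort -eq 'Any' } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Enabled -eq 'True' -and
            $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow'
        } |
        Select-Object DisplayName, Profile, Action, Enabled
}

Get-InboundSmbAllowRules
```

The audit step is the part worth keeping: the article warns that the out-of-box defaults cannot be assumed to still be in place, and a program-scoped allow rule with an Any TCP local port would reopen 445 for that program the moment the explicit block rule was removed. Put the same three steps in a Group Policy or configuration-management baseline rather than running them once.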
Windows devices will allow inbound SMB communication only if an administrator creates an SMB share or alters the firewall default settings. Regardless, you should not trust the default out-of-box experience to still be in place on devices. Always verify and actively manage the settings and their desired state by using Group Policy or other management tools.\r\nFor more information, see Designing a Windows Defender Firewall with Advanced Security Strategy and Windows Defender Firewall with Advanced Security Deployment Guide.\r\nOutbound connections from a computer\r\nWindows clients and servers require outbound SMB connections in order to apply group policy from domain controllers and for users and applications to access data on file servers, so care must be taken when creating firewall rules to prevent malicious lateral or internet connections. By default, there are no outbound blocks on a Windows client or server connecting to SMB shares, so you will have to create new blocking rules.\r\nYou should also create a new blocking rule to override any other outbound firewall rules. Use the following suggested settings for Windows clients and servers.\r\nGuest/Public (untrusted) networks\r\nName: Block outbound Guest/Public SMB 445\r\nDescription: Blocks all outbound SMB TCP 445 traffic when on an untrusted network\r\nAction: Block the connection\r\nPrograms: All\r\nRemote Computers: Any\r\nProtocol Type: TCP\r\nLocal Port: Any\r\nRemote Port: 445\r\nProfiles: Guest/Public\r\nScope (Local IP Address): Any\r\nScope (Remote IP Address): Any\r\nEdge Traversal: Block edge traversal\r\nNote Small office and home office users, or mobile users who work in corporate trusted networks and then connect to their home networks, should use caution before they block outbound SMB on the Guest/Public profile.
Doing so may prevent access to their local NAS devices or certain printers.\r\nPrivate/Domain (trusted) networks\r\nName: Allow outbound Domain/Private SMB 445\r\nDescription: Allows outbound SMB TCP 445 traffic only to DCs and file servers when on a trusted network\r\nAction: Allow the connection if it is secure\r\nCustomize Allow if Secure Settings: pick one of the options (authenticated and integrity-protected, encrypted, or null encapsulation), and set Override block rules = ON\r\nPrograms: All\r\nProtocol Type: TCP\r\nLocal Port: Any\r\nRemote Port: 445\r\nProfiles: Private/Domain\r\nScope (Local IP Address): Any\r\nScope (Remote IP Address): \u003clist of domain controller and file server IP addresses\u003e\r\nEdge Traversal: Block edge traversal\r\nNote You can also use the Remote Computers setting instead of the Scope remote IP addresses, if the secured connection uses authentication that carries the computer’s identity (such as the Kerberos computer authentication in the security connection rule below). Review the Defender Firewall documentation for more information about “Allow the connection if it is secure” and the Remote Computers options.\r\nName: Block outbound Domain/Private SMB 445\r\nDescription: Blocks outbound SMB TCP 445 traffic.
Override by using the “Allow outbound Domain/Private SMB 445” rule\r\nAction: Block the connection\r\nPrograms: All\r\nRemote Computers: N/A\r\nProtocol Type: TCP\r\nLocal Port: Any\r\nRemote Port: 445\r\nProfiles: Private/Domain\r\nScope (Local IP Address): Any\r\nScope (Remote IP Address): N/A\r\nEdge Traversal: Block edge traversal\r\nYou must not globally block outbound SMB traffic from computers to domain controllers or file servers. However, you can restrict access to them from trusted IP ranges and devices to lower their attack surface.\r\nFor more information, see Designing a Windows Defender Firewall with Advanced Security Strategy and Windows Defender Firewall with Advanced Security Deployment Guide.\r\nSecurity connection rules\r\nYou must use a security connection rule to implement the outbound firewall rule exceptions for the \"Allow the connection if it is secure\" and \"Allow the connection to use null encapsulation\" settings. IPsec is negotiated by both peers, so the rule must exist on the clients and on the domain controllers and file servers they connect to. If you do not set this rule on all Windows-based and Windows Server-based computers, authentication will fail, the allow rule will not match, and outbound SMB will be blocked by the block rule.\r\nFor example, the following settings are required:\r\nRule type: Isolation\r\nRequirements: Request authentication for inbound and outbound connections\r\nAuthentication method: Computer and user (Kerberos V5)\r\nProfile: Domain, Private, Public\r\nName: Isolation ESP Authentication for SMB overrides\r\nRequesting (rather than requiring) authentication lets other traffic fall back to the clear when a peer cannot negotiate IPsec; the SMB allow rule still matches only connections that were actually secured.\r\nFor more information about security connection rules, see the following articles:\r\nDesigning a Windows Defender Firewall with Advanced Security Strategy\r\nChecklist: Configuring Rules for an Isolated Server Zone\r\nWindows Workstation and Server Service\r\nFor consumer or highly isolated, managed computers that do not require SMB at all, you can disable the Server or Workstation services.
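The outbound rule set and the security connection rule described above, carried through end to end as an added PowerShell example that is not part of the Microsoft article. It assumes an elevated session on a domain-joined client; the address list in $trustedSmbServers is a placeholder for your own domain controller and file server addresses, the authentication-set display names are this example's own, and Get-OutboundSmbRules is a helper defined here, not a built-in cmdlet.

```powershell
# Added example (not from the Microsoft article). Elevated session, domain-joined client.
# Builds the outbound rule set from the article:
#   1. block outbound TCP 445 on the Public profile,
#   2. allow outbound TCP 445 on Domain/Private only to DCs and file servers,
#      and only when the connection is IPsec-authenticated (override block rules),
#   3. block all other outbound TCP 445 on Domain/Private,
#   4. add the Isolation connection security rule (request Kerberos computer and
#      user authentication) that lets rule 2 negotiate.
# The same connection security rule must also exist on the DCs and file servers;
# otherwise IPsec never negotiates, rule 2 never matches, and rule 3 wins.

# Assumption: addresses of your DCs and file servers. Replace with real values.
$trustedSmbServers = @('10.0.0.10', '10.0.0.11', '10.0.1.0/24')

# 1. Untrusted networks: no outbound SMB at all.
New-NetFirewallRule -DisplayName 'Block outbound Guest/Public SMB 445' `
    -Description 'Blocks all outbound SMB TCP 445 traffic when on an untrusted network' `
    -Direction Outbound -Action Block -Enabled True `
    -Protocol TCP -RemotePort 445 -Profile Public `
    -EdgeTraversalPolicy Block | Out-Null

# 2. Trusted networks: allow only to the listed servers, only if IPsec-secured.
#    -Authentication Required is the cmdlet form of Allow the connection if it is secure;
#    -OverrideBlockRules is what lets this rule beat the block rule created in step 3.
New-NetFirewallRule -DisplayName 'Allow outbound Domain/Private SMB 445' `
    -Description 'Allows outbound SMB TCP 445 only to DCs and file servers on a trusted network' `
    -Direction Outbound -Action Allow -Enabled True `
    -Protocol TCP -RemotePort 445 -Profile Domain,Private `
    -RemoteAddress $trustedSmbServers `
    -Authentication Required -OverrideBlockRules $true `
    -EdgeTraversalPolicy Block | Out-Null

# 3. Trusted networks: every other outbound TCP 445 connection (lateral movement) is blocked.
New-NetFirewallRule -DisplayName 'Block outbound Domain/Private SMB 445' `
    -Description 'Blocks outbound SMB TCP 445 traffic; overridden by the Allow rule' `
    -Direction Outbound -Action Block -Enabled True `
    -Protocol TCP -RemotePort 445 -Profile Domain,Private `
    -EdgeTraversalPolicy Block | Out-Null

# 4. Connection security rule: Isolation, request (not require) authentication in
#    both directions, Kerberos V5 for computer (phase 1) and user (phase 2), all profiles.
$machineKerberos = New-NetIPsecAuthProposal -Machine -Kerberos
$userKerberos    = New-NetIPsecAuthProposal -User -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'SMB override phase 1 (computer Kerberos)' -Proposal $machineKerberos
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'SMB override phase 2 (user Kerberos)' -Proposal $userKerberos
New-NetIPsecRule -DisplayName 'Isolation ESP Authentication for SMB overrides' `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -Profile Domain,Private,Public -Mode Transport -Enabled True | Out-Null

# Check: every outbound rule whose TCP port filter targets remote port 445,
# so the three rules above (and any stray ones) can be reviewed together.
function Get-OutboundSmbRules {
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.RemotePort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Outbound' } |
        Select-Object DisplayName, Profile, Action, Enabled
}
Get-OutboundSmbRules
```

Creation order does not matter; what matters is that rule 3 is a plain block and rule 2 carries both -Authentication Required and -OverrideBlockRules, because only an authenticated allow rule with override set beats a block rule. Deploy the connection security rule from step 4 to the DCs and file servers as well, with the same profiles, before rule 3 reaches the clients, or group policy application breaks the moment the block takes effect.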
You can stop and disable these services manually by using the “Services” snap-in (Services.msc) or the PowerShell Set-Service cmdlet, or by using Group Policy Preferences. When these services are stopped and disabled, SMB can no longer make outbound connections (Workstation service, LanmanWorkstation) or receive inbound connections (Server service, LanmanServer).\r\nYou must not disable the Server service on domain controllers or file servers, or no clients will be able to apply group policy or connect to their data. You must not disable the Workstation service on computers that are members of an Active Directory domain, or they will no longer apply group policy.\r\nReferences\r\nDesigning a Windows Defender Firewall with Advanced Security Strategy\r\nWindows Defender Firewall with Advanced Security Deployment Guide\r\nAzure remote apps\r\nAzure datacenter IP addresses\r\nMicrosoft O365 IP addresses\r\nSource: https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections"
	],
	"report_names": [
		"preventing-smb-traffic-from-lateral-connections"
	],
	"threat_actors": [],
	"ts_created_at": 1775433986,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82ba7237486ca3fd08374ca36363adf05eb13d90.pdf",
		"text": "https://archive.orkl.eu/82ba7237486ca3fd08374ca36363adf05eb13d90.txt",
		"img": "https://archive.orkl.eu/82ba7237486ca3fd08374ca36363adf05eb13d90.jpg"
	}
}