How can I block the SMB (445/tcp) port on Windows 2012R2 Data Center?
I'm having the same problem. I can actually disable the 445 in rules. I can also set them to block as well as the explicit block rule. I'm suspecting there is something working differently in 2012 than 2008. I gave my host a different name, disabled the Alfresco SMB server and I can still enumerate default file shares on the host (admin$, C$, Z$). It shouldn't give me anything back when I'm querying //alfresco instead of the real name of the server...

With Wireshark I can see the client trying to use 445, failing a few times and then falling back to port 139.

What seems to work is disabling Windows file and print sharing on the network interface (network control panel, select interface, properties, untick file and printer sharing). I still can't get the CIFS authentication with AD to work, but at least the attempt is hitting the right engine now!
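The same sequence in PowerShell on Server 2012 R2, as an added example that is not code from the thread: list which enabled inbound rules currently allow TCP/445, add the explicit block rule the comments suggest, unbind File and Printer Sharing from the interface as the answer above does, then test from the network side. The adapter name "Ethernet" and the choice to block the 139 fallback port as well are assumptions.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell
# session on Windows Server 2012 R2 and an adapter named "Ethernet" (assumption).
$smbPort   = 445
$blockPorts = 445, 139   # 139 is the NetBIOS fallback the answer saw in Wireshark

# 1. Which enabled inbound rules currently allow TCP/445? Knowing whether they
#    come from the local store or Group Policy explains the "cannot be modified" message.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $smbPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action, Profile, PolicyStoreSourceType

# 2. Add an explicit inbound block rule for all profiles. Windows Firewall
#    applies block rules ahead of allow rules, so the built-in SMB rule is left alone.
New-NetFirewallRule -DisplayName "Block inbound SMB TCP/445 and 139" `
    -Direction Inbound -Protocol TCP -LocalPort $blockPorts `
    -Action Block -Profile Any -Enabled True | Out-Null

# 3. Confirm the rule exists, is enabled and carries the expected ports.
Get-NetFirewallRule -DisplayName "Block inbound SMB TCP/445 and 139" |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# 4. The change the answer found effective: unbind "File and Printer Sharing
#    for Microsoft Networks" (component ms_server) from the interface so the
#    Windows SMB server no longer answers on it. Disable it only on interfaces
#    where the Alfresco CIFS service should be the one responding.
Disable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_server
Get-NetAdapterBinding -Name "Ethernet" -ComponentID ms_server |
    Select-Object Name, DisplayName, Enabled

# 5. Test from another machine on the network (run there, not on the server);
#    TcpTestSucceeded should be False for 445 once the block is effective.
Test-NetConnection -ComputerName '<server-hostname>' -Port $smbPort -InformationLevel Detailed
```

Re-run step 1 after step 2 to see the new Block rule listed alongside the built-in Allow rules; if the allow rule reports a GroupPolicy store, the rule is managed by policy rather than the local console.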
Brian Knoblauch
Updated on September 18, 2022

Comments
-
Brian Knoblauch almost 2 years
I've got an interesting software configuration (Alfresco CIFS) that requires me to block access to the Windows SMB port for proper operation. I tried adding a new inbound firewall rule at the top that blocks 445/tcp, but it seems to be ignored. If I try to edit the preexisting Windows SMB rule, I'm unable to because of the message "This rule has been applied by the system administrator and cannot be modified". I am the system administrator and am running this as an escalated process... What's the best (or any workable) way to block 445/tcp on Windows 2012R2 DataCenter?
-
Get-HomeByFiveOClock over 9 years
May want to check either Group Policy or local Security policy to see if that port is opened by either of those.
-
Brian Knoblauch over 9 years
No policies applied that involve the firewall.
-
Get-HomeByFiveOClock over 9 years
That is indeed strange then!? Are you sure an explicit DENY rule on the firewall doesn't block it? Windows Firewall should evaluate DENY rules before the ALLOWs. Another option is to block it later (after passing through the Windows firewall) with your anti-virus, given that your particular antivirus software will allow you to block individual ports.
-
Brian Knoblauch over 9 years
I just had another thought. I blocked 445/TCP on IPv6 and IPv4. I wonder if Alfresco only listens on 135 on IPv4? Clients normally try IPv6 first and if Alfresco isn't overriding that too, Windows would snag it...
-
RalfFriedl over 4 years
But how is that related to the question?