Help creating a Policy to block all SMB except to 2 Domain Controllers

I am asking advice on how to block ALL SMB traffic except to 2 domain controllers. This is currently to block Windows shares between end users.

I am using Policy Manager to push to EOS.

For the most part, the ports in question would be listed here.

Although I would review it before using a trace to confirm what is there.
If you look at the Threat Management in the default.pmd, there is a limit for ports 135 and 137; you could block those, and/or add in specific rules for the additional ports as needed, and then apply them to the roles for users, not the servers.

Does this assist?
It helps narrow it down, thanks!

Is there a way to consolidate the rules within the role or will I have to have a rule for each port to be allowed to each DC? Plus a deny all SMB first (to rule them all).
You should consolidate rules under a service. Then a role is typically populated in policy manager with services. You could create a service, add to an existing one etc. Does this help?
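As an added example (not from the thread or from Policy Manager itself): a small Python model of the service being discussed, generating the rule list for one consolidated service (permit rules for each SMB/NetBIOS port to each DC, plus a port-only deny for each) and checking it against sample flows. The DC addresses and the peer address are constructed placeholders; the port set is the well-known SMB/NetBIOS set plus TCP 135 from the Threat Management reference above. The evaluation assumes that a rule classifying on destination address plus port outranks a rule classifying on port alone; EOS policy resolves precedence by classification type rather than list order, so confirm that ordering against the precedence table for your platform before relying on it.

```python
"""Model of a 'deny SMB except to two domain controllers' policy service.

Builds the rule list for a single Policy Manager-style service and checks
it against sample flows using most-specific-match evaluation.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed sample values: replace with the real DC addresses.
DOMAIN_CONTROLLERS = ("10.0.0.10", "10.0.0.11")

# Well-known ports: TCP 445 direct SMB, TCP 139 NetBIOS session,
# UDP 137/138 NetBIOS name and datagram, TCP 135 RPC endpoint mapper
# (the port the thread's Threat Management reference also limits).
SMB_PORTS = (("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138), ("tcp", 135))


@dataclass(frozen=True)
class Rule:
    proto: str
    dport: int
    dst: Optional[str]   # None = any destination (port-only classification)
    action: str          # "permit" or "deny"

    @property
    def specificity(self) -> int:
        # Assumption: an address+port rule outranks a port-only rule.
        # Verify against the EOS classification precedence for your firmware.
        return 2 if self.dst else 1


def build_service(dcs=DOMAIN_CONTROLLERS, ports=SMB_PORTS) -> list:
    """One service holding the per-DC permits and the blanket SMB denies."""
    rules = [Rule(p, port, dc, "permit") for dc in dcs for p, port in ports]
    rules += [Rule(p, port, None, "deny") for p, port in ports]
    return rules


def evaluate(rules, proto: str, dst_ip: str, dport: int,
             default: str = "permit") -> str:
    """Return the action for a flow; the most specific matching rule wins."""
    target = ip_address(dst_ip)
    matches = [
        r for r in rules
        if r.proto == proto and r.dport == dport
        and (r.dst is None or ip_address(r.dst) == target)
    ]
    if not matches:
        return default   # traffic outside the service is untouched
    return max(matches, key=lambda r: r.specificity).action


def verify(rules) -> bool:
    """Check the intent: DCs reachable on every SMB port, peers are not,
    and non-SMB traffic is unaffected. Peer address is constructed."""
    peer = "10.0.1.55"
    for p, port in SMB_PORTS:
        if any(evaluate(rules, p, dc, port) != "permit" for dc in DOMAIN_CONTROLLERS):
            return False
        if evaluate(rules, p, peer, port) != "deny":
            return False
    return evaluate(rules, "tcp", peer, 443) == "permit"


if __name__ == "__main__":
    svc = build_service()
    for r in svc:
        print(f"{r.action:6} {r.proto} dport={r.dport} dst={r.dst or 'any'}")
    print("intent verified:", verify(svc))
```

The rule count answers the "one rule per port per DC" question directly: two DCs times five ports gives ten permit rules plus five deny rules, all living in one service that is then attached to the user roles rather than the server roles.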