Endpoint Firewall - Network Micro-Segmentation for Lateral Movement Prevention
Recommendation
Implement network micro-segmentation using Endpoint Firewall rules.
Description
Network micro-segmentation reduces the attack surface for lateral movement by restricting inbound network connections between endpoints.
This approach is important for preventing ransomware propagation, particularly over the SMB protocol.
To mitigate these risks:
- Block incoming SMB connections on all workstations and servers that do not serve as file servers.
- Consider blocking additional inbound TCP/UDP protocols commonly abused for lateral movement.
Operational Guidance
- Block incoming SMB connections on endpoints that do not function as file servers.
- Consider blocking additional inbound TCP/UDP protocols commonly used for lateral movement.
- Apply rules broadly to endpoints that do not require inbound access.
- Avoid enabling logging for high-volume protocols to prevent performance degradation.
Recommended Inbound Connections to Block with Endpoint Firewall
| Name / Service | Protocol | Ports | Description | Associated Risk (MITRE ATT&CK) | Enable Logging |
|---|---|---|---|---|---|
| SMB (Direct Hosting) | TCP | 445 | File sharing, named pipes, IPC | MITRE T1021.002 (SMB/Windows Admin Shares), T1486 (Data Encrypted for Impact) | No |
| NetBIOS Name Service | UDP | 137 | Legacy broadcast name resolution | MITRE T1557 (Adversary-in-the-Middle) | No |
| NetBIOS Datagram Service | UDP | 138 | Legacy broadcast/multicast messaging | MITRE T1557 (Adversary-in-the-Middle) | No |
| NetBIOS Session Service | TCP | 139 | Legacy SMB over NetBIOS | MITRE T1021.002 (SMB Lateral Movement) | No |
| RPC Endpoint Mapper | TCP | 135 | RPC service discovery | MITRE T1021.003 (RPC), T1047 (WMI) | Yes |
| RPC Dynamic Ports | TCP/UDP | 49152-65535 | Ephemeral RPC communication ports | MITRE T1021.003 (RPC), T1047 (WMI) | No |
| Remote Desktop Protocol (RDP) | TCP/UDP | 3389 | Interactive remote login | MITRE T1021.001 (RDP) | Yes |
| WinRM (HTTP) | TCP | 5985 | Remote management / PowerShell remoting | MITRE T1021.006 (WinRM), T1059.001 (PowerShell) | Yes |
| WinRM (HTTPS) | TCP | 5986 | Encrypted remote management | MITRE T1021.006 (WinRM), T1059.001 (PowerShell) | Yes |
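The following script is an added example, not part of this guidance or of any Endpoint Firewall product: it applies the block list above with the built-in Windows Defender Firewall (NetSecurity and SmbShare modules), and skips the SMB/NetBIOS rows on hosts that publish user shares, which is one way to operationalise the "does not function as a file server" condition. The rule group name, the share-based file-server check and the use of Windows Defender Firewall instead of a vendor agent are assumptions.

```powershell
# Added example (not from the original guidance). Assumes Windows 8 / Server 2012 or
# later, an elevated session, and Windows Defender Firewall as the endpoint firewall.
$Group = 'Lateral Movement Block (Inbound)'   # assumed group name; lets rules be removed as a set

# One entry per table row; rows listing TCP/UDP are expanded into two rules below.
$BlockList = @(
    @{ Name = 'SMB (Direct Hosting)';     Protocol = 'TCP';     Ports = '445';         Log = $false; Smb = $true  }
    @{ Name = 'NetBIOS Name Service';     Protocol = 'UDP';     Ports = '137';         Log = $false; Smb = $true  }
    @{ Name = 'NetBIOS Datagram Service'; Protocol = 'UDP';     Ports = '138';         Log = $false; Smb = $true  }
    @{ Name = 'NetBIOS Session Service';  Protocol = 'TCP';     Ports = '139';         Log = $false; Smb = $true  }
    @{ Name = 'RPC Endpoint Mapper';      Protocol = 'TCP';     Ports = '135';         Log = $true;  Smb = $false }
    @{ Name = 'RPC Dynamic Ports';        Protocol = 'TCP,UDP'; Ports = '49152-65535'; Log = $false; Smb = $false }
    @{ Name = 'Remote Desktop Protocol';  Protocol = 'TCP,UDP'; Ports = '3389';        Log = $true;  Smb = $false }
    @{ Name = 'WinRM (HTTP)';             Protocol = 'TCP';     Ports = '5985';        Log = $true;  Smb = $false }
    @{ Name = 'WinRM (HTTPS)';            Protocol = 'TCP';     Ports = '5986';        Log = $true;  Smb = $false }
)

# Assumed file-server test: a host exposing any share beyond the default administrative
# ones (ADMIN$, C$, IPC$ are marked Special) is treated as a file server and keeps SMB open.
$IsFileServer = @(Get-SmbShare | Where-Object { -not $_.Special }).Count -gt 0

foreach ($Entry in $BlockList) {
    if ($Entry.Smb -and $IsFileServer) {
        Write-Warning "Skipping '$($Entry.Name)': this host publishes user shares"
        continue
    }
    foreach ($Proto in ($Entry.Protocol -split ',')) {
        $DisplayName = "Block Inbound $($Entry.Name) ($Proto $($Entry.Ports))"
        # Idempotent: replace an existing rule with the same name instead of duplicating it.
        Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule
        # Windows Firewall has no per-rule logging, so the table's "Enable Logging" value
        # is kept in the description for operators whose agent does support it.
        New-NetFirewallRule -DisplayName $DisplayName -Group $Group `
            -Direction Inbound -Action Block -Enabled True -Profile Any `
            -Protocol $Proto -LocalPort $Entry.Ports `
            -Description "Lateral movement hardening. Table recommends logging: $($Entry.Log)" |
            Out-Null
    }
}

Get-NetFirewallRule -Group $Group | Select-Object DisplayName, Enabled, Action
# Roll back the whole set with: Remove-NetFirewallRule -Group $Group
```

Because blocked-connection logging in Windows Firewall is a per-profile setting rather than per rule, turning it on would also log the high-volume SMB and NetBIOS drops the guidance says to avoid; the script therefore leaves profile logging unchanged.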