SMB and Forest Trusts

  • 158 Views
  • Last Post 30 June 2017
ahobbs posted this 30 June 2017

Hey all,
We have two Active Directory Forests between which we want to create a two-way transitive Forest trust.
One AD forest is Windows 2008 R2 and the other is Windows 2012 R2.
Do Forest Trusts require SMB? If so, will disabling SMB 1 or 2 on the DCs prevent us from creating the AD forest trust?
Our security team wants both SMB v1 and 2 disabled, but I'm curious about the impact of doing so.
Thanks in advance!
A

jeremyts posted this 30 June 2017

You should absolutely consider disabling SMB 1 across the board and only re-enable if needed to specific servers for legacy requirements.


For a Trust Relationship to be created, TCP port 445 (SMB) only needs to be open during the trust creation process. However, once the trust has been created, verified and tested, this port can be closed off on firewalls between the forests if required for security purposes.

You cannot disable SMB on the Domain Controllers altogether. This is required for client communication, replication, etc.

Cheers,

Jeremy

ahobbs posted this 30 June 2017

Hey Jeremy,
Thanks for responding.
So I should disable SMB 1 across all clients and servers using the following article as a guide:
https://support.microsoft.com/en-gb/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows
This article does not recommend disabling SMB v2 or 3. Based on what you've said, I'll need to keep SMB enabled as they're DCs (2008 R2 and 2012 R2), but I can close the firewall port (445) once the trust has been created, verified and tested?
A

jeremyts posted this 30 June 2017

I’m not telling you to disable SMB 1. I used the word “consider”. You and your security team will need to test and decide that as I know nothing about your environment.

The rest is correct. Remember that the vulnerability is SMB 1. So if that’s all you’re trying to protect against, you don’t need to worry about closing the firewall port as long as SMB 1 is disabled.

Cheers,

Jeremy
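As an added example (not part of the thread, and not Microsoft's own script), the following PowerShell audits the SMB1 server and client state on every DC in the forest using the registry and sc.exe settings that the KB2696547 article linked above describes, so it works on 2008 R2 as well as 2012 R2; it assumes the ActiveDirectory module is installed and WinRM remoting is enabled on the DCs, and the function name is our own.

```powershell
# Added example: audit (and optionally disable) SMB1 on every DC in the forest,
# using the registry and sc.exe settings from KB2696547 so 2008 R2 and 2012 R2 are both covered.
# Assumes the ActiveDirectory module is installed and PowerShell remoting is enabled on the DCs.
Import-Module ActiveDirectory

function Get-DcSmb1Status {
    [CmdletBinding()]
    param(
        # Defaults to every DC in every domain of the forest; pass -ComputerName to audit specific hosts
        [string[]]$ComputerName = ((Get-ADForest).Domains | ForEach-Object {
                Get-ADDomainController -Filter * -Server $_ } | Select-Object -ExpandProperty HostName),
        # -Disable applies the KB2696547 remediation instead of only reporting
        [switch]$Disable
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Disable.IsPresent -ScriptBlock {
        param([bool]$Disable)
        $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $cli = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

        # Server side: the SMB1 value is absent by default, and absent means SMB1 is ENABLED
        $smb1Value = (Get-ItemProperty -Path $srv -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $serverEnabled = ($null -eq $smb1Value) -or ($smb1Value -ne 0)

        # Client side: the SMB1 redirector driver; Start = 4 means the driver is disabled
        $cliStart = (Get-ItemProperty -Path $cli -Name Start -ErrorAction SilentlyContinue).Start
        $clientEnabled = ($null -ne $cliStart) -and ($cliStart -ne 4)

        if ($Disable -and $serverEnabled) {
            # KB2696547 server-side method: SMB1 = 0 turns the SMB1 server off (reboot required)
            Set-ItemProperty -Path $srv -Name SMB1 -Type DWORD -Value 0 -Force
        }
        if ($Disable -and $clientEnabled) {
            # KB2696547 client-side method: drop mrxsmb10 from the workstation dependencies and disable it
            sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
            sc.exe config mrxsmb10 start= disabled | Out-Null
        }

        New-Object PSObject -Property @{
            Computer          = $env:COMPUTERNAME
            OSVersion         = (Get-WmiObject Win32_OperatingSystem).Caption
            Smb1ServerEnabled = $serverEnabled
            Smb1ClientEnabled = $clientEnabled
            RebootRequired    = $Disable -and ($serverEnabled -or $clientEnabled)
        }
    } | Select-Object Computer, OSVersion, Smb1ServerEnabled, Smb1ClientEnabled, RebootRequired
}

# Report only: list the DCs that still have SMB1 enabled on either side
Get-DcSmb1Status | Where-Object { $_.Smb1ServerEnabled -or $_.Smb1ClientEnabled } | Format-Table -AutoSize
```

Run it without -Disable first and confirm the report against a test DC; SMB2/3 and port 445 stay in service either way, which is what the trust and DC-to-DC traffic need.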
