Summary
IMPORTANT: These protocols may be necessary to permit in your environment, depending on the configuration. For example, it may be difficult to block SMB traffic to site servers if they are also distribution points, or to HTTP(S) if they are both a management point and an SMS Provider. Review the referenced documentation and test thoroughly prior to implementing these rules in production.To help prevent NTLM coercion and relay and remote management from untrusted, non-admin networks, block connections from unnecessary sources to site systems via protocols and ports that can be used for coercion, relay, and remote management, including:
- HTTPS and WMI traffic to SMS Providers
- MSSQL traffic to site databases
- SMB traffic to primary (including CAS) and passive site servers
Linked Defensive IDs
- PREVENT-9: Enforce MFA for SMS Provider calls
- PREVENT-12: Require SMB signing on site systems
- PREVENT-14: Require EPA on AD CS and site databases
Associated Offensive IDs
- CRED-5: Dump credentials from the site database
- ELEVATE-1: NTLM relay site server to SMB on site systems
- ELEVATE-2: NTLM relay via automatic client push installation
- EXEC-1: Application deployment
- EXEC-2: PowerShell script execution
- RECON-2: Enumerate SCCM roles via SMB
- RECON-3: Enumerate SCCM roles via HTTP
- RECON-4: Query client devices via CMPivot
- RECON-5: Locate users via SMS Provider
- TAKEOVER-1: NTLM coercion and relay to MSSQL on remote site database
- TAKEOVER-2: NTLM coercion and relay to SMB on remote site database
- TAKEOVER-3: NTLM coercion and relay to HTTP on AD CS
- TAKEOVER-4: NTLM coercion and relay from CAS to origin primary site server
- TAKEOVER-5: NTLM coercion and relay to AdminService on remote SMS Provider
- TAKEOVER-6: NTLM coercion and relay to SMB on remote SMS Provider
- TAKEOVER-7: NTLM coercion and relay to SMB between primary and passive site servers
- TAKEOVER-8: NTLM coercion and relay HTTP to LDAP on domain controller