Providing the router firewall has been correctly configured to block NetBIOS (TCP and UDP ports 137 to 139) and SMB over TCP (TCP port 445), exploits that use these services should be prevented. However, you can also create rules in the CIS firewall that allow communication between devices on your LAN only.
You can achieve this in a couple of different ways. The first is the simplest; the second is just a slightly more restrictive version.
- Open the CIS control panel and select Firewall security policy
- Select Network Zones and ensure there is an entry that covers the range of IP addresses used by your LAN. (This is usually done automatically via the ‘Automatically detect new private networks’ option in More/Preferences.)
- Assuming there is such an entry, make a note of the name and close Network Zones
- Select the ‘Stealth Ports Wizard’ and select the first option ‘Define a new trusted network…’
- In the Zone name drop-down box select the name of the network zone noted earlier.
- Select OK
This process will add two Application rules to the System process and also two rules to the Global Rules list. Essentially, these rules allow communication between devices participating in file and printer sharing on your LAN. Make sure you perform this task on each PC.
The second option, as I said, is similar; we just tighten the rules a little. To do this, either run through the procedure outlined above or create the rules manually. If you choose the first option, you can edit the rules created by the Stealth Ports Wizard:
Application rules: Application name - System
Rule Name - Allow System To Send Requests If The Target Is In [LAN] (change this to client/server names)
Action - Allow
Protocol - IP
Direction - OUT
Source Address - ANY (Change this to either the MAC or IP address of the client PC on your LAN)
Destination Address - Network zone name (Change this to the MAC address of the server PC on your LAN)
IP Details - ANY
Application rules: Application name - System
Rule Name - Allow System To Receive Requests If The Sender Is In [LAN] (change this to client/server names)
Action - Allow
Protocol - IP
Direction - IN
Source Address - Network zone name (Change this to the MAC address of the server PC on your LAN)
Destination Address - ANY (Change this to either the MAC or IP address of the client PC on your LAN)
IP Details - ANY
If necessary, modify the above depending on which PC is the client and which PC is the server. Also add an additional rule to the System process to block and log all other communication:
Application rules: Application name - System
Rule name - Block and Log IP OUT
Action - Block
Protocol - IP
Direction - OUT
Source Address - ANY
Destination Address - ANY
IP Details - ANY
You now need to repeat the process for Global Rules; however, there is no process name to associate with these rules, so they will affect all traffic that passes through the Global Rules:
Rule name - Allow All Outgoing Requests If The Target Is In [LAN]
Action - Allow
Protocol - IP
Direction - OUT
Source Address - ANY (Change this to either the MAC or IP address of the client PC on your LAN)
Destination Address - Network zone name (Change this to the MAC address of the server PC on your LAN)
IP Details - ANY
Rule name - Allow All Incoming Requests If The Sender Is In [LAN]
Action - Allow
Protocol - IP
Direction - IN
Source Address - Network zone name (Change this to the MAC address of the server PC on your LAN)
Destination Address - ANY (Change this to either the MAC or IP address of the client PC on your LAN)
IP Details - ANY
Then add an additional rule as the last entry in the Global rules list:
Rule name - Block and Log IP IN
Action - Block
Protocol - IP
Direction - IN
Source Address - ANY
Destination Address - ANY
IP Details - ANY
Remember, by adding this block rule to Global Rules you will affect all traffic trying to enter your LAN; therefore, you will have to create global rules for applications that need inbound communication, such as P2P clients, above this rule.
The above is fine for basic file and printer sharing; however, accessing other shared media (movies, audio etc.) will require additional rules.
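To see why rule order matters, here is an added example (not part of the original post or of CIS itself) that models the tightened System and Global rule sets above as ordered first-match lists and runs a few sample packets through them. It assumes a constructed LAN zone of 192.168.1.0/24, a client PC at 192.168.1.10 and a server PC at 192.168.1.20 (IP addresses stand in for the MAC addresses the post suggests), and the usual CIS evaluation order of application rules then global rules for outbound traffic and the reverse for inbound; the "no matching rule" case is simplified to "pass to the next list".

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the [LAN] network zone referenced by the rules above.
LAN_ZONE = ipaddress.ip_network("192.168.1.0/24")

@dataclass
class Rule:
    name: str
    action: str     # "Allow" or "Block"
    direction: str  # "IN" or "OUT"
    src: str        # "ANY", "LAN" (the network zone) or one IP address
    dst: str

def addr_matches(spec, addr):
    if spec == "ANY":
        return True
    if spec == "LAN":
        return ipaddress.ip_address(addr) in LAN_ZONE
    return addr == spec

def first_match(rules, direction, src, dst):
    # Rules are consulted top to bottom; the first match decides for that list.
    for r in rules:
        if r.direction == direction and addr_matches(r.src, src) and addr_matches(r.dst, dst):
            return r
    return None

def decide(app_rules, global_rules, direction, src, dst):
    """Assumed CIS order: OUT traffic is checked against application rules then
    global rules, IN traffic against global rules then application rules. The
    first Block hit wins; a list with no matching rule passes the packet on."""
    order = [app_rules, global_rules] if direction == "OUT" else [global_rules, app_rules]
    for rules in order:
        hit = first_match(rules, direction, src, dst)
        if hit is not None and hit.action == "Block":
            return "Block", hit.name
    return "Allow", None

# The tightened rule sets from the post: client PC 192.168.1.10, server PC 192.168.1.20 (constructed).
SYSTEM_RULES = [
    Rule("Allow System To Send Requests If The Target Is In [LAN]", "Allow", "OUT", "192.168.1.10", "192.168.1.20"),
    Rule("Allow System To Receive Requests If The Sender Is In [LAN]", "Allow", "IN", "192.168.1.20", "192.168.1.10"),
    Rule("Block and Log IP OUT", "Block", "OUT", "ANY", "ANY"),
]
GLOBAL_RULES = [
    Rule("Allow All Outgoing Requests If The Target Is In [LAN]", "Allow", "OUT", "ANY", "LAN"),
    Rule("Allow All Incoming Requests If The Sender Is In [LAN]", "Allow", "IN", "LAN", "ANY"),
    Rule("Block and Log IP IN", "Block", "IN", "ANY", "ANY"),
]
```

Inserting an inbound allow rule for a P2P client above the final "Block and Log IP IN" entry lets that traffic through, while appending it after the block rule has no effect, which is the ordering point made above.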