How to: Block TeamViewer on your Network

This article explains how to accurately block all TeamViewer remote connections on your network. We include information on the TeamViewer Port, IP Addresses, and DNS Records needed to block this application. These instructions should protect you against all usage of this common remote desktop application.

TeamViewer requires no configuration or any special firewall rules to allow it to connect. All a user needs to do is download the EXE from the website and run it – this makes it very easy for anyone to set up and to circumvent security restrictions. Corporate networks probably don’t want to allow such easy remote access. With such an easy installation process, how do you block TeamViewer?

Step 0: Policy

Ensure you are entitled to block this application and your end-users are aware of your corporate policy against this sort of access. You should always have written policy to back up these enforcements.

Step 1: DNS Block

The first step is to block the resolution of DNS records on the teamviewer.com domain. If you run your own DNS server (such as an Active Directory server) then this is easy.

  1. Open your DNS Management Console
  2. Create a top-level record for ‘teamviewer.com’.
  3. Do nothing else. By pointing this record nowhere you will stop connections to this domain and all of its subdomains.
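To show exactly which names the empty-zone trick from Step 1 catches, here is a small added example (not from the original article) that models the resolver's decision. It matches on DNS labels rather than on raw string suffixes, so look-alike names such as notteamviewer.com are still forwarded normally. The sample query list and the stub resolver are constructed for illustration.

```python
# Added example (not from the original article): a minimal model of the
# "empty zone" technique from Step 1, showing which names it catches.
# An empty authoritative zone for teamviewer.com answers NXDOMAIN for the
# apex and every name beneath it, but must not affect look-alike names.

def is_under_zone(name: str, zone: str) -> bool:
    """True if `name` is the zone apex or any label-wise subdomain of it.

    Matching is done on DNS labels, not on raw string suffixes, so
    'notteamviewer.com' is NOT treated as part of 'teamviewer.com'.
    Comparison is case-insensitive and tolerates a trailing dot.
    """
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(n) >= len(z) and n[-len(z):] == z

# Constructed sample queries a client might issue.
SAMPLE_QUERIES = [
    "teamviewer.com",
    "www.teamviewer.com",
    "master1.teamviewer.com.",
    "LOGIN.TEAMVIEWER.COM",
    "notteamviewer.com",
    "teamviewer.com.example.org",
    "example.org",
]

BLOCKED_ZONES = ["teamviewer.com"]   # the zone created in Step 1

def resolve(name: str) -> str:
    """Stub resolver: 'NXDOMAIN' for names in a blocked zone, else 'FORWARD'."""
    for zone in BLOCKED_ZONES:
        if is_under_zone(name, zone):
            return "NXDOMAIN"
    return "FORWARD"

def classify(queries):
    """Map each query name to the verdict the resolver would give."""
    return {q: resolve(q) for q in queries}

if __name__ == "__main__":
    for q, verdict in classify(SAMPLE_QUERIES).items():
        print(f"{q:30} -> {verdict}")
```

The trailing-dot and case handling matter in practice: clients send fully qualified names in mixed case, and a naive `endswith("teamviewer.com")` check would both miss `teamviewer.com.` and wrongly block `notteamviewer.com`.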

Step 2: Check Clients Can’t Connect to External DNS Servers

Ensure the only DNS connections allowed on your network are to your own internal DNS servers (which contain this dummy-record). This removes the possibility of the TeamViewer client checking DNS records against their own servers, instead of yours.

  1. Log into your Firewall or Router
  2. Add a new outgoing firewall rule to disallow TCP & UDP port 53 from all source IP addresses, EXCEPT the addresses of your own DNS servers.

This means clients will now only be able to resolve the DNS records you allow through your own DNS server (and these servers can forward requests on to external servers, of course).

Step 3: Block Access to TeamViewer IP Address Range

The TeamViewer client will still sometimes be able to connect to known IP Addresses, despite the DNS Record being blocked. To overcome this, you need to block access to their IP Address range.

  1. Log into your Firewall or Router
  2. Add a new outgoing firewall rule to disallow connections to 178.77.120.0/24

The TeamViewer IP Address Range is 178.77.120.0/24, which translates to 178.77.120.1 – 178.77.120.254.

Step 4: Block TeamViewer Port

This step probably isn’t necessary, but can be good as an extra layer of protection. TeamViewer connects on port 5938, but also tunnels via ports 80 (HTTP) & 443 (SSL) if that port is unavailable. Here’s how to block that port:

  1. Log into your Firewall or Router
  2. Add a new outgoing firewall rule to disallow TCP & UDP port 5938 from all source IP Addresses
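The rules from Steps 2, 3 and 4 only work together if they are evaluated in the right order. The following added example (not from the original article, and not a real firewall API) models the outbound rule chain as first-match Python functions and runs it over constructed sample flows. The internal DNS server addresses are placeholders; the 178.77.120.0/24 range and port 5938 come from the steps above.

```python
# Added example (not from the original article): a model of the outbound
# firewall rules from Steps 2-4, evaluated first-match against sample flows.
# Rule order matters twice: the TeamViewer range drop goes before the DNS
# exception so even your resolvers cannot reach it, and the resolver
# exception goes before the general port-53 drop so your own DNS servers
# keep their upstream access.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values: replace with your own resolvers' addresses.
INTERNAL_DNS_SERVERS = {ip_address("10.0.0.10"), ip_address("10.0.0.11")}
TEAMVIEWER_NET = ip_network("178.77.120.0/24")   # from Step 3
TEAMVIEWER_PORT = 5938                            # from Step 4

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

def drop_teamviewer_net(f: Flow):
    # Step 3: no traffic to the TeamViewer address range, on any port.
    if ip_address(f.dst) in TEAMVIEWER_NET:
        return "DROP"
    return None

def drop_teamviewer_port(f: Flow):
    # Step 4: no traffic to port 5938 over TCP or UDP, to any destination.
    if f.dport == TEAMVIEWER_PORT and f.proto in ("tcp", "udp"):
        return "DROP"
    return None

def allow_dns_from_resolvers(f: Flow):
    # Step 2, exception: only the internal DNS servers may reach port 53 outside.
    if f.dport == 53 and ip_address(f.src) in INTERNAL_DNS_SERVERS:
        return "ACCEPT"
    return None

def drop_external_dns(f: Flow):
    # Step 2, general rule: everyone else is denied external DNS.
    if f.dport == 53:
        return "DROP"
    return None

# First-match evaluation, like a firewall chain. The default policy is
# ACCEPT so the rest of the network keeps working.
EGRESS_CHAIN = [
    drop_teamviewer_net,
    drop_teamviewer_port,
    allow_dns_from_resolvers,
    drop_external_dns,
]

def evaluate(flow: Flow) -> str:
    """Return the verdict of the first rule that matches, else ACCEPT."""
    for rule in EGRESS_CHAIN:
        verdict = rule(flow)
        if verdict is not None:
            return verdict
    return "ACCEPT"

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.0.0.10", "8.8.8.8", "udp", 53),         # resolver forwarding: allowed
    Flow("10.0.5.23", "8.8.8.8", "udp", 53),         # client bypassing DNS: dropped
    Flow("10.0.5.23", "178.77.120.50", "tcp", 443),  # TeamViewer range over 443: dropped
    Flow("10.0.5.23", "203.0.113.7", "tcp", 5938),   # TeamViewer port elsewhere: dropped
    Flow("10.0.0.10", "178.77.120.1", "udp", 53),    # resolver to TeamViewer range: dropped
    Flow("10.0.5.23", "203.0.113.7", "tcp", 443),    # ordinary HTTPS: allowed
]

def audit(flows):
    """Return {flow: verdict} for a batch of flows."""
    return {f: evaluate(f) for f in flows}

if __name__ == "__main__":
    for f, v in audit(SAMPLE_FLOWS).items():
        print(f"{f.src:>12} -> {f.dst:>15} {f.proto}/{f.dport:<5} {v}")
```

When you translate this into your firewall's rule list, keep the same order: range and port drops first, then the resolver exception, then the catch-all port-53 drop. The fifth sample flow is the case that is easy to get wrong, since a resolver exception placed first would let your own DNS servers reach the blocked range.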

Step 5: Group Policy Restrictions

If you have an Active Directory Network, consider adding Software Restrictions to Group Policy. Here’s how you can do it:

  1. Download the TeamViewer EXE file from their website.
  2. Open your Group Policy Management Console, and create a new GPO.
  3. In your GPO go to Software Restriction Policies, found under User Configuration > Windows Settings > Security Settings > Software Restriction Policies.
  4. Right click and choose “New Software Restriction Policies”.
  5. Select “Browse” in the New Hash Rule popup window. Find the TeamViewer setup EXE and open it.
  6. Close those windows and link your new GPO to the domain and make it apply to everyone.

Step 6: Deep Packet Inspection

If all of these steps fail you, you may need to implement a firewall which performs Deep Packet Inspection and Unified Threat Management. These devices are specifically designed to look for common remote access tools and block them. They also cost a lot of money.


These steps should help you reliably block TeamViewer on your network. This protects you against users trying to gain remote access to your network using this software, or getting to their own PCs at home to circumvent filters. It is worth checking your setup regularly to ensure it is still functioning as expected, as the ports and IP Addresses may change in the future. You should also apply similar restrictions to all of the other common remote access tools. When it comes to security, you can never be too sure.


I'm Anthony Eden, and I'm an IT Professional, Broadcast Technician, Software Developer, and Solutions Engineer. I've been working in broadcast media since 2008, and developing software and websites for just as long. Right now, I provide freelance services through Media Realm - in particular, to the media and not-for-profit industries.

Follow Anthony on Twitter: @anthony_eden