How to block TeamViewer?
Solution 1:
Just for completeness, TeamViewer uses three different ports in a specific order.
- TCP/UDP port 5938 is the primary port TeamViewer prefers to use. This is also currently the only port used by Android, Windows Mobile and BlackBerry clients.
- If the connection fails, TeamViewer tries TCP 443 next. This is actually the most problematic part, because blocking the default HTTPS port 443 will block all secure web sites. Tampering with the data would involve using a fake root CA and decrypting the data, and without that it's really hard to detect whether it's TeamViewer traffic or just normal TLS-encrypted HTTPS.
- The default HTTP port, TCP 80, is the third alternative. That would be easy to block e.g. by using a transparent proxy, but it is totally unnecessary, because 443 is used before this.
Therefore, blocking the connections on the network level from any client (incl. BYOD) would involve:
- Faking or blocking DNS queries for *.teamviewer.com. This should actually be the most efficient way, if you trust TeamViewer GmbH's word (given for the opposite purpose):
  "The TeamViewer software makes connections to our master servers located around the world. These servers use a number of different IP address ranges, which are also frequently changing. As such, we are unable to provide a list of our server IPs. However, all of our IP addresses have PTR records that resolve to *.teamviewer.com. You can use this to restrict the destination IP addresses that you allow through your firewall or proxy server."
- Additionally, blocking TeamViewer's known IP address ranges, but as we can soon see, this may be problematic and hard to maintain:
  - 178.77.120.0/25; DE-HE-MASTER-EXT; TeamViewer GmbH
  - 159.8.209.208/28; NETBLK-SOFTLAYER-RIPE-CUST-SS30641-RIPE; TeamViewer GmbH
  - Some in 92.51.156.64/26; owned by Host Europe GmbH; risk for false positives...
  - etc.; also a risk for false positives and a need for removals in the future.
- In addition, very paranoid administrators could utilize some Deep Packet Inspection.
If you don't trust TeamViewer GmbH, and as TeamViewer works on ports 443 and 80 with a standalone TeamViewerQS.exe, Group Policy (e.g. Software Restriction Policies) would be a good addition that increases protection on Windows machines joined to an AD domain.
Solution 2:
First step: block DNS
The TeamViewer client uses port 80 for the outbound connection, so it is difficult to block on a port basis. So, because the TeamViewer client must first connect to the TeamViewer server, we can use another approach, that is blocking every DNS request for *.teamviewer.com and/or *.dyngate.com.
Second step: block the IP address range
The TeamViewer IP address range is 178.77.120.0/24, but you have to check again.
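The two answers describe three indicators a network defender can act on: the primary port 5938, the fallback ports 443/80 (attributable only through the PTR record of the destination IP, as the quoted TeamViewer statement suggests), and a handful of published IP ranges. The script below is an added example, not code from either answer, that triages constructed firewall log lines against those indicators and also exposes the domain matcher a DNS filter would use for *.teamviewer.com / *.dyngate.com. The log format, the PTR table and the 203.0.113.x addresses are constructed for the example; the IP ranges are the ones quoted in the first answer and are a starting point rather than a maintained list.

```python
"""Triage outbound flows against the TeamViewer indicators named in the answers:
primary port 5938, fallback ports 443/80 (PTR-attributable only), and the
IP ranges quoted in the first answer.  Added example; not from the answers."""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

TEAMVIEWER_PRIMARY_PORT = 5938
FALLBACK_PORTS = {443, 80}
# Domains named in the answers; both PTR names and DNS queries are matched against these.
TEAMVIEWER_DOMAINS = ("teamviewer.com", "dyngate.com")
# Ranges quoted in the first answer; they change, so treat this list as illustrative.
KNOWN_RANGES = [ipaddress.ip_network(n) for n in ("178.77.120.0/25", "159.8.209.208/28")]

PtrLookup = Callable[[str], Optional[str]]


def default_ptr_lookup(ip: str) -> Optional[str]:
    """Live reverse lookup; returns None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None


def matches_teamviewer_domain(name: str) -> bool:
    """True for teamviewer.com / dyngate.com and any subdomain (trailing dot tolerated).
    Usable both for PTR names and for DNS query names in a resolver block list."""
    host = name.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in TEAMVIEWER_DOMAINS)


def classify_connection(dst_ip: str, dst_port: int, proto: str,
                        ptr_lookup: PtrLookup = default_ptr_lookup) -> Tuple[str, str]:
    """Return ("block" | "allow", reason) for one outbound flow."""
    proto = proto.lower()
    if dst_port == TEAMVIEWER_PRIMARY_PORT and proto in ("tcp", "udp"):
        return "block", "TeamViewer primary port 5938"
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in KNOWN_RANGES):
        return "block", "destination in known TeamViewer range"
    if dst_port in FALLBACK_PORTS and proto == "tcp":
        ptr = ptr_lookup(dst_ip)
        if ptr and matches_teamviewer_domain(ptr):
            return "block", f"PTR {ptr} resolves under a TeamViewer domain"
        # Plain HTTPS/HTTP to an unrelated host: indistinguishable without DPI, so allow.
        return "allow", "fallback port but PTR does not point at TeamViewer"
    return "allow", "no TeamViewer indicator"


# Constructed key=value log format (not any vendor's real format).
LOG_RE = re.compile(r"dst=(?P<ip>[\d.]+)\s+dport=(?P<port>\d+)\s+proto=(?P<proto>\w+)")


def triage_log(lines: List[str], ptr_lookup: PtrLookup = default_ptr_lookup) -> List[Dict[str, str]]:
    """Parse constructed firewall lines and classify each flow."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict, reason = classify_connection(m["ip"], int(m["port"]), m["proto"], ptr_lookup)
        results.append({"dst": m["ip"], "port": m["port"], "verdict": verdict, "reason": reason})
    return results


# Constructed sample log: one flow per indicator plus two benign flows.
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z src=10.0.0.15 dst=10.9.9.9 dport=5938 proto=udp",
    "2024-05-01T09:00:02Z src=10.0.0.15 dst=178.77.120.10 dport=443 proto=tcp",
    "2024-05-01T09:00:03Z src=10.0.0.15 dst=203.0.113.10 dport=443 proto=tcp",
    "2024-05-01T09:00:04Z src=10.0.0.15 dst=203.0.113.20 dport=443 proto=tcp",
    "2024-05-01T09:00:05Z src=10.0.0.15 dst=203.0.113.20 dport=22 proto=tcp",
]

# Constructed PTR table standing in for live reverse DNS so the example runs offline.
FAKE_PTR = {"203.0.113.10": "srv-01.teamviewer.com.", "203.0.113.20": "www.example.net"}


def fake_ptr_lookup(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG, fake_ptr_lookup):
        print(f"{r['dst']}:{r['port']}  {r['verdict']:5}  {r['reason']}")
```

Swap `fake_ptr_lookup` for the default to run it against real reverse DNS. The order of checks matters: the port and range tests are cheap and need no lookup, while the PTR check is only consulted for 443/80, which is exactly where the first answer says port-based blocking stops being possible; a flow on those ports whose PTR points elsewhere is allowed because, as that answer notes, nothing short of DPI can tell it apart from ordinary HTTPS.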