Why is file sharing over internet still working, despite all firewall exceptions for filesharing being disabled?
Every exception in my windows server firewall that starts with "File and Printer Sharing" is disabled (ordered by name, so that includes domain, public (active), and private profiles).
The Network and Sharing Center's options for everything except password protected sharing are off.
Why would I still be able to access a network share on that server via an address like "\\my.server.com\" over the internet?
The firewall is on for all profiles and blocking incoming connections by default. A "netstat -an" command on the server reveals the share connection is occurring over port 445 (SMB). I restarted the client to ensure it was actually re-establishing a new connection successfully.
Is the "Password protected sharing: On" option in Network and Sharing Center bypassing the firewall restrictions, or adding some other exception somewhere that I'm missing?
EDIT: "Custom" rules are not the problem. It's the "built-in" rules for Terminal Services that were the problem. (Can you believe port 445 (File Sharing Port) has to be wide open to the internet to use Terminal Services Licensing?)
windows-server-2008 file-sharing server-message-block windows-firewall
edited Sep 24 '12 at 20:51
Triynko
asked Sep 24 '12 at 20:03
Triynko
2
Check for custom rules, like those not in groups particularly.
– Chris S
Sep 24 '12 at 20:12
I sorted by port and was surprised to find that both "Terminal Services (NP-In)" and "Terminal Services Licensing Server (NP-In)" are allowing access through port 445. Is that normal? It's not a custom rule; it's built-in: "This is a predefined rule and some of its properties cannot be modified."
– Triynko
Sep 24 '12 at 20:22
Sure enough, that was the problem. Upon disabling those two rules, and using CurrPorts to kill the original connection from the client, the client could no longer connect. Those TS exceptions are enabled on all profiles, so that's a major security hole in file sharing, IMO.
– Triynko
Sep 24 '12 at 20:27
Wonder if it's related to this hotfix: support.microsoft.com/kb/974195
– Triynko
Sep 24 '12 at 20:38
2
"Terminal Services Licensing communicates by using RPC over named pipes. Service has the same firewall requirements as those of the “File and Printer Sharing” feature." - terminalserviceslog.com/blog/index.php/2008/06/29/… SERIOUSLY MICROSOFT!!!
– Triynko
Sep 24 '12 at 20:48
2 Answers
I think you're confusing things a bit, Triynko. Those ports don't have to be open to the Internet for internet connected clients to connect. They only have to be open between your Remote Desktop Server and your Remote Desktop Licensing server. They're also used for remote management of the Remote Desktop Services. The description fields on those firewall rules say as much.
The only port(s) that needs to be open to the Internet if you haven't reconfigured the defaults are 3389 for direct connections or 443 to your RDS Gateway server.
answered Sep 24 '12 at 21:19
Ryan Bolger
A down vote with no explanation? Bad form.
– Ryan Bolger
Sep 25 '12 at 5:44
Not sure who down voted it, but it's gone now. I understand what ports need to be open to what, but my point was that the Terminal Service's firewall configuration, a built-in rule, has a default setting that opens port 445 to the Internet, so that file shares are accessible from the Internet even when all other file sharing exceptions are turned off.
– Triynko
Jan 3 '13 at 1:11
Had the same problem and @Triynko basically provided the right answer (different services though):
So in my case, it was not anything terminal service related, but the
following two rules, that were allowing traffic for port 445 TCP:
- Remote Access Management (NP-In)
- File Server Remote Management (SMB-In)
So thanks for that!
answered Aug 1 '17 at 14:14
lauxjpn
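The audit that both the question's comments and this answer arrived at by sorting rules by port, as an added example that is not part of the original posts: it lists every enabled inbound allow rule that admits TCP 445, whatever group the rule belongs to. It uses the `HNetCfg.FwPolicy2` COM object so that it also runs on Windows Server 2008; the helper names `Test-PortSpecCovers` and `Get-ProfileList` are hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the server.
# Finds every enabled inbound ALLOW rule that admits TCP 445, regardless of the
# rule's group ("File and Printer Sharing", "Terminal Services", ...).

# Hypothetical helper: does a LocalPorts string such as "445", "139,445",
# "1024-65535" or "*" cover the given port?
function Test-PortSpecCovers {
    param([string]$Spec, [int]$Port)
    # An empty or "*" port list means "any port".
    if ([string]::IsNullOrEmpty($Spec) -or $Spec -eq '*') { return $true }
    foreach ($item in $Spec.Split(',')) {
        $item = $item.Trim()
        if ($item -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) {
                return $true
            }
        } elseif ($item -match '^\d+$') {
            if ([int]$item -eq $Port) { return $true }
        }
        # Keywords such as "RPC" or "RPC-EPMap" denote dynamic ports, not 445.
    }
    return $false
}

# Hypothetical helper: turn the Profiles bitmask into readable names.
# NET_FW_PROFILE2_DOMAIN = 1, _PRIVATE = 2, _PUBLIC = 4 (all = 0x7FFFFFFF).
function Get-ProfileList {
    param([int]$Mask)
    $names = @()
    if ($Mask -band 1) { $names += 'Domain' }
    if ($Mask -band 2) { $names += 'Private' }
    if ($Mask -band 4) { $names += 'Public' }
    return ($names -join ',')
}

$policy = New-Object -ComObject HNetCfg.FwPolicy2
$active = $policy.CurrentProfileTypes      # bitmask of profiles in use now

$policy.Rules |
    Where-Object {
        $_.Enabled -and
        $_.Direction -eq 1 -and                              # inbound
        $_.Action -eq 1 -and                                 # allow
        ($_.Protocol -eq 6 -or $_.Protocol -eq 256) -and     # TCP or any
        (Test-PortSpecCovers $_.LocalPorts 445)
    } |
    Select-Object Name,
        @{ n = 'Profiles';  e = { Get-ProfileList $_.Profiles } },
        @{ n = 'ActiveNow'; e = { ($_.Profiles -band $active) -ne 0 } },
        RemoteAddresses,
        LocalPorts |
    Sort-Object Name |
    Format-Table -AutoSize
```

A rule listed with `ActiveNow` true and `RemoteAddresses` of `*` accepts SMB from any source on the profile currently in use; disable it, or restrict its scope to the hosts that need it.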