Why is file sharing over internet still working, despite all firewall exceptions for filesharing being...

Today is the Center

Why don't electron-positron collisions release infinite energy?

How do we improve the relationship with a client software team that performs poorly and is becoming less collaborative?

Why was the small council so happy for Tyrion to become the Master of Coin?

Why dont electromagnetic waves interact with each other?

Is it tax fraud for an individual to declare non-taxable revenue as taxable income? (US tax laws)

Fencing style for blades that can attack from a distance

How can I make my BBEG immortal short of making them a Lich or Vampire?

Why are 150k or 200k jobs considered good when there are 300k+ births a month?

How is the claim "I am in New York only if I am in America" the same as "If I am in New York, then I am in America?

Accidentally leaked the solution to an assignment, what to do now? (I'm the prof)

Why did the Germans forbid the possession of pet pigeons in Rostov-on-Don in 1941?

How does strength of boric acid solution increase in presence of salicylic acid?

Why can't I see bouncing of a switch on an oscilloscope?

How to format long polynomial?

Why do falling prices hurt debtors?

In Japanese, what’s the difference between “Tonari ni” (となりに) and “Tsugi” (つぎ)? When would you use one over the other?

What does it mean to describe someone as a butt steak?

Minkowski space

Python: next in for loop

Arthur Somervell: 1000 Exercises - Meaning of this notation

Is it unprofessional to ask if a job posting on GlassDoor is real?

Is this a crack on the carbon frame?

Is it important to consider tone, melody, and musical form while writing a song?



Why is file sharing over internet still working, despite all firewall exceptions for filesharing being disabled?


Windows network shares still visible (and accessible) with “file and printer sharing” deactivatedHow to securely enable file sharing over PPTP on Windows 2008 ServerServer 2008 SBS:Can browse by server name, but not IPUnable to Access Share on Windows 2008Load balancing a Windows File Share using HA-ProxySlow SMB/CIFS to/from Win2008R2 ServerWhy does Public Folder share prompt for password even after I set “Turn off password protected sharing”For an internet-facing, all-roles-in-one Exchange server, what do I need to let through the firewall?How can I get Windows Server 2012 R2 to stop asking for a file share password?File sharing on specific server not working over WANWindows network shares still visible (and accessible) with “file and printer sharing” deactivated






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







3















Every exception in my windows server firewall that starts with "File and Printer Sharing" is disabled (ordered by name, so that includes domain, public (active), and private profiles).



The Network and Sharing Center's options for everything except password protected sharing are off.



Why would I still be able to access a network share on that server via an address like "\my.server.com" over the internet?



The firewall is on for all profiles and blocking incoming connections by default. A "netstat -an" command on the server reveals the share connection is occurring over port 445 (SMB). I restarted the client to ensure it was actually re-establishing a new connection successfully.



Is the "Password protected sharing: On" option in Network and Sharing Center bypassing the firewall restrictions, or adding some other exception somewhere that I'm missing?



EDIT: "Custom" rules are not the problem. It's the "built-in" rules for Terminal Services that was the problem. Can you believe port 445 (File Sharing Port) has to be wide open to the internet to use Terminal Services Licensing?)










share|improve this question
















bumped to the homepage by Community 14 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.











  • 2





    Check for custom rules, like those not in groups particularly.

    – Chris S
    Sep 24 '12 at 20:12











  • I sorted by port and was surprised to find that both "Terminal Services (NP-In)" and "Terminal Services Licensing Server (NP-In)" are allowing access through port 445. Is that normal? It's not a custom rule; it's built-in: "This is a predefined rule and some of its properties cannot be modified."

    – Triynko
    Sep 24 '12 at 20:22













  • Sure enough, that was the problem. Upon disabling those two rules, and using CurrPorts to kill the original connection from the client, the client could no longer connect. Those TS exceptions are enabled on all profiles, so that's a major security hole in file sharing, IMO.

    – Triynko
    Sep 24 '12 at 20:27











  • Wonder if it's related to this hotfix: support.microsoft.com/kb/974195

    – Triynko
    Sep 24 '12 at 20:38






  • 2





    "Terminal Services Licensing communicates by using RPC over named pipes. Service has the same firewall requirements as those of the “File and Printer Sharing” feature." - terminalserviceslog.com/blog/index.php/2008/06/29/… SERIOUSLY MICROSOFT!!!

    – Triynko
    Sep 24 '12 at 20:48




















3















Every exception in my windows server firewall that starts with "File and Printer Sharing" is disabled (ordered by name, so that includes domain, public (active), and private profiles).



The Network and Sharing Center's options for everything except password protected sharing are off.



Why would I still be able to access a network share on that server via an address like "\my.server.com" over the internet?



The firewall is on for all profiles and blocking incoming connections by default. A "netstat -an" command on the server reveals the share connection is occurring over port 445 (SMB). I restarted the client to ensure it was actually re-establishing a new connection successfully.



Is the "Password protected sharing: On" option in Network and Sharing Center bypassing the firewall restrictions, or adding some other exception somewhere that I'm missing?



EDIT: "Custom" rules are not the problem. It's the "built-in" rules for Terminal Services that was the problem. Can you believe port 445 (File Sharing Port) has to be wide open to the internet to use Terminal Services Licensing?)










share|improve this question
















bumped to the homepage by Community 14 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.











  • 2





    Check for custom rules, like those not in groups particularly.

    – Chris S
    Sep 24 '12 at 20:12











  • I sorted by port and was surprised to find that both "Terminal Services (NP-In)" and "Terminal Services Licensing Server (NP-In)" are allowing access through port 445. Is that normal? It's not a custom rule; it's built-in: "This is a predefined rule and some of its properties cannot be modified."

    – Triynko
    Sep 24 '12 at 20:22













  • Sure enough, that was the problem. Upon disabling those two rules, and using CurrPorts to kill the original connection from the client, the client could no longer connect. Those TS exceptions are enabled on all profiles, so that's a major security hole in file sharing, IMO.

    – Triynko
    Sep 24 '12 at 20:27











  • Wonder if it's related to this hotfix: support.microsoft.com/kb/974195

    – Triynko
    Sep 24 '12 at 20:38






  • 2





    "Terminal Services Licensing communicates by using RPC over named pipes. Service has the same firewall requirements as those of the “File and Printer Sharing” feature." - terminalserviceslog.com/blog/index.php/2008/06/29/… SERIOUSLY MICROSOFT!!!

    – Triynko
    Sep 24 '12 at 20:48
















3












3








3


1






Every exception in my windows server firewall that starts with "File and Printer Sharing" is disabled (ordered by name, so that includes domain, public (active), and private profiles).



The Network and Sharing Center's options for everything except password protected sharing are off.



Why would I still be able to access a network share on that server via an address like "\my.server.com" over the internet?



The firewall is on for all profiles and blocking incoming connections by default. A "netstat -an" command on the server reveals the share connection is occurring over port 445 (SMB). I restarted the client to ensure it was actually re-establishing a new connection successfully.



Is the "Password protected sharing: On" option in Network and Sharing Center bypassing the firewall restrictions, or adding some other exception somewhere that I'm missing?



EDIT: "Custom" rules are not the problem. It's the "built-in" rules for Terminal Services that was the problem. Can you believe port 445 (File Sharing Port) has to be wide open to the internet to use Terminal Services Licensing?)










share|improve this question
















Every exception in my windows server firewall that starts with "File and Printer Sharing" is disabled (ordered by name, so that includes domain, public (active), and private profiles).



The Network and Sharing Center's options for everything except password protected sharing are off.



Why would I still be able to access a network share on that server via an address like "\my.server.com" over the internet?



The firewall is on for all profiles and blocking incoming connections by default. A "netstat -an" command on the server reveals the share connection is occurring over port 445 (SMB). I restarted the client to ensure it was actually re-establishing a new connection successfully.



Is the "Password protected sharing: On" option in Network and Sharing Center bypassing the firewall restrictions, or adding some other exception somewhere that I'm missing?



EDIT: "Custom" rules are not the problem. It's the "built-in" rules for Terminal Services that was the problem. Can you believe port 445 (File Sharing Port) has to be wide open to the internet to use Terminal Services Licensing?)







windows-server-2008 file-sharing server-message-block windows-firewall






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Sep 24 '12 at 20:51







Triynko

















asked Sep 24 '12 at 20:03









TriynkoTriynko

1,72862528




1,72862528





bumped to the homepage by Community 14 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







bumped to the homepage by Community 14 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.










  • 2





    Check for custom rules, like those not in groups particularly.

    – Chris S
    Sep 24 '12 at 20:12











  • I sorted by port and was surprised to find that both "Terminal Services (NP-In)" and "Terminal Services Licensing Server (NP-In)" are allowing access through port 445. Is that normal? It's not a custom rule; it's built-in: "This is a predefined rule and some of its properties cannot be modified."

    – Triynko
    Sep 24 '12 at 20:22













  • Sure enough, that was the problem. Upon disabling those two rules, and using CurrPorts to kill the original connection from the client, the client could no longer connect. Those TS exceptions are enabled on all profiles, so that's a major security hole in file sharing, IMO.

    – Triynko
    Sep 24 '12 at 20:27











  • Wonder if it's related to this hotfix: support.microsoft.com/kb/974195

    – Triynko
    Sep 24 '12 at 20:38






  • 2





    "Terminal Services Licensing communicates by using RPC over named pipes. Service has the same firewall requirements as those of the “File and Printer Sharing” feature." - terminalserviceslog.com/blog/index.php/2008/06/29/… SERIOUSLY MICROSOFT!!!

    – Triynko
    Sep 24 '12 at 20:48
















  • 2





    Check for custom rules, like those not in groups particularly.

    – Chris S
    Sep 24 '12 at 20:12











  • I sorted by port and was surprised to find that both "Terminal Services (NP-In)" and "Terminal Services Licensing Server (NP-In)" are allowing access through port 445. Is that normal? It's not a custom rule; it's built-in: "This is a predefined rule and some of its properties cannot be modified."

    – Triynko
    Sep 24 '12 at 20:22













  • Sure enough, that was the problem. Upon disabling those two rules, and using CurrPorts to kill the original connection from the client, the client could no longer connect. Those TS exceptions are enabled on all profiles, so that's a major security hole in file sharing, IMO.

    – Triynko
    Sep 24 '12 at 20:27











  • Wonder if it's related to this hotfix: support.microsoft.com/kb/974195

    – Triynko
    Sep 24 '12 at 20:38






  • 2





    "Terminal Services Licensing communicates by using RPC over named pipes. Service has the same firewall requirements as those of the “File and Printer Sharing” feature." - terminalserviceslog.com/blog/index.php/2008/06/29/… SERIOUSLY MICROSOFT!!!

    – Triynko
    Sep 24 '12 at 20:48










2




2





Check for custom rules, like those not in groups particularly.

– Chris S
Sep 24 '12 at 20:12





Check for custom rules, like those not in groups particularly.

– Chris S
Sep 24 '12 at 20:12













I sorted by port and was surprised to find that both "Terminal Services (NP-In)" and "Terminal Services Licensing Server (NP-In)" are allowing access through port 445. Is that normal? It's not a custom rule; it's built-in: "This is a predefined rule and some of its properties cannot be modified."

– Triynko
Sep 24 '12 at 20:22







I sorted by port and was surprised to find that both "Terminal Services (NP-In)" and "Terminal Services Licensing Server (NP-In)" are allowing access through port 445. Is that normal? It's not a custom rule; it's built-in: "This is a predefined rule and some of its properties cannot be modified."

– Triynko
Sep 24 '12 at 20:22















Sure enough, that was the problem. Upon disabling those two rules, and using CurrPorts to kill the original connection from the client, the client could no longer connect. Those TS exceptions are enabled on all profiles, so that's a major security hole in file sharing, IMO.

– Triynko
Sep 24 '12 at 20:27





Sure enough, that was the problem. Upon disabling those two rules, and using CurrPorts to kill the original connection from the client, the client could no longer connect. Those TS exceptions are enabled on all profiles, so that's a major security hole in file sharing, IMO.

– Triynko
Sep 24 '12 at 20:27













Wonder if it's related to this hotfix: support.microsoft.com/kb/974195

– Triynko
Sep 24 '12 at 20:38





Wonder if it's related to this hotfix: support.microsoft.com/kb/974195

– Triynko
Sep 24 '12 at 20:38




2




2





"Terminal Services Licensing communicates by using RPC over named pipes. Service has the same firewall requirements as those of the “File and Printer Sharing” feature." - terminalserviceslog.com/blog/index.php/2008/06/29/… SERIOUSLY MICROSOFT!!!

– Triynko
Sep 24 '12 at 20:48







"Terminal Services Licensing communicates by using RPC over named pipes. Service has the same firewall requirements as those of the “File and Printer Sharing” feature." - terminalserviceslog.com/blog/index.php/2008/06/29/… SERIOUSLY MICROSOFT!!!

– Triynko
Sep 24 '12 at 20:48












2 Answers
2






active

oldest

votes


















0














I think you're confusing things a bit, Triynko. Those ports don't have to open to the Internet for internet connected clients to connect. They only have to be open between your Remote Desktop Server and your Remote Desktop Licensing server. They're also used for remote management of the Remote Desktop Services. The description fields on those firewall rules say as much.



The only port(s) that needs to be open to the Internet if you haven't reconfigured the defaults are 3389 for direct connections or 443 to your RDS Gateway server.






share|improve this answer
























  • A down vote with no explanation? Bad form.

    – Ryan Bolger
    Sep 25 '12 at 5:44











  • Not sure who down voted it, but it's gone now. I understand what ports need to be open to what, but my point was that the Terminal Service's firewall configuration, a built-in rule, has a default setting that opens port 445 to the Internet, so that file shares are accessible from the Internet even when all other file sharing exceptions are turned off.

    – Triynko
    Jan 3 '13 at 1:11





















0














Had the same problem and @Triynko basically provided the right answer (different services though):




So in my case, it was not anything terminal service related, but the
following two rules, that were allowing traffic for port 445 TCP:




  • Remote Access Management (NP-In)

  • File Server Remote Management (SMB-In)




So thanks for that!






share|improve this answer
























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "2"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f431503%2fwhy-is-file-sharing-over-internet-still-working-despite-all-firewall-exceptions%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    I think you're confusing things a bit, Triynko. Those ports don't have to open to the Internet for internet connected clients to connect. They only have to be open between your Remote Desktop Server and your Remote Desktop Licensing server. They're also used for remote management of the Remote Desktop Services. The description fields on those firewall rules say as much.



    The only port(s) that needs to be open to the Internet if you haven't reconfigured the defaults are 3389 for direct connections or 443 to your RDS Gateway server.






    share|improve this answer
























    • A down vote with no explanation? Bad form.

      – Ryan Bolger
      Sep 25 '12 at 5:44











    • Not sure who down voted it, but it's gone now. I understand what ports need to be open to what, but my point was that the Terminal Service's firewall configuration, a built-in rule, has a default setting that opens port 445 to the Internet, so that file shares are accessible from the Internet even when all other file sharing exceptions are turned off.

      – Triynko
      Jan 3 '13 at 1:11


















    0














    I think you're confusing things a bit, Triynko. Those ports don't have to open to the Internet for internet connected clients to connect. They only have to be open between your Remote Desktop Server and your Remote Desktop Licensing server. They're also used for remote management of the Remote Desktop Services. The description fields on those firewall rules say as much.



    The only port(s) that needs to be open to the Internet if you haven't reconfigured the defaults are 3389 for direct connections or 443 to your RDS Gateway server.






    share|improve this answer
























    • A down vote with no explanation? Bad form.

      – Ryan Bolger
      Sep 25 '12 at 5:44











    • Not sure who down voted it, but it's gone now. I understand what ports need to be open to what, but my point was that the Terminal Service's firewall configuration, a built-in rule, has a default setting that opens port 445 to the Internet, so that file shares are accessible from the Internet even when all other file sharing exceptions are turned off.

      – Triynko
      Jan 3 '13 at 1:11
















    0












    0








    0







    I think you're confusing things a bit, Triynko. Those ports don't have to open to the Internet for internet connected clients to connect. They only have to be open between your Remote Desktop Server and your Remote Desktop Licensing server. They're also used for remote management of the Remote Desktop Services. The description fields on those firewall rules say as much.



    The only port(s) that needs to be open to the Internet if you haven't reconfigured the defaults are 3389 for direct connections or 443 to your RDS Gateway server.






    share|improve this answer













    I think you're confusing things a bit, Triynko. Those ports don't have to open to the Internet for internet connected clients to connect. They only have to be open between your Remote Desktop Server and your Remote Desktop Licensing server. They're also used for remote management of the Remote Desktop Services. The description fields on those firewall rules say as much.



    The only port(s) that needs to be open to the Internet if you haven't reconfigured the defaults are 3389 for direct connections or 443 to your RDS Gateway server.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Sep 24 '12 at 21:19









    Ryan BolgerRyan Bolger

    14.1k23051




    14.1k23051













    • A down vote with no explanation? Bad form.

      – Ryan Bolger
      Sep 25 '12 at 5:44











    • Not sure who down voted it, but it's gone now. I understand what ports need to be open to what, but my point was that the Terminal Service's firewall configuration, a built-in rule, has a default setting that opens port 445 to the Internet, so that file shares are accessible from the Internet even when all other file sharing exceptions are turned off.

      – Triynko
      Jan 3 '13 at 1:11





















    • A down vote with no explanation? Bad form.

      – Ryan Bolger
      Sep 25 '12 at 5:44











    • Not sure who down voted it, but it's gone now. I understand what ports need to be open to what, but my point was that the Terminal Service's firewall configuration, a built-in rule, has a default setting that opens port 445 to the Internet, so that file shares are accessible from the Internet even when all other file sharing exceptions are turned off.

      – Triynko
      Jan 3 '13 at 1:11



















    A down vote with no explanation? Bad form.

    – Ryan Bolger
    Sep 25 '12 at 5:44





    A down vote with no explanation? Bad form.

    – Ryan Bolger
    Sep 25 '12 at 5:44













    Not sure who down voted it, but it's gone now. I understand what ports need to be open to what, but my point was that the Terminal Service's firewall configuration, a built-in rule, has a default setting that opens port 445 to the Internet, so that file shares are accessible from the Internet even when all other file sharing exceptions are turned off.

    – Triynko
    Jan 3 '13 at 1:11







    Not sure who down voted it, but it's gone now. I understand what ports need to be open to what, but my point was that the Terminal Service's firewall configuration, a built-in rule, has a default setting that opens port 445 to the Internet, so that file shares are accessible from the Internet even when all other file sharing exceptions are turned off.

    – Triynko
    Jan 3 '13 at 1:11















    0














    Had the same problem and @Triynko basically provided the right answer (different services though):




    So in my case, it was not anything terminal service related, but the
    following two rules, that were allowing traffic for port 445 TCP:




    • Remote Access Management (NP-In)

    • File Server Remote Management (SMB-In)




    So thanks for that!






    share|improve this answer




























      0














      Had the same problem and @Triynko basically provided the right answer (different services though):




      So in my case, it was not anything terminal service related, but the
      following two rules, that were allowing traffic for port 445 TCP:




      • Remote Access Management (NP-In)

      • File Server Remote Management (SMB-In)




      So thanks for that!






      share|improve this answer


























        0












        0








        0







        Had the same problem and @Triynko basically provided the right answer (different services though):




        So in my case, it was not anything terminal service related, but the
        following two rules, that were allowing traffic for port 445 TCP:




        • Remote Access Management (NP-In)

        • File Server Remote Management (SMB-In)




        So thanks for that!






        share|improve this answer













        Had the same problem and @Triynko basically provided the right answer (different services though):




        So in my case, it was not anything terminal service related, but the
        following two rules, that were allowing traffic for port 445 TCP:




        • Remote Access Management (NP-In)

        • File Server Remote Management (SMB-In)




        So thanks for that!







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Aug 1 '17 at 14:14









        lauxjpnlauxjpn

        213




        213






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Server Fault!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f431503%2fwhy-is-file-sharing-over-internet-still-working-despite-all-firewall-exceptions%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Фонтен-ла-Гаярд Зміст Демографія | Економіка | Посилання |...

            Список ссавців Італії Природоохоронні статуси | Список |...

            Маріан Котлеба Зміст Життєпис | Політичні погляди |...