Why is file sharing over internet still working, despite all firewall exceptions for filesharing being disabled?


Every exception in my Windows Server firewall that starts with "File and Printer Sharing" is disabled (ordered by name, so that includes domain, public (active), and private profiles).

The Network and Sharing Center's options for everything except password protected sharing are off.

Why would I still be able to access a network share on that server via an address like "\\my.server.com" over the internet?

The firewall is on for all profiles and blocking incoming connections by default. A "netstat -an" command on the server reveals the share connection is occurring over port 445 (SMB). I restarted the client to ensure it was actually re-establishing a new connection successfully.

Is the "Password protected sharing: On" option in Network and Sharing Center bypassing the firewall restrictions, or adding some other exception somewhere that I'm missing?

EDIT: "Custom" rules are not the problem. It's the "built-in" rules for Terminal Services that were the problem. Can you believe port 445 (File Sharing Port) has to be wide open to the internet to use Terminal Services Licensing?

windows-server-2008 file-sharing server-message-block windows-firewall







asked Sep 24 '12 at 20:03 by Triynko, edited Sep 24 '12 at 20:51 by Triynko

  • Check for custom rules, like those not in groups particularly.
    – Chris S, Sep 24 '12 at 20:12

  • I sorted by port and was surprised to find that both "Terminal Services (NP-In)" and "Terminal Services Licensing Server (NP-In)" are allowing access through port 445. Is that normal? It's not a custom rule; it's built-in: "This is a predefined rule and some of its properties cannot be modified."
    – Triynko, Sep 24 '12 at 20:22

  • Sure enough, that was the problem. Upon disabling those two rules, and using CurrPorts to kill the original connection from the client, the client could no longer connect. Those TS exceptions are enabled on all profiles, so that's a major security hole in file sharing, IMO.
    – Triynko, Sep 24 '12 at 20:27

  • Wonder if it's related to this hotfix: support.microsoft.com/kb/974195
    – Triynko, Sep 24 '12 at 20:38

  • "Terminal Services Licensing communicates by using RPC over named pipes. Service has the same firewall requirements as those of the “File and Printer Sharing” feature." - terminalserviceslog.com/blog/index.php/2008/06/29/… SERIOUSLY MICROSOFT!!!
    – Triynko, Sep 24 '12 at 20:48

2 Answers

I think you're confusing things a bit, Triynko. Those ports don't have to be open to the Internet for Internet-connected clients to connect. They only have to be open between your Remote Desktop Server and your Remote Desktop Licensing server. They're also used for remote management of the Remote Desktop Services. The description fields on those firewall rules say as much.

The only port(s) that needs to be open to the Internet if you haven't reconfigured the defaults are 3389 for direct connections or 443 to your RDS Gateway server.

answered Sep 24 '12 at 21:19 by Ryan Bolger

  • A down vote with no explanation? Bad form.
    – Ryan Bolger, Sep 25 '12 at 5:44

  • Not sure who down voted it, but it's gone now. I understand what ports need to be open to what, but my point was that the Terminal Service's firewall configuration, a built-in rule, has a default setting that opens port 445 to the Internet, so that file shares are accessible from the Internet even when all other file sharing exceptions are turned off.
    – Triynko, Jan 3 '13 at 1:11


Had the same problem and @Triynko basically provided the right answer (different services though):

So in my case, it was not anything terminal service related, but the following two rules, that were allowing traffic for port 445 TCP:

  • Remote Access Management (NP-In)
  • File Server Remote Management (SMB-In)

So thanks for that!

answered Aug 1 '17 at 14:14 by lauxjpn
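
The check that resolved this thread (listing every enabled inbound allow rule that covers TCP 445, whatever group it belongs to) as an added example that is not part of the original posts. It parses text in the `Key: Value` layout printed by `netsh advfirewall firewall show rule name=all`; the English field names, the sample text, and the group names in the sample are assumptions constructed for the example.

```python
import re

def parse_netsh_rules(text):
    """Split `netsh advfirewall firewall show rule name=all` text into dicts."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(.*)$", line)
        if not m:
            continue  # dashed separator rows and blank lines
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":  # every rule block starts with this field
            current = {}
            rules.append(current)
        if current is not None:
            current[key] = value
    return rules

def port_spec_covers(spec, port):
    """True if a LocalPort value ('445', '80,443-450', 'Any') includes port."""
    for part in spec.split(","):
        part = part.strip()
        if part.lower() == "any":
            return True
        lo, _, hi = part.partition("-")
        hi = hi or lo
        if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False  # keywords such as 'RPC' do not name a fixed port

def rules_exposing_port(text, port=445, expected_group="File and Printer Sharing"):
    """Enabled inbound allow rules that cover TCP `port`, whatever their group."""
    findings = []
    for r in parse_netsh_rules(text):
        if (r.get("Enabled") == "Yes" and r.get("Direction") == "In"
                and r.get("Action") == "Allow"
                and r.get("Protocol") in ("TCP", "Any")
                and port_spec_covers(r.get("LocalPort", "Any"), port)):
            group = r.get("Grouping", "")
            findings.append({
                "name": r["Rule Name"],
                "group": group,
                "profiles": r.get("Profiles", ""),
                "remote": r.get("RemoteIP", ""),
                # True for the rules a "File and Printer Sharing" sweep misses
                "outside_expected_group": group != expected_group,
            })
    return findings

def _sample_rule(name, enabled, group, port, remote="Any"):
    # Constructed text in the netsh "Key: Value" layout (English locale assumed).
    fields = [("Rule Name", name), ("Enabled", enabled), ("Direction", "In"),
              ("Profiles", "Domain,Private,Public"), ("Grouping", group),
              ("RemoteIP", remote), ("Protocol", "TCP"), ("LocalPort", port),
              ("Action", "Allow")]
    lines = [(k + ":").ljust(38) + v for k, v in fields]
    lines.insert(1, "-" * 70)
    return "\n".join(lines) + "\n\n"

# Constructed sample: rule names come from the thread, group names are assumed.
SAMPLE = "".join(_sample_rule(*row) for row in [
    ("File and Printer Sharing (SMB-In)", "No", "File and Printer Sharing", "445"),
    ("Terminal Services (NP-In)", "Yes", "Terminal Services", "445"),
    ("Terminal Services Licensing Server (NP-In)", "Yes", "Terminal Services", "445"),
    ("File Server Remote Management (SMB-In)", "Yes",
     "File Server Remote Management", "445", "LocalSubnet"),
    ("Constructed custom range rule", "Yes", "", "80,443-450"),
    ("Remote Desktop (TCP-In)", "Yes", "Remote Desktop", "3389"),
])

if __name__ == "__main__":
    for f in rules_exposing_port(SAMPLE):
        flag = "OUTSIDE GROUP" if f["outside_expected_group"] else "in group"
        print(f"{f['name']:<45} remote={f['remote']:<12} {flag}")
```

A finding whose `remote` is `Any` accepts connections from every source address on the listed profiles, which is the situation described in the question; a value such as `LocalSubnet` means the rule is already scoped.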





























