How to block filesharing outside my lan?

Posted on 2009-04-19
Last Modified: 2012-05-06
Hello, my scenario is this:
I have Windows 2003 Server machines with public IPs that run various applications. I have set some shared folders on each one so that we can transfer files and access them across the DMZ network and also from our LAN. When I'm in the office I want my LAN users to be able to enter the IP of the server and access its shared files, i.e. \\123.456.789.123\fileshare\

The user then enters a username and password (of the server's local user) and connects just fine.

However this also works from all over the internet, which is something I want to restrict.
The servers are not in a domain (workgroup only).
Any advice on how to do that will be appreciated!
Question by: leontas
    LVL 19

    Accepted Solution

    Block external SMB traffic on your firewall.  I assume you have a hardware firewall if you have a DMZ?

    You might want to go further and also configure the host-based firewall to allow only traffic from your LAN IP range.
    LVL 19

    Expert Comment


    Regarding the hardware firewall, if you provide the make/model you might get further assistance with the steps you need to take.

    Regarding the host-based software firewall, can you confirm a) that you use one (and you should!) and b) whether it is the Windows Firewall or a third-party product?

    LVL 2

    Author Comment

    Thank you for your suggestion. I use a Cisco ASA firewall; if you or anyone else knows how to block external SMB traffic using Cisco's ASDM6, I would be grateful! I'll start looking for that now!

    On the second part of your question, I do not use a software firewall. Do you think that Windows' own will suffice?
    LVL 19

    Expert Comment

    The Windows Firewall is better than nothing.  You need to enable the File and Printer Sharing exception and then modify the scope to use a Custom list.  In the Custom list you can specify the IP ranges used by your LAN-side PCs.

    I believe that the Cisco ASA boxes deny by default - might you have accidentally permitted all inbound traffic to the server rather than just those ports you need?
    LVL 2

    Author Comment

    lamaslany, I will need to check my ASA box and make sure I haven't accidentally permitted all inbound traffic. Thanks! Will let you know how it goes!
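
The host-firewall step suggested in the thread (File and Printer Sharing exception with a Custom scope), written as commands for the Windows Firewall shipped with Windows Server 2003 SP1 and later. This is an added example, not part of the original posts; the LAN range and the application-port line are placeholders to replace with your own values.

```batch
@echo off
rem Added example. Run in cmd.exe as an administrator on each server.
rem Requires the Windows Firewall of Windows Server 2003 SP1 or later.

rem PLACEHOLDER: the LAN-side source range(s), comma-separated.
rem Assumption: these are the addresses as the server sees them. If the
rem LAN reaches the DMZ through NAT, list the translated address instead.
set LAN_SCOPE=192.168.1.0/255.255.255.0

rem Before enabling the firewall, open the ports your public applications
rem (and Remote Desktop, if you administer the box that way) depend on,
rem otherwise they are blocked along with SMB. Placeholder, left commented:
rem netsh firewall add portopening protocol=TCP port=<app-port> name="<app-name>" mode=ENABLE scope=ALL

rem File and Printer Sharing covers UDP 137-138 and TCP 139 and 445.
rem scope=CUSTOM limits the exception to the addresses listed.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%LAN_SCOPE% profile=ALL

rem Turn the firewall on for all profiles.
netsh firewall set opmode mode=ENABLE profile=ALL

rem Log dropped packets so blocked Internet-side SMB attempts are visible.
netsh firewall set logging droppedpackets=ENABLE

rem Review the result: the exception should show the custom scope.
netsh firewall show service
netsh firewall show state
```

This is the second layer only; the perimeter firewall should still drop inbound SMB from outside, as the accepted solution says.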
