leontas

asked on

How to block filesharing outside my lan?

Hello, my scenario is this:
I have Windows 2003 Server machines with public IPs that run various applications. I have set some shared folders on each one so that we can transfer files and access them across the DMZ network and also from our LAN. When I'm in the office I want my LAN users to be able to enter the IP of the server and access its shared files, i.e. \\123.456.789.123\fileshare\

The user then enters a username and password (of the server's local user) and connects just fine.

However this also works from all over the internet, which is something I want to restrict.
The servers are not in a domain (workgroup only).
Any advice on how to do that will be appreciated!
ASKER CERTIFIED SOLUTION
lamaslany
PS:

Regarding the hardware firewall, if you provide the make/model you might get further assistance with the steps you need to take.

Regarding the host-based software firewall, can you confirm that a) you use one (and you should!) and b) whether it is the Windows Firewall or whether you have a third-party product?


leontas

ASKER

Thank you for your suggestion. I use a Cisco ASA firewall; if you or anyone else knows how to block external SMB traffic using Cisco's ASDM6 I would be grateful! I'll start looking for that now!

On the second part of your question, I do not use a software firewall. Do you think that Windows' own will suffice?

lamaslany

The Windows Firewall is better than nothing.  You need to enable the File and Printer Sharing exception and then modify the scope to use a Custom list.  In the Custom list you can specify the IP ranges used by your LAN-side PCs.

I believe that the Cisco ASA boxes deny by default - might you have accidentally permitted all inbound traffic to the server rather than just those ports you need?
leontas

ASKER

lamaslany, I will need to check my ASA box and make sure I haven't accidentally permitted all inbound traffic. Thanks! Will let you know how it goes!
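
One way to verify the firewall changes discussed in this thread, as an added example that is not part of the original posts: run this from a machine outside the LAN against a server you administer and confirm the file-sharing ports no longer accept connections. It assumes TCP 139 and 445 (the NetBIOS session and SMB ports Windows file sharing listens on); the function names and the target address are placeholders made up for this example.

```python
"""Added example: check whether Windows file-sharing TCP ports answer from here."""
import socket
import sys

# TCP ports used by Windows file sharing (assumption stated in the lead-in).
SMB_TCP_PORTS = {139: "NetBIOS session", 445: "SMB over TCP"}


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (actively refused) or 'filtered' (no answer)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # The host itself answered with a reset: nothing is listening.
        return "closed"
    except OSError:
        # Timeout or unreachable: typical when a firewall drops the packet.
        return "filtered"
    finally:
        sock.close()


def check_share_exposure(host, ports=SMB_TCP_PORTS, timeout=3.0):
    """Probe each file-sharing port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def exposed(results):
    """True if any file-sharing port accepted a connection."""
    return any(state == "open" for state in results.values())


if __name__ == "__main__":
    # Placeholder target from the documentation range; pass your server's IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    results = check_share_exposure(target)
    for port, state in sorted(results.items()):
        print(f"{target}:{port} ({SMB_TCP_PORTS[port]}): {state}")
    print("EXPOSED" if exposed(results) else "file sharing not reachable from here")
```

From inside the LAN the same check should still report the ports as open, which confirms the scope restriction blocks only outside sources.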