  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 257

How to block filesharing outside my LAN?

Hello, my scenario is this:
I have Windows 2003 Server machines with public IPs that run various applications. I have set up some shared folders on each one so that we can transfer files and access them across the DMZ network and also from our LAN. When I'm in the office I want my LAN users to be able to enter the IP of the server and access its shared files, i.e. \\123.456.789.123\fileshare\

The user then enters a username and password (of the server's local user) and connects just fine.

However this also works from all over the internet, which is something I want to restrict.
The servers are not in a domain (workgroup only).
Any advice on how to do that will be appreciated!
0
Asked: leontas
1 Solution
 
lamaslany Commented:
Block external SMB traffic on your firewall.  I assume you have a hardware firewall if you have a DMZ?

You might want to go further and also configure the host-based firewall to allow only traffic from your LAN IP range.
0
 
lamaslany Commented:
PS:

Regarding the hardware firewall, if you provide the make/model you might get further assistance with the steps you need to take.

Regarding the host-based software firewall, can you confirm a) that you use one (and you should!) and b) whether it is the Windows Firewall or a third-party product?
0
 
leontas (Author) Commented:
Thank you for your suggestion. I use a Cisco ASA firewall; if you or anyone else knows how to block external SMB traffic using Cisco's ASDM6, I would be grateful! I'll start looking for that now!

On the second part of your question, I do not use a software firewall. Do you think that Windows' own will suffice?
0
 
lamaslany Commented:
The Windows Firewall is better than nothing.  You need to enable the File and Printer Sharing exception and then modify the scope to use a Custom list.  In the Custom list you can specify the IP ranges used by your LAN-side PCs.

I believe that the Cisco ASA boxes deny by default - might you have accidentally permitted all inbound traffic to the server rather than just those ports you need?
0
 
leontas (Author) Commented:
lamaslany, I will need to check my ASA box and make sure I haven't accidentally permitted all inbound traffic. Thanks! Will let you know how it goes!
0
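
The check discussed in the thread above (whether the ASA's inbound ACL permits all traffic to a server rather than only the ports it needs) can be scripted against an exported rule list. This is an added example, not part of the original thread: it evaluates a simplified subset of ASA extended ACL syntax (`any`, `host`, address/mask, `eq`, `range`) with first-match semantics, and the ACL name `outside_access_in`, the server address 203.0.113.10 and the outside test source are constructed placeholders.

```python
import ipaddress
import re

SMB_PORTS = {"tcp": (139, 445), "udp": (137, 138)}  # Windows file sharing / NetBIOS
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}
RULE = re.compile(r"^\s*(access-list \S+ extended (permit|deny) (\S+) (.+?))\s*$", re.M)

def _addr(tok):
    """Consume 'any', 'host IP' or 'IP MASK'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def _ports(tok):
    """Destination ports; anything other than eq/range is treated as all ports,
    which errs on the side of reporting an exposure."""
    num = lambda p: PORT_NAMES[p] if p in PORT_NAMES else int(p)
    if tok[:1] == ["eq"]:
        return range(num(tok[1]), num(tok[1]) + 1)
    if tok[:1] == ["range"]:
        return range(num(tok[1]), num(tok[2]) + 1)
    return range(0, 65536)

def first_match(acl, src, dst, proto, port):
    """Return (action, rule) for the first matching rule, or None when nothing
    matches and the implicit deny at the end of the ACL applies."""
    for m in RULE.finditer(acl):
        line, action, rproto, rest = m.groups()
        rsrc, tok = _addr(rest.split())
        rdst, tok = _addr(tok)
        if rproto in ("ip", proto) and src in rsrc and dst in rdst and port in _ports(tok):
            return action, line
    return None

def smb_exposures(acl, servers, outside_src="198.51.100.7"):
    """List (server, proto, port, rule) where an outside host is permitted to reach SMB."""
    src, found = ipaddress.ip_address(outside_src), []
    for server in servers:
        for proto, ports in SMB_PORTS.items():
            for port in ports:
                hit = first_match(acl, src, ipaddress.ip_address(server), proto, port)
                if hit and hit[0] == "permit":
                    found.append((server, proto, port, hit[1]))
    return found

# Constructed sample ACLs: the first permits everything to the server, the second one port
TOO_BROAD = "access-list outside_access_in extended permit ip any host 203.0.113.10"
PORTS_ONLY = "access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 443"
```

An empty result means every SMB/NetBIOS port on the listed servers falls through to a deny for the outside test address; each returned tuple names the rule that lets the traffic in.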