Solved

Block IP address on Windows 2012

Posted on 2014-10-14
Last Modified: 2014-10-16
How to block some IP addresses from accessing FS01? Is there any screen dump / example for reference?

Tks
Question by:AXISHK
LVL 63

Expert Comment

by:btan
ID: 40381465
Maybe use the Windows Firewall with Advanced Security (I supposed FS01 is another Win2012 federated server's hostname): https://support.gearhost.com/hc/en-us/articles/200341715-Block-IP-address-with-Windows-Firewall-2008-2012

If you are looking at an ADFS proxy server, you can see more of the FW settings required for the SSL comms:
http://blogs.technet.com/b/askds/archive/2012/01/05/understanding-the-ad-fs-2-0-proxy.aspx
0
 

Author Comment

by:AXISHK
ID: 40381596
FS01 is just our Windows 2012 file server name - not a Windows federated server. So, does the link work?

Is it possible to block IPs from accessing a particular folder in Windows 2012 only? Tks
0
 
LVL 63

Expert Comment

by:btan
ID: 40381662
The Windows Firewall approach from the first link should be alright for the file server.

For the folder restriction, it is best to go via the Windows Security Model, which restricts access per-user, not per-IP. (http://windows.microsoft.com/en-us/windows-vista/share-files-and-folders-over-the-network-from-windows-vista-inside-out)

E.g. both Windows Sharing and Windows File Security have options to Allow and Deny access to files and/or folders based on user names and/or computer names and/or Active Directory security groups. So the best is to set the share/file security to allow a user group or even "Everyone", but deny a list of computers. Overall, accomplish this with an AD security group created with all the computers you want to deny. Assign that AD security group to the resource access.
0

 

Author Comment

by:AXISHK
ID: 40383810
Tried to block a computer from shared folder access, but it doesn't work. It only works for user names. Any alternative solution?

Tks
0
 

Author Comment

by:AXISHK
ID: 40383892
Already tried to block the IP 10.0.20.10 from accessing the server in the Firewall settings, but it doesn't work. Any idea?
WindowFS.png
0
 
LVL 63

Expert Comment

by:btan
ID: 40384686
You cannot block access to a shared folder based on computer IP using Windows ACLs as mentioned in the previous post; they bind to user identity. But it seems viable for NFS: http://technet.microsoft.com/en-us/library/cc753731.aspx

NFS-based access control for a shared resource is determined based on network names and groups. To use NFS permissions, you must first install the Services for Network File System (NFS) role service using Server Manager. After installing Services for NFS, use NFSAdmin.exe to create client groups and to add client computers to those groups before configuring NFS share permissions.

New shared resources. In the Provision a Shared Folder Wizard, if you select NFS as a share protocol, the NFS Permissions page is available in the wizard. You specify whether access is to be controlled by a specific client computer (host), or by a client group.


For the FW, sharing a folder or file creates a Windows Firewall exception for File and Printer Sharing. The exception opens the ports listed. http://technet.microsoft.com/en-us/library/cc731402.aspx

The following ports are associated with file sharing and server message block (SMB) communications:
Microsoft file sharing SMB: User Datagram Protocol (UDP) ports from 135 through 139 and Transmission Control Protocol (TCP) ports from 135 through 139.
Direct-hosted SMB traffic without a network basic input/output system (NetBIOS): port 445 (TCP and UDP).
 
947709 How to use the "netsh advfirewall firewall" context instead of the "netsh firewall" context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista
http://support.microsoft.com/default.aspx?scid=kb;EN-US;947709
0
 

Author Comment

by:AXISHK
ID: 40385777
Still can't fix the problem on the firewall. Anything missing?
Block01.png
Block02.png
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40385789
See if this helps - enable/disable file share and UDP:
http://support.adminarsenal.com/entries/21531976-Windows-Firewall-Ports-and-Exceptions

The block rules to prevent file and print services are:
NetBIOS Datagram Service    Block    All programs    UDP 138
NetBIOS Name Service        Block    All programs    UDP 137
NetBIOS Session Service     Block    All programs    TCP 139
SMB over TCP                Block    All programs    TCP 445
0
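The four block rules from the accepted answer, limited to the single client address from the thread (10.0.20.10), as an added example that is not part of the original posts. Scoping the rules with a remote address, the rule display names, and the profile and session checks are assumptions of this example; it uses the NetSecurity and SmbShare cmdlets that ship with Windows Server 2012 and must run in an elevated PowerShell session on the file server.

```powershell
# Added example: address and ports come from the thread; rule names are illustrative.
$BlockedClient = '10.0.20.10'
$RulePrefix    = 'Block file sharing from'

# Service/protocol/port rows as listed in the accepted answer.
$Services = @(
    @{ Name = 'NetBIOS Datagram Service'; Protocol = 'UDP'; Port = 138 },
    @{ Name = 'NetBIOS Name Service';     Protocol = 'UDP'; Port = 137 },
    @{ Name = 'NetBIOS Session Service';  Protocol = 'TCP'; Port = 139 },
    @{ Name = 'SMB over TCP';             Protocol = 'TCP'; Port = 445 }
)

# 1. A rule has no effect on a profile whose firewall is switched off.
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# 2. One inbound block rule per service, scoped to the client only.
#    Skips rules that already exist so the script can be re-run.
foreach ($s in $Services) {
    $name = "$RulePrefix $BlockedClient - $($s.Name)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $s.Protocol -LocalPort $s.Port `
            -RemoteAddress $BlockedClient -Profile Any | Out-Null
    }
}

# 3. Read the rules back with their port and address scope to confirm
#    what the firewall actually stored.
Get-NetFirewallRule -DisplayName "$RulePrefix $BlockedClient*" | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Action        = $_.Action
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    }
} | Format-Table -AutoSize

# 4. Close SMB sessions this client opened before the rules existed, so a
#    later access test is not answered over an already-established session.
Get-SmbSession -ClientComputerName $BlockedClient -ErrorAction SilentlyContinue |
    Close-SmbSession -Force
```

Test from the blocked client afterwards; a second client on a different address should still reach the share, which confirms the rules are scoped rather than global.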
