Windows Firewall - Allow Specific Computers Access to File Shares

    Question

  • This question has been asked, but never fully answered. So I'm going to bring it up again, and share my work-arounds, and why I can no longer use a work-around

    Necessity:

    I need to be able to allow "authenticated" computers to access file shares on a new file server. On our other file servers, authentication is handled by AD accounts (shares are assigned AD groups in their security settings, accounts must be in the proper groups to be able to access the share). Users can technically use whatever computer they'd like, as long as they have the proper credentials. I need to restrict usage, to only specific computers, as well as specific users. Piece of cake right?

    Work-Around:

    I've (in the past) done this by simply assigning the authenticated computers static IP addresses on the DHCP, so that I can then enter that IP into the "scope" section of the Windows Firewall. Done deal. Pretty simple. The problem is that there are a finite number of IP addresses, and some of the newer projects need a larger set of authenticated computers. Hence assigning a static IP address to each computer is not only inefficient, but it's implausible as this necessity grows.

    Thoughts:

    I've been trying to educate myself with IPSec as I see that there are some nice "Authorized Computers" and "Authorized Users" tabs under Windows Firewall rules. That's perfect! I can even assign a group of computers to make future management easier! Problem is, it doesn't work as easily as it says it will. I enter my computer name, and my user name, and I can't access the share. I suspect this has something to do with the mandatory changing of access to "Allow the connection" to "Allow the connection if it is secure..." Perhaps my connections are being flagged as "not secure" so no rules past that are processed and I'm not allowed access? I don't know.

    How can I configure these "Authorized Computers" and "Authorized Users" tabs to work as I want them to (to work at all). Do I need to configure the clients connections to be something other than the default? So that the server sees them as secure?

    Thanks

    MFiebs

    Friday, July 12, 2013 4:37 PM

Answers

  •  

    Figured out the solution. I'll tell you what I did specifically, for others seeking similar solutions, you can look over what I did, and adapt it to your specific needs.


    The server and clients need an agreed upon method with which to pass extra jazz (such as computer names) into connection requests. That is done in Windows Firewall via Connection Security Rules. For testing purposes, I managed these via the Windows Advanced Firewall GUI, but it will be implemented via a GPO. It can also be scripted. I'll give you the script command that would achieve the same settings that I set up in the GUI as it's a bit easier to articulate the specific settings ...
                    Server:
                            netsh advfirewall consec add rule name="Whatever makes sense" endpoint1=any endpoint2=<server IP address> action=requireinrequestout auth1=computerkerb
                    Client1:
                            netsh advfirewall consec add rule name="Whatever makes sense" endpoint1=any endpoint2=<server IP address> action=requireinrequireout auth1=computerkerb
                    Client2:
                            netsh advfirewall consec add rule name="Whatever makes sense" endpoint1=any endpoint2=<server IP address> action=requireinrequestout auth1=computerkerb


    Notice the slight difference between the server and the client Connection Security Rule: if you set the server to "requireinrequireout" the server will lose connection to the network as it is requiring all outgoing traffic to be secure. What's important for the server in this setup is "requirein," what's important for the clients is that they "requireout." If you don't specify the server's IP address, you won't get good results; it's a necessity. Therefore it must also be a static IP (no surprise here).


    Now that they're offering the computer name in their communication, we can use it within the Firewall. Within the Windows Firewall with Advanced Security GUI, you can right click on "Windows Firewall with Advanced Security on Local Computer" and select Properties. Since I'm working on a domain, I changed only the Domain Profile settings. For the Inbound Connections, I changed it from the default "Block (default)" to "Block All Connections." This serves as our bottleneck.

    Finally I made a custom inbound rule to allow traffic if it is secure, all programs, any protocol, all ports. I named it "All Communication." Obviously you could make a more specific rule than I did; mine basically covers everything for testing purposes. I checked the "Override Block Rules" check box; if you forget this, you won't override the "Block All Connections" that we set earlier. Since it's an override, you must select at least one computer. I made an AD group that houses the computers I want to grant access to (the idea being that for future adds or removes, it can be managed simply by AD group addition or subtraction instead of further managing the firewall), so I entered the group in the "Authorized Computers" box.

    Voilà. Only the computers in that AD group can access the server. I manage share permissions independently, and am able to control which computers are able to get through the firewall via an AD group for easy future manageability.

    It's a shame I couldn't find this anywhere else. Hope it serves someone else's needs as in my research I observed many people wanting to do the same (or similar) thing.

    • Marked as answer by MFiebs Wednesday, July 24, 2013 6:40 PM
    Wednesday, July 24, 2013 6:40 PM
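The accepted answer above, rebuilt as an added PowerShell example using the NetSecurity cmdlets (Windows 8 / Server 2012 and later). This is not code from the thread or from Microsoft; it reproduces the poster's netsh connection security rules, the "Block all connections" profile setting, and the override rule keyed to an AD computer group, and adds the check a practitioner wants afterwards: which peers actually hold an authenticated IPsec security association. The server address 10.0.0.50, the group CONTOSO\FileServerClients and the rule names are assumptions; the allow rule is scoped to SMB (TCP 445) rather than "all ports" as in the answer. In the cmdlets, local and remote addresses are explicit, so the server rule carries its own IP as local and the client rule carries it as remote, which is the same pairing the netsh endpoint1/endpoint2 lines express.

```powershell
# Added example: PowerShell equivalent of the netsh + GUI steps in the accepted
# answer. Run elevated from the server's console (not over RDP: the block-all
# step below would drop the session). Hypothetical values: server 10.0.0.50,
# AD computer group CONTOSO\FileServerClients, rule display names.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [ValidateSet('Server', 'Client')] [string] $Role,
    [string] $ServerIp  = '10.0.0.50',                  # assumed, must be static
    [string] $GroupName = 'CONTOSO\FileServerClients'   # assumed AD group of computer accounts
)

# Phase 1 authentication: computer (machine) Kerberos, i.e. netsh auth1=computerkerb.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos (phase 1)' -Proposal $proposal

if ($Role -eq 'Server') {
    # Connection security rule on the server: require authentication inbound,
    # only request it outbound. Require in both directions is the
    # "requireinrequireout" case the answer warns about (server loses DNS, DC, ...).
    New-NetIPsecRule -DisplayName 'File server: require computer auth inbound' -Profile Domain `
        -Mode Transport -LocalAddress $ServerIp -RemoteAddress Any `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $authSet.Name | Out-Null

    # Resolve the group to a SID and build the SDDL string -RemoteMachine expects:
    # a single ACE granting CC (connect) to that SID.
    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $sddl    = "D:(A;;CC;;;$sid)"

    # The allow rule: "Allow the connection if it is secure" (-Authentication Required),
    # "Override block rules" (-OverrideBlockRules), "Authorized computers" (-RemoteMachine).
    # Scoped to SMB instead of all ports. Create it BEFORE switching to block-all.
    New-NetFirewallRule -DisplayName 'SMB from authorized computers' -Profile Domain `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 `
        -Authentication Required -OverrideBlockRules $true -RemoteMachine $sddl | Out-Null

    # "Block all connections" in the GUI = default inbound action Block AND ignore
    # ordinary allow rules; only rules with OverrideBlockRules still let traffic in.
    Set-NetFirewallProfile -Profile Domain -Enabled True `
        -DefaultInboundAction Block -AllowInboundRules False
}
else {
    # Client: require authentication in both directions, but only toward the
    # server address, so the client's other traffic is untouched
    # (netsh: endpoint1=any endpoint2=<server> action=requireinrequireout).
    New-NetIPsecRule -DisplayName 'Require computer auth to file server' -Profile Domain `
        -Mode Transport -LocalAddress Any -RemoteAddress $ServerIp `
        -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet $authSet.Name | Out-Null

    # Quick reachability check. A client whose computer account is not in the
    # group still negotiates IPsec successfully but is then dropped by the firewall.
    Test-NetConnection -ComputerName $ServerIp -CommonTCPPort SMB
}

# On either side: which peers hold an authenticated main-mode SA with this host,
# and under which identities. A client with no connection security rule never
# appears here, which is what separates "Client 1" from "Client 2" in the ping test.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
```

Two operational caveats. The computer's group membership reaches the server inside the Kerberos ticket, so a computer added to the group is not recognized until its ticket is refreshed (a reboot is the simplest way). And because both rule sets match on the server's address, that address has to stay static, as the answer says; a DHCP reservation is enough.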

All replies

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    Please confirm there is a good physical connection between the clients and the server.

    Then I suggest we check the firewall log to confirm the reason why the traffic was blocked.

    When we know the "blocked" reason, it is easier to solve the problem.

    hope it helps

    Ted

    Monday, July 15, 2013 7:54 AM
  • I access the file shares successfully. I set the firewall rule to "Allow the connection if it is secure..." and I get no access to any shares. So it appears then that the problem lies in the definition of a "secure connection." Which I'm having trouble understanding.

    Tuesday, July 16, 2013 7:40 PM
    To simplify the problem/solution, I've decided to isolate the issue via pinging, as it requires only one rule to work properly, whereas file sharing can require a few different ports depending on how you're connecting, and is generally messier than a simple ping test.

    So applying rules to "File and Printer Sharing (Echo Request - ICMPv4-In)" ...

          File and Printer Sharing (Echo Request - ICMPv4-In) - Allowed
                   Client 1: Ping successful
                   Client 2: Ping successful

          File and Printer Sharing (Echo Request - ICMPv4-In) - Blocked
                   Client 1: Ping unsuccessful
                   Client 2: Ping unsuccessful

          File and Printer Sharing (Echo Request - ICMPv4-In) - Allow Only Secure Connections...
                   Client 1: Ping successful
                   Client 2: Ping successful

         File and Printer Sharing (Echo Request - ICMPv4-In) - Allow Only Secure Connections... 
         Only allow connections from remote computers: checked
         Remote Computers: AD\{Client 1's Computer Name}
                   Client 1: Ping successful
                   Client 2: Ping successful <-- I expected different result

    Perhaps my problem is just the need for further configuration? I'm stuck. Why is Client 2's connection allowed, even though only Client 1's computer name is entered in the "Only allow connections from remote computers" box?

    Monday, July 22, 2013 4:44 PM