File sharing

capitan

I have a few XP sp2 machines which have the firewall enabled, and file
and printer sharing is set to be allowed to pass through the firewall,
but it doesn't work (can't run administrative share). Most machines
here this configuration works fine. Any suggestions as to why this
doesn't work on a select few machines? Thanks.
 
Steven L Umbach

Try running the command netsh firewall show state on a computer that has the
problem and then one that does not have the problem to see how the results
compare. If you get an access denied message to the administrative share
that would indicate that you are not a local administrator on the computer
or that simple file sharing is enabled. I would also use telnet to try and
access TCP port 139 and 445 on a machine that works correctly and one that
does not to help determine if it is a network access or other problem. You
can use the command telnet xxx.xxx.xxx.xxx 39 using the actual IP address of
the computer you want to access. If the port is open you will see a blank
command window with a blinking cursor like you will see if you run telnet
127.0.0.1 445 on your computer. Portqry is also a tool from Microsoft that
allows you to scan a network computer for port availability from the command
line.

Steve

http://support.microsoft.com/kb/310099/ --- Portqry
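Steve's telnet and portqry comparison, scripted so that both ports are checked on both computers in one pass and the result distinguishes a dropped SYN (filtered) from an RST (closed). This is an added example, not code from the thread; the host names are placeholders, and the try/catch assumes PowerShell 2.0 or later.

```powershell
# Added example, not code from the original thread. Probes TCP 139 and 445 on a working
# and a problem computer and classifies each answer the way portqry does. Host names
# are placeholders; try/catch assumes PowerShell 2.0 or later.

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Neither SYN/ACK nor RST inside the timeout: the SYN was dropped, which is what
        # a firewall with no exception for the port does. portqry reports this as FILTERED.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'Filtered' }
        $client.EndConnect($async)      # throws a SocketException if the connect failed
        return 'Open'                   # handshake completed: a listener answered (LISTENING)
    }
    catch {
        # PowerShell wraps .NET exceptions; walk the chain to the SocketException.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.Sockets.SocketException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            return 'Closed'             # RST came back: host reachable, nothing listening (NOT LISTENING)
        }
        if ($ex) { return "Error: $($ex.SocketErrorCode)" }
        return "Error: $($_.Exception.Message)"
    }
    finally {
        $client.Close()
    }
}

function Compare-SmbReachability {
    param(
        [Parameter(Mandatory = $true)][string]$WorkingHost,
        [Parameter(Mandatory = $true)][string]$ProblemHost,
        [int[]]$Ports = @(139, 445)
    )
    foreach ($port in $Ports) {
        New-Object PSObject -Property @{
            Port    = $port
            Working = Test-TcpPort -ComputerName $WorkingHost -Port $port
            Problem = Test-TcpPort -ComputerName $ProblemHost -Port $port
        }
    }
}

# Control row: Windows Firewall does not filter loopback, so this proves the local
# listener is up (Steve's "telnet 127.0.0.1 445" check) independently of the firewall.
Test-TcpPort -ComputerName '127.0.0.1' -Port 445

# Placeholder names: one machine where the admin share works, one where it does not.
Compare-SmbReachability -WorkingHost 'pc-ok' -ProblemHost 'pc-bad' |
    Format-Table Port, Working, Problem -AutoSize
```

Read the table as follows: 'Open' on the working host and 'Filtered' on the problem host for the same port points at the firewall on the problem host, since the packet was dropped rather than answered. 'Closed' means the host replied with a reset, so the firewall let the SYN through and the thing to check is whether anything is listening on that port (netstat on the target), not the exception list.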
 
capitan

Thanks for the suggestions I will give them a try!

capitan
 
capitan

OK, I did all of the tests you suggested Steve, and it turns out that
even though the firewalls of these 2 machines (one that works properly
and one that doesn't) GUIs show the same settings, the Microsoft
directory services shows as filtered on the machine where file sharing
is failing to get through the firewall. I have done some research on
how to correct that since doing it through the GUI is not working, and I
have come up with using 'netsh firewall show portopening' and then, to
correct it, 'netsh firewall set portopening TCP 445'. But I think there
should be more on this command, I just can't find how to specify that I
want that port listening for Microsoft directory services instead of
filtering. Can anyone who knows the command line for the XP SP2 firewall
help me out please?

Thanks!
 
capitan

Just thought of more info I would like to add to this post. What I
actually need to do is to enable port opening TCP 445 through the scope
of a few different subnets. So far I have:

'netsh firewall set portopening TCP 445 microsoft-ds service enable'

How can I query the working machine to get the scope information for
subnets on port TCP 445? If I can get that, I then know how to
configure the port on the other machine.

Alternatively, as I mentioned, I think I could specify the scope of
subnets to allow.

Any suggestions? Thanks!
 
Steven L Umbach

Out of curiosity, can you access the shares when the firewall is disabled on
the problem computers? It would be good to confirm that first. Also does the
command netstat -anp tcp show ports 139 and 445 listening or connected on
the problem computers?

Steve
 
capitan

Hi Steve. Yes, I can access the administrative share, I can access the
computer through the Computer Management Console remotely, and I can
access the registry remotely through regedit when the firewall is turned
off. I cannot access any of this when the firewall is turned on. I
believe all of this access is controlled by file sharing. The logged in
user can also access file servers and mapped shares with the firewall
on. I'm just cut off from the necessary administrative functions I
mentioned above.

The netstat command you asked me to run shows this for ports 139 and 445:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING

It shows this on multiple computers having this problem. These are the
only entries for these ports.

capitan
 
Steven L Umbach

Well you did a good job in determining that Windows Firewall is indeed the
problem. Instead of creating exceptions for individual ports for FPS I
suggest that you try Group Policy and configuring the exemption for file and
print sharing and probably the remote administration exemption. Of course
you would need to do it in the appropriate Group Policy that would apply to
the computer accounts for the domain or standard profile as the case may be.
The settings in question are under computer configuration/administrative
templates/network/network connections/Windows Firewall/domain or standard
profile. If there are no domain level Group Policies being applied to these
computers currently for Windows Firewall, which you could verify by running
rsop.msc on the client computer, you could try using local Group Policy
[gpedit.msc] to see if it does what you want.

Steve
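The rsop.msc check Steve describes, done from the command line: the XP SP2 firewall stores policy-delivered settings under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall and the locally configured ones under the SharedAccess\Parameters\FirewallPolicy key, and a policy value overrides the local one. This is an added example, not code from the thread; the registry roots are the XP SP2 locations, but the sub-key and value names (Services\FileAndPrint, RemoteAdminSettings, Enabled, RemoteAddresses) are assumed to match that layout and should be confirmed against netsh firewall show config on one machine first.

```powershell
# Added example, not code from the original thread. Reports, per firewall profile, whether
# the File and Printer Sharing and Remote Administration exceptions come from Group Policy
# (domain or local GPO) or from the machine's own configuration, and what scope applies.
# Registry roots are the XP SP2 ones; the sub-key and value names below are assumed.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$LocalRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Any key under the policy root means some GPO (domain, or local gpedit.msc) manages the firewall.
function Test-FirewallPolicyPresent {
    Test-Path $PolicyRoot
}

function Get-FirewallExceptionSource {
    param([ValidateSet('DomainProfile', 'StandardProfile')][string]$ProfileName)

    # Assumed layout: each exception key holds Enabled (DWORD) and RemoteAddresses (scope string).
    $exceptions = @{
        FileAndPrint = 'Services\FileAndPrint'
        RemoteAdmin  = 'RemoteAdminSettings'
    }
    foreach ($name in $exceptions.Keys) {
        $rel    = $exceptions[$name]
        $policy = Get-ItemProperty -Path "$PolicyRoot\$ProfileName\$rel" -ErrorAction SilentlyContinue
        $local  = Get-ItemProperty -Path "$LocalRoot\$ProfileName\$rel"  -ErrorAction SilentlyContinue

        # A policy value, when one exists, wins over whatever the GUI or netsh set locally.
        if ($policy -and $policy.PSObject.Properties['Enabled']) {
            $source = 'GroupPolicy';   $effective = $policy
        } elseif ($local -and $local.PSObject.Properties['Enabled']) {
            $source = 'Local';         $effective = $local
        } else {
            $source = 'NotConfigured'; $effective = $null
        }

        $enabled = $false
        $scope   = $null
        if ($effective) {
            $enabled = ($effective.Enabled -eq 1)
            $scope   = $effective.RemoteAddresses   # '*' = any computer, 'LocalSubNet', or a list
        }
        New-Object PSObject -Property @{
            Profile   = $ProfileName
            Exception = $name
            Source    = $source
            Enabled   = $enabled
            Scope     = $scope
        }
    }
}

"Firewall managed by Group Policy: $(Test-FirewallPolicyPresent)"
'DomainProfile', 'StandardProfile' |
    ForEach-Object { Get-FirewallExceptionSource -ProfileName $_ } |
    Format-Table Profile, Exception, Source, Enabled, Scope -AutoSize
```

A row whose Source is GroupPolicy on a machine where "no domain GPO" is expected is the thing to chase: it may be a local GPO set earlier in gpedit.msc, and it will silently override any later change made in the firewall GUI or with netsh. Run it on a working and a failing machine and diff the two tables.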
 
capitan

We have no group policy settings across the domain for the Windows
firewall, as it is controlled here on a machine by machine basis. What
specifically would I do to ensure there are no domain GP settings for
the firewall by opening rsop.msc (or how would I check once it's open)?

On one of the affected machines, I went into gpedit.msc and enabled both
the 'Allow remote administration exception' and the 'Allow file and
printer sharing exception' and rebooted. It still did not work, so then
I changed the scope to 'any computer' setting in file and printer
sharing and rebooted, that worked. So then I went back and put in a
custom setting to accept connections on the local subnet plus
connections from my subnet, and it still doesn't work. I need those
admin functions available to me, but I think it would be unsafe to leave
TCP port 139 wide open on laptops that operate off of the network and
connect via VPN sometimes. Anyone have any more suggestions as to how
to get the ideal balance of security and admin access from here?

Steve, thanks again for all of your help, it's much appreciated!

Thanks,
capitan
 
Steven L Umbach

When you run rsop.msc you will get a report screen showing Group Policy
settings for the computer and user. You would want to see if anything is
shown for computer configuration/administrative templates/network/network
connections/Windows Firewall and what settings from what Group Policy.

No you don't want to leave those exceptions open to everywhere. Possibly
there is a problem with the syntax you are using. If you were using
"localsubnet" try not using that but instead list the subnets to see if that
makes a difference as in 192.168.0.1/24,192.168.1.0/24 . I remember having
problems getting a custom scope to work correctly before. After configuring
the settings in Group Policy then go to the Windows Firewall properties to
see if the exceptions are what you expect for the scope.

Steve
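
The explicit-subnet scope Steve suggests, applied with netsh rather than the Group Policy editor, and read back afterwards so the stored scope can be compared with what the GUI shows. This is an added example, not code from the thread; the subnets are placeholders, the command needs an administrative prompt, and "verbose=ENABLE" on netsh firewall show service is assumed to print the scope of each entry.

```powershell
# Added example, not code from the original thread. Restricts the File and Printer Sharing
# and Remote Administration exceptions to an explicit list of management subnets, applies
# them to both profiles, and reads the result back. Subnets are placeholders; netsh's
# "verbose=ENABLE" on show service is assumed to list the scope per entry.

function Test-ScopeEntry {
    # Accepts the forms netsh takes in a custom scope: the LocalSubnet keyword, a.b.c.d,
    # a.b.c.d/n or a.b.c.d/m.m.m.m (IPv4 only; XP SP2 firewall scopes are IPv4).
    param([Parameter(Mandatory = $true)][string]$Entry)
    if ($Entry -eq 'LocalSubnet') { return $true }
    if ($Entry -notmatch '^\d{1,3}(\.\d{1,3}){3}(/(\d{1,2}|\d{1,3}(\.\d{1,3}){3}))?$') { return $false }
    $parts = $Entry -split '/'
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$addr)) { return $false }  # rejects octets > 255
    if ($parts.Count -eq 1) { return $true }
    if ($parts[1] -match '^\d{1,2}$') { return ([int]$parts[1] -le 32) }
    $mask = $null
    return [System.Net.IPAddress]::TryParse($parts[1], [ref]$mask)
}

function Set-AdminAccessScope {
    param(
        [Parameter(Mandatory = $true)][string[]]$Subnets,
        [ValidateSet('ALL', 'DOMAIN', 'STANDARD', 'CURRENT')][string]$FirewallProfile = 'ALL'
    )
    # Validate before touching the firewall: a malformed entry must not become a bad or
    # missing scope, which is how an exception ends up open to "any computer".
    foreach ($s in $Subnets) {
        if (-not (Test-ScopeEntry $s)) { throw "Refusing to apply scope: '$s' is not a valid entry" }
    }
    $addresses = $Subnets -join ','

    # FILEANDPRINT covers TCP 139/445 and UDP 137/138 as one exception; REMOTEADMIN covers
    # the RPC traffic (TCP 135 plus the dynamic ports svchost.exe and lsass.exe use) that
    # the Computer Management console needs. Each key=value pair is quoted so PowerShell
    # hands it to netsh as one argument; an unquoted comma-separated value would be split.
    foreach ($svc in 'FILEANDPRINT', 'REMOTEADMIN') {
        & netsh firewall set service "type=$svc" 'mode=ENABLE' 'scope=CUSTOM' "addresses=$addresses" "profile=$FirewallProfile"
        if ($LASTEXITCODE -ne 0) { throw "netsh failed for $svc (exit code $LASTEXITCODE)" }
    }
    # Single-port alternative for just the admin share (microsoft-ds), same scope syntax:
    #   netsh firewall set portopening protocol=TCP port=445 name=microsoft-ds mode=ENABLE scope=CUSTOM addresses=... profile=ALL

    # Read back what was stored rather than trusting the GUI.
    & netsh firewall show service 'verbose=ENABLE'
}

# Placeholder subnets: the workstation LAN and the subnet the administrator connects from.
Set-AdminAccessScope -Subnets '192.168.0.0/24', '10.20.30.0/24'
```

Two caveats. First, a netsh setting is only the local configuration: if a firewall policy (including one set locally with gpedit.msc) is in effect for the same exception, the policy value wins and this change has no visible effect, so clear or scope the policy setting instead in that case. Second, applying to profile=ALL matters for the laptops: off the domain network they run under the standard profile, and the scope list, not the profile, is what keeps TCP 139 and 445 from being reachable from arbitrary addresses over the VPN.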

