How to open file and printer shares to the internet?

6

3

I tried to make file and printer sharing open to the internet on NT3.51 in 1998, but it just refused to actually ever work.

What are the IP ports and protocols that must be port-forwarded to make file and printer sharing available to the internet?

Reading KB298804 - Internet firewalls can prevent browsing and file sharing, it says that there are two port ranges:

  • Microsoft file sharing SMB: Port 135-139 (TCP and UDP)
  • Direct-hosted SMB traffic without NetBIOS: Port 445 (TCP and UDP)

Attempts so far

I opened those port ranges on my router, NATting them to my desktop machine, but I cannot access them from the outside:

[image]

Other machines on the LAN can access the shares.

Packet capture on the router shows that the traffic is reaching my home machine. My work machine is trying to connect direct (without NetBIOS). Then it pings, and then it frantically keeps trying other ports:

IP/TCP   69.59.196.211:445 <== 216.8.139.6:59763  tcp 0
IP/ICMP  69.59.196.211     <== 216.8.139.6        ICMP echo request    
IP/ICMP  69.59.196.211     ==> 216.8.139.6        ICMP echo reply
IP/TCP   69.59.196.211:139 <== 216.8.139.6:59764  tcp 0
IP/TCP   69.59.196.211:445 <== 216.8.139.6:59763  tcp 0
IP/TCP   69.59.196.211:139 <== 216.8.139.6:59764  tcp 0
IP/TCP   69.59.196.211:445 <== 216.8.139.6:59763  tcp 0
IP/TCP   69.59.196.211:139 <== 216.8.139.6:59764  tcp 0

Then I tried disabling the Windows Firewall completely, to see if it was the culprit:

[image]

And disabling the firewall completely worked.

So what settings on the Windows Firewall will allow File and Printer sharing from all networks, not just the local network?

I stumbled across a page that lists all the rules. The port 445 traffic is only allowed from the Local subnet. I'd like to change it to Any, but the rule does not look editable:

[image]

So the question becomes how to allow port 445 traffic from Any remote address, not just the Local subnet?


Answer

I found the spot where you can enable direct-hosted SMB traffic to allow traffic from any remote host (by default it limits to local subnet):

[image]

The important points are:

  • Incoming Rules
  • File and Printer Sharing (SMB-in) (Private Profile)
  • Scope. Remote Address: Any

There are multiple rules called "File and Printer Sharing (SMB-in)":

  • File and Printer Sharing (SMB-in) (Private Profile)
  • File and Printer Sharing (SMB-in) (Public Profile)
  • File and Printer Sharing (SMB-in) (Domain Profile)

These profiles correspond to your selection of a network's location:

  • Home ==> Private profile
  • Work ==> Private profile
  • Public ==> Public profile

and if you joined a domain, then the profiles are configured through the domain admin

  • domain ==> Domain profile

Self-learner. Guide exists here for anyone else who wants to open their machine's file sharing to the internet (Yeah right).

Ian Boyd

Posted 2009-11-02T15:26:05.317

Reputation: 18 244

I hope you don't plan on keeping it this way. VPN would be much smarter. – emgee – 2011-04-12T02:54:25.090

Answers

2

Just looking at my machine here (unfortunately XP so admittedly not the same), if I go into the exceptions tab in firewall settings, and edit the "File and Printer Sharing" entry, there is an option to "Change Scope". This presents you with the following three options:

  • Any Computer (including those on the Internet)
  • My network (subnet) only
  • Custom list

Can you confirm that the port ranges you mentioned are all present in the list when you edit the File and Printer Sharing entry, and that their scopes are all set to Any?

Update: If you go to "Windows Firewall with Advanced Security" by clicking "Advanced Settings" from the left hand column on the Firewall homepage in Control Panel, you may be able to find the rule in question and edit its scope from there.

Update 2: Just seen your new screenshot, can you not change the rule from the other tabs? They both sound potentially useful!

BenA

Posted 2009-11-02T15:26:05.317

Reputation: 5 245

That sounds like what I need. I just have to find it in 7. – Ian Boyd – 2009-11-02T16:39:25.857

And as you gave me the idea, and you're the only person to respond, you get answer credit. – Ian Boyd – 2009-11-02T18:19:48.727

5

Opening ports 135, 139, and 445 to the internet has got to be the biggest security vulnerability I've ever seen. The SMB service is extremely vulnerable and there are several exploits that allow hackers to walk right in and do whatever they want on your machine. For sharing over the internet I would suggest using FTP or SSH.

Robert Murphy

Posted 2009-11-02T15:26:05.317

Reputation: 59

I wonder how you're going to share printer thru FTP. – MadBoy – 2011-03-17T18:28:52.640

Sharing a printer over the internet? scary.... – Robert Murphy – 2011-03-17T20:41:14.103

Can you direct me to a security vulnerability in SMB? Is SMB inherently less secure than FTP or HTTP? – Ian Boyd – 2011-03-17T22:53:46.590

There are new SMB vulnerabilities almost every month. Just take a look at the Microsoft security bulletins.

– nhinkle – 2011-03-17T23:49:26.403

@RobertMurphy "Sharing a printer over the internet" Chrome has the feature built-in now. – Ian Boyd – 2012-09-17T21:04:40.810

Or FTP+SSH (SFTP). For what it's worth, I plan to use this guide not to open my machine to SMB connections from any random IP, but to temporarily whitelist specific IPs via remote desktop (using Chrome's, but that's not important) when I need to get at my shares from somewhere else. Should be much less insecure. :) – dgw – 2013-03-22T05:52:44.787
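
Added example (not part of the original posts): a PowerShell check that lists the enabled inbound TCP 445 allow rules discussed above with their profile and Remote Address scope, then previews narrowing any rule scoped to Any down to a short allow-list, as the last comment suggests. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later, so not the Windows 7 machine in the question), an elevated prompt, and constructed placeholder addresses.

```powershell
# Added example: audit inbound SMB firewall rules and narrow any that accept
# traffic from every remote address.

# Assumption: constructed placeholder addresses (RFC 5737 documentation range).
$AllowedRemote = @('203.0.113.10', '203.0.113.24')

function Get-SmbInboundScope {
    # Enabled inbound allow rules whose port filter is TCP 445, with their scope.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            if ($port.Protocol -eq 'TCP' -and $port.LocalPort -contains '445') {
                $addr = $rule | Get-NetFirewallAddressFilter
                [pscustomobject]@{
                    Name          = $rule.Name
                    DisplayName   = $rule.DisplayName
                    Profile       = $rule.Profile
                    RemoteAddress = $addr.RemoteAddress -join ','
                }
            }
        }
}

$rules = @(Get-SmbInboundScope)
$rules | Format-Table DisplayName, Profile, RemoteAddress -AutoSize

# Rules scoped to "Any" are the ones reachable from the internet once
# port 445 is forwarded on the router.
$open = @($rules | Where-Object { $_.RemoteAddress -eq 'Any' })
foreach ($r in $open) {
    # -WhatIf shows the change without applying it; remove it to commit.
    Set-NetFirewallRule -Name $r.Name -RemoteAddress $AllowedRemote -WhatIf
}
"{0} SMB-in rule(s) open to Any" -f $open.Count
```

Each profile (Private, Public, Domain) carries its own SMB-in rule, so the table shows one row per profile and a rule left at Any on the Public profile stands out immediately.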