Windows 2003 Firewall Rules Allow UNC Access To Shared Folders
A couple weeks ago I wrote a post about setting up Windows Firewall on a Windows 2003 Server running Oracle JD Edwards EnterpriseOne.
Well, it looks like I wrote that article a little too quickly: although Oracle JD Edwards EnterpriseOne ran perfectly, the users were not able to access the exported files on the shared folders. Actually, neither was I. In fact, I couldn’t get to any of the shared folders using a basic UNC path (i.e. \\servername\foldername\file.name).
I thought this would be easily resolved by checking a box on the Windows Firewall Exceptions tab, as in the image to the right. I was wrong. Although it seemed like it should work, it didn’t.
Then I did some checking and found that I could access the shared folders from the servers on the same segment as the Windows 2003 Server, but not from my laptop. Since I’ve been out of the Windows networking arena for a while and had no idea what the Infrastructure Team might have set up, I decided to submit a Service Request to our Support Desk and hope for the best. Unfortunately, because Windows Server 2003 reached its End-of-Life in 2009, because of the extremely limited options of the Windows Firewall at that time, and because of the number of different things that had been tried to segregate these servers from the rest of the network, my support options were pretty limited. Our Infrastructure Team worked with me on the issue for a while until we both gave up.
Defeated, I let it sit for a day or so.
Since I was getting tired of seeing that Service Request sitting in my queue, I took a look at it again. I did some research into the exact ports that need to be opened on any firewall to allow Windows Shared Folders to be used. Those ports are:
- udp 137: NetBIOS Name Service (nbname)
- udp 138: NetBIOS Datagram Service (nbdatagram)
- tcp 139: NetBIOS Session Service (nbsession)
- tcp 445: SMB Over TCP
I tried to insert exceptions for those ports but kept getting errors notifying me that “An entry for the same port ‘TCP 445 (SMB over TCP)’ already exists” and I couldn’t make another one. So, that made me want to see the raw settings in the registry rather than through the GUI. I did some searching and finally figured out that what I wanted could be found at the following registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
I found the entries that allow Windows Shared Folders and noticed that they were different from the entries I had added manually. Their scope was “LocalSubNet” rather than “*”, which means the ports are only open to hosts on the same subnet as the server. No wonder I could only get to the shared folders from servers that were on the same network segment.
I replaced “LocalSubNet” with “*” and everything worked!
You can use a .reg file like the following to make the changes:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"
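Each value under GloballyOpenPorts\List has the form port:protocol:scope:Enabled|Disabled:displayname, and the scope field is what decides who can reach the port: “LocalSubNet” limits it to the server’s own subnet, “*” opens it to every address, and a comma-separated list of IPv4 addresses or address/mask pairs (the form that netsh firewall writes for a custom scope) limits it to exactly those hosts. The script below is an added example, not code from the original post: it parses a .reg export of that key, flags NetBIOS/SMB entries whose scope is “*”, and rewrites them with an explicit address list instead, so you can open the shares to the client subnets that actually need them rather than to the whole network. The sample .reg text and the 10.1.0.0/255.255.0.0 and 10.2.5.17 addresses are constructed for the example. One caveat when you run this against a real export: the post edits ControlSet001, but the profile the firewall is actually using lives under CurrentControlSet, which is usually but not always the same control set, so check which one is current before importing the result.

```python
"""Audit and tighten Windows 2003 / XP SP2 era Windows Firewall
GloballyOpenPorts entries exported to a .reg file.

Added example, not from the original post.  Each value under
...\FirewallPolicy\DomainProfile\GloballyOpenPorts\List looks like
    "<port>:<proto>"="<port>:<proto>:<scope>:<Enabled|Disabled>:<display name>"
where <scope> is "*" (any address), "LocalSubNet", or a comma-separated
list of IPv4 addresses / address-mask pairs such as 10.1.0.0/255.255.0.0.
"""
import re
from dataclasses import dataclass

# The four ports the post identifies for Windows file sharing.
SMB_PORTS = {("137", "UDP"), ("138", "UDP"), ("139", "TCP"), ("445", "TCP")}

KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess"
       r"\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List")

# Constructed sample input: the post's .reg file, every entry open to "*".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"
'''

# A .reg value line: "name"="data"  (header and [key] lines will not match).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')


@dataclass
class PortRule:
    port: str
    proto: str
    scope: str
    enabled: bool
    display: str

    def to_reg_line(self):
        state = "Enabled" if self.enabled else "Disabled"
        return (f'"{self.port}:{self.proto}"='
                f'"{self.port}:{self.proto}:{self.scope}:{state}:{self.display}"')


def parse_reg(text):
    """Parse every GloballyOpenPorts value line in a .reg export."""
    rules = []
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        # maxsplit=4 keeps any ':' inside the display name intact.
        fields = m.group("data").split(":", 4)
        if len(fields) != 5:
            continue
        port, proto, scope, state, display = fields
        rules.append(PortRule(port, proto.upper(), scope, state == "Enabled", display))
    return rules


def audit(rules):
    """Return the enabled NetBIOS/SMB rules reachable from any address ('*')."""
    return [r for r in rules
            if (r.port, r.proto) in SMB_PORTS and r.enabled and r.scope == "*"]


def restrict_scope(rules, allowed):
    """Copy the rules, replacing a '*' scope with an explicit IPv4 list."""
    scope = ",".join(allowed)
    return [PortRule(r.port, r.proto, scope if r.scope == "*" else r.scope,
                     r.enabled, r.display) for r in rules]


def render_reg(rules, key=KEY):
    """Serialize rules back into a .reg file body for the given key."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    lines += [r.to_reg_line() for r in rules]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = parse_reg(SAMPLE_REG)
    for r in audit(rules):
        print(f"open to any address: {r.port}/{r.proto}")
    # Constructed client ranges that should be allowed to reach the shares.
    print(render_reg(restrict_scope(rules, ["10.1.0.0/255.255.0.0", "10.2.5.17"])))
```

Run it as-is to see the four wide-open entries flagged and a tightened .reg printed; to audit a real server, export the List key with regedit and pass the file contents to parse_reg instead of SAMPLE_REG.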
That was fun! I think…