Windows 2003 Firewall Rules Allow UNC Access To Shared Folders

A couple weeks ago I wrote a post about setting up Windows Firewall on a Windows 2003 Server running Oracle JD Edwards EnterpriseOne.

Well, looks like I wrote that article a little too quickly. Because although Oracle JD Edwards EnterpriseOne ran perfectly, the users were not able to access the exported files on the shared folders. Actually, neither was I. In fact, I couldn’t get to any of the shared folders using a basic UNC path (i.e. \\servername\foldername\file.name).

I thought this would be easily resolved by checking a box on the Windows Firewall Exceptions tab like on the image to the right. I was wrong. Although it seemed like it should work, it didn’t.

Then, I did some checking and found that I could access the shared folders from the servers on the same segment as the Windows 2003 Server but not from my laptop. Since I’ve been out of the Windows networking arena for a while and I had no idea what the Infrastructure Team might have set up, I decided to submit a Service Request to our Support Desk and hope for the best. Unfortunately, because Windows Server 2003 reached its End-of-Life in 2009, the extremely limited options of the Windows Firewall at that time and the number of different things that have been tried to segregate these servers from the rest of the network, my support options were pretty limited. Our Infrastructure Team worked with me for a while on the issue until we both gave up.

Defeated, I let it sit for a day or so.

Since I was getting tired of seeing that Service Request sitting in my queue, I took a look at it again. I did some research into the exact ports that needed to be opened up on any firewall to allow Windows Shared Folders to be used. Those ports are listed here:

  • udp 137: NetBIOS Name Service (nbname)
  • udp 138: NetBIOS Datagram Service (nbdatagram)
  • tcp 139: NetBIOS Session Service (nbsession)
  • tcp 445: SMB Over TCP

I tried to insert exceptions for those ports but kept getting errors notifying me that “An entry for the same port ‘TCP 445 (SMB over TCP)’ already exists” and I couldn’t make another one. So, that made me want to see the raw settings in the registry rather than through the GUI. I did some searching and finally figured out that what I wanted could be found at the following registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

 

I found the entries to allow Windows Shared Folders and noticed that they were different than the entries that I had added manually. They indicated that the scope was for the “LocalSubNet” rather than “*”. No wonder I could only get to the shared folders from servers that were on the same network segment.

I replaced the “LocalSubNet” with “*” and everything worked!

You can use a .reg file like the following to make the changes:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"
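To check which file-sharing exceptions in an exported firewall policy accept any source address (scope `*`) rather than only `LocalSubNet`, the following added example, which is not part of the original post, parses the text of a `.reg` export of the key above. The function names are hypothetical, the `port:protocol:scope:status:label` field order is read off the post's own entries, and the sample input is constructed.

```python
import re

# Ports the post lists for Windows shared folders.
SHARE_PORTS = {("137", "UDP"), ("138", "UDP"), ("139", "TCP"), ("445", "TCP")}
ENTRY = re.compile(r'^"[^"]+"="(?P<data>[^"]*)"$')
LIST_KEY = r"\GloballyOpenPorts\List"

# Constructed sample: the post's key with mixed scopes and one unrelated port.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"139:TCP"="139:TCP:*:Disabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"8080:TCP"="8080:TCP:*:Enabled:Example app"
'''

def parse_open_ports(reg_text):
    """Yield one dict per value under any ...\\GloballyOpenPorts\\List key."""
    section = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = ENTRY.match(line)
        if not m or not section.endswith(LIST_KEY):
            continue
        # Field order as it appears in the post's entries:
        # port:protocol:scope:status:label (the label may itself contain ':').
        parts = m.group("data").split(":", 4)
        if len(parts) != 5:
            continue
        port, proto, scope, status, label = parts
        yield {
            "profile": section[:-len(LIST_KEY)].rsplit("\\", 1)[-1],
            "port": port, "proto": proto.upper(), "scope": scope,
            "enabled": status.lower() == "enabled", "label": label,
        }

def world_open_shares(reg_text):
    """Return (profile, port, proto) for enabled share ports scoped to '*'."""
    return sorted(
        (e["profile"], e["port"], e["proto"])
        for e in parse_open_ports(reg_text)
        if e["enabled"] and e["scope"] == "*"
        and (e["port"], e["proto"]) in SHARE_PORTS
    )
```

On the constructed sample, `world_open_shares(SAMPLE)` returns only the TCP 445 entry, since 137 is still scoped to `LocalSubNet`, 139 is disabled and 8080 is not a file-sharing port.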

That was fun! I think…

Author

Stewart Schatz

Career: Principal CNC Consultant for Syntax Systems Limited specializing in Oracle JD Edwards EnterpriseOne and the technology that supports it. Side Hustle: Owner/Operator of E1Tips.com. Location: Lancaster, PA USA. What I like to do: Invest in Family, Explore Technology, Lead Teams, Share Knowledge/Experience, Hunt, Hike, etc.
