Question
Tuesday, May 23, 2017 8:31 PM
I disabled smb1 on our file server.
Now certain copiers cannot scan to folders.
How do I make Windows Firewall rules to allow incoming SMB1 traffic only to specific copier IP addresses?? and not to anything else??
This is a partial response to WannaCry...copiers are the things with poor configuration.
Or should we tell the copiers to use the IP address instead of the server name, like so??
\\1.2.3.4\folder\destination folder share
instead of
\\servername\folder\destination folder share
Thank you, Tom
All replies (5)
Wednesday, May 24, 2017 7:59 AM
Hi,
>>Or should we tell the copiers to use the IP address instead of the server name, like so??
We could access the shared resource in this fashion: \\ip\shared
Leave out DNS resolution for this FQDN.
>>How do I make Windows Firewall rules to allow incoming SMB1 traffic only to specific copier IP addresses?? and not to anything else??
You could use customized firewall settings:
Best regards,
Andy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, May 24, 2017 1:31 PM
Thank you for reminding me about that part of the settings.
Does entering an IP list constitute an implicit Deny for IPs and computers that are not in the list??
Do I need a separate rule for each SMB1 port (445, 137-139)??
We will also test IP address access to the share.
Thank you, Tom
Thursday, May 25, 2017 3:18 AM
>>Thank you for reminding me about that part of the settings.
>>Does entering an IP list constitute an implicit Deny for IPs and computers that are not in the list??
>>Do I need a separate rule for each SMB1 port (445, 137-139)??
>>We will also test IP address access to the share.
>>Thank you, Tom
You could refer to the following steps:
Click Next->Next
Click Finish!
Besides, I'd prefer to use GPO and scripts for this purpose:
Please remember to MARK the answer, thank you!!!
Note: I used my Server 2012 for capturing, so in step 4 please select your SMB 1.0 related service.
sc.exe query mrxsmb10
Best regards,
Andy
Thursday, May 25, 2017 12:17 PM
Hello Andy,
I think you do not understand my question. I will try again.
If I specify ALLOWING 3 specific IPs access to a service on a port, does this automatically DENY all other IPs access to the same service on the same port??
Furthermore, scripts and GPOs are globally applied, they don't allow exceptions.
I need to program exceptions (allow certain IPs to use smb1) and deny everything else.
Please post here any requests for clarification.
Thank you, Tom
Monday, June 5, 2017 6:27 AM
>>Hello Andy,
>>I think you do not understand my question. I will try again.
>>If I specify ALLOWING 3 specific IPs access to a service on a port, does this automatically DENY all other IPs access to the same service on the same port??
>>Furthermore, scripts and GPOs are globally applied, they don't allow exceptions.
>>I need to program exceptions (allow certain IPs to use smb1) and deny everything else.
>>Please post here any requests for clarification.
>>Thank you, Tom
Sorry for the late reply and for misunderstanding this issue.
Have you tried my methods?
Besides, using Windows Firewall with Advanced Security to modify the scope of the File and Printer Sharing (SMB-In) rule for the appropriate network profile to allow inbound SMB connections from the appropriate subnets is, I suppose, the only way currently.
Best regards,
Andy
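Added example, not part of the thread or of any poster's reply: a PowerShell sketch of the scoping approach discussed above, using the NetSecurity cmdlets available on Server 2012 and later. The copier and client addresses are constructed placeholders, and it assumes the built-in rule name quoted in the last reply.

```powershell
# Added example. Addresses are constructed placeholders (RFC 5737 range).
$CopierIPs     = @('192.0.2.21', '192.0.2.22', '192.0.2.23')  # hypothetical copiers
$ClientSubnets = @('192.0.2.128/25')                           # hypothetical SMB2/3 clients
$RuleName      = 'File and Printer Sharing (SMB-In)'           # built-in TCP 445 rule

# 1. A remote-address list on an Allow rule denies everyone else only when the
#    profile's effective default inbound action is Block. ActiveStore shows the
#    effective value after local and Group Policy settings are merged.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction

# 2. Scope the built-in allow rule. The firewall matches on address and port
#    only; it cannot tell SMB1 from SMB2/3, so ordinary file-share clients must
#    be listed as well or they lose access to the server on 445.
#    No separate Block rule is needed, and an explicit Block rule on the same
#    port would override this Allow rule.
Get-NetFirewallRule -DisplayName $RuleName |
    Set-NetFirewallRule -RemoteAddress ($CopierIPs + $ClientSubnets)

# 3. Any other enabled Allow rule on TCP 445 or 139 whose remote address is
#    'Any' still admits every host. List them so nothing bypasses the scope.
#    (Rules that express ports as a range are not matched by this simple test.)
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($port.Protocol -eq 'TCP' -and
            ($port.LocalPort -contains '445' -or $port.LocalPort -contains '139')) {
            [pscustomobject]@{
                Rule   = $_.DisplayName
                Ports  = $port.LocalPort -join ','
                Remote = $addr.RemoteAddress -join ','
            }
        }
    }

# 4. The firewall scope limits who can reach the port; which SMB dialects the
#    server accepts is a separate, server-wide setting.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
```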