slajoh01
join:2005-04-23

3 edits

slajoh01

Member

Running/Enabling File Sharing services

I have file sharing and print sharing disabled including the Server service as well.
But what if I want to share files across the LAN?

Should I use a software firewall along with my router?
Or, would a router alone be enough?

I have the Symantec EP as well with its firewall protection running. Would that be OK if I want to share files?

Thanks.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran

Premium Member

If you have SEP then adding a second firewall would do you little good. And if you want to use Windows file sharing, you'll have to re-enable the Server service.

You'll probably want to configure a rule to only allow certain IPs or a certain range of IPs to connect to your file sharing ports (137-139, 445). That way you can control which machines have access.

sbconslt
join:2009-07-28
Los Angeles, CA

sbconslt to slajoh01

Member

Your router protects you from the WAN. Supposing none of these machines are DMZ'd or have ports associated with Windows file and printer sharing forwarded to the WAN - which from the sound of it there aren't - no one from the outside network will be able to access file shares you serve from LAN hosts to other LAN hosts. Your router in effect creates a shielded network scope inside your home.

Now inside that LAN scope you might not be sure whether you trust all participants. Someone could bring over an infected laptop and spread something to your file shares, or someone could associate with your WLAN without authorization and start looking at your file shares. These are the threats. So here are some specific best practices you can do (assuming Windows XP in these examples) in addition to the general recommended security practices that you already know.

1) Share any shares read-only. E.g., in Windows shell, in folder properties, in "Sharing" tab, when you check "Share this folder on the network", don't check "Allow network users to change my files".

2) As a precaution, though they are theoretically protected by the Administrator password, disable the Administrative shares of your drives (C:, etc) that are enabled by default in Windows, by creating a registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks with DWORD value 0 (zero) and rebooting. This is a good trick that essentially everyone that is not on a managed domain should do if they haven't already.

3) Make sure your wireless access point that is part of your router, if you have a router that has one, is secured against unauthorized users in range associating with it and gaining privileged network posture on your LAN. Usually this just means set a good WPA passphrase. You can get more advice about this in the Wireless Security forum http://www.dslreports.com/forum/wsecurity
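
An added example, not part of the original thread: a Python check that reads `net share` output and reports whether the default administrative shares from step 2 are still being served after the reboot. The two sample outputs are constructed for illustration, and share names containing spaces are not handled.

```python
import re

# Constructed `net share` output before the AutoShareWks change.
SAMPLE_BEFORE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
Music        D:\Music
The command completed successfully.
"""

# Constructed output after setting AutoShareWks=0 and rebooting.
SAMPLE_AFTER = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
Music        D:\Music
The command completed successfully.
"""

# Drive-letter shares (C$, D$, ...) and ADMIN$ are the ones AutoShareWks controls.
ADMIN_SHARE = re.compile(r"^(?:[A-Z]\$|ADMIN\$)$", re.IGNORECASE)

def parse_shares(text):
    """Return the share names listed in `net share` output, in order."""
    names, in_table = [], False
    for line in text.splitlines():
        if line.startswith("---"):          # separator under the column header
            in_table = True
            continue
        if not in_table or not line.strip() or line[0].isspace():
            continue                        # header, blank or wrapped line
        if line.startswith("The command"):  # trailer line ends the table
            break
        names.append(line.split()[0])
    return names

def audit(text):
    """Split shares into administrative ones and ordinary user shares."""
    shares = parse_shares(text)
    return {
        "admin": [s for s in shares if ADMIN_SHARE.match(s)],
        # IPC$ is not removed by AutoShareWks, so it is not reported as a finding.
        "user": [s for s in shares if not s.endswith("$")],
    }

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(sample))
```

An empty `admin` list means the registry change took effect; every entry under `user` is a share whose read-only setting from step 1 is worth rechecking.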
slajoh01
join:2005-04-23

1 edit

slajoh01

Member

What about an additional software firewall like the SEP?
Will that be OK? Will that also prevent malware from spreading across the LAN?

All I need to do is configure which IPs on my LAN can connect to my fileserver...

I never even had to use a software firewall since they can be annoying at times. All I needed was a firewall router.

But now, since I want to share files, now I am running it along with the router.

sbconslt
join:2009-07-28
Los Angeles, CA

sbconslt

Member

SEP's firewall is aimed to stop malware from spreading for instance through known network facing vulnerabilities.

If there was someone or some malware writing infected files to a writeable, un-password-protected file share - which I think is the scenario you are imagining - probably this activity would pass through the network layer to the disk, then SEP's realtime filesystem scanner would kick in and catch it on disk.

The inbound threat detection in a software firewall component is there to supplement the primary detection facility in the realtime filesystem scanner component. It can catch malware let's say a few milliseconds earlier, before it hits the disk, because the firewall's packet inspection traps trigger on network activity, while the filesystem scanner traps trigger on file open or write activity.

Convenience wise, SEP's firewall rules should stay out of the way of Windows file sharing by default without you having to take any action, as those modules on those ports should already be whitelisted.

In short:

- yes SEP's software firewall is OK and is a good thing to have on your systems, certainly not hurting anything

- my belief is that you don't have to configure anything in SEP unless you want to introduce specific restrictions, Windows file sharing with LAN peers should work with the out of the box ruleset