Windows File Server exposed to the internet

LewisCurbishley

Junior Member
Feb 15, 2016
Hi all,

We have a server that's currently responding to NETBIOS pings even though ports 137-139 and port 53 are blocked externally.

Can anyone help please?
 

frowertr

Golden Member
Apr 17, 2010
You are port scanning this machine from outside your LAN or is this a scan from inside your network?

If it's inside then there isn't much cause for alarm. What version of Windows is this server?
 

LewisCurbishley

Junior Member
Feb 15, 2016
Hi,

I am running an nbtstat command from an external network.

Items;-

Server 2012 R2
DrayTek Vigor Firewall Router

For security purposes I cannot give out the IP address, but am getting the following return.

C:\Users\lewis.curbishley>nbtstat -a ***.***.***.***

Local Area Connection:
Node IpAddress: [***.***.***.***] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
CAL-SVR01 <00> UNIQUE Registered
CALCHAN <00> GROUP Registered
CALCHAN <1C> GROUP Registered
CAL-SVR01 <20> UNIQUE Registered
CALCHAN <1B> UNIQUE Registered

MAC Address = 9C-8E-99-64-B7-BC
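An added example (not from the thread) that parses the nbtstat -a name table quoted above and reports which NetBIOS roles an outside querier learns from it; the suffix meanings are the standard well-known NetBIOS suffixes, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the nbtstat -a name table quoted in the post above.
SAMPLE_NBTSTAT = """\
NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
CAL-SVR01 <00> UNIQUE Registered
CALCHAN <00> GROUP Registered
CALCHAN <1C> GROUP Registered
CAL-SVR01 <20> UNIQUE Registered
CALCHAN <1B> UNIQUE Registered

MAC Address = 9C-8E-99-64-B7-BC
"""

# Well-known NetBIOS name suffixes (16th byte), keyed by (suffix, name type).
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service (host name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("1B", "UNIQUE"): "Domain Master Browser (PDC emulator)",
    ("1C", "GROUP"): "Domain Controllers group",
    ("20", "UNIQUE"): "File Server Service (SMB shares)",
}
# Roles that no internet-facing host should be advertising to anonymous queriers.
EXPOSED_SUFFIXES = {("20", "UNIQUE"), ("1C", "GROUP"), ("1B", "UNIQUE")}

ENTRY_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-F]{2}(?:-[0-9A-F]{2}){5})")

def parse_nbtstat(text: str) -> Tuple[List[Dict[str, str]], str]:
    """Return the name-table entries and the MAC address from nbtstat -a output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, separator and blank lines carry no entry
        name, suffix, ntype, status = m.groups()
        entries.append({"name": name, "suffix": suffix, "type": ntype, "status": status,
                        "meaning": SUFFIX_MEANING.get((suffix, ntype), "unknown")})
    mac = MAC_RE.search(text)
    return entries, (mac.group(1) if mac else "")

def exposed_roles(entries: List[Dict[str, str]]) -> List[str]:
    """Roles an external querier learns that should not be visible from the internet."""
    return [f'{e["name"]}<{e["suffix"]}>: {e["meaning"]}'
            for e in entries if (e["suffix"], e["type"]) in EXPOSED_SUFFIXES]
```

Run against the quoted table it shows that the host advertises itself as a file server and the domain as having a domain controller and master browser, which is what the replies below are reacting to.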
 

LewisCurbishley

Junior Member
Feb 15, 2016
Hi,

Yes it does.

And no, on the router I have configured it to block any inbound connections on port 137-139 and port 53 as these are all the ports used for NETBIOS & DNS.
 

mikeymikec

Lifer
May 19, 2011
Try 135 as well. With 137-139 blocked, people *probably* can't log in to Windows file sharing services, but I think with 135 available they can query the machine for services.

I'm a bit confused though; why don't you have *everything* blocked on this server (ie. default firewall config) and then open only what is required? Otherwise, you might also want to take a look at port 445 as that's the port used by =>Win2k machines for file sharing normally (135,137-139 was the older service that is still left open for compatibility).
 

frowertr

Golden Member
Apr 17, 2010
Try 135 as well. With 137-139 blocked, people *probably* can't log in to Windows file sharing services, but I think with 135 available they can query the machine for services.

I'm a bit confused though; why don't you have *everything* blocked on this server (ie. default firewall config) and then open only what is required? Otherwise, you might also want to take a look at port 445 as that's the port used by =>Win2k machines for file sharing normally (135,137-139 was the older service that is still left open for compatibility).

^

Yeah, it sounds like an odd setup. How are you accessing this machine from the Internet? Is the firewall actually port forwarding specific ports directly to this server's internal IP? Or is 1:1 NAT set up and that server has its own dedicated external-facing IP?

I think you need to step back and determine why this server is external-facing at all. If you have external users on the Internet that need file sharing done by this server, you need to use a VPN to access your internal resources.
 

LewisCurbishley

Junior Member
Feb 15, 2016
Hi Guys,

Managed to get it fixed thanks.

And I didn't initially set this up in the 1st place. I see where you're coming from. It was a bit ridiculous not to just have everything blocked and only open needed stuff.

The only problem I had is the users needed a quick resolution, and the option of making huge firewall changes just wasn't going to be a feasible option during work hours and unplanned.

I made the necessary changes and blocked ports 137-139, 135, 53 and 445 for any external inbound connections, and this fixed my issue immediately.

Cheers for all your help guys.
 

Phynaz

Lifer
Mar 13, 2006
So you still have a naked Windows box sitting on the Internet. It's probably already been owned.