Windows – Can Windows share access be limited on IP base

network-share samba windows

We have got a Windows server running with 5 shares. To increase VPN security I'd like to forbid access to one of the shares from the VPN network (10.8..). Is this possible via Windows Firewall? What are the other possibilities? Can the machine get a second IP and share the one share through this particular IP, but not through the other?

Best Regards

Best Answer

This cannot be done with the level of specificity that you require. The sticky wicket is this:

I'd like to forbid access to one of the shares

You cannot create rules that restrict access to a specific share based on IP address/subnet. You can restrict share access by computer account and standard Windows group permissions, but that doesn't help you unless the computers that are coming through the VPN are both domain joined and also never simultaneously show up on the local network (they'd be restricted from accessing the share whether they were coming through the VPN or on the LAN).

What you might need to do is separate that one share onto its own file server. From there, you can restrict access to the server as a whole based on subnets using Windows Firewall (or IPSec rules, but that's ugly and unnecessary).
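
The Windows Firewall restriction described in the answer could look like the following on the dedicated file server. This is an added example, not part of the original answer; the rule name is hypothetical, and the VPN subnet is a required parameter because the page does not give the full range.

```powershell
#Requires -RunAsAdministrator
# Added example: block inbound SMB from the VPN subnet on the separate file server.
param(
    # VPN client subnet in CIDR form. The page elides the real range, so supply your own.
    [Parameter(Mandatory)]
    [string]$VpnSubnet,

    # Hypothetical display name, used to find and replace the rule on re-runs.
    [string]$RuleName = 'Block SMB from VPN subnet'
)

# Validate "a.b.c.d/nn" before touching the firewall.
$addr, $prefix = $VpnSubnet -split '/', 2
$ip = $null
$ok = [System.Net.IPAddress]::TryParse($addr, [ref]$ip) -and
      $ip.AddressFamily -eq 'InterNetwork' -and
      $prefix -match '^\d+$' -and [int]$prefix -le 32
if (-not $ok) { throw "Not a valid IPv4 CIDR: $VpnSubnet" }

# Remove any earlier copy of the rule so the script is safe to run again.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# TCP 445 is SMB; TCP 139 is SMB over the NetBIOS session service.
# An explicit Block rule takes precedence over the built-in
# "File and Printer Sharing" allow rules, so LAN access is unaffected.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Block -Protocol TCP `
    -LocalPort 445, 139 -RemoteAddress $VpnSubnet -Profile Any | Out-Null

# Report what is now enforced.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Action  = $_.Action
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        Ports   = ($_ | Get-NetFirewallPortFilter).LocalPort
    }
}
```

The rule only matches if VPN clients reach the server with their VPN-assigned source addresses; if the VPN gateway NATs them to a LAN address, the firewall cannot tell them apart from local clients.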