How to isolate the Windows shares from the Internet?

I want to isolate the Windows shares on my local network from the Internet. How can I do that with CIS?

In more details: I have 2 PCs using Windows XP which are connected to a WLAN home router. One of them has a shared folder (in the Windows terminology), let’s call it the server and the other one needs to access the folder, let’s call it the client.

The server has the “File and Printer Sharing for Microsoft Networks” enabled on the network card that connects to the WLAN router. Also, the client has “Client for Microsoft Networks” enabled on the network card that connects to the WLAN router. The WLAN router also connects to the internet.
I am concerned that this increases the attack surface of the client and server: maybe the Windows shares are accessible from the Internet or maybe the ports that the SMB protocol uses are left open to the Internet.

My question is this: can I configure CIS to eliminate this danger? For example, can CIS filter the SMB protocol and make sure that its messages stay inside my home LAN?

As long as the ports on your router are not open to the internet I don’t see a danger of hackers taking advantage of it. Try a service like the one from Gibson Research to probe the first 1024 ports. That will tell if the router ports are stealth, closed or open.

Being on the web in general is a risk. So you will have to make sure your browsers are securely configured to reduce the chances of getting compromised in general.

You could create a file-group in D+ that contains the shared folder, and then create a rule for the filegroup that excludes traffic from source IPs not in the network zone. To add a layer of stealth, you’d need to add ICMP blocks out to the internet (to prevent the host from acknowledging its existence by transmitting connection denied ICMP).

However, NAT routers should drop unsolicited traffic at the network perimeter. The only way unsolicited connections can be made with nodes on a network would be if the router is configured for port forwarding (or if NAT is disabled).

Subsequent to that, prior to accessing the share itself, the source needs access to the host itself. That would entail allowing inbound connections to either Windows Operating System or System (or both). Furthermore, all your app rules should be outbound explicit.

In any case, any inbound connection attempts to either the host or a shared resource on the host will generate an alert. Default behavior would be to block the connection unless it’s explicitly allowed.

Providing the router firewall has been correctly configured to block NetBIOS (TCP and UDP ports 137 to 139) and SMB over TCP (TCP port 445), exploits that use these services should be prevented. However, you can also create rules in the CIS firewall that will allow communication between devices on your LAN only.

You can achieve this in a couple of different ways. The first is the most simple, the second is just a slightly more restrictive version.

  1. Open the CIS control panel and select Firewall security policy
  2. Select Network Zones and ensure there is an entry that covers the range of IP addresses used by your LAN. (This is usually done automatically via the ‘Automatically detect new private networks’ option in More/Preferences.)
  3. Assuming there is such an entry, make a note of the name and close network Zones
  4. Select the ‘Stealth Ports Wizard’ and select the first option ‘Define a new trusted network…’
  5. In the Zone name drop down box select the name of the network zone we found earlier.
  6. Select OK

This process will add two Application rules to the System process and also two rules to Global list. Essentially, these rules allow for communication between devices participating in file and printer sharing on your LAN. Make sure you perform this task on each PC.

The second option, as I said, is similar; we just tighten the rules a little. To do this, either run through the procedure outlined above or create the rules manually. If you choose the first option you can edit the rules created by the Stealth Ports Wizard:

Application rules: Application name - System
Rule Name - Allow System To Send Requests If The Target Is In [LAN] (change this to client/server names)
Action - Allow
Protocol - IP
Direction - OUT
Source Address - ANY (Change this to either the MAC or IP address of the client PC on your LAN)
Destination Address - Network zone name (Change this to the MAC address of the server PC on your LAN)
IP Details - ANY

Application rules: Application name - System
Rule Name - Allow System To Receive Requests If The Sender Is In [LAN] (change this to client/server names)
Action - Allow
Protocol - IP
Direction - IN
Source Address - Network zone name (Change this to the MAC address of the server PC on your LAN)
Destination Address - ANY (Change this to either the MAC or IP address of the client PC on your LAN)
IP Details - ANY

If necessary, modify the above depending on which PC is the client and which PC is the server; also add an additional rule to the System process to block and log all other communication:

Application rules: Application name - System
Rule name - Block and Log IP OUT
Action - Block
Protocol - IP
Direction - OUT
Source Address - ANY
Destination Address - ANY
IP Details - ANY

You now need to repeat the process for Global rules, however, there is no process name to associate with these rules, so they will affect all traffic that passes through Global rules:

Rule name - Allow All Outgoing Requests If The Target Is In [LAN]
Action - Allow
Protocol - IP
Direction - OUT
Source Address - ANY (Change this to either the MAC or IP address of the client PC on your LAN)
Destination Address - Network zone name (Change this to the MAC address of the server PC on your LAN)
IP Details - ANY

Rule name - Allow All Incoming Requests If The Sender Is In [LAN]
Action - Allow
Protocol - IP
Direction - IN
Source Address - Network zone name (Change this to the MAC address of the server PC on your LAN)
Destination Address - ANY (Change this to either the MAC or IP address of the client PC on your LAN)
IP Details - ANY

Then add an additional rule as the last entry in the Global rules list:

Rule name - Block and Log IP IN
Action - Block
Protocol - IP
Direction - IN
Source Address - ANY
Destination Address - ANY
IP Details - ANY

Remember, by adding this block rule to Global rules you will affect all traffic trying to enter your LAN, therefore, you will have to create global rules for applications that need inbound communication, such as p2p clients, above this rule.

The above is fine for basic file and printer sharing, however, accessing other shared media, movies, audio etc. will require additional rules.
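As an added illustration (not CIS code and not part of the posts above), here is a small Python model of the three Global rules described in the last answer: an ordered, first-match rule list with "Allow ... If The Target/Sender Is In [LAN]" rules followed by a final "Block and Log IP IN" rule. The LAN zone 192.168.1.0/24, the host addresses and the packets are constructed values. It evaluates inbound SMB (TCP 445) and NetBIOS (UDP 137) traffic from the LAN and from the Internet against the rules, and shows why an inbound rule for a p2p client has to sit above the block rule. Traffic that matches no rule is treated as an alert-and-block, as the thread says CIS does for unsolicited inbound attempts; the model does not try to reproduce how CIS passes outbound traffic between Application and Global rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed LAN range; in CIS this is the Network Zone found in step 2 of the procedure.
LAN_ZONE = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    direction: str          # "IN" or "OUT", seen from the host running the firewall
    protocol: str           # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                        # "Allow" or "Block"
    direction: str                                     # "IN", "OUT" or "IN/OUT"
    protocol: str = "IP"                               # "IP" matches every IP protocol
    src_zone: Optional[ipaddress.IPv4Network] = None   # None means ANY
    dst_zone: Optional[ipaddress.IPv4Network] = None   # None means ANY
    dports: FrozenSet[int] = frozenset()               # empty means ANY
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.direction not in ("IN/OUT", pkt.direction):
            return False
        if self.protocol not in ("IP", pkt.protocol):
            return False
        if self.src_zone is not None and ipaddress.ip_address(pkt.src) not in self.src_zone:
            return False
        if self.dst_zone is not None and ipaddress.ip_address(pkt.dst) not in self.dst_zone:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, log: List[str]) -> Tuple[str, str]:
    """First matching rule wins; a rule with log=True records the hit. No match: alert and block."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.log:
                log.append(f"{rule.name}: {pkt.protocol} {pkt.src} -> {pkt.dst}:{pkt.dport}")
            return rule.action, rule.name
    log.append(f"ALERT (no matching rule): {pkt.protocol} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    return "Block", "default"


def global_rules(extra_before_block: Tuple[Rule, ...] = ()) -> List[Rule]:
    """The three Global rules from the post; rules for apps that need inbound traffic go above the block."""
    return [
        Rule("Allow All Outgoing Requests If The Target Is In [LAN]", "Allow", "OUT", dst_zone=LAN_ZONE),
        Rule("Allow All Incoming Requests If The Sender Is In [LAN]", "Allow", "IN", src_zone=LAN_ZONE),
        *extra_before_block,
        Rule("Block and Log IP IN", "Block", "IN", log=True),
    ]


def run_demo() -> Tuple[dict, List[str]]:
    """Evaluate constructed traffic as seen by the server 192.168.1.20 and return the decisions."""
    log: List[str] = []
    p2p = Rule("Allow p2p client inbound", "Allow", "IN", protocol="TCP", dports=frozenset({6881}))
    ordered = global_rules(extra_before_block=(p2p,))   # p2p rule above the block rule
    misordered = global_rules() + [p2p]                 # p2p rule below the block rule: never reached

    client_smb = Packet("IN", "TCP", "192.168.1.10", "192.168.1.20", 445)     # LAN client opening the share
    inet_smb = Packet("IN", "TCP", "203.0.113.5", "192.168.1.20", 445)        # Internet host probing SMB
    inet_netbios = Packet("IN", "UDP", "203.0.113.5", "192.168.1.20", 137)    # Internet host probing NetBIOS
    to_client = Packet("OUT", "TCP", "192.168.1.20", "192.168.1.10", 445)     # server browsing the client's share
    inet_p2p = Packet("IN", "TCP", "203.0.113.7", "192.168.1.20", 6881)       # inbound p2p peer

    results = {
        "lan_smb_in": evaluate(ordered, client_smb, log)[0],
        "inet_smb_in": evaluate(ordered, inet_smb, log)[0],
        "inet_netbios_in": evaluate(ordered, inet_netbios, log)[0],
        "lan_out": evaluate(ordered, to_client, log)[0],
        "p2p_ordered": evaluate(ordered, inet_p2p, log)[0],
        "p2p_misordered": evaluate(misordered, inet_p2p, log)[0],
    }
    return results, log


if __name__ == "__main__":
    decisions, entries = run_demo()
    for name, action in decisions.items():
        print(f"{name:16s} {action}")
    print("\n".join(entries))
```

The two Internet-sourced probes and the mis-ordered p2p case all end up in the log from the "Block and Log IP IN" rule, which is the signal the post says to expect; moving the p2p rule above that block rule is what turns the last case into an Allow.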