Sunday, May 19, 2013

Curiosity killed the cat: Enabling/Disabling File Sharing Part one

By default, 2012 Server disables the File and Printer Sharing group of rules in Windows Firewall. This means that you won't be able to get to shares, including the administrative shares, and by default, you won't be able to ping the server either.


"NO SMB FOR YOU!"
There are multiple ways to enable these rules and get SMB (and therefore, File and Print Sharing) up and running.

Install a role/feature
 
The first is to install a server role/feature that adds, and enables, its own firewall rule, usually for port 445 (direct SMB), like the File Server role. Even though the "File and Printer Sharing" rule group may still be disabled, SMB will be enabled. I'll talk more about that in part 2.

Windows Firewall
 
The second is to go into Windows Firewall with Advanced Security, Inbound Rules, sort by Group, and enable all of the "File and Printer Sharing" rules. That was easy. The problem with this method is that it enables File and Printer Sharing for all of the Windows Firewall profiles: domain, public, private. You can further go into the properties of each rule in the set, click on the Advanced tab, and uncheck the public and private profiles. This would be a better option, since it assigns the rules to the Domain profile only. Since the other profiles have no inbound rules for this set, they are blocked implicitly.

Advanced Sharing Settings
 
The third is to use the familiar Change Advanced Sharing Settings in Network and Sharing Center in Control Panel. Enabling the file sharing option for a profile here just enables the "File and Printer Sharing" rules for that Windows Firewall profile, but it does give you individual control of the rules for each profile. More on that in a bit.


GUI is all well and good unless you installed Server Core. The next options will help you with that!

Command Line
A fourth option is to use netsh utility from the command line:
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
This will also enable these rules for all Firewall profiles.

Powershell 3

A fifth option is to use Powershell 3. Before, you could do it through WMI, but in 2012 we have cmdlets in the new NetSecurity module. To do the same as the above netsh command:
get-netfirewallrule -displaygroup 'File and Printer Sharing' | enable-netfirewallrule

The problem with this, again, is that it enables these rules for all Firewall profiles. So, how about enabling it for the Domain profile only, and then the other two profiles would block implicitly because they have no inbound rules, like so:
set-netfirewallrule -displaygroup 'File and Printer Sharing' -profile Domain -enabled true


There we go. But, it's still only one set of rules! This sets my OCD off. Why does changing multiple profiles in the "Advanced Sharing Settings" GUI create individual rules for each profile? Well, because it copies the rule set into new rules.

Take a fresh install (or revert your firewall rules to Default in Windows Firewall). Now go into Advanced Sharing Settings and enable file and printer sharing under the Domain profile. This is what the rules in the "File and Printer Sharing" group look like now:


It copied all of the rules to new rules, and assigned the Domain profile to them. Since the "Name" property has to be unique, it assigns GUIDs to the new rules. But it kept the Private and Public profiles assigned to the original rules. If you go back into the Advanced Sharing Settings and enable, then disable, "file and printer sharing" under the Private profile, it will break out the profiles even further by copying over another set:


So, back to my OCD. Taking a fresh install, I wanted to split out the profiles into individual rule sets using PowerShell. After much tinkering, this is what I came up with:

get-netfirewallrule | where {($_.displaygroup -eq 'File and Printer Sharing') -and ($_.profile -eq 'Any')} | set-netfirewallrule -profile public -passthru | foreach-object {copy-netfirewallrule -inputobject $_ -newname ("{"+(([guid]::newguid()).tostring().toupper())+"}") -passthru} | set-netfirewallrule -profile private -passthru | foreach-object {copy-netfirewallrule -inputobject $_ -newname ("{"+(([guid]::newguid()).tostring().toupper())+"}") -passthru} | set-netfirewallrule -profile domain -passthru | enable-netfirewallrule

Not the prettiest thing in the world, but it seems to work just fine! This set of cmdlets starts with a rule set it gets from get-netfirewallrule, filtering it down to only the "File and Printer Sharing" group, and only the rules assigned to the Any/All profile, as you would expect with a fresh install. It passes this rule set to set-netfirewallrule, which changes these original 16 rules to the "public" profile. Next, we use foreach-object with copy-netfirewallrule so we can give each individual rule a new GUID for a name. After this, the original rules (not the copies) are passed on and set-netfirewallrule sets them to the private profile. These rules again are copied to new rules, and the original rules are sent through the pipeline where they are finally set to the Domain profile and enabled. The final result:


OCD satisfied! Since I'm still learning powershell scripting, my next goal is to create a script that will mimic the "Advanced Sharing Settings" GUI. I'll probably call it ASS for short.
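The same split, written out as a readable script with a verification step at the end. This is an added example, not the post's own one-liner; it assumes Server 2012 with the NetSecurity module, a fresh rule set still assigned to the 'Any' profile, and an elevated prompt, and the helper name Copy-RuleSetToProfile is mine.

```powershell
# Added example (not from the post): split the "File and Printer Sharing" rule group
# into one rule set per firewall profile, then enable only the Domain set.
# Assumes Windows Server 2012 / PowerShell 3 with the NetSecurity module and a fresh
# rule set where the group is still assigned to the 'Any' profile. Run elevated.
Import-Module NetSecurity

$group = 'File and Printer Sharing'

# Hypothetical helper: copy every rule in $Rules to a new rule named with a fresh GUID
# (rule names must be unique), assign the copy to $TargetProfile, and return the copies.
function Copy-RuleSetToProfile {
    param([object[]]$Rules, [string]$TargetProfile)
    foreach ($rule in $Rules) {
        $newName = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
        Copy-NetFirewallRule -InputObject $rule -NewName $newName -PassThru |
            Set-NetFirewallRule -Profile $TargetProfile -PassThru
    }
}

# Start from the original rules that are still assigned to all profiles.
$original = Get-NetFirewallRule -DisplayGroup $group | Where-Object { $_.Profile -eq 'Any' }
if (-not $original) {
    throw "No '$group' rules on profile 'Any'; restore the firewall defaults first."
}

# Keep the originals as the Public set (left disabled); make copies for Private and Domain.
$original | Set-NetFirewallRule -Profile Public -Enabled False
$private = Copy-RuleSetToProfile -Rules $original -TargetProfile Private
$domain  = Copy-RuleSetToProfile -Rules $original -TargetProfile Domain

# Enable only the Domain set. Public and Private keep their own (disabled) rules,
# so those profiles still block SMB implicitly.
$domain | Enable-NetFirewallRule

# Verify: one line per profile with the rule count and how many are enabled.
Get-NetFirewallRule -DisplayGroup $group |
    Group-Object Profile |
    ForEach-Object {
        $enabled = @($_.Group | Where-Object { $_.Enabled -eq 'True' }).Count
        '{0,-8} rules={1,2} enabled={2,2}' -f $_.Name, $_.Count, $enabled
    }
```

On a fresh install the verification should show three profiles with the same rule count each and only the Domain line reporting enabled rules.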

One last note: For as long as I can remember, you can disable file and printer sharing on each network interface individually. This will trump anything else in reference to traffic that hits that NIC. And you can still do it in 2012:

2 comments:

  1. Great article but how do I enable the domain profile using: The syntax is kicking my butt!

    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
