Showing posts with label sharing. Show all posts

Sunday, May 19, 2013

Curiosity killed the cat: Enabling/Disabling File Sharing Part one

By default, Windows Server 2012 leaves the "File and Printer Sharing" group of rules in Windows Firewall disabled. That means you can't reach any shares on the server, including the administrative shares (C$, ADMIN$), and since the ICMPv4 Echo Request rule is part of that same group, by default you can't ping the server either.


"NO SMB FOR YOU!"
There are multiple ways to enable these rules and get SMB (and, therefore, File and Printer Sharing) up and running.

Install a role/feature

The first is to install a server role or feature that adds, and enables, its own firewall rule, usually for TCP 445 (SMB over TCP), as the File Server role does. Even though the "File and Printer Sharing" rule group stays disabled, port 445 is open and SMB works. I'll talk more about that in part 2.

Windows Firewall

The second is to open Windows Firewall with Advanced Security, go to Inbound Rules, sort by Group, and enable all of the "File and Printer Sharing" rules. That was easy. The problem with this method is that it enables File and Printer Sharing for all of the Windows Firewall profiles: Domain, Private and Public. You can go further into the properties of each rule in the set, click the Advanced tab, and uncheck the Private and Public profiles. That is the better option, since it assigns the rules to the Domain profile only. Because the other profiles are then left with no inbound rule matching SMB traffic, and their default inbound action is Block, that traffic is dropped implicitly.

Advanced Sharing Settings

The third is to use the familiar Change Advanced Sharing Settings in Network and Sharing Center in Control Panel. Turning on file and printer sharing for a profile here does nothing more than enable the "File and Printer Sharing" rules for that Windows Firewall profile, but it does give you individual control of the rules for each profile. More on that in a bit.


The GUI is all well and good, unless you installed Server Core. The next options will help you there.

Command Line

A fourth option is to use the netsh utility from the command line:
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
This also enables the rules for all firewall profiles.

PowerShell 3

A fifth option is to use PowerShell 3. Before 2012 you had to script this through netsh or the HNetCfg.FwPolicy2 COM object, but 2012 ships cmdlets for it in the new NetSecurity module. To do the same as the netsh command above:
get-netfirewallrule -displaygroup 'File and Printer Sharing' | enable-netfirewallrule

The problem with this, again, is that it enables the rules for all firewall profiles. So instead, enable them for the Domain profile only; the other two profiles then block implicitly, because they are left with no inbound rule for this traffic, like so:
set-netfirewallrule -displaygroup 'File and Printer Sharing' -profile Domain -enabled true


There we go. But it's still only one set of rules, and that sets my OCD off. Why does toggling the profiles in the "Advanced Sharing Settings" GUI create individual rules for each profile? Because it copies the rule set into new rules.

Take a fresh install (or restore the default policy in Windows Firewall). Now go into Advanced Sharing Settings and enable file and printer sharing under the Domain profile. This is what the rules in the "File and Printer Sharing" group look like now:


It copied all of the rules to new rules and assigned the Domain profile to them. Since the "Name" property has to be unique, it uses GUIDs as the names of the new rules. But it kept the Private and Public profiles assigned to the original rules. If you go back into Advanced Sharing Settings and enable, then disable, file and printer sharing under the Private profile, it breaks the profiles out even further by copying over another set:


So, back to my OCD. Starting from a fresh install, I wanted to split the profiles out into individual rule sets using PowerShell. After much tinkering, this is what I came up with:

get-netfirewallrule |
    where {($_.displaygroup -eq 'File and Printer Sharing') -and ($_.profile -eq 'Any')} |
    set-netfirewallrule -profile public -passthru |
    foreach-object {copy-netfirewallrule -inputobject $_ -newname ("{"+(([guid]::newguid()).tostring().toupper())+"}") -passthru} |
    set-netfirewallrule -profile private -passthru |
    foreach-object {copy-netfirewallrule -inputobject $_ -newname ("{"+(([guid]::newguid()).tostring().toupper())+"}") -passthru} |
    set-netfirewallrule -profile domain -passthru |
    enable-netfirewallrule

Not the prettiest thing in the world, but it seems to work just fine! This pipeline starts with the rule set from get-netfirewallrule, filtered down to the "File and Printer Sharing" group and only those rules assigned to the Any profile, as you would expect on a fresh install. It passes that set to set-netfirewallrule, which changes the original 16 rules to the Public profile. Next, foreach-object runs copy-netfirewallrule on each rule so that every copy gets a fresh GUID as its name. After that, the original rules (not the copies) are passed on, and set-netfirewallrule sets them to the Private profile. They are copied once more, and the originals go down the pipeline one last time, where they are set to the Domain profile and enabled. The final result:
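As an added example (my code, not the one-liner above or anything from the post), here is a function that does what the GUI does, but for one profile at a time: if a rule in the group still spans several profiles it peels off a dedicated, GUID-named copy for the profile you asked for, leaves the original covering the remaining profiles, and then enables or disables only the dedicated rule. It sidesteps the question of what copy-netfirewallrule -passthru returns by re-fetching the copy by its new name. The function and parameter names are mine; the rule group, profile names and cmdlets are the built-in ones.

```powershell
# Added example, not the post's own script: mimic the Advanced Sharing Settings
# GUI for one profile at a time. Assumes Windows Server 2012 / PowerShell 3
# with the NetSecurity module, run from an elevated prompt.
function Set-FpsProfile {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('Domain','Private','Public')]
        [string]$Profile,

        [Parameter(Mandatory=$true)]
        [bool]$Enabled
    )
    $all   = 'Domain','Private','Public'
    $state = if ($Enabled) { 'True' } else { 'False' }

    # Materialise the list first so the copies we create are not re-visited
    $rules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing')

    foreach ($rule in $rules) {
        # Expand the rule's profile mask ("Any", "Private, Public", ...) into names
        $have = if ("$($rule.Profile)" -eq 'Any') { $all } else { "$($rule.Profile)" -split ',\s*' }
        if ($have -notcontains $Profile) { continue }

        if (@($have).Count -eq 1) {
            # Already a dedicated rule for this profile: just flip it
            $rule | Set-NetFirewallRule -Enabled $state
            continue
        }

        # Shared rule: peel off a dedicated copy (GUID-named, as the GUI does)
        # and leave the original covering the remaining profiles
        $newName = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
        Copy-NetFirewallRule -InputObject $rule -NewName $newName
        Get-NetFirewallRule -Name $newName |
            Set-NetFirewallRule -Profile $Profile -Enabled $state
        $rule | Set-NetFirewallRule -Profile (($have | Where-Object { $_ -ne $Profile }) -join ', ')
    }
}

# Usage: domain-only sharing on, then show how the group was split
Set-FpsProfile -Profile Domain -Enabled $true
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Sort-Object Profile, DisplayName |
    Format-Table DisplayName, Profile, Enabled -AutoSize
```

Run it once per profile you want to change; on a fresh install the first call turns the "Any" rules into a Domain set plus a "Private, Public" set, a second call for Private splits that remainder again, which is exactly the layout the GUI produces in the screenshots above.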


OCD satisfied! Since I'm still learning PowerShell scripting, my next goal is to write a script that mimics the "Advanced Sharing Settings" GUI. I'll probably call it ASS for short.

One last note: for as long as I can remember, you have been able to disable file and printer sharing on each network interface individually, by unbinding "File and Printer Sharing for Microsoft Networks" from the adapter. That trumps anything else for traffic that hits that NIC, because the Server service simply stops serving shares on that interface, firewall rules or not. And you can still do it in 2012:
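
As an added example (my code, not from the post), here is an audit that pulls the moving parts of this post together in one place: which profile each NIC is actually on (the domain-only rules from the PowerShell section never match on a workgroup box), whether the ms_server binding ("File and Printer Sharing for Microsoft Networks") is still bound to each adapter, what every inbound rule in the group opens and for which profile, and each profile's default inbound action. The last step works out which rules really expose TCP 445 right now. The function name is mine; ms_server, the rule group and the cmdlets are the built-in ones.

```powershell
# Added example, not from the original post: audit whether SMB is really
# reachable on this server. Assumes Windows Server 2012 / PowerShell 3 with the
# NetSecurity, NetConnection and NetAdapter modules, run from an elevated prompt.
function Get-SmbExposure {
    # Which profile is each NIC on? Domain-only rules never match on a
    # workgroup box, or on a NIC that landed on Public.
    $nets = @(Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory)

    # Is "File and Printer Sharing for Microsoft Networks" (ms_server) still
    # bound to the adapter? Unbinding it trumps any firewall rule.
    $bindings = @(Get-NetAdapterBinding -ComponentID ms_server | Select-Object Name, Enabled)

    # Every inbound rule in the group, with profile, state and the port it opens
    $rules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            [PSCustomObject]@{
                Rule     = $_.DisplayName
                Profile  = "$($_.Profile)"
                Enabled  = "$($_.Enabled)"
                Protocol = "$($pf.Protocol)"
                Port     = "$($pf.LocalPort)"
            }
        })

    # Default inbound action per profile: with Block, a profile that has no
    # enabled rule for 445 is closed even though nothing denies it explicitly
    $defaults = @(Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction)

    # Profiles currently in use, translated into firewall-rule vocabulary
    $active = @($nets | ForEach-Object {
        if ($_.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { "$($_.NetworkCategory)" }
    })

    # Rules that open TCP 445 on a profile some NIC is actually using
    $open445 = @($rules | Where-Object {
        $profiles = @($_.Profile -split ',\s*')
        $_.Enabled -eq 'True' -and $_.Protocol -eq 'TCP' -and $_.Port -eq '445' -and
        ($profiles -contains 'Any' -or @($profiles | Where-Object { $active -contains $_ }).Count -gt 0)
    })

    [PSCustomObject]@{
        Networks        = $nets
        Bindings        = $bindings
        Rules           = $rules
        ProfileDefaults = $defaults
        Open445         = $open445
    }
}

$audit = Get-SmbExposure
$audit.Networks        | Format-Table -AutoSize
$audit.Bindings        | Format-Table -AutoSize
$audit.ProfileDefaults | Format-Table -AutoSize
$audit.Rules | Sort-Object Port, Profile | Format-Table -AutoSize
if ($audit.Open445.Count -eq 0) { 'TCP 445 is not reachable on any active profile' }
else { $audit.Open445 | Format-Table -AutoSize }
```

Note that the audit only looks at the "File and Printer Sharing" group; a rule from another group that also opens 445, like the one the File Server role adds (next post), would not show up here, so treat an empty Open445 as "this group isn't exposing SMB", not as proof that nothing is.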

Saturday, May 18, 2013

Curiosity killed the cat: Getting distracted by the File Server role feature

Note: "File and Printer Sharing" firewall rules are disabled by default on a new install of 2012. This article assumes that these rules have been enabled.  I'll cover more about that in the next article.

While working on the 2.1 study notes, I've been distracted by a couple of quirks in Windows. The first has to do with the File Server role feature in 2012.

The first thing to note is that the File and Storage Services (FileAndStorage-Services) role itself, and the Storage Services (Storage-Services) role feature, are installed by default and, as far as I can tell, cannot be removed.

Now, say you want to share a folder. A lot of documentation will tell you that you need to install the File Server role feature (FS-FileServer) first. I don't think you actually do (more on that in a bit), as long as you've enabled the File and Printer Sharing firewall rules. However, if you don't have it installed and you share out a folder, the feature gets "automagically" installed, along with its parent: File and iSCSI Services (File-Services)! This feature also adds new firewall rules in the "File Server Remote Management" group; I'll cover those in the next article too. In the following example I use new-smbshare, but you could also create the share in the GUI.

File Server not installed, make folder, share folder, file server now installed!

(Note that even without FS-FileServer installed, the administrative shares that exist by default are still available remotely. For instance, you can still get to \\server\C$.)

I don't yet know if there is a way to disable this automatic install process, but I think you can trick it into not installing: use the -Remove switch with uninstall-windowsfeature. (Note: before removing the File Server role feature, you will have to remove any non-system shares.) But, as outlined in 1.1.5 regarding Features on Demand, shouldn't it just use Windows Update as the source to reinstall it when you create a share? I'm actually not sure about this, since I'm using the MS virtual labs right now with no internet access.


File Server removed from SxS, mkdir folder, share folder, File Server still removed
Look Ma, no File Server role feature and I can share out folders! But wait, File and iSCSI Services now shows as installed! What kind of trickery is this? I really have no idea. What I do know is that without the FS-FileServer role installed, you won't be able to view the share in Server Manager, and I'm sure some other advanced functionality is missing. You can still browse to it from other computers, change its settings in Explorer, and use get-smbshare to see it.
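As an added example (my code, not the commands behind the screenshots above), here is a small before-and-after check for the experiment in this post: snapshot the install state of FS-FileServer and File-Services and the rules in the "File Server Remote Management" group, create a throwaway share, snapshot again, clean up, and report what changed. The share name, path and function name are mine; the feature names, rule group and cmdlets are the built-in ones. Run it in a lab, because it may really pull the File Server role feature in.

```powershell
# Added example, not from the original post: record what creating a share
# changes on the box (role features, and the firewall group the File Server
# role feature brings in). Assumes Windows Server 2012 / PowerShell 3, an
# elevated prompt, and a lab machine.
function Test-ShareSideEffects {
    param(
        [string]$ShareName = 'SideEffectTest',    # hypothetical name
        [string]$Path      = 'C:\SideEffectTest'  # hypothetical path
    )

    function Get-Snapshot {
        [PSCustomObject]@{
            # InstallState shows Installed / Available / Removed (after -Remove)
            Features = @(Get-WindowsFeature -Name FS-FileServer, File-Services |
                         ForEach-Object { '{0}={1}' -f $_.Name, $_.InstallState })
            # Group is absent until the File Server feature lands, so swallow that error
            Rules    = @(Get-NetFirewallRule -DisplayGroup 'File Server Remote Management' -ErrorAction SilentlyContinue |
                         ForEach-Object { '{0}={1}' -f $_.Name, $_.Enabled })
        }
    }

    $before = Get-Snapshot
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    try {
        New-SmbShare -Name $ShareName -Path $Path -ReadAccess 'Everyone' | Out-Null
        $after        = Get-Snapshot
        $shareVisible = [bool](Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)
    }
    finally {
        # Leave nothing behind, even if New-SmbShare failed
        Remove-SmbShare -Name $ShareName -Force -ErrorAction SilentlyContinue
        Remove-Item -Path $Path -Recurse -Force -ErrorAction SilentlyContinue
    }

    [PSCustomObject]@{
        ShareCreated   = $shareVisible
        FeaturesBefore = $before.Features
        FeaturesAfter  = $after.Features
        RulesAdded     = @($after.Rules | Where-Object { $before.Rules -notcontains $_ })
    }
}

Test-ShareSideEffects | Format-List
```

Run it once on a box where FS-FileServer is merely not installed and once after `Uninstall-WindowsFeature FS-FileServer -Remove`; FeaturesBefore and FeaturesAfter make the difference between the two cases (installed on demand versus left at Removed while File-Services still flips to Installed) visible without reading Server Manager, and RulesAdded shows whether the share also opened the File Server Remote Management rules, which include their own SMB-In rule for TCP 445.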

Of course the real mystery here might be why I spent so much time on this!