Using VBScript
This code enables the file and printer sharing exception for the current firewall profile.
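' ------ SCRIPT CONFIGURATION ------
' Service type value for the file and printer sharing exception
Const NET_FW_SERVICE_FILE_AND_PRINT = 0
Set Firewall = CreateObject("HNetCfg.FwMgr")
Set Policy = Firewall.LocalPolicy.CurrentProfile
' ------ END CONFIGURATION ---------
' Get the preconfigured exception from the current profile and enable it
Set Services = Policy.Services
Set Service = Services.Item(NET_FW_SERVICE_FILE_AND_PRINT)
Service.Enabled = True
WScript.Echo "Setting enabled"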
How It Works
Before the Windows Firewall was available through Service Pack 1 for Windows Server 2003,
enabling file and printer sharing meant that you needed to manually open UDP ports 137 and
138, TCP ports 139 and 445, and the ICMP echo message. In the Windows Firewall, you can
simply enable or disable the preconfigured file and printer sharing exception in the GUI, the
Registry, or using netsh or VBScript.
Like the remote administration exception, file and printer sharing opens several well-
known ports that are often used by malicious users to engage in network attacks. You should
therefore configure the scope of the file and printer sharing exception carefully to ensure that
only authorized users can access these ports on your Windows Server 2003 computer.
Though both the remote administration and file and printer sharing exceptions open TCP
port 445, you can enable and disable them independently of each other. However, enabling the
file and printer sharing exception will enable ICMP echo messages even if you've disabled the
ICMP exception.
In addition to enabling the file and printer sharing exception in Group Policy, you need to
specify the IPv4 addresses that are permitted to make remote administration connections. As
with other Windows Firewall settings, you can use LocalSubnet to specify the local subnet, * to
specify all hosts, or a custom list of addresses. For IPv6 addresses, you can only specify LocalSubnet
or * ; you can't create a custom exception list.
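The scope advice above can be checked from a script as well. The following is an added example, not code from the original text: it reports the current scope of the file and printer sharing exception, narrows it to the local subnet if it is open to all hosts, and lists the ports the exception controls. The helper names ScopeText and ProtocolText are this example's own, and restricting to the local subnet is an assumed policy choice.

```vbscript
Option Explicit
' Enumeration values from the Windows Firewall API
Const NET_FW_SERVICE_FILE_AND_PRINT = 0
Const NET_FW_SCOPE_ALL = 0
Const NET_FW_SCOPE_LOCAL_SUBNET = 1
Const NET_FW_SCOPE_CUSTOM = 2
Const NET_FW_IP_PROTOCOL_TCP = 6

Dim Firewall, Policy, Service, Port
Set Firewall = CreateObject("HNetCfg.FwMgr")
Set Policy = Firewall.LocalPolicy.CurrentProfile
Set Service = Policy.Services.Item(NET_FW_SERVICE_FILE_AND_PRINT)

WScript.Echo Service.Name & " enabled: " & Service.Enabled
WScript.Echo "Scope before: " & ScopeText(Service)

' An enabled exception that accepts all hosts is the case to narrow
' (assumed policy for this example: local subnet only)
If Service.Enabled And Service.Scope = NET_FW_SCOPE_ALL Then
    Service.Scope = NET_FW_SCOPE_LOCAL_SUBNET
    WScript.Echo "Scope after: " & ScopeText(Service)
End If

' List the ports that this exception opens
For Each Port In Service.GloballyOpenPorts
    WScript.Echo ProtocolText(Port.Protocol) & " " & Port.Port & " (" & Port.Name & ")"
Next

' Report the ICMP echo setting, which the text says this exception affects
WScript.Echo "ICMP echo allowed: " & Policy.IcmpSettings.AllowInboundEchoRequest

' Helper (this example's own): readable form of the service scope
Function ScopeText(Svc)
    Select Case Svc.Scope
        Case NET_FW_SCOPE_ALL: ScopeText = "all hosts (*)"
        Case NET_FW_SCOPE_LOCAL_SUBNET: ScopeText = "LocalSubnet"
        Case NET_FW_SCOPE_CUSTOM: ScopeText = "custom list: " & Svc.RemoteAddresses
        Case Else: ScopeText = "unknown (" & Svc.Scope & ")"
    End Select
End Function

' Helper (this example's own): the ports listed here are TCP or UDP
Function ProtocolText(Proto)
    If Proto = NET_FW_IP_PROTOCOL_TCP Then ProtocolText = "TCP" Else ProtocolText = "UDP"
End Function
```

Run it with cscript from an account that has administrative rights on the computer.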
Note: If you disable the file and printer sharing exception without allowing local exceptions as described
in Recipe 3-5, local administrators will not be able to enable the exception on any computers that they
administer.
See Also
- Recipe 3-8 to configure the remote administration exception
- Eric Cross's Networking: “Configure Windows Firewall Settings for File and Printer Sharing” (http://ecross.mvps.org/howto/firewall.htm)
- Microsoft TechNet: “Help: Enable or Disable the File and Printer Sharing Exception” (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/267c6000-957e-4fb4-8698-e41d4439fb58.mspx)