Stop File Sharing over a network

[Alphahawk]

What I want to do is stop windows machines from seeing other windows machines over the network without having to turn off file sharing on each machine. One way I have heard of doing that is to make it so that when the system pulls a ip address from the dhcp server I assing a different subnet mask to each one. I am hopeing that there is a better way than that to do this. I was hoping that by blocking ports 139, and 445 in tcp and ports 137, 138, and 445 udp that I could do this. So far no luck though.

Anyone know any way to stop computer to computer transfers without having to make changes to the client system?

 

[Boscoh]

Where are you blocking those ports? On a router? If so, and those PC's are all plugged into that one router then thats why it isnt working. By doing that you're only blocking those ports from the internet, you arent blocking those ports from computer-to-computer. Does that make sense? If this is what you are doing, then you'll need a seperate manageable switch with the ability to block these ports on each port on the switch. Thats the only way I can think of to do it without modifying the client.

However, if you dont want the clients to share files with each other, then why not disable file sharing?

 

[gunrunnerjohn]

On any machine that you want to disable file sharing, just turn off NETBIOS over TCP/IP in TCP/IP Advanced Properties.

 

[Alphahawk]

Originally posted by: gunrunnerjohn
On any machine that you want to disable file sharing, just turn off NETBIOS over TCP/IP in TCP/IP Advanced Properties.

Gunrunnerjohn I know you can do that but I dont want to turn it off on each computer. The computers are not mine they are just connecting to my network and I want to prevent people from seeing someone elses computer

 

[gunrunnerjohn]

I get it. One thing to check for is NETBEUI or some other protocol loaded. Your firewall won't do you any good if they have NETBEUI, the file sharing will simply hop over the firewall. If you limit the computers to TCP/IP, then blocking the NETBIOS ports should indeed stop file sharing.

 

[JackMDS]

If the other computers are not yours there is nothing you can do on them.

You want your computers not be accessible by the others?

Use TCP/IP only
Configure your IPs manually.

Install software firewall on your computers.

Configure the ?Trusted Zone? in each of your computers to trust your IPs only

 

[goldboyd]

What kind of switches are you using? Look into private VLANs, or VLAN ACLs; asuming the traffic your trying to block is not crossing a layer 3 device, if it is, then block it there.

 

[Alphahawk]

Gunrunner that is all fine and dandy but problem is that when file sharing the packets dont access the router they find the shortest path to the other computer which doesnt invovle going through the router.

jackmds. there are ways to do it without touching the client systems. what I am tring to do is find the easiest and most secure way to do it. One way supposidly is to assign each system to a different subnetmask but I am find flaws in that and it becomes a resource nightmare. Another way is to use a level 3 device to filter the packets but that is extremely expensive.

goldboy. I have looked at them a little and still working through the info.

Nother option that would be possible is what is the feasabbility of changing the router tables so that ip's from 192.168.2.50-254 are only allows to talk to 192.168.1.1 which is the server. is that possible?

 

[Boscoh]

I understand what you're asking. What you want to do is all going to depend on your switch. Is the switch you're using an integrated switch on the back of something like a Linksys or a Dlink? If it is, I doubt you'll be able to do anything at the Network-level, none of the integrated switches on those platforms that I've seen have any manageability in them, and anything you do in the router configuration permissions-wise is only going to effect internet-bound connections. If this is the case, then you need to get a seperate manageable switch. Cisco 2950's and 2940's (and probably other Cisco switches) have the ability to do what you are asking. It's called Protected Port Mode, basically you select all the ports on the switch and put them into this mode and they are not allowed to talk to each other, their traffic must be forwarded through a layer 3 device (your router) which is only going to allow them out to the internet. It sounds like this is what you want to do.

 

[cmetz]

Alphahawk, get a Dell 3324/3348 or a Cisco 3550 (/2950?) or Extreme or Foundry managed switch (I'm sure there are others), you can do L4 ACLs on every port and just block those TCP and UDP ports. If you insist on doing this in an intermediate system, you're going to have to shell out for one with some smarts.

NetBEUI & IPX blocking I don't know about off the top of my head, I'd have to take a look at my lab switches to tell you whether or not they can block on ethertype.