Setup file sharing in a most secure and convenient way?

Starlight5 · 21 Aug 2018

Hello,

I am setting up file sharing between my laptop & mini desktop PC, both running 10 Pro. I will be sharing content of 4x USB HDDs locally, and need to make it as secure as possible without resorting to use of different OS or third party software. I am limited to NTFS and Windows for server because I rely on both Bitlocker and Everything! file search heavily.

So far I adjusted SmbClientConfiguration and SmbServerConfiguration on both machines (screenshot below), and removed SMB1 from Windows features.

Both machines have fixed IPs on my home network, so I would like to block SMB (and RDP, since the machine is running headless with dummy FHD monitor adapter) from communicating with any other IPs using built-in Windows firewall - which entries do I need to adjust exactly?

I also assume I better create additional user on the server machine instead of using local administrator credentials - or will it be overkill after applying the measures above?

What else do I need to do?

Please kindly help! I'm very new to this, have literally zero experience working with Windows sharing, and would really appreciate some advice from people with experience and deep understanding of it.

Setup file sharing in a most secure and convenient way?-smbconfig.png

titetanium · 21 Aug 2018

Well, if you're looking to run the home network on SMBv2/3 and also block outside access, that can be done. Set it up as a private network with password file sharing. Then if you desire some way to access from the outside, I would suggest setting up an ssh server on the server machine and on the router, forward port 22 (or your desired port for ssh) so you can access the machine and the contents of the network through the server. You'll also need to configure the firewall to pass through the ssh port on the server too.

Starlight5 · 21 Aug 2018

@titetanium thank you for your answer!

I don't want outside access, moreover that I want to restrict both SMB and RDP to single IP address (and single MAC address would be nice addition too). Which entries in Windows 10 Pro machine serving as server's firewall should I adjust for that?

titetanium · 21 Aug 2018

Ok, I'm going to include some screenshots from control panel > windows firewall > advanced firewall rules.
1.

Setup file sharing in a most secure and convenient way?-smb_firewalling1.png

click on smb: private to open it for configuration.
2.

Setup file sharing in a most secure and convenient way?-smb_firewalling2.png

Click on secure connection, then apply.
3.

Setup file sharing in a most secure and convenient way?-smb_firewalling3.png

Click on remote computer tab, then (4) check allow only these computers followed by (5) clicking add button to (6) add your desired computers from your network. (7) Click ok. (8) Click apply. You should have access controlled to specific computers as you desire.

Hope this helps.

Starlight5 · 21 Aug 2018

@titetanium thank you very much, your advice really helped!

I failed to add computers, for whatever reason Firewall refuses to accept desktop's name; on the other hand, I configured both SMB-In and SMB-out under Private profile to only allow connections from&to specific IPs, and blocked all SMB connections under Domain & Public profiles; will do the same for server's RDP connectivity.

A few more questions, however:
* Should I bother resolving the "only allow connections from specific computers" issue, or is my setup secure enough as it is?
* Can I block all other file sharing services in firewall, or are some of them required for correct SMB functionality?

titetanium · 21 Aug 2018

Ok, I just tried the same thing and was not able to put any computer names in. However, I was able to put in ip-addresses per this screenshot:

Setup file sharing in a most secure and convenient way?-smb_firewalling4.png

.

Would this work for you?

Starlight5 · 21 Aug 2018

@titetanium yes, that's exactly what I did, for both SMB and RDP. Since this is my first time with Windows/SMB sharing, I'm not sure if I am supposed to implement some other security measures, in addition to configuring SMB and Firewall as listed above, or not.