Storage at Microsoft

What the heck is the File Server "role" in Windows Server???

NedPyle (Microsoft)
Jul 27, 2021

Heya folks, Ned here again. Today I clear up an old idiosyncrasy of Windows Server: if the SMB Server service is always installed, why is there a role called "File Server" and what does enabling it do? 

 

Let's... role 😉

 

Default SMB firewall behavior

The SMB Server service - "Server", aka "Lanmanserver" - always exists in Windows and isn't something you install; it's just there, as soon as you install the OS. However, since Windows XP and Windows Server 2003, that service can't be contacted from remote machines by default because the built-in firewall blocks it. SMB needs, at a minimum, TCP/445 inbound, and without that port open there is no remote file serving in SMB2+ on any supported version of Windows. Even though the C$ and ADMIN$ built-in shares exist by default, no one can access them from a remote machine by default.

 

But you probably don't remember opening a firewall port on your file server, right? You created a share and it just worked. That's because as soon as you create a custom SMB share, SMB Server automatically enables the various SMB firewall rules for file servers for access, administration, applications, etc. Watch:

 

Brand new machine with no custom shares, viewed via Windows Admin Center

 

 

Firewall on a brand new machine:

 

 

I make a custom share:

 

 

The firewall afterwards:

 

 

The File Server role

That works well for dedicated file servers - as soon as you add a share, everything is taken care of. But we also needed a way to just enable file server administration and grant administrators access to the built-in system shares C$ and ADMIN$ using SMB2+ on all Windows Servers. We didn't want them to have to create a share just to access some existing built-in shares. And we didn't want them to dig around in the firewall looking for the right rules to enable for management. So when you "install" the File Server role, we just enable the basic ports needed for file server administration and accessing those built-in SMB shares; no legacy stuff or historical app compat, just the very basics. In fact, it's very possible the server is not a "file server", so much as one you just want to copy a few files to or from as an administrator.
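To see which of the two mechanisms described above has opened TCP/445 on a given server, the following PowerShell audit can be run in an elevated session. It is an added example, not code from the original post. It assumes the default (local) firewall policy store and matches only rules that list port 445 explicitly.

```powershell
# Added example: report why TCP/445 is (or is not) reachable on this machine.
# Run in an elevated PowerShell session on the server being reviewed.

# Custom shares: anything that is not a built-in special share (C$, ADMIN$, IPC$).
$customShares = @(Get-SmbShare | Where-Object { -not $_.Special })

# File Server role state; Get-WindowsFeature exists only on Windows Server.
$roleState = 'n/a (Get-WindowsFeature not available)'
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $roleState = (Get-WindowsFeature -Name FS-FileServer).InstallState
}

# Enabled inbound allow rules whose local port list names 445 explicitly.
# Assumption: rules that cover 445 through a range or "Any" are not matched,
# and only the default (local) policy store is read.
$smbRules = @(
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Direction -eq 'Inbound' -and
            $_.Enabled   -eq 'True'    -and
            $_.Action    -eq 'Allow'
        }
)

# One-line summary of the three things the post ties together.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    ServerService    = (Get-Service -Name LanmanServer).Status
    FileServerRole   = $roleState
    CustomShareCount = $customShares.Count
    CustomShares     = $customShares.Name -join ', '
    Inbound445Rules  = $smbRules.Count
} | Format-List

# Which rule groups and firewall profiles opened the port.
$smbRules |
    Sort-Object DisplayGroup, DisplayName |
    Format-Table DisplayGroup, DisplayName, Profile -AutoSize

# Port open, but neither mechanism from the post explains it: worth a look.
if ($smbRules.Count -gt 0 -and $customShares.Count -eq 0 -and "$roleState" -ne 'Installed') {
    Write-Warning 'TCP/445 is open inbound, but there are no custom shares and the File Server role is not installed; find out what enabled these rules.'
}
```

Comparing the rule groups listed before and after creating a share, or before and after adding the role, shows exactly how much each mechanism opens on a given build.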

 

Here I am adding the File Server role:

 

 

And here are the firewall rules enabled:

 

 

So now you know. I'm thinking about changing the default firewall rules opened by creating a share as they are a legacy from older times; we'd do this in the Windows Insider builds first and see how many tens of thousands of applications I can break that were piggybacking on those. It's going to take a while. >_<

 

You are now ready for File Server trivia night at any bar or restaurant near Microsoft campus. I prefer PostDoc, myself.

 

Until next time,

 

- Ned "the name 'firewall' is very dumb, a real firewall allows nothing through, ever" Pyle

 

 

 

Updated Nov 07, 2022
Version 2.0
  • If I am not mistaken, the role is not installed. Will double check Ned. 

  • Karl-WE I don't know what you mean re: Core server. Should be the same, except that running graphical admin tools won't be possible. 

  • Heya Ned, your story is right for Windows OS / Windows Server with GUI but isn't it a bit different with Windows Server core installations?

    Same domain controllers (AD DS) will open these ports, also installing printing services (required SMB and share print$ to access drivers from remote clients) but also Failover Clustering will open these and require the service.

  • Knibbud
    Copper Contributor

    Thanks NedPyle , this clarifies a lot. Does the same apply for "DFS namespaces" role as well? ==> "by adding DFS Namespaces role on a DC, you are not decreasing the security on a DC. Those same firewall ports were opened by DCPROMO"?

  • Knibbud It doesn't actually do anything extra on a DC, which already opens the firewall rules for SMB and DFSN usage (which as you point out, automatically happens for SYSVOL). DCPROMO does some rather wacky things that effectively install the File Server, DFSN, and DFSR roles without actually installing the roles, including adding the services, opening firewall.

     

    Bottom line: by adding this FS role on a DC, you are not decreasing the security on a DC. Those same firewall ports were opened by DCPROMO. 

  • Knibbud
    Copper Contributor

    NedPyle , Might be slightly off topic. What does this role do for security? For sure less is more. 
    The challenge I face is the following. When enabling DFS namespaces on a domain controller it automatically enables the File Server role as well. If you might wonder why would you install DFS namespaces on a DC then the answer is, that it is coming from MS Guidance on this topic: "Server Hosting Domain-Based Namespaces ==> Must be a member server or domain controller in the domain in which the namespace is configured. (This requirement applies to every namespace server that hosts a given domain-based namespace.)"

    The challenge I now encounter is that it is considered a best practice NOT to run anything else on a DC than AD, AD integrated DNS and I was hoping to add potentially Domain-Based Namespaces. The process is relatively lite and we need a DC in each location anyways. Especially as no specific requirements system are given for DFS namespaces. On a DC the netlogon folder access requires SMB to be opened up 445/TCP and DFS-R is used to replicate the netlogon with other DCs so enabling the file server role does not seem to dramatically change the setup other than triggering some flags in the security community... file server on a DC.. No Way!!

     

    So assuming that we will not turn this DC into a file server, does the File Server role further reduce security for a DC when installing the DFS namespaces and thus File Server role?

  • PhoenixTK2080 FSRM definitely does a bunch of that stuff, is a separate feature (File Server Resource Manager), maybe that's what you're remembering?

  • PhoenixTK2080
    Copper Contributor

    Hi NedPyle,

    If I recall, the File server role will also install the advanced features regarding reports, shares management, etc. I know that we used to produce many scheduled reports for our servers data analytics (storage by share, capacity management, etc.).

    Well, I'll need to take another look at that! Could I've mixed features?! 😛