Heya folks, Ned here again. Today I clear up an old idiosyncrasy of Windows Server: if the SMB Server service is always installed, why is there a role called "File Server" and what does enabling it do?
Let's... role ;)
Default SMB firewall behavior
The SMB Server service - "Server", aka "Lanmanserver" - always exists in Windows and isn't something you install; it's just there, as soon as you install the OS. However, since Windows XP and Windows Server 2003, that service can't be contacted from remote machines by default because the built-in firewall blocks it. SMB needs, at a minimum, TCP/445 inbound and without that port opening, there is no remote file serving in SMB2+ on any supported versions of Windows. Even though the C$ and ADMIN$ built-in shares exist by default, no one can access them from a remote machine by default.
But you probably don't remember opening a firewall port on your file server, right? You created a share and it just worked. That's because as soon as you create a custom SMB share, SMB Server automatically enable the various SMB firewall rules for file servers for access, administration, applications, etc. Watch:
That works well for dedicated file servers - as soon as you add a share, everything is taken care of. But we also needed a way to just enable file server administration and grant administrators access to the built-in system shares C$ and Admin$ using SMB2+ on all Windows Servers. We didn't want them to have to create a share just to access some existing built-in shares. And we didn't want them to dig around in the firewall looking for the right rules to enable for management. So when you "install" the file server role, we just enable the basic ports needs for file server administration and accessing those built-in SMB shares; no legacy stuff or historical app compat, just the very basic. In fact, it's very possible the server is not a "file server", so much as one you just want to copy a few files to or from as an administrator.
Here I am adding the File Server role:
And here are the firewall rules enabled:
So now you know. I'm thinking about changing the default firewall rules opened by creating a share as they are a legacy from older times; we'd do this in the Windows Insider builds first and see how many tens of thousands of applications I can break that were piggybacking on those. It's going to take awhile. >_<
You are now ready for File Server trivia night at any bar or restaurant near Microsoft campus. I prefer PostDoc, myself.
Until next time,
- Ned "the name 'firewall' is very dumb, a real firewall allows nothing through, ever" Pyle