4

I've found myself with an interesting problem; I need to push files from one Windows server to another. SMB/CIFS is out because we block the port.

If I were on a Linux / OS X system I'd have SCP; WinRM doesn't support file transfers until PowerShell 3.

I can use any services that come with Windows Server 2008 R2 or Server 2012.

So the question is, who can come up with an original solution?

Edit: To help highlight this requirement TCP 445 is unavailable; any solution will need to use a different port.

Harry Johnston
Preflightsiren
  • 3
    I can't follow. Why does SMB/CIFS not work? You could use NFS, both 2008 R2 and 2012 support it... – MichelZ Jul 19 '12 at 12:34
  • 5
    `"SMB/CIFS is out due to sharing the port with Active Directory services."` What? – MDMarra Jul 19 '12 at 12:35
  • I think I forgot to mention, the reason CIFS is out is that these machines talk across a DMZ; Port TCP 445 is used by domain computers to communicate authentication tokens and other sensitive information. To mitigate the risk of attack, we've decided to block TCP 445 which has the side effect of blocking CIFS. – Preflightsiren Jul 19 '12 at 13:05
  • 1
    You should edit your question and explicitly state all ports and restrictions that are specific to your environment. If you can't use token-based auth, how are you going to be authenticated to transfer the files? A separate authentication process? That sort of thing factors into this. – MDMarra Jul 19 '12 at 13:11
  • Also, authentication tokens are distributed over port 88, not 445. 445 is used for password changes, but afaik, no tokens are ever transmitted over it. – MDMarra Jul 19 '12 at 13:42
  • You could use IIS, with https and client certificates. Unless you have someone on-deck with expertise configuring IIS, though, it would be both simpler and safer to buy a third-party SSH server. – Harry Johnston Jul 20 '12 at 21:43
  • in what direction does the data need to flow? from dmz to internal? or the other way round? – cwheeler33 Jul 20 '12 at 23:20

4 Answers

6

Use SMB.

SMB/CIFS is out due to sharing the port with Active Directory services.

I'm not sure what exactly you're talking about, but that's not right. Modern implementations of SMB use SMB over TCP, which happens on port 445. Legacy implementations of SMB rely on NetBIOS over TCP, which uses a combination of ports 137-139. None of these ports are AD specific.

AD relies on a lot of ports; the most common ones are:

  • 53 - DNS resolution
  • 88 - Kerberos
  • 135 - RPC Endpoint Mapping
  • 389 - LDAP
  • 636 - LDAP over SSL
  • 3268 - Global Catalog
  • 3269 - Global Catalog over SSL
  • 49152 - 65535 - for RPC endpoints (on a 2008 and later DC)

Sure some functions of a client logging in use SMB (like processing GPOs), but there's nothing authentication or authorization specific that runs over the same ports as SMB. You seem to be (mistakenly) over-protective of port 445 :-)

MDMarra
  • AD members communicate over TCP 445 for particular AD operations. https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports and http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1d83647a-a124-4bfd-a206-194f338cac3b – Preflightsiren Jul 19 '12 at 12:55
  • Hence, can't use SMB/CIFS :( – Preflightsiren Jul 19 '12 at 12:55
  • I still don't get it. I have an Active Directory running on my Domain Controller, and I'm still able to browse to \\dc\c$ over CIFS/SMB :D – MichelZ Jul 19 '12 at 12:57
  • @Preflightsiren Still not sure what you're trying to say. Are you saying that this will not work because of some conflict, or that there is some security requirement for your network? Are you planning on hosting these shares directly on your Domain Controllers? – MDMarra Jul 19 '12 at 12:59
  • Even if these shares are on DCs, that's not a problem. DCs can host shares - in fact, they have to. \\domain\NETLOGON and \\domain\SYSVOL are important pieces of AD. – mfinni Jul 19 '12 at 13:24
  • @mfinni Agreed, I wasn't suggesting otherwise. But from a security perspective, you might not want to expose SYSVOL to a DMZ if you're in a locked-down environment. – MDMarra Jul 19 '12 at 13:26
  • to cut it short, all TCP 445 traffic is blocked. – Preflightsiren Jul 19 '12 at 13:30
  • 2
    Then you'll have to use a mechanism other than SMB, such as FTP. – joeqwerty Jul 19 '12 at 13:32
2

Since you're blocking the port that Windows natively uses for both authentication and file transfers, you're up a creek for finding a native protocol to do this. You might be able to use NFS for this. You could install FileZilla server (free), and script the transfers with psftp or another SCP client. Since you have no native option, the sky is almost the limit for you.

mfinni
  • NFS might work, but I feel dirty enough using it on Linux, nevermind Windows :) Not to mention it's not *native* in Windows until 2008 R2. The tags here say 2008, but a good option nonetheless. – MDMarra Jul 19 '12 at 14:25
2

Windows Server 2008 only natively supports (both the server and the client for) CIFS and FTP. Everything else requires that you install/download something else. Since CIFS is unavailable this leaves you with FTP.

Chris S
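As an added example (not part of any answer in this thread), here is how the FTP-only option above can be scripted on Server 2008 R2 with PowerShell 2.0, using the .NET `FtpWebRequest` class with explicit TLS so credentials and file contents are not sent in cleartext across the DMZ boundary. The server name, account and paths are placeholders; it assumes an FTPS-capable server (the IIS FTP role or a third-party server) listening on TCP 21 with a certificate the sending host trusts.

```powershell
# Added example: push a file with FTP over explicit TLS (FTPS) using
# System.Net.FtpWebRequest, which exists on Server 2008 R2 / PowerShell 2.0,
# so no PowerShell 3 WinRM file copy and no TCP 445 is needed.
# Assumptions (placeholders): server dmz-ftp.example.local, account xfer-svc,
# an FTPS listener on port 21, write rights to the target folder.

param(
    [string]$LocalPath = 'C:\outbound\payload.zip',
    [string]$FtpUri    = 'ftp://dmz-ftp.example.local/inbound/payload.zip',
    # Prompt instead of hard-coding a password in the script.
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential 'xfer-svc')
)

function Send-FtpsFile {
    param([string]$LocalPath, [string]$FtpUri, [System.Net.NetworkCredential]$Cred)

    $req = [System.Net.FtpWebRequest]::Create($FtpUri)
    $req.Method      = [System.Net.WebRequestMethods+Ftp]::UploadFile
    $req.Credentials = $Cred
    $req.EnableSsl   = $true   # explicit TLS (AUTH TLS) on port 21, not cleartext FTP
    $req.UsePassive  = $true   # client opens the data channel; easier to firewall
    $req.UseBinary   = $true
    $req.KeepAlive   = $false
    # ServerCertificateValidationCallback is deliberately left alone so the
    # server certificate is checked against the machine's trust store.

    $bytes = [System.IO.File]::ReadAllBytes($LocalPath)
    $req.ContentLength = $bytes.Length
    $stream = $req.GetRequestStream()
    try {
        $stream.Write($bytes, 0, $bytes.Length)
    } finally {
        $stream.Close()
    }
    $resp = $req.GetResponse()
    try {
        return $resp.StatusDescription   # server's final reply, typically a 226 line
    } finally {
        $resp.Close()
    }
}

$status = Send-FtpsFile -LocalPath $LocalPath -FtpUri $FtpUri `
                        -Cred $Credential.GetNetworkCredential()
Write-Host "Upload finished: $status"
```

If the transfer runs from a scheduled task, supply `-Credential` from a credential stored for that task account rather than relying on the interactive prompt.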
1

Just a thought in light of all the discussion above, if the server is in a DMZ, are you blocking traffic inbound to the DMZ from the private network? You could connect to the server in the DMZ via SMB/CIFS from a host in the private network and pull the files from the destination server instead of pushing the files.

jbuch