6

Background

We're currently upgrading an old app from running on Windows Server 2003 to running it on Windows Server 2012.

Users and other systems communicate with this system via HTTP (i.e. users accessing the website), FTP (files to sync data from client devices) and Windows Shares (files to sync data from devices which don't have FTP capabilities).

To do this migration, I'd like to disable the current live system and repoint users to the new one. I want to ensure the old website, FTP and file shares are inaccessible so there's no chance of anyone communicating to the old locations (i.e. I want them to get an error if they somehow reach the old system; so we know there's an issue rather than waiting for someone to notice integrity issues due to (say) files queueing up on the shares).

However, after the migration we'll be running some tests to know if all's worked. If there are issues we may wish to roll back to the current solution - I want this to be painless & as risk free as possible.

For FTP: I'll stop & the FTP (FileZilla) service; meaning for roll back I just have to start this service and it will be instantly accessible, without any additonal configuration (e.g. recreating users & permissions).

For HTTP: I'll stop the IISAdmin and W3Svc services; same reasoning as above.

Question:

Is there a simple way to disable network sharing (i.e. make windows shares innaccessible without changing the permissions on those shares / their config) on Windows Server 2003 without losing configuration settings?

JohnLBevan
  • 1,214
  • 7
  • 22
  • 46

3 Answers3

11

Two methods I can think of that don't require modifying the shares:

  1. Disable the Server service. (ServiceName: LanmanServer. DisplayName: server)

and/or

  1. Unbind File and Printer Sharing on the NIC.
StackzOfZtuff
  • 1,842
  • 13
  • 21
joeqwerty
  • 109,901
  • 6
  • 81
  • 172
  • 1
    Both of these have the effect that I, at least, would be irked by-- that being that I couldn't access the administrative shares anymore. I would assume normal users weren't accessing them (and therefore there's no risk in keeping them around), but they'd still be available to me to allow for easy access to the source machine during the migration. – Evan Anderson Oct 16 '14 at 21:25
4

Here's what I'd do.

  • Backup the HKLM\System\CurrentControlSet\Services\LanManServer\Shares registry key and subkeys
  • Delete any shares you want to "disable".
  • Restart the "Server" service.
  • Restore the shares from the registry backup to "enable" them again.

It's a bit heavy-handed, but I'd prefer that to @TheCleaner's suggestion of changing permission because it makes the shares gone w/ no chance of anybody accessing them, "Domain Admins" member or otherwise.

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331
  • Thanks Evan; sounds like a pretty safe solution. I'll avoid marking as accepted answer for the mo, in the hope someone comes up with an even simpler & less risky option... but I suspect I'll be ticking your answer soon... Thanks again. – JohnLBevan Oct 16 '14 at 19:43
  • 1
    Sorry Evan and John, I should have been more clear. Since you are migrating I meant setup the new shares on the new server with those permissions I stated, and lock it down via NTFS security. Much easier to manage that way. Then just disable the old shares on the old server once you point the clients to the new one after a final robocopy to grab the updated changes prior to final migration. – TheCleaner Oct 16 '14 at 21:11
2

I know this is an old question, but I had a similar requirement recently, albeit on Windows Server 2008 R2. Here is one option that came to mind: Block share access via Windows Firewall:

In Windows Server 2003 SP1:

Control Panel > Windows Firewall > Exceptions tab > Untick File and Printer Sharing > OK button.

In my case I ended up putting a Deny on the share permissions, but since you required a solution that doesn't change existing permissions or config, I thought I'd mention the host firewall option.

Jimadine
  • 141
  • 3