File and printer sharing services provide useful functionality in network environments but can pose security risks. In enterprise environments, these services must be systematically controlled through centralized management. Active Directory Group Policy Objects (GPOs) allow consistent security policies to be applied across all domain computers.
1. Methods to Disable File and Printer Sharing Services
1.1. Windows Firewall Configuration via GPO (Recommended)
This is the most effective and secure method, controlling file and printer sharing through Windows Firewall.
1.1.1. Configuration Path
```
Computer Configuration
└── Administrative Templates
    └── Network
        └── Network Connections
            └── Windows Firewall
                └── Domain Profile
```
1.1.2. Detailed Configuration Steps
Step | Action |
---|---|
1 | Launch Group Policy Management Console |
2 | Select target OU and create new GPO or edit existing GPO |
3 | Navigate to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile |
4 | Double-click “Windows Firewall: Allow file and printer sharing exception” policy |
5 | Select “Disabled” |
6 | Click Apply > OK |
7 | Link and deploy GPO |
1.1.3. Affected Ports
- TCP 139: NetBIOS Session Service
- TCP 445: SMB over TCP
- UDP 137: NetBIOS Name Service
- UDP 138: NetBIOS Datagram Service
1.2. Service Disabling Method
1.2.1. Service Control via GPO
Configuration Path | Setting |
---|---|
Computer Configuration > Windows Settings > Security Settings > System Services | Set Server service to Disabled |
Computer Configuration > Windows Settings > Security Settings > System Services | Configure Workstation service (if needed) |
1.2.2. Command-Line Service Control
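```
# Stop and disable the Server service
# (sc.exe rather than sc: in Windows PowerShell, sc is an alias for Set-Content)
sc.exe stop lanmanserver
sc.exe config lanmanserver start= disabled
# Control the Workstation service (if needed)
# Netlogon depends on Workstation; disabling it on a domain member breaks domain logon and Group Policy processing
sc.exe stop lanmanworkstation
sc.exe config lanmanworkstation start= disabled
```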
1.3. Registry-Based Method
Registry settings that can be used for GPO deployment scripts or automation.
1.3.1. Registry Key Location
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer
1.3.2. Configuration Values
Value Name | Data Type | Setting Value | Description |
---|---|---|---|
Start | REG_DWORD | 4 | Service disabled (4=Disabled) |
1.3.3. PowerShell Script Example
```powershell
# Disable the Server service (applies at the next boot; a service that is already running is not stopped)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer" -Name "Start" -Value 4
# Verify changes
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer" -Name "Start"
```
1.4. Network Adapter Binding Removal
Use this method when you need to disable file and printer sharing on specific network adapters only.
1.4.1. Using nvspbind Tool
```
# Check network adapter GUID
wmic nicconfig get description,settingid
# Remove file and printer sharing from specific adapter
nvspbind.exe /d {AdapterGUID} ms_server
```
2. Policy Validation and Verification Methods
2.1. GPO Application Verification
```
# Force GPO update
gpupdate /force
# Verify applied policies
gpresult /r
# Check Resultant Set of Policy (RSoP)
rsop.msc
```
2.2. Service Status Check
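```
# Query service status
sc.exe query lanmanserver
# Check firewall rules (name= matches an exact rule name, not the group; the SMB inbound rule is shown here)
netsh advfirewall firewall show rule name="File and Printer Sharing (SMB-In)"
```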
2.3. Port Status Check
```
# Check open ports (findstr treats space-separated strings as alternatives)
netstat -an | findstr ":445 :139 :137 :138"
# Check specific port listening status
netstat -an | findstr "LISTENING" | findstr ":445"
```
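The checks from sections 2.2 and 2.3 combined into one script, as an added example that is not part of the original page. The function names and the host name WS-EXAMPLE-01 are placeholders, and Windows 8.1 / Server 2012 R2 or later is assumed. The second function connects from another machine because a local listener list does not show whether the firewall policy is blocking the port.

```powershell
# Added example, not from the original page. Function names and WS-EXAMPLE-01 are placeholders.
# Assumes Windows 8.1 / Server 2012 R2 or later (Get-NetTCPConnection, Test-NetConnection).

# Local view (sections 1.3, 2.2, 2.3): service configuration and sockets open on this host.
function Get-LocalSharingState {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'
    $start = (Get-ItemProperty -Path $key -Name Start).Start
    $svc   = Get-Service -Name LanmanServer
    $tcp   = @(Get-NetTCPConnection -State Listen -LocalPort 139, 445 -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty LocalPort -Unique)
    $udp   = @(Get-NetUDPEndpoint -LocalPort 137, 138 -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty LocalPort -Unique)
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        StartValue         = $start          # 4 = Disabled
        ServiceStatus      = $svc.Status
        # Start = 4 written to the registry does not stop a service that is already running
        DisabledButRunning = ($start -eq 4 -and $svc.Status -eq 'Running')
        TcpListening       = $tcp
        UdpOpen            = $udp
    }
}

# Network view: run from a different domain machine to confirm the firewall GPO
# actually refuses inbound connections on the TCP ports listed in section 1.1.3.
function Test-SharingPortsReachable {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        foreach ($port in 139, 445) {
            $r = Test-NetConnection -ComputerName $name -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                ComputerName = $name
                Port         = $port
                # False is the expected result after the GPO applies (also False if the host is offline)
                Reachable    = $r.TcpTestSucceeded
            }
        }
    }
}

Get-LocalSharingState | Format-List
Test-SharingPortsReachable -ComputerName 'WS-EXAMPLE-01' | Format-Table -AutoSize
```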
3. Recommended Settings and Considerations
3.1. Recommended Approaches
Method | Rating | Reason |
---|---|---|
Windows Firewall GPO | ★★★★★ | Safe and centrally manageable |
Service Disabling GPO | ★★★★☆ | Effective but may impact some functionality |
Command-line/Scripts | ★★★☆☆ | Useful for automation but complex to manage |
Manual Configuration | ★★☆☆☆ | Suitable only for small environments |
3.2. Important Considerations
- Domain Controllers: Exercise caution as domain controllers require SYSVOL and NETLOGON shares
- Server Systems: Exclude systems serving as file servers or printer servers
- Management Tool Impact: May affect management tools like PSExec, WMI, Remote Registry
- Backup and Rollback: Perform thorough testing in test environments before policy application
4. Exception Settings and Special Situation Handling
4.1. Specific IP Range Allowance
Where the exception must remain available to some sources, set the policy to “Enabled” in the Windows Firewall GPO settings and enter the allowed IP addresses in the “Allow unsolicited incoming messages from” field:
- Allow all IPs: *
- Allow specific IPs: 192.168.1.100,192.168.1.101
- Allow subnets: 192.168.1.0/24
4.2. Differential Application by OU
```
├── Servers OU (Allow file sharing)
├── Workstations OU (Block file sharing)
└── Admin OU (Admin exception settings)
```