This object monitors firewall inbound rules for File and Printer Sharing and generates an alert if either the rules are disabled or the corresponding TCP ports are blocked.
This object monitors firewall inbound rules for File and Printer Sharing and generates an alert if either the rules are disabled or the corresponding TCP ports 445 and 139 are blocked.
This monitor can enter a Critical health state for the following reasons:
The Windows Firewall is not running.
Firewall rules for File and Printer Sharing targeting TCP port 445 or 139 are disabled.
If the health state is unknown, it means that monitoring has not yet begun for this object.
Determine if Windows Firewall is enabled
To determine if Windows Firewall is enabled, use the following procedure:
1. At an elevated command prompt on the affected server, type: sc query mpssvc and press ENTER.
2. If the firewall is not running, type the following command: net start mpssvc.
Determine if port firewall rules are enabled
To determine if the firewall rules for the ports are enabled, use the following procedure:
1. Open the Control Panel on the affected server, click System and Security, and then click Windows Firewall.
2. In the left pane, click Advanced Settings and then click Inbound Rules.
3. Check whether the following rules are enabled and the Action is Allow:
File and Printer Sharing (NB-Session-In)
File and Printer Sharing (SMB-In)
4. If the firewall rules are not enabled, click the rule, and on the Action menu, click Enable Rule.
This monitor automatically resets to a Healthy state after you resolve the issue.
Target | Microsoft.Windows.FileServices.Service.SMB.6.3 | ||
Parent Monitor | System.Health.AvailabilityState | ||
Category | Custom | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.Windows.TimedScript.TwoStateMonitorType | ||
Remotable | True | ||
Accessibility | Public | ||
Alert Message |
| ||
RunAs | Microsoft.Windows.FileServices.MonitoringAccount |
<UnitMonitor ID="Microsoft.Windows.FileServices.Service.SMB.6.3.FirewallPortConfig" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.FileServices.Service.SMB.6.3" ParentMonitorID="SystemHealth!System.Health.AvailabilityState" Remotable="true" Priority="Normal" RunAs="FileServices!Microsoft.Windows.FileServices.MonitoringAccount" TypeID="Windows!Microsoft.Windows.TimedScript.TwoStateMonitorType" ConfirmDelivery="false">
<Category>Custom</Category>
<AlertSettings AlertMessage="Microsoft.Windows.FileServices.Service.SMB.6.3.FirewallPortConfig.AlertMessage">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Error</AlertSeverity>
</AlertSettings>
<OperationalStates>
<OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Error"/>
<OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>
</OperationalStates>
<Configuration>
<IntervalSeconds>30</IntervalSeconds>
<SyncTime/>
<ScriptName>CheckFirewallPort.vbs</ScriptName>
<Arguments>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Arguments>
<ScriptBody>
Option Explicit
SetLocale("en-us")
Dim oArgs
Dim serverName
Set oArgs = WScript.Arguments
If oArgs.Count < 1 Then
Wscript.Quit -1
Else
serverName = oArgs(0)
End If
' NET_FW_PROFILE_TYPE2
Const NET_FW_PROFILE2_DOMAIN = &h0001
Const NET_FW_PROFILE2_PRIVATE = &h0002
Const NET_FW_PROFILE2_PUBLIC = &h0004
Const NET_FW_IP_PROTOCOL_TCP = &h0006
' Create the FwPolicy2 object
Dim fwPolicy2
Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")
Dim fwCurrentProfile, fwCheckProfile
fwCurrentProfile = fwPolicy2.CurrentProfileTypes
fwCheckProfile = fwCurrentProfile And (NET_FW_PROFILE2_DOMAIN Or NET_FW_PROFILE2_PRIVATE)
Dim fwFileSharingPortsEnabled
fwFileSharingPortsEnabled ="False"
Dim rule
For Each rule in fwPolicy2.Rules
If (rule.Protocol = NET_FW_IP_PROTOCOL_TCP) And (rule.LocalPorts = "445") Then
If (Not rule.Enabled) And (rule.Profiles And fwCheckProfile ) Then
fwFileSharingPortsEnabled = "True"
Exit For
End If
End If
Next
Dim regularShareExist, objWMIService, colShares, objShare
regularShareExist = "False"
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & serverName & "\root\microsoft\windows\smb")
Set colShares = objWMIService.ExecQuery("Select * from MSFT_SmbShare")
For each objShare in colShares
If objShare.Special = "False" Then
regularShareExist = "True"
Exit For
End If
Next
Dim portStatus
portStatus = "Disabled"
' Only if regular share exists and port 139/445 are not open will portStatus be returned as "Disabled"
If fwFileSharingPortsEnabled = "True" Then
portStatus = "Enabled"
Else
If regularShareExist = "False" Then
portStatus = "Enabled"
End If
End If
Dim oAPI, oBag
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()
Call oBag.AddValue ("PortStatus", portStatus)
Call oAPI.Return(oBag)
</ScriptBody>
<TimeoutSeconds>300</TimeoutSeconds>
<ErrorExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='PortStatus']</XPathQuery>
</ValueExpression>
<Operator>NotEqual</Operator>
<ValueExpression>
<Value Type="String">Enabled</Value>
</ValueExpression>
</SimpleExpression>
</ErrorExpression>
<SuccessExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='PortStatus']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Enabled</Value>
</ValueExpression>
</SimpleExpression>
</SuccessExpression>
</Configuration>
</UnitMonitor>