During server migrations, particularly when dealing with legacy systems like Windows Server 2003 to 2012 upgrades, administrators often need to temporarily disable file sharing while maintaining all configuration settings for potential rollback scenarios. The main requirements are:
- Immediate termination of share access
- Zero configuration loss
- Quick restoration capability
- No permission changes
The Windows Server service (LanmanServer) is responsible for sharing local resources. Stopping this service will immediately disable all file shares while preserving their configurations. Here's how to implement this:
# Stop the Server service (-Force also stops any services that depend on it)
Stop-Service -Name "LanmanServer" -Force
# Verify the service status
Get-Service -Name "LanmanServer"
# For rollback, restart the service; dependent services stopped by -Force must be started again separately
Start-Service -Name "LanmanServer"
For more granular control, you can block SMB ports via Windows Firewall:
netsh advfirewall firewall add rule name="Block SMB" dir=in action=block protocol=TCP localport=445,139
netsh advfirewall firewall add rule name="Block SMB" dir=out action=block protocol=TCP localport=445,139
To restore access:
netsh advfirewall firewall delete rule name="Block SMB"
For the most persistent solution (surviving reboots), modify the Server service startup type:
# Set startup to Disabled (use sc.exe: in Windows PowerShell, "sc" alone is an alias for Set-Content)
sc.exe config LanmanServer start= disabled
# For rollback, set back to Automatic
sc.exe config LanmanServer start= auto
After implementing any of these methods, verify effectiveness:
- Attempt to access shares from client machines (should fail)
- Check share configurations remain intact (net share command)
- Validate registry entries at HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
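The configuration check from the list above, as an added example (not code from the original page): it snapshots the Shares registry key, including the Security subkey that holds share-level permissions, before sharing is disabled and compares it afterwards. The function names and the C:\MigrationBackup path are assumptions.

```powershell
# Added example. Function names and the C:\MigrationBackup path are assumptions.
$SharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'

function Get-ShareSnapshot {
    # Reads the registry directly, so it works while LanmanServer is stopped.
    $snap = @{}
    foreach ($path in $SharesKey, "$SharesKey\Security") {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $value = $key.GetValue($name)
            # Share definitions are REG_MULTI_SZ; share ACLs under Security are REG_BINARY.
            $text = if ($value -is [byte[]]) { [BitConverter]::ToString($value) } else { @($value) -join ';' }
            $snap["$path|$name"] = $text
        }
    }
    return $snap
}

function Save-ShareBaseline {
    param([string]$BackupDir = 'C:\MigrationBackup')   # assumed location
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    # Full key export kept as a rollback artefact alongside the comparison baseline.
    & reg.exe export ($SharesKey -replace '^HKLM:', 'HKLM') "$BackupDir\Shares-$stamp.reg" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    $baselinePath = "$BackupDir\Shares-$stamp.xml"
    Export-Clixml -InputObject (Get-ShareSnapshot) -Path $baselinePath
    return $baselinePath
}

function Test-ShareConfigIntact {
    param([Parameter(Mandatory = $true)][string]$BaselinePath)
    $baseline = Import-Clixml -Path $BaselinePath
    $current  = Get-ShareSnapshot
    $problems = @()
    foreach ($name in $baseline.Keys) {
        if (-not $current.ContainsKey($name)) { $problems += "MISSING: $name" }
        elseif ($current[$name] -cne $baseline[$name]) { $problems += "CHANGED: $name" }
    }
    foreach ($name in $current.Keys) {
        if (-not $baseline.ContainsKey($name)) { $problems += "ADDED: $name" }
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

# Before disabling sharing:  $baseline = Save-ShareBaseline
# After disabling sharing:   Test-ShareConfigIntact -BaselinePath $baseline   # $true when nothing changed
```

Run it from an elevated session on the old server; the timestamped .reg file can be re-imported with reg.exe import if a share definition is lost.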
When planning your migration window:
- Implement the chosen share disable method
- Update DNS records to point to the new server
- Monitor client connections to both old and new systems
- Maintain the old system in this state for at least 48 hours post-migration
During infrastructure upgrades, we often need to temporarily disable services while preserving their configurations for potential rollback. With Windows file shares, this requires careful handling since simply stopping the Server service would break all SMB functionality.
The cleanest approach is creating firewall rules to block SMB traffic while keeping shares configured:
netsh advfirewall firewall add rule name="Block SMB Inbound" dir=in action=block protocol=TCP localport=445,139
netsh advfirewall firewall add rule name="Block SMB Outbound" dir=out action=block protocol=TCP localport=445,139
For legacy systems without advanced firewall:
sc config lanmanserver start= disabled
net stop lanmanserver
Re-enable with:
sc config lanmanserver start= auto
net start lanmanserver
After implementation, test from a client machine:
net use \\server\sharename
This should return "System error 53 has occurred" or a similar network-path-not-found error.
Here's how we implemented this during our last migration:
- Document all existing shares using net share
- Implement firewall blocking 24h before cutover
- Monitor event logs for any failed access attempts
- For rollback, simply remove firewall rules
- Local NTFS permissions remain intact with both methods
- Firewall method allows quicker toggling (seconds vs service restart minutes)
- Remember to document which method was used for the rollback team