What are the implications of "Do you want to allow your PC to be discoverable by other PCs and devices on this network?" on AWS EC2?

When a Windows Server EC2 is started, it immediately prompts

Do you want to allow your PC to be discoverable by other PCs and devices on this network?

I can also see how to turn it on/off here

My question is, are there implications (security or otherwise) for Windows Server EC2 instances? In layman's terms, what does it mean I can/cannot do?

stevec, asked Jun 10 '19 18:06


2 Answers

By enabling this you will be discoverable to all Windows instances in your current subnet, assuming security group permissions are there.

For your security group it is important that you keep the scope as limited as you can do, for example allowing 0.0.0.0/0 (which allows inbound access for anyone) is considered bad practice.

Instead, create a dedicated security group for Network Discovery and, for each port you add to it, add the source as the Network Discovery security group. By referencing a logical resource instead of specifying a CIDR range you can limit the scope of discoverable instances to a specific subset of your instances.

Ultimately I would suggest that you leave this off unless you specifically want to use certain features like Windows Folder Sharing.

You can still perform a standard Windows folder share which is accessible outside of the subnet, but this will require your other machine to be able to connect to your Windows server with valid credentials for that server with the correct permissions.

By selecting No the only functionality disabled is that other hosts on the same subnet as you cannot automatically discover your Windows host.

Chris Williams, answered Nov 20 '22 04:11
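A worked version of the self-referencing security group described in the answer above, added here as an example (it is not part of Chris Williams's answer). It drives the AWS CLI from PowerShell and assumes AWS CLI v2 is installed with credentials and a default region configured; the group name `windows-network-discovery` and the `$VpcId` parameter are placeholders. The ports are the inbound ones from the Network Discovery firewall rule list in the next answer.

```powershell
# Added example (not from the original answer): build a security group for
# Windows Network Discovery whose only allowed source is the group itself.
# Assumptions: AWS CLI v2 on PATH, credentials and region already configured.
param(
    [Parameter(Mandatory = $true)][string]$VpcId,
    [string]$GroupName = 'windows-network-discovery'   # hypothetical name
)
$ErrorActionPreference = 'Stop'

# Inbound ports opened by the "Network Discovery" firewall group. Security
# groups are stateful, so only the inbound side needs rules here.
$DiscoveryPorts = @(
    @{ Protocol = 'udp'; Port = 137;  Note = 'NetBIOS Name Service' },
    @{ Protocol = 'udp'; Port = 138;  Note = 'NetBIOS Datagram' },
    @{ Protocol = 'udp'; Port = 1900; Note = 'SSDP' },
    @{ Protocol = 'udp'; Port = 3702; Note = 'WS-Discovery' },
    @{ Protocol = 'udp'; Port = 5355; Note = 'LLMNR' },
    @{ Protocol = 'tcp'; Port = 2869; Note = 'UPnP' },
    @{ Protocol = 'tcp'; Port = 5357; Note = 'WSDAPI events' },
    @{ Protocol = 'tcp'; Port = 5358; Note = 'WSDAPI events (secure)' }
)

# 1. Create the group; --query/--output text yields just the sg-... id.
$GroupId = aws ec2 create-security-group `
    --group-name $GroupName `
    --description 'Windows Network Discovery, group members only' `
    --vpc-id $VpcId `
    --query 'GroupId' --output text
if ($LASTEXITCODE -ne 0) { throw 'create-security-group failed' }

# 2. For every port the SOURCE is the group itself (--source-group), not a
#    CIDR, so only instances carrying this group can reach these ports.
foreach ($Rule in $DiscoveryPorts) {
    aws ec2 authorize-security-group-ingress `
        --group-id $GroupId `
        --protocol $Rule.Protocol `
        --port $Rule.Port `
        --source-group $GroupId | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "authorize failed for $($Rule.Protocol)/$($Rule.Port)" }
    Write-Host ("allowed {0}/{1} from {2} ({3})" -f $Rule.Protocol, $Rule.Port, $GroupId, $Rule.Note)
}

# 3. Sanity check: the group must not contain a world-open (0.0.0.0/0 or ::/0) rule.
$WorldOpen = [int](aws ec2 describe-security-groups --group-ids $GroupId `
    --query "length(SecurityGroups[0].IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0'] || Ipv6Ranges[?CidrIpv6=='::/0']])" `
    --output text)
if ($WorldOpen -gt 0) { throw "group $GroupId has $WorldOpen world-open rule(s)" }
Write-Host "Security group $GroupId allows Network Discovery ports from its own members only."
```

Save it as a script and run it with `-VpcId <your VPC id>`, then attach the resulting group to exactly the Windows instances that should be able to discover each other; any instance without the group gets no inbound access to these ports, whatever the Windows firewall says.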


Windows Network Discovery actually opens a bunch of different inbound/outbound ports on the Windows Server instance. A (somewhat) outdated list is available in some scientific publications and books, e.g. [1]:

Inbound

■ Network Discovery (LLMNR-UDP-In) Creates an inbound rule to allow Link Local Multicast Name Resolution on UDP port 5355.

■ Network Discovery (NB-Datagram-In) Creates an inbound rule to allow NetBIOS Datagram transmission and reception on UDP port 138.

■ Network Discovery (NB-Name-In) Creates an inbound rule to allow NetBIOS Name Resolution on UDP port 137.

■ Network Discovery (Pub-WSD-In) Creates an inbound rule to discover devices via Function Discovery on UDP port 3702.

■ Network Discovery (SSDP-In) Creates an inbound rule to allow use of the Simple Service Discovery Protocol on UDP port 1900.

■ Network Discovery (UPnP-In) Creates an inbound rule to allow use of Universal Plug and Play on TCP port 2869.

■ Network Discovery (WSD Events-In) Creates an inbound rule to allow WSDAPI Events via Function Discovery on TCP port 5357.

■ Network Discovery (WSD EventsSecure-In) Creates an inbound rule to allow Secure WSDAPI Events via Function Discovery on TCP port 5358.

■ Network Discovery (WSD-In) Creates an inbound rule to discover devices via Function Discovery on UDP port 3702.

Outbound

■ Network Discovery (LLMNR-TCP-Out) Creates an outbound rule to allow LLMNR on TCP port 5355.

■ Network Discovery (LLMNR-UDP-Out) Creates an outbound rule to allow LLMNR on UDP port 5355.

■ Network Discovery (NB-Datagram-Out) Creates an outbound rule to allow NetBIOS Datagram transmission and reception on UDP port 138.

■ Network Discovery (NB-Name-Out) Creates an outbound rule to allow NetBIOS Name Resolution on UDP port 137.

■ Network Discovery (Pub WSD-Out) Creates an outbound rule to discover devices via Function Discovery on UDP port 3702.

■ Network Discovery (SSDP-Out) Creates an outbound rule to allow use of the Simple Service Discovery Protocol on UDP port 1900.

■ Network Discovery (UPnPHost-Out) Creates an outbound rule to allow the use of Universal Plug and Play over TCP (all ports).

■ Network Discovery (UPnP-Out) Creates a second outbound rule to allow the use of Universal Plug and Play over TCP (all ports).

■ Network Discovery (WSD Events-Out) Creates an outbound rule to allow WSDAPI Events via Function Discovery on TCP port 5357.

■ Network Discovery (WSD EventsSecure-Out) Creates an outbound rule to allow for Secure WSDAPI Events via Function Discovery on TCP port 5358.

■ Network Discovery (WSD-Out) Creates an outbound rule to discover devices via Function Discovery on UDP port 3702.

If your security groups for the EC2 instance are set up correctly, there should probably be no real security implications. Inbound ports used by several network discovery features should be blocked by AWS Security Groups by default.

What I honestly do not know: whether the Windows services create outbound traffic which makes the EC2 instance visible to other instances inside the same VPC subnet. That is definitely possible... Maybe there is someone reading this thread who knows this for sure?

Btw.: I found two discussions on the official AWS forums. Maybe they are useful to someone reading this thread: [2][3].

References

[1] Google Books: How to Cheat at Microsoft Vista Administration
[2] https://forums.aws.amazon.com/thread.jspa?threadID=62760
[3] https://forums.aws.amazon.com/thread.jspa?threadID=110844

Martin Löper, answered Nov 20 '22 03:11
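To see how the rule list above maps onto a running instance, here is an added example (it is not part of Martin Löper's answer). It assumes Windows Server 2012 or later, where the NetSecurity module is built in, and an elevated PowerShell session on the instance. The profile logic relies on how the prompt works: answering "Yes" places the connection in the Private profile and "No" in the Public profile, and each Network Discovery rule is bound to one or more profiles, so the answer decides which of the listed rules are actually in effect.

```powershell
# Added example (not part of the original answer): report which inbound
# "Network Discovery" rules are effective on this Windows Server's active
# network profile(s), and optionally disable the whole group.
# Assumes Windows Server 2012+ (NetSecurity module) and an elevated session.
[CmdletBinding()]
param([switch]$Disable)

$Group = 'Network Discovery'

# The discoverability prompt decides the profile: "Yes" = Private, "No" = Public.
# Domain-joined connections report DomainAuthenticated, i.e. the Domain profile.
$Active = @(Get-NetConnectionProfile | ForEach-Object {
    if ($_.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { [string]$_.NetworkCategory }
} | Sort-Object -Unique)
Write-Host "Active firewall profile(s): $($Active -join ', ')"

# Join every inbound rule with its port filter so the report shows
# protocol/port rather than rule names alone.
$Report = foreach ($Rule in Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound) {
    $Filter   = $Rule | Get-NetFirewallPortFilter
    $Profiles = [string]$Rule.Profile      # 'Private', 'Public', 'Private, Public' or 'Any'
    $OnActive = ($Profiles -eq 'Any') -or
                (($Active | Where-Object { $Profiles -match $_ }).Count -gt 0)
    [pscustomobject]@{
        Rule      = $Rule.DisplayName
        Protocol  = $Filter.Protocol
        LocalPort = ($Filter.LocalPort -join ',')
        Profile   = $Profiles
        Enabled   = $Rule.Enabled
        Effective = ($Rule.Enabled -eq 'True') -and $OnActive   # reachable right now
    }
}
$Report | Sort-Object Effective -Descending | Format-Table -AutoSize

$Exposed = @($Report | Where-Object Effective)
if ($Exposed.Count -gt 0) {
    $Ports = ($Exposed | ForEach-Object { "$($_.Protocol)/$($_.LocalPort)" } | Sort-Object -Unique) -join ' '
    Write-Warning "$($Exposed.Count) inbound Network Discovery rule(s) are live: $Ports"
} else {
    Write-Host 'No inbound Network Discovery rule is effective on the active profile(s).'
}

if ($Disable) {
    # Switch the whole group off for every profile, regardless of how the prompt was answered.
    Set-NetFirewallRule -DisplayGroup $Group -Enabled False
    Write-Host "Disabled all '$Group' rules (inbound and outbound)."
}
```

Run it without arguments to audit, or with `-Disable` to turn the group off outright rather than relying on the profile chosen at the prompt. On the open question about outbound traffic: the outbound rules in the list serve the same discovery protocols (LLMNR, SSDP, WS-Discovery, NetBIOS name queries), which announce and probe over multicast or broadcast, and standard VPC networking does not deliver multicast or broadcast between instances, so those announcements do not reach subnet neighbours on their own; what the security group and firewall profile govern is the unicast follow-up traffic to the listed ports.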