File and Print Sharing: An Active Directory gotcha

Disabling File and Print Sharing (FPS) for security may cause problems down the road with your Active Directory.

actually need. Many of these capabilities are not obviously linked to the security controls you enforced and often make troubleshooting strange occurrences quite difficult.

One such gotcha that I've encountered is attempting to harden a domain controller connected to an Internet link by disabling the File and Printer Sharing service (the "File and Printer Sharing for Microsoft Networks" component, which is what exposes the Server service's SMB shares on the network). It seems obvious that disabling the ability of this system to share file and printer resources over the network, outside of the context of IIS, is a smart security implementation.

However, a problem will occur the next time you attempt to join a new client or server system to the domain. If you attempt to join using the NetBIOS name of the domain, you'll see the error message: "The following error occurred attempting to join the domain "domain name": The network path was not found." If you attempt to join using the DNS domain name for the domain, you'll see a slightly different error message: "The following error occurred attempting to join the domain "domain name": The remote computer is not available." Both messages mean the same thing: the joining machine located the domain controller but could not open an SMB session to it, and the domain join relies on the SMB shares and named pipes that the DC's Server service provides.

This means that if you plan on joining new systems to a domain, you must have the File and Printer Sharing service active on the domain controller. So, instead of disabling the entire service for the entire system, you should just disable it on the interface connected to the Internet: the component is bound per network adapter, so unbind it from the Internet-facing adapter (and block inbound TCP 139 and 445 there for good measure) while leaving it bound on the LAN interface that your clients reach. Better still, a domain controller should not be directly reachable from the Internet at all, but when the topology forces it, scoping the binding to the internal interface is the minimum.
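The following PowerShell script is an added example and is not part of the original article. It performs the per-interface scoping described above on the domain controller and includes a pre-join check to run from a client that reproduces the symptom without trying a real join. The interface aliases "Internet" and "LAN", the domain name corp.example and the DC name DC1 are hypothetical placeholders, and the script assumes Windows Server 2012 R2 or later, where the NetAdapter, NetSecurity and SmbShare modules exist (the original article predates them).

```powershell
# Added example, not code from the original article.
# Assumed (hypothetical) environment: a DC with two adapters whose interface
# aliases are "Internet" and "LAN", the domain corp.example, and the DC DC1.
# Run Set-SmbBindingScope as an administrator on the DC; run
# Test-DomainJoinPrereq on a workstation before attempting the join.

function Set-SmbBindingScope {
    param(
        [string]$InternetNic = "Internet",   # adapter on the Internet link
        [string]$LanNic      = "LAN"         # adapter that domain clients reach
    )

    # "File and Printer Sharing for Microsoft Networks" is the ms_server
    # binding, i.e. inbound SMB for the Server (LanmanServer) service.
    # Unbind it on the Internet adapter only.
    Disable-NetAdapterBinding -Name $InternetNic -ComponentID ms_server -Confirm:$false

    # Keep it bound on the LAN adapter: domain join needs the DC's shares
    # (NETLOGON, SYSVOL, IPC$) to be reachable from the internal network.
    Enable-NetAdapterBinding -Name $LanNic -ComponentID ms_server

    # Defense in depth: also drop inbound SMB / NetBIOS session traffic on
    # the Internet adapter at the host firewall.
    if (-not (Get-NetFirewallRule -DisplayName "Block inbound SMB on Internet NIC" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName "Block inbound SMB on Internet NIC" `
            -Direction Inbound -Protocol TCP -LocalPort 139,445 `
            -InterfaceAlias $InternetNic -Action Block | Out-Null
    }

    # Show the resulting per-adapter state of the binding.
    Get-NetAdapterBinding -ComponentID ms_server |
        Select-Object Name, DisplayName, Enabled | Format-Table -AutoSize

    # The Server service itself must still run and still offer the shares
    # that a domain join reads from.
    Get-Service LanmanServer | Select-Object Name, Status
    Get-SmbShare -Name NETLOGON, SYSVOL | Select-Object Name, Path
}

function Test-DomainJoinPrereq {
    param(
        [string]$DomainName = "corp.example",
        [string]$DcName     = "DC1"
    )

    # Step 1: DNS must still advertise a DC for the domain.
    $srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$DomainName" -ErrorAction SilentlyContinue
    if (-not $srv) {
        Write-Warning "No _ldap._tcp.dc._msdcs SRV record for $DomainName; fix DNS before worrying about SMB."
        return $false
    }

    # Step 2: the SMB port on the DC must answer. If the DC resolves and LDAP
    # (389) answers but 445 does not, you are looking at the FPS gotcha from
    # the article rather than a name-resolution or routing problem.
    $ldap = Test-NetConnection -ComputerName $DcName -Port 389 -WarningAction SilentlyContinue
    $smb  = Test-NetConnection -ComputerName $DcName -Port 445 -WarningAction SilentlyContinue

    if ($ldap.TcpTestSucceeded -and -not $smb.TcpTestSucceeded) {
        Write-Warning "$DcName answers LDAP but not SMB: File and Printer Sharing is probably unbound on the interface you reach it through."
        return $false
    }
    if (-not $smb.TcpTestSucceeded) {
        Write-Warning "$DcName is not reachable on TCP 445 from this host."
        return $false
    }

    # Step 3: confirm the share itself is visible; this is what the join reads.
    $netlogon = Get-ChildItem "\\$DcName\NETLOGON" -ErrorAction SilentlyContinue
    if ($null -eq $netlogon) {
        Write-Warning "TCP 445 is open but \\$DcName\NETLOGON cannot be listed; check the share and the Server service."
        return $false
    }

    Write-Host "Domain join prerequisites look good for $DomainName via $DcName."
    return $true
}
```

Test-DomainJoinPrereq separates the three things that produce the same "network path was not found" symptom (DNS, SMB reachability, and the share itself), so you can tell an over-hardened DC apart from a routing or DNS problem before touching the DC. Get-NetAdapterBinding at the end of Set-SmbBindingScope should show Enabled = False only on the Internet adapter; if it shows False on the LAN adapter as well, the join will fail exactly as the article describes.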

James Michael Stewart is a researcher and writer for Lanwrights, Inc.

