Re: WMI and XP SP2 remote connection problem !!
- From: "HondaHRV" <HondaHRV@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 7 Jun 2005 11:56:03 -0700
Is there a way to do this programmatically?
"Torgeir Bakken (MVP)" wrote:
> HondaHRV wrote:
>
> > I know that XP SP2 blocks the WMI remote connections, but why do Microsoft
> > applications from Control Panel which use WMI still work!!????
> >
> > What can be done in order to connect on remote XP SP2 machines without
> > having to change the firewall settings manually ?
> Hi,
>
> There is a Group Policy setting to open for Microsoft Management
> Console (MMC) (see further down in this post for a command line that
> opens up for it):
>
> Policy path:
> Computer Configuration\Administrative Templates\Network\
> Network Connections\Windows Firewall\<Domain|Standard> Profile\
>
> Policy name:
> Windows Firewall: Allow remote administration exception
>
> From PolicySettings.xls available here:
>
> Group Policy Settings Reference for Windows XP Professional
> Service Pack 2
> http://www.microsoft.com/downloads/details.aspx?familyid=ef3a35c0-19b9-4acc-b5be-9b7dab13108e&displaylang=en
>
> <quote>
> Administrative Templates\Network\Network Connections\Windows Firewall
> \<some> Profile
> Windows Firewall: Allow remote administration exception
>
> Allows remote administration of this computer using administrative
> tools such as the Microsoft Management Console (MMC) and Windows
> Management Instrumentation (WMI). To do this, Windows Firewall opens
> TCP ports 135 and 445. Services typically use these ports to
> communicate using remote procedure calls (RPC) and Distributed
> Component Object Model (DCOM). This policy setting also allows
> SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages
> and allows hosted services to open additional dynamically-assigned
> ports, typically in the range of 1024 to 1034. If you enable this
> policy setting, Windows Firewall allows the computer to receive the
> unsolicited incoming messages associated with remote administration.
> You must specify the IP addresses or subnets from which these
> incoming messages are allowed. If you disable or do not configure
> this policy setting, Windows Firewall does not open TCP port 135 or
> 445. Also, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from
> receiving unsolicited incoming messages, and prevents hosted
> services from opening additional dynamically-assigned ports. Because
> disabling this policy setting does not block TCP port 445, it does
> not conflict with the Windows Firewall: Allow file and printer
> sharing exception policy setting. Note: Malicious users often
> attempt to attack networks and computers using RPC and DCOM. We
> recommend that you contact the manufacturers of your critical
> programs to determine if they are hosted by SVCHOST.exe or LSASS.exe
> or if they require RPC and DCOM communication. If they do not, then
> do not enable this policy setting. Note: If any policy setting
> opens TCP port 445, Windows Firewall allows inbound ICMP echo
> request messages (the message sent by the Ping utility), even if the
> Windows Firewall: Allow ICMP exceptions policy setting would block
> them. Policy settings that can open TCP port 445 include Windows
> Firewall: Allow file and printer sharing exception, Windows Firewall:
> Allow remote administration exception, and Windows Firewall: Define
> port exceptions.
>
> </quote>
>
>
> Using netsh.exe, you can configure the "Allow for remote administration"
> setting from command line as well, like this:
>
> netsh.exe firewall set service type=remoteadmin mode=enable scope=subnet profile=domain
>
> If not a domain computer, you need to change to 'profile=standard'
> (or 'profile=all'). Scope can also be set to 'custom' and then you
> can add ip ranges to the command line as well.
>
> The netsh.exe syntax is documented in WF_XPSP2.doc.
>
> WF_XPSP2.doc "Deploying Windows Firewall Settings for Microsoft
> Windows XP with Service Pack 2" is downloadable from
> http://www.microsoft.com/downloads/details.aspx?familyid=4454e0e1-61fa-447a-bdcd-499f73a637d1
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.mspx
>
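
An added example, not part of either post: the remote administration exception described in the quoted reply, set from PowerShell through the Windows Firewall COM API (`HNetCfg.FwMgr`) and limited to named management addresses rather than the whole subnet. The address list and the parameter names are placeholders constructed for this example.

```powershell
# Added example: enable the Windows Firewall "remote administration" exception
# via the HNetCfg.FwMgr COM object, restricted to specific source addresses.
# Run elevated on the target machine. The default addresses are constructed
# placeholders (documentation ranges); replace them with your admin hosts.
param(
    [string]$AllowedAdmins = '192.0.2.10,198.51.100.0/255.255.255.0',
    [ValidateSet('Domain', 'Standard')]
    [string]$FirewallProfile = 'Domain'
)

# NET_FW_PROFILE_TYPE values understood by GetProfileByType
$profileType = @{ Domain = 0; Standard = 1 }
# NET_FW_SCOPE values, used only to print the result in readable form
$scopeName = @{ 0 = 'All'; 1 = 'LocalSubnet'; 2 = 'Custom' }

$fwMgr = New-Object -ComObject HNetCfg.FwMgr
$fwProfile = $fwMgr.LocalPolicy.GetProfileByType($profileType[$FirewallProfile])

if (-not $fwProfile.FirewallEnabled) {
    Write-Warning "Windows Firewall is off in the $FirewallProfile profile; the exception changes nothing."
}

$remoteAdmin = $fwProfile.RemoteAdminSettings

# Record the previous state so the change can be reviewed or reverted.
$before = New-Object PSObject -Property @{
    Enabled         = $remoteAdmin.Enabled
    Scope           = $scopeName[[int]$remoteAdmin.Scope]
    RemoteAddresses = $remoteAdmin.RemoteAddresses
}

# Assigning RemoteAddresses switches the scope to Custom, so only the listed
# hosts can reach TCP 135/445 and the dynamic RPC ports the exception opens.
$remoteAdmin.RemoteAddresses = $AllowedAdmins
$remoteAdmin.Enabled = $true

# Read the settings back from the firewall instead of trusting the assignment.
$after = New-Object PSObject -Property @{
    Enabled         = $remoteAdmin.Enabled
    Scope           = $scopeName[[int]$remoteAdmin.Scope]
    RemoteAddresses = $remoteAdmin.RemoteAddresses
}

"Before:"; $before | Format-List
"After:";  $after  | Format-List
```

If the exception is also defined through the Group Policy setting quoted above, the policy value takes precedence over this local change.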