Re: WMI and XP SP2 remote connection problem !!
- From: "Jim Vierra" <jvierra@xxxxxxx>
- Date: Tue, 7 Jun 2005 16:39:40 -0400
There are some notes on the GP SDK info site that indicate a certain amount
of programmability for changing GP. I don't think it is a complete API for
GP management. Much is about building extensions for GP processing.
The firewall has an API but I haven't seen any indication that it can be
used remotely. A remote script could call the SP2 FW object and adjust the
firewall.
GP is the best and easiest place to do this in my experience so I have not
pursued other information since implementing GP with SP2 Firewall.
Opening the management ports in GP always allows WMI to work in three
domains. 1. W2K/XP 2. W3K/XP 3. W2K3 (3 servers.)
Sometimes a DC will balk at connections. Checking remoting on DCOM may be a
help. WMI Proxy must always be set by allowing a host for "Delegation".
Applications from the Control Panel (MMC) work by remoting MMC. Separate
setting on the firewall.
--
Jim Vierra
"HondaHRV" <HondaHRV@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4D2A51DE-54B9-4466-B498-1606F6EECEC4@xxxxxxxxxxxxxxxx
> Is there a way to do this programmatically ?
>
>
>
> "Torgeir Bakken (MVP)" wrote:
>
>> HondaHRV wrote:
>>
>> > I know that XP SP2 blocks the WMI remote connections, but why Microsoft
>> > applications from Control Panel which use WMI still work !!????
>> >
>> > What can be done in order to connect on remote XP SP2 machines without
>> > having to change the firewall settings manually ?
>> Hi,
>>
>> There is a Group Policy setting to open for Microsoft Management
>> Console (MMC) (see further down in this post for a command line that
>> opens up for it):
>>
>> Policy path:
>> Computer Configuration\Administrative Templates\Network\
>> Network Connections\Windows Firewall\<Domain|Standard> Profile\
>>
>> Policy name:
>> Windows Firewall: Allow remote administration exception
>>
>> From PolicySettings.xls available here:
>>
>> Group Policy Settings Reference for Windows XP Professional
>> Service Pack 2
>> http://www.microsoft.com/downloads/details.aspx?familyid=ef3a35c0-19b9-4acc-b5be-9b7dab13108e&displaylang=en
>>
>> <quote>
>> Administrative Templates\Network\Network Connections\Windows Firewall
>> \<some> Profile
>> Windows Firewall: Allow remote administration exception
>>
>> Allows remote administration of this computer using administrative
>> tools such as the Microsoft Management Console (MMC) and Windows
>> Management Instrumentation (WMI). To do this, Windows Firewall opens
>> TCP ports 135 and 445. Services typically use these ports to
>> communicate using remote procedure calls (RPC) and Distributed
>> Component Object Model (DCOM). This policy setting also allows
>> SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages
>> and allows hosted services to open additional dynamically-assigned
>> ports, typically in the range of 1024 to 1034. If you enable this
>> policy setting, Windows Firewall allows the computer to receive the
>> unsolicited incoming messages associated with remote administration.
>> You must specify the IP addresses or subnets from which these
>> incoming messages are allowed. If you disable or do not configure
>> this policy setting, Windows Firewall does not open TCP port 135 or
>> 445. Also, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from
>> receiving unsolicited incoming messages, and prevents hosted
>> services from opening additional dynamically-assigned ports. Because
>> disabling this policy setting does not block TCP port 445, it does
>> not conflict with the Windows Firewall: Allow file and printer
>> sharing exception policy setting. Note: Malicious users often
>> attempt to attack networks and computers using RPC and DCOM. We
>> recommend that you contact the manufacturers of your critical
>> programs to determine if they are hosted by SVCHOST.exe or LSASS.exe
>> or if they require RPC and DCOM communication. If they do not, then
>> do not enable this policy setting. Note: If any policy setting
>> opens TCP port 445, Windows Firewall allows inbound ICMP echo
>> request messages (the message sent by the Ping utility), even if the
>> Windows Firewall: Allow ICMP exceptions policy setting would block
>> them. Policy settings that can open TCP port 445 include Windows
>> Firewall: Allow file and printer sharing exception, Windows Firewall:
>> Allow remote administration exception, and Windows Firewall: Define
>> port exceptions.
>>
>> </quote>
>>
>>
>> Using netsh.exe, you can configure the "Allow for remote administration"
>> setting from command line as well, like this:
>>
>> netsh.exe firewall set service type=remoteadmin mode=enable scope=subnet profile=domain
>>
>> If not a domain computer, you need to change to 'profile=standard'
>> (or 'profile=all'). Scope can also be set to 'custom' and then you
>> can add ip ranges to the command line as well.
>>
>> The netsh.exe syntax is documented in WF_XPSP2.doc.
>>
>> WF_XPSP2.doc "Deploying Windows Firewall Settings for Microsoft
>> Windows XP with Service Pack 2" is downloadable from
>> http://www.microsoft.com/downloads/details.aspx?familyid=4454e0e1-61fa-447a-bdcd-499f73a637d1
>>
>>
>> --
>> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
>> Administration scripting examples and an ONLINE version of
>> the 1328 page Scripting Guide:
>> http://www.microsoft.com/technet/scriptcenter/default.mspx
>>
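
The firewall object mentioned in the reply and the quoted policy text's requirement to name the allowed source addresses can be combined into a local audit script. This is an added example, not code from any poster in this thread: it uses the Windows Firewall COM object `HNetCfg.FwMgr`, and the parameter names, the function name and the sample addresses are assumptions.

```powershell
# Added example (not from the thread): audit, and optionally narrow, the
# "remote administration" exception via the Windows Firewall COM object.
# Run locally from an elevated session, e.g. as a machine startup script.
param(
    # Constructed sample values; replace with your real admin workstations.
    [string]$ManagementHosts = '192.0.2.10,192.0.2.0/28',
    [switch]$Apply
)

$scopeNames   = @{ 0 = 'All'; 1 = 'LocalSubnet'; 2 = 'Custom' }  # NET_FW_SCOPE
$profileNames = @{ 0 = 'Domain'; 1 = 'Standard' }                 # NET_FW_PROFILE_TYPE

$fwMgr     = New-Object -ComObject HNetCfg.FwMgr
$fwProfile = $fwMgr.LocalPolicy.CurrentProfile
$remote    = $fwProfile.RemoteAdminSettings

function Show-RemoteAdminState {
    "Profile            : {0}" -f $profileNames[[int]$fwMgr.CurrentProfileType]
    "Firewall enabled   : {0}" -f $fwProfile.FirewallEnabled
    "Exceptions blocked : {0}" -f $fwProfile.ExceptionsNotAllowed
    "RemoteAdmin enabled: {0}" -f $remote.Enabled
    "Scope              : {0}" -f $scopeNames[[int]$remote.Scope]
    "Remote addresses   : {0}" -f $remote.RemoteAddresses
}

Show-RemoteAdminState

# TCP 135/445 plus dynamic RPC ports reachable from any source is the case
# the quoted policy text warns about; flag it.
if ($remote.Enabled -and [int]$remote.Scope -eq 0) {
    Write-Warning 'Remote administration exception is open to all source addresses.'
}

if ($Apply) {
    # Restrict the exception to the management hosts, then enable it.
    # Scope is re-read from the object afterwards rather than assumed.
    $remote.RemoteAddresses = $ManagementHosts
    $remote.Enabled         = $true
    Show-RemoteAdminState
}
```

Without `-Apply` the script only reports the current state and changes nothing.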