Re: SQL Server Specific Windows Firewall Exception
Most corporate environments don't use Microsoft Windows
Firewall - not because it's too complicated but because it's
too simple and doesn't support the needs of a corporate
environment. They only turn them off on PCs as it's not
really needed in their environment - they use other
appliances to protect the corporate infrastructure. The
firewalls being used are different so having some
"automatically open nnn port" may not be realistic. If
someone had Express on their PC and allowed remote
connections which opened up the ports on corporate
firewalls, you'd have problems.
Although I understand your frustration with trying to figure
out what ports to open when and why, the efforts required
come from a place of having learned some hard lessons with
issues like Blaster, Slammer, etc. Microsoft deals with
trying to best support the needs of all environments. I
think most users appreciate that to some degree.
Automatically opening up firewall ports is something they
have been blasted for in the past...and still are but to a
lesser degree. It just is not a good practice to
automatically expose ports or open up vulnerabilities.

-Sue

On Sun, 5 Aug 2007 22:36:01 -0700, Andrew Hayes
<AndrewHayes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Generally. That is true. And I'm quite happy with the default out-of-box
configuration. At least for local machine purposes.

However, if I've gone into the Surface Area Configuration and enabled remote
Named Pipes and TCP/IP connections then obviously something is going to be
connecting to it remotely (otherwise, why would I bother?).

At this point it should install the Exceptions that are needed, even if it
doesn't enable them, so when I go to Windows Firewall I don't have to mess
about browsing for EXE's or adding new ports, and ending up with a mess of
exceptions that are a pain to deal with.

I spend far too much time trawling through "HOWTO: blah blah blah through
Windows Firewall" articles than I would like.

Why introduce a firewall that is so complicated to configure in a corporate
environment that most SE's I know just turn it off?

And no. Using the GPO isn't a realistic approach as you would have to have
several policies to open different ports and/or point at different EXE's
depending on what the server is used for, and then set up WMI filtering so
that the policies only apply to the correct servers.

"Sue Hoegemeier" wrote:

You generally don't want something that installs and
automatically opens up ports - that's been a huge problem in
the past. So things are intentionally designed to be secure
by default now with the newer Microsoft services. There are
applications that use only local, nonremote connections to
SQL Server so automatically opening up ports in such cases
would unnecessarily increase the surface area of exposure to
threats, hacks.

-Sue

On Sun, 29 Jul 2007 18:30:01 -0700, Andrew Hayes
<AndrewHayes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

If you edit File and Print Sharing in Windows Firewall, you'll see that it
lists 2 UDP ports and 2 TCP ports.

This is something that cannot be done normally but is offered through the
XPSP2 resource DLL. You can see this by looking at the registry entry for
GloballyOpenPorts under HKLM.

"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"

My question is - when will such a DLL or other method become available for
SQL Server 2005 so that we don't have to add a number of different program
and port exceptions to get remote connections and administration to work
through Windows Firewall?

Or possibly have it install the exceptions for us, such as Office 2007 does
for Groove, OneNote and Outlook? The SQL Server Surface Area Configuration
tool is the best place for such firewall changes to be chosen.
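Editor's note: the GloballyOpenPorts entries quoted above have a fixed shape, port:protocol:scope:state:name, where the name is either a plain string or an @dll,-id reference to a resource string. The following is an added example, not part of the thread or of any Microsoft tool, that parses an exported set of such values and reports which exceptions are both Enabled and scoped to any address rather than LocalSubNet, which is the check an administrator auditing a box would want before trusting an installer-created exception. The four File and Print Sharing lines are the ones quoted in the thread; the 1433/TCP and 1434/UDP lines are constructed entries of the kind a SQL Server exception would create (1433/TCP is the default instance port, 1434/UDP the SQL Browser port), and the "*" scope is treated here as the firewall's any-address scope. Python is used so the parser runs anywhere; the same split logic works in PowerShell against the live key.

```python
"""Parse Windows Firewall (XP SP2 era) GloballyOpenPorts values and flag
exceptions that expose a port beyond the local subnet.

Added example for this thread; not code from Microsoft or from the posters.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a registry export. The first four lines are the File
# and Print Sharing entries quoted in the thread; the 1433/1434 lines are
# hypothetical SQL Server entries. Scope "*" is taken to mean "any address".
SAMPLE_REG = r'''
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"1433:TCP"="1433:TCP:*:Enabled:SQL Server (hypothetical)"
"1434:UDP"="1434:UDP:*:Disabled:SQL Browser (hypothetical)"
'''


@dataclass
class PortException:
    port: int
    protocol: str
    scope: str
    enabled: bool
    name: str
    resource_dll: Optional[str] = None   # set when name is "@dll,-id"
    resource_id: Optional[int] = None

    @property
    def exposed(self) -> bool:
        """True when the rule is active and reachable from any address."""
        return self.enabled and self.scope == "*"


# One exported line: "key"="value"
_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]*)"$')
# Resource-string reference used by the built-in exceptions: @dll,-id
_RES = re.compile(r'^@(?P<dll>[^,]+),-(?P<id>\d+)$')


def parse_value(value: str) -> PortException:
    """Parse one port:protocol:scope:state:name value."""
    # The name field may itself contain colons, so split only four times.
    fields = value.split(":", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed GloballyOpenPorts value: {value!r}")
    port, proto, scope, state, name = fields
    proto = proto.upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"unknown protocol in {value!r}")
    if state not in ("Enabled", "Disabled"):
        raise ValueError(f"unknown state in {value!r}")
    exc = PortException(int(port), proto, scope, state == "Enabled", name)
    m = _RES.match(name)
    if m:
        exc.resource_dll = m.group("dll")
        exc.resource_id = int(m.group("id"))
    return exc


def parse_reg_export(text: str) -> List[PortException]:
    """Parse every "key"="value" line of an exported GloballyOpenPorts key."""
    result: List[PortException] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised registry line: {line!r}")
        exc = parse_value(m.group("value"))
        # The value name must agree with the port/protocol inside the value;
        # a mismatch points at a hand-edited or tampered entry.
        if m.group("key").upper() != f"{exc.port}:{exc.protocol}":
            raise ValueError(f"key/value mismatch on {line!r}")
        result.append(exc)
    return result


def exposed_ports(exceptions: List[PortException]):
    """Return (port, protocol) pairs that are enabled for any address."""
    return sorted((e.port, e.protocol) for e in exceptions if e.exposed)


if __name__ == "__main__":
    entries = parse_reg_export(SAMPLE_REG)
    for e in entries:
        flag = "EXPOSED" if e.exposed else "ok"
        print(f"{e.port:>5}/{e.protocol} scope={e.scope:<11} "
              f"{'Enabled' if e.enabled else 'Disabled':<8} {flag}  {e.name}")
```

Running the script lists each entry and marks only 1433/TCP as exposed: the File and Print Sharing rules are limited to LocalSubNet, and the SQL Browser entry, although scoped to any address, is disabled. That is exactly the distinction Andrew asks for (exceptions installed but not enabled) and the one Sue is worried about (exceptions installed and enabled for everyone).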