Re: XP SP2 and ports required to view a remote event log

From: Torgeir Bakken \(MVP\) (Torgeir.Bakken-spam_at_hydro.com)
Date: 12/02/04 

Date: Thu, 02 Dec 2004 01:14:06 +0100

FastEddie wrote:

> I need to know what ports are required to be opened on a XP SP2
> computer to remotely view its event log.
Hi

E.g. WMI (or more correctly RPC/DCOM) uses TCP ports 135 and 445 as
well as dynamically-assigned ports above 1024.

So for Windows XP SP2 with an enabled firewall, to handle this,
you need to enable "Allow remote administration exception" for
the firewall.

This can be done with gpedit.msc for a local computer, or push it
out with a AD GPO if possible. You can also use the command line
tool netsh.exe to do this, see further down for how.

 From PolicySettings.xls available here:

Group Policy Settings Reference for Windows XP Professional Service Pack 2
http://www.microsoft.com/downloads/details.aspx?familyid=ef3a35c0-19b9-4acc-b5be-9b7dab13108e&displaylang=en

<quote>
Administrative Templates\Network\Network Connections\Windows Firewall
\<some> Profile
Windows Firewall: Allow remote administration exception

Allows remote administration of this computer using administrative
tools such as the Microsoft Management Console (MMC) and Windows
Management Instrumentation (WMI). To do this, Windows Firewall opens
TCP ports 135 and 445. Services typically use these ports to
communicate using remote procedure calls (RPC) and Distributed
Component Object Model (DCOM). This policy setting also allows
SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages
and allows hosted services to open additional dynamically-assigned
ports, typically in the range of 1024 to 1034. If you enable this
policy setting, Windows Firewall allows the computer to receive the
unsolicited incoming messages associated with remote administration.
You must specify the IP addresses or subnets from which these
incoming messages are allowed. If you disable or do not configure
this policy setting, Windows Firewall does not open TCP port 135 or
445. Also, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from
receiving unsolicited incoming messages, and prevents hosted
services from opening additional dynamically-assigned ports. Because
disabling this policy setting does not block TCP port 445, it does
not conflict with the Windows Firewall: Allow file and printer
sharing exception policy setting. Note: Malicious users often
attempt to attack networks and computers using RPC and DCOM. We
recommend that you contact the manufacturers of your critical
programs to determine if they are hosted by SVCHOST.exe or LSASS.exe
or if they require RPC and DCOM communication. If they do not, then
do not enable this policy setting. Note: If any policy setting
opens TCP port 445, Windows Firewall allows inbound ICMP echo
request messages (the message sent by the Ping utility), even if the
Windows Firewall: Allow ICMP exceptions policy setting would block
them. Policy settings that can open TCP port 445 include Windows
Firewall: Allow file and printer sharing exception, Windows Firewall:
Allow remote administration exception, and Windows Firewall: Define
port exceptions.

</quote>

Using netsh.exe, you can configure this from command line as well,
like this:

netsh.exe firewall set service type=remoteadmin mode=enable scope=subnet
profile=domain

If not a domain computer, you need to change to 'profile=standard'
(or 'profile=all'). Scope can also be set to 'custom' and then you
can add ip ranges to the command line as well.

The netsh.exe syntax is documented in WF_XPSP2.doc.

WF_XPSP2.doc "Deploying Windows Firewall Settings for Microsoft
Windows XP with Service Pack 2" is downloadable from
http://www.microsoft.com/downloads/details.aspx?familyid=4454e0e1-61fa-447a-bdcd-499f73a637d1 

-- 
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Relevant Pages

  • Re: DCOM 10009 errors on SBS2008 with NAS
    ... make a specific GP rule that allows the ports to that NAS unit. ... The DCOM event id 10009 will occur when a client workstation has a miss-configured firewall or other issues affecting its network communications within the domain, for example if the workstation is not managed by an SBS GPO. ... Depending on your firewall solution this might be implemented or might require opening several ports. ... If the workstation is on a different subnet than the SBS server and it is running Windows XP SP2 or higher, the firewall exceptions provided by the SBS group policies will not properly allow the required connectivity. ...
    (microsoft.public.windows.server.sbs)
  • Re: [fw-wiz] how prevelant
    ... over the same few ports), and the tendency of script kiddies to run ... Windows attack tools, I tend to suggest that if you open your firewall up ... > it amazing they were passing domain information across the internet. ...
    (Firewall-Wizards)
  • Re: Windows Firewall on Domain Controllers
    ... Are you talking about Windows 2003 or Windows XP? ... confgured for all the AD ports and you do some voodoo with RPC ports. ... Don't use firewall on a DC, use a diferent machine, if you can don't join ... Global Catalog Server TCP 3269 ...
    (microsoft.public.windows.server.active_directory)
  • Re: Another VPN Issue...Say it aint so...
    ... click on "Services and Ports." ... Now how can I configure the firewall within ... but this time disable Firewall and redo remote access ... to make sure I get a good snap-in connection and see what goes on?!? ...
    (microsoft.public.windows.server.sbs)
  • Re: Stop Remote Manipulation When Server Needs Access
    ... connections but are protected by a firewall nonetheless. ... Continuing to develop for Windows 98 is generally a waste of time, ... prevented from accessing other users' profiles, ... Your remote control program would also have to be coded so that it does not ...
    (microsoft.public.security)