Re: SP2 firewall/remote management
- From: "Andy Collado" <andy@xxxxxxxxxx>
- Date: Wed, 31 Aug 2005 10:49:21 -0500
Right, and when that setting is applied, running >netsh firewall show port
will yield the results I posted earlier, at least that's what they did when
I enabled that setting.
Has anyone else run into an issue like this? I can remotely manage other
Win2k and WinXP sp1 computers from an XP/SP2 pc, but they cannot be managed
remotely by anything else. I have even turned the firewall off and still
cannot manage those workstations remotely.
Thanks,
Andy
"Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@xxxxxxxxx> wrote in message
news:%23mFUWDkrFHA.3720@xxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> I would think you need to apply this policy setting on the remote
> computer to open for this:
>
> Policy path:
> Computer Configuration\Administrative Templates\Network\
> Network Connections\Windows Firewall\<Domain|Standard> Profile\
>
> Policy name:
> Windows Firewall: Allow remote administration exception
>
> From PolicySettings.xls available here:
>
> Group Policy Settings Reference for Windows XP Professional
> Service Pack 2
> http://www.microsoft.com/downloads/details.aspx?familyid=ef3a35c0-19b9-4acc-b5be-9b7dab13108e&displaylang=en
>
> <quote>
> Administrative Templates\Network\Network Connections\Windows Firewall
> \<some> Profile
> Windows Firewall: Allow remote administration exception
>
> Allows remote administration of this computer using administrative
> tools such as the Microsoft Management Console (MMC) and Windows
> Management Instrumentation (WMI). To do this, Windows Firewall opens
> TCP ports 135 and 445. Services typically use these ports to
> communicate using remote procedure calls (RPC) and Distributed
> Component Object Model (DCOM). This policy setting also allows
> SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages
> and allows hosted services to open additional dynamically-assigned
> ports, typically in the range of 1024 to 1034. If you enable this
> policy setting, Windows Firewall allows the computer to receive the
> unsolicited incoming messages associated with remote administration.
> You must specify the IP addresses or subnets from which these
> incoming messages are allowed. If you disable or do not configure
> this policy setting, Windows Firewall does not open TCP port 135 or
> 445. Also, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from
> receiving unsolicited incoming messages, and prevents hosted
> services from opening additional dynamically-assigned ports. Because
> disabling this policy setting does not block TCP port 445, it does
> not conflict with the Windows Firewall: Allow file and printer
> sharing exception policy setting. Note: Malicious users often
> attempt to attack networks and computers using RPC and DCOM. We
> recommend that you contact the manufacturers of your critical
> programs to determine if they are hosted by SVCHOST.exe or LSASS.exe
> or if they require RPC and DCOM communication. If they do not, then
> do not enable this policy setting. Note: If any policy setting
> opens TCP port 445, Windows Firewall allows inbound ICMP echo
> request messages (the message sent by the Ping utility), even if the
> Windows Firewall: Allow ICMP exceptions policy setting would block
> them. Policy settings that can open TCP port 445 include Windows
> Firewall: Allow file and printer sharing exception, Windows Firewall:
> Allow remote administration exception, and Windows Firewall: Define
> port exceptions.
>
> </quote>
>
>
> Using netsh.exe, you can configure the "Allow for remote administration"
> setting from command line as well, like this:
>
> netsh.exe firewall set service type=remoteadmin mode=enable scope=subnet
> profile=domain
>
> If not a domain computer, you need to change to 'profile=standard'
> (or 'profile=all'). Scope can also be set to 'custom' and then you
> can add ip ranges to the command line as well.
>
> The netsh.exe syntax is documented in WF_XPSP2.doc.
>
> WF_XPSP2.doc "Deploying Windows Firewall Settings for Microsoft
> Windows XP with Service Pack 2" is downloadable from
> http://www.microsoft.com/downloads/details.aspx?familyid=4454e0e1-61fa-447a-bdcd-499f73a637d1
>
>
>
> Andy Collado wrote:
>
>> We are working with some XP/SP2 workstations and cannot get the remote
>> management tools to work properly with them. We are a Win2k AD. Remote
>> management works with Win2k Pro and Pre-sp2 XP workstations. How can we
>> connect our remote management tools (eventvwr, regedit, computer
>> management, default shares) to work with the new firewalls? Here is a
>> netsh firewall show port from an SP2 machine:
>>
>> Port configuration for Domain profile:
>> Port   Protocol  Mode     Name
>> -------------------------------------------------------------------
>> 135    TCP       Enable   Name
>> 139    TCP       Enable   NetBIOS Session Service
>> 445    TCP       Enable   SMB over TCP
>> 137    UDP       Enable   NetBIOS Name Service
>> 138    UDP       Enable   NetBIOS Datagram Service
>> 3389   TCP       Enable   Remote Desktop
>>
>> this configuration should allow remote administration, should it not?
>>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.mspx
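As an added example (not code from the thread or from Microsoft), a small Python audit of the situation discussed above: it parses `netsh firewall show port` output in the layout Andy posted, reports per profile whether the two static TCP ports (135 and 445) are enabled, and builds the `netsh firewall set service type=remoteadmin` line Torgeir gives, including the custom-scope form. The sample output is constructed (the Standard section is invented), and the `addresses=` keyword for custom scope is netsh's own syntax, assumed here because the thread does not spell it out.

```python
import re
# Constructed sample in the layout of `netsh firewall show port` on XP SP2: the
# Domain section mirrors the table posted in the thread, the Standard one is made up.
SAMPLE_OUTPUT = """\
Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
135    TCP       Enable   Name
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
3389   TCP       Enable   Remote Desktop

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
3389   TCP       Enable   Remote Desktop
"""

PROFILE_RE = re.compile(r"^Port configuration for (\w+) profile:")
ROW_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.*)$")
REMOTE_ADMIN_PORTS = {(135, "TCP"), (445, "TCP")}  # static ports the exception opens

def parse_show_port(text):
    """Return {profile: [(port, proto, enabled, name), ...]} from the netsh text."""
    profiles, current = {}, None
    for line in text.splitlines():
        if m := PROFILE_RE.match(line):
            current = m.group(1)
            profiles[current] = []
        elif (m := ROW_RE.match(line)) and current is not None:
            port, proto, mode, name = m.groups()
            profiles[current].append((int(port), proto, mode == "Enable", name.strip()))
    return profiles

def missing_remote_admin_ports(rows):
    """Static ports (135/445 TCP) not enabled in one profile; an empty result is necessary but
    not sufficient: dynamic RPC ports and SVCHOST/LSASS allowances come only from the service exception."""
    enabled = {(port, proto) for port, proto, on, _ in rows if on}
    return sorted(REMOTE_ADMIN_PORTS - enabled)

def remoteadmin_command(profile="domain", scope="subnet", addresses=()):
    """Build the netsh line from the thread, validating the profile/scope values it names."""
    if profile not in ("domain", "standard", "all") or scope not in ("subnet", "all", "custom"):
        raise ValueError("profile must be domain|standard|all, scope subnet|all|custom")
    if scope == "custom" and not addresses:
        raise ValueError("custom scope needs at least one address or subnet")
    extra = " addresses=" + ",".join(addresses) if scope == "custom" else ""  # assumed netsh keyword
    return f"netsh.exe firewall set service type=remoteadmin mode=enable scope={scope} profile={profile}{extra}"
```

An empty list from `missing_remote_admin_ports` for the Domain profile is exactly Andy's situation: the port table looks complete, yet remote administration still needs the service exception enabled.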