group policy, firewall, exceotions.

is there a way to use group policy to diftribute an exception to windwos firewall?
I.E add Real VNC as an exception to windwos firewall...

i have this as an exception on my machine but considering we have 8 offices around the contry i just want to find a way to do this via GP
i found a possible way in the policy editor but it is worded quiet difficult...

any help guys?

Leon TealePenetration TesterAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

It will be best to set this by creating a new grouppolicy then assigning the policy to specific OUs.  
Once the Policy is created, go to Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall. Locate the domain Profile and the last setting is Allow local port Exceptions.  Enable this setting.   Next is the setting above, enable this setting and add the VNC port that you use (5900 i think) and then the subnet that your VNC server is on.  Allowing all networks is very risky as this will allow any remote user w/ access to your network legimiate or hacked to take control over the PC. I highly suggest using an alternate port for VNC as well.  

5900 is the port
TCP is the protocol is the subnet your VNC server is on
enabled: is well.. it  is on
VNC: is a description for this port number.

Make sure DNS and firewall port forwarding is setup between all your routers as well for proper port forwarding.

How about giving a batch file that configures thesingle computer wich is ran on?

netsh firewall add allowedprogram program = C:\path\to\vnc.exe name = VNC mode = ENABLE scope = CUSTOM [specify the incoming IPs, in the form of subnets, like ],LocalSubnet

This allows a single computer firewall to pass the vnc connection.

To disable, type in the batch script

netsh firewall delete allowedprogram program = C:\path\to\vnc.exe

Otherwise, if you think that PCs should do the PCs and the office firewalls should do the filtering, apply just this rule on the office firewalls and disable the individual firewalls on the single PCs. What good are they going to do if there is a much better and bigger working firewall behind the wall office?
Leon TealePenetration TesterAuthor Commented:
im afraid it doesnt seem to be worjking, here is my code

netsh firewall add allowedprogram program = C:\Program Files\RealVNC\VNC4\winvnc4.exe name = vnc mode = ENABLE

and tried..

netsh add firewall allowedprogram program = C:\Program Files\RealVNC\VNC4\winvnc4.exe name = vnc mode = ENABLE scope = ALL addresses = localsubnet
Defend Against the Q2 Top Security Threats

Were you aware that overall malware worldwide was down a surprising 42% from Q1'18? Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that analyzes the top threat trends impacting companies worldwide. Learn more by viewing our on-demand webinar today!

this should work
netsh firewall add allowedprogram program = C:\Program Files\RealVNC\VNC4\winvnc4.exe name = VNC mode = ENABLE scope = all

this enable all vnc connections on this machine
Leon TealePenetration TesterAuthor Commented:
'the sytax for this is not a valid command'
what os are we on?
Leon TealePenetration TesterAuthor Commented:
sgrunt, the commands differ from xp to vista. try these, will open the good ports
netsh firewall set portopening TCP 5800 vnc-http
netsh firewall set portopening TCP 5900 vnc
netsh firewall set portopening TCP 5901 vnc

Open in new window

Leon TealePenetration TesterAuthor Commented:
thats perfect it works :)


i would however ask if you could help put this into a format which i can simply place into a batch file. or would it simply work just by putting 'netsh firewall set portopening TCP 5900 vnc' in a batch file?

would privalages effect this? woudl a standard user be able to add an exception to windows firewall using cmd? or does admin privalages have to be instated.
it's a command and you can put it in a batch file without problems (test it, if you don't belive :))
unfortunately, netsh demands administrator privileges, so a normal user can't run this script

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Leon TealePenetration TesterAuthor Commented:
many thanks :)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Remote Access

From novice to tech pro — start learning today.