
Solved

group policy, firewall, exceptions.

Posted on 2008-11-03
Medium Priority
1,603 Views
Last Modified: 2013-11-30
Is there a way to use group policy to distribute an exception to Windows Firewall?
I.e. add RealVNC as an exception to Windows Firewall...

I have this as an exception on my machine, but considering we have 8 offices around the country I just want to find a way to do this via GP.
I found a possible way in the policy editor but it is worded quite difficultly...

Any help guys?

-HEX
Question by:Leon Teale
11 Comments
 
LVL 1

Expert Comment

by:webfullcircle
ID: 22950879
It will be best to set this by creating a new group policy and then assigning the policy to specific OUs.
Once the policy is created, go to Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall. Locate the Domain Profile; the last setting is "Allow local port exceptions". Enable this setting. Next is the setting above it: enable this setting and add the VNC port that you use (5900, I think) and then the subnet that your VNC server is on. Allowing all networks is very risky, as this will allow any remote user with access to your network, legitimate or hacked, to take control of the PC. I highly suggest using an alternate port for VNC as well.

5900:TCP:192.168.1.0/24:enabled:VNC
5900 is the port
TCP is the protocol
192.168.1.0/24 is the subnet your VNC server is on
enabled: is, well... it is on
VNC: is a description for this port number.

Make sure DNS and firewall port forwarding are set up between all your routers as well for proper port forwarding.

 
LVL 16

Expert Comment

by:ai_ja_nai
ID: 22976612
How about giving a batch file that configures the single computer it is run on?

netsh firewall add allowedprogram program="C:\path\to\vnc.exe" name=VNC mode=ENABLE scope=CUSTOM addresses=166.1.1.0/24,LocalSubnet

This allows a single computer's firewall to pass the VNC connection (the addresses list is the incoming IPs, given as subnets such as 166.1.1.0/24, plus LocalSubnet).

To disable, type in the batch script

netsh firewall delete allowedprogram program = C:\path\to\vnc.exe

Otherwise, if you think that PCs should do the PCs and the office firewalls should do the filtering, apply just this rule on the office firewalls and disable the individual firewalls on the single PCs. What good are they going to do if there is a much better and bigger working firewall behind the office wall?
 
LVL 6

Author Comment

by:Leon Teale
ID: 23795611
I'm afraid it doesn't seem to be working, here is my code

netsh firewall add allowedprogram program = C:\Program Files\RealVNC\VNC4\winvnc4.exe name = vnc mode = ENABLE

and tried..

netsh add firewall allowedprogram program = C:\Program Files\RealVNC\VNC4\winvnc4.exe name = vnc mode = ENABLE scope = ALL addresses = localsubnet
 
LVL 16

Expert Comment

by:ai_ja_nai
ID: 23796280
This should work:
netsh firewall add allowedprogram program = C:\Program Files\RealVNC\VNC4\winvnc4.exe name = VNC mode = ENABLE scope = all

This enables all VNC connections on this machine.
 
LVL 6

Author Comment

by:Leon Teale
ID: 23796368
'The syntax for this is not a valid command'
 
LVL 16

Expert Comment

by:ai_ja_nai
ID: 23796748
What OS are we on?
 
LVL 6

Author Comment

by:Leon Teale
ID: 23796828
XP
 
LVL 16

Expert Comment

by:ai_ja_nai
ID: 23815489
Sgrunt, the commands differ from XP to Vista. Try these, they will open the right ports:
netsh firewall set portopening TCP 5800 vnc-http
netsh firewall set portopening TCP 5900 vnc
netsh firewall set portopening TCP 5901 vnc

 
LVL 6

Author Comment

by:Leon Teale
ID: 23835233
That's perfect, it works :)

Thanks.

I would however ask if you could help put this into a format which I can simply place into a batch file. Or would it simply work just by putting 'netsh firewall set portopening TCP 5900 vnc' in a batch file?

Would privileges affect this? Would a standard user be able to add an exception to Windows Firewall using cmd, or do admin privileges have to be instated?
 
LVL 16

Accepted Solution

by:
ai_ja_nai earned 2000 total points
ID: 23835980
It's a command and you can put it in a batch file without problems (test it, if you don't believe :)).
Unfortunately, netsh demands administrator privileges, so a normal user can't run this script.
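The GPO port-exception string webfullcircle describes earlier in the thread (port:transport:scope:status:name) and the batch-file question answered in the accepted solution carry the same five pieces of information: a port, a transport, a scope, a status and a name. The script below is an added example for this page, not code posted by anyone in the thread: it validates entries in that GPO syntax and emits the equivalent `netsh firewall add portopening` line for each, so the same list can feed either the policy or a per-machine .bat. It flags any entry whose scope is `*` (any address), the case webfullcircle warns is risky. It assumes the XP SP2-era `netsh firewall add portopening` keyword syntax (`protocol=`, `port=`, `name=`, `mode=`, `scope=`, `addresses=`); the sample entries are constructed, and the file name gpo_to_netsh.py is just a suggestion.

```python
"""Validate Windows XP SP2 firewall GPO port-exception entries and emit the
equivalent `netsh firewall add portopening` commands for a batch file.

Added example for this thread, not code from any poster. Assumes the GPO
"Define port exceptions" syntax port:transport:scope:status:name, where scope
is "*" (any address) or a comma-separated list of IPs, CIDR subnets and
"localsubnet", and the XP-era `netsh firewall add portopening` keywords.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample entries. The first is the thread's own example; the other
# two are assumed (the VNC HTTP viewer port, and a deliberately wide-open
# entry so the script has something to warn about).
SAMPLE_ENTRIES = [
    "5900:TCP:192.168.1.0/24:enabled:VNC",
    "5800:TCP:192.168.1.0/24,localsubnet:enabled:VNC-HTTP",
    "5900:TCP:*:enabled:VNC-anywhere",
]


@dataclass
class PortException:
    port: int
    transport: str       # "TCP" or "UDP"
    scope: list[str]     # ["*"] or addresses / CIDR subnets / "LocalSubnet"
    enabled: bool
    name: str

    def is_wide_open(self) -> bool:
        """True when the exception accepts connections from any address."""
        return self.scope == ["*"]

    def to_netsh(self) -> str:
        """Equivalent single-host command for a .bat (needs an admin session)."""
        name = f'"{self.name}"' if " " in self.name else self.name
        cmd = (f"netsh firewall add portopening protocol={self.transport} "
               f"port={self.port} name={name} "
               f"mode={'ENABLE' if self.enabled else 'DISABLE'}")
        if self.is_wide_open():
            return cmd + " scope=ALL"
        return cmd + " scope=CUSTOM addresses=" + ",".join(self.scope)


def parse_exception(entry: str) -> PortException:
    """Parse one GPO entry; raise ValueError with the reason if malformed."""
    fields = entry.split(":")
    if len(fields) != 5:
        raise ValueError(f"expected 5 colon-separated fields, got {len(fields)}: {entry!r}")
    port_s, transport, scope_s, status, name = (f.strip() for f in fields)
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"port must be 1-65535: {port_s!r}")
    transport = transport.upper()
    if transport not in ("TCP", "UDP"):
        raise ValueError(f"transport must be TCP or UDP: {transport!r}")
    status = status.lower()
    if status not in ("enabled", "disabled"):
        raise ValueError(f"status must be enabled or disabled: {status!r}")
    if not name:
        raise ValueError("name must not be empty")
    scope = [s.strip() for s in scope_s.split(",") if s.strip()]
    if not scope:
        raise ValueError("scope must be '*' or at least one address")
    if "*" in scope and len(scope) > 1:
        raise ValueError("'*' cannot be combined with other scope entries")
    normalised = []
    for item in scope:
        if item == "*":
            normalised.append(item)
        elif item.lower() == "localsubnet":
            normalised.append("LocalSubnet")
        elif "/" in item:
            # Subnet in CIDR or netmask form; strict=False clears host bits.
            normalised.append(str(ipaddress.ip_network(item, strict=False)))
        else:
            # Single host; ip_address raises ValueError on anything else.
            normalised.append(str(ipaddress.ip_address(item)))
    return PortException(int(port_s), transport, normalised, status == "enabled", name)


def validate(entry: str) -> str | None:
    """Return None when the entry is well formed, else the error message."""
    try:
        parse_exception(entry)
        return None
    except ValueError as exc:
        return str(exc)


def build_batch(entries: list[str]) -> tuple[list[str], list[str]]:
    """Return (batch file lines, warnings). Wide-open entries are still
    emitted but warned about, following the thread's advice to scope VNC
    to the admin subnet rather than to all networks."""
    lines = ["@echo off", "rem generated from GPO port-exception entries"]
    warnings = []
    for entry in entries:
        exc = parse_exception(entry)
        if exc.is_wide_open():
            warnings.append(f"{exc.name}: port {exc.port}/{exc.transport} open to any address")
        lines.append(exc.to_netsh())
    return lines, warnings


if __name__ == "__main__":
    batch, warns = build_batch(SAMPLE_ENTRIES)
    print("\n".join(batch))
    for w in warns:
        print("WARNING:", w)
```

Running the script prints the batch lines for the three sample entries and one warning for the `*` entry. After the generated .bat has been run in an administrator session on an XP machine, `netsh firewall show portopening` lists the resulting exceptions so the scope can be checked against what the policy was meant to allow.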
 
LVL 6

Author Closing Comment

by:Leon Teale
ID: 31512755
Many thanks :)
