Group policy, firewall, exceptions.

Is there a way to use group policy to distribute an exception to Windows Firewall?
I.e. add RealVNC as an exception to Windows Firewall...

I have this as an exception on my machine, but considering we have 8 offices around the country I just want to find a way to do this via GP.
I found a possible way in the policy editor, but it is worded quite awkwardly...

Any help guys?

-HEX

Leon Teale (Penetration Tester) asked:

ai_ja_nai commented:
It's a command and you can put it in a batch file without problems (test it, if you don't believe :)).
Unfortunately, netsh demands administrator privileges, so a normal user can't run this script.
0
 
webfullcircle commented:
It will be best to set this by creating a new group policy, then assigning the policy to specific OUs.
Once the policy is created, go to Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall. Locate the Domain Profile; the last setting is "Allow local port exceptions". Enable this setting. Next is the setting above it: enable this setting and add the VNC port that you use (5900 I think) and then the subnet that your VNC server is on. Allowing all networks is very risky, as this will allow any remote user with access to your network, legitimate or hacked, to take control of the PC. I highly suggest using an alternate port for VNC as well.

5900:TCP:192.168.1.0/24:enabled:VNC
5900 is the port
TCP is the protocol
192.168.1.0/24 is the subnet your VNC server is on
enabled: is, well, it is on
VNC: is a description for this port number.

Make sure DNS and firewall port forwarding is setup between all your routers as well for proper port forwarding.

0
 
ai_ja_nai commented:
How about giving a batch file that configures the single computer on which it is run?

netsh firewall add allowedprogram program = C:\path\to\vnc.exe name = VNC mode = ENABLE scope = CUSTOM [specify the incoming IPs, in the form of subnets, like 166.1.1.0/24 ],LocalSubnet

This allows a single computer firewall to pass the vnc connection.

To disable, type in the batch script

netsh firewall delete allowedprogram program = C:\path\to\vnc.exe

Otherwise, if you think that the PCs should do the PCs' job and the office firewalls should do the filtering, apply just this rule on the office firewalls and disable the individual firewalls on the single PCs. What good are they going to do if there is a much better and bigger working firewall at the office perimeter?
0
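An added batch script (not posted by any participant in this thread) that puts the netsh port exceptions ai_ja_nai describes into a file, limits them to one office subnet as webfullcircle recommends, and checks for the administrator rights netsh needs. The subnet 192.168.1.0/24 and the registry-key admin check are assumptions; the ports are the ones discussed in the thread.

```batch
@echo off
rem vnc-fw.bat - added example, not code from this thread.
rem Adds or removes the RealVNC listener ports in the Windows XP SP2/SP3
rem firewall, restricted to one office subnet instead of every address.
rem Usage:  vnc-fw.bat add [subnet]   |   vnc-fw.bat remove
rem 192.168.1.0/24 below is an assumed default; pass each office's subnet.
setlocal
set ACTION=%1
set SUBNET=%2
if "%SUBNET%"=="" set SUBNET=192.168.1.0/24

rem netsh firewall needs administrator rights. Reading HKU\S-1-5-19 (the
rem LocalService hive) is denied to standard users, so stop here instead
rem of letting netsh fail half-way through the list of ports.
reg query "HKU\S-1-5-19" >nul 2>&1
if errorlevel 1 (
    echo This script must be run with administrator rights.
    exit /b 1
)

if /i "%ACTION%"=="add" goto add
if /i "%ACTION%"=="remove" goto remove
echo Usage: %~nx0 add [subnet]  ^|  %~nx0 remove
exit /b 2

:add
rem scope=CUSTOM limits the exception to the office subnet plus the local
rem subnet; scope=ALL would let any host that can reach the PC connect.
for %%P in (5800 5900 5901) do (
    netsh firewall set portopening protocol=TCP port=%%P name=VNC-%%P mode=ENABLE scope=CUSTOM addresses=%SUBNET%,LocalSubnet profile=ALL
)
goto show

:remove
for %%P in (5800 5900 5901) do (
    netsh firewall delete portopening protocol=TCP port=%%P profile=ALL
)
goto show

:show
rem If the domain profile is controlled by Group Policy with "Allow local
rem port exceptions" disabled, local entries are ignored; list what applies.
netsh firewall show portopening
endlocal
```

Run it once per office with that office's subnet, or let the GPO port-exception list above do the same job centrally.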
 
Leon Teale (Penetration Tester), author, commented:
I'm afraid it doesn't seem to be working, here is my code:

netsh firewall add allowedprogram program = C:\Program Files\RealVNC\VNC4\winvnc4.exe name = vnc mode = ENABLE

and tried..

netsh add firewall allowedprogram program = C:\Program Files\RealVNC\VNC4\winvnc4.exe name = vnc mode = ENABLE scope = ALL addresses = localsubnet
0
 
ai_ja_nai commented:
This should work:
netsh firewall add allowedprogram program = C:\Program Files\RealVNC\VNC4\winvnc4.exe name = VNC mode = ENABLE scope = all

This enables all VNC connections on this machine.
0
 
Leon Teale (Penetration Tester), author, commented:
'The syntax for this is not a valid command'
0
 
ai_ja_nai commented:
What OS are we on?
0
 
Leon Teale (Penetration Tester), author, commented:
XP
0
 
ai_ja_nai commented:
Sgrunt, the commands differ from XP to Vista. Try these, they will open the right ports:
netsh firewall set portopening TCP 5800 vnc-http
netsh firewall set portopening TCP 5900 vnc
netsh firewall set portopening TCP 5901 vnc

0
 
Leon Teale (Penetration Tester), author, commented:
That's perfect, it works :)

Thanks,

I would however ask if you could help put this into a format which I can simply place into a batch file, or would it simply work just by putting 'netsh firewall set portopening TCP 5900 vnc' in a batch file?

Would privileges affect this? Would a standard user be able to add an exception to Windows Firewall using cmd, or do admin privileges have to be instated?
0
 
Leon Teale (Penetration Tester), author, commented:
Many thanks :)
0