Solved

Enabling remoteadmin through Windows Firewall

Posted on 2009-02-16
8,799 Views
Last Modified: 2012-08-13
Hi, I am having a problem enabling remote administration on a number of Windows XP Professional SP3 computers that are running the Windows Personal Firewall. What I want to do is run a WMI application called Spiceworks to collect inventory information - this requires that the Windows Firewall has the remote administration exception enabled. I know that Spiceworks works OK because it works when the firewall is disabled and does not work when it is enabled. (Aside: I also had to enable TCP port 135 to make Spiceworks work.)

On the target computer I run these two commands:
C:\>netsh firewall set service remoteadmin enable
Ok.
C:\>netsh firewall show state
Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable
** edited - I have given the full output below **
C:\>

In the firewall exceptions configuration I made sure that the scope is "*".

The line "Remote admin mode = Disable" tells me that even though I ran "netsh firewall set service remoteadmin enable" and received the response "Ok.", I did not succeed in enabling remote administration.

This is a corporate network with Active Directory. My Default Domain Policy has "Windows Firewall: Allow remote administration exception" enabled on both the Domain Profile and the Standard Profile and the scope is "*" in each case.
Default Domain Policy - Computer Configuration - Administrative Templates - Network - Network Connections - Windows Firewall - Domain and Standard Profiles

I ran Resultant Set of Policy (rsop.msc) on the target machine and it agrees with the Default Domain Policy, showing "Windows Firewall: Allow remote administration exception" enabled on both the Domain Profile and the Standard Profile with a scope of "*" in each case.

I am stuck now - I have never seen the command "netsh firewall show state" give the response "Remote admin mode = Enable". For reference, I pasted the verbose output into the code section of this question.

Does anyone have any suggestions as to how I can move forward with this?

Thank you

C:\>netsh firewall show state verbose=enable
 
Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable
        Scope: *
 
Local exceptions allowed by group policy:
-------------------------------------------------------------------
Open ports       = Enable
Allowed programs = Enable
 
Log settings:
-------------------------------------------------------------------
File location   = C:\WINDOWS\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Enable
Connections     = Enable
 
Service settings:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
        Scope: *
Enable   No          UPnP Framework
        Scope: *
Enable   No          Remote Desktop
        Scope: *
 
Program exceptions:
Mode     Local policy  Name / Program
-------------------------------------------------------------------
Enable   Yes           Microsoft Management Console / C:\WINDOWS\system32\mmc.exe
        Scope: *
Enable   Yes           Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
        Scope: *
 
Port exceptions:
Port   Protocol  Local policy  Mode     Name / Service type
-------------------------------------------------------------------
135    TCP       Yes           Enable   Spiceworks 135 / None
        Scope: *
137    UDP       Yes           Enable   NetBIOS Name Service / File and Printer Sharing
        Scope: *
138    UDP       Yes           Enable   NetBIOS Datagram Service / File and Printer Sharing
        Scope: *
139    TCP       Yes           Enable   NetBIOS Session Service / File and Printer Sharing
        Scope: *
139    UDP       Yes           Enable   Spiceworks 139 UDP / None
        Scope: *
162    TCP       Yes           Enable   Spiceworks 162 TCP / None
        Scope: *
162    UDP       Yes           Enable   Spiceworks 162 UDP / None
        Scope: *
445    TCP       Yes           Enable   SMB over TCP / File and Printer Sharing
        Scope: *
1900   UDP       Yes           Enable   SSDP Component of UPnP Framework / UPnP Framework
        Scope: *
2869   TCP       Yes           Enable   UPnP Framework over TCP / UPnP Framework
        Scope: *
3389   TCP       Yes           Enable   Remote Desktop / Remote Desktop
        Scope: *
 
Ports on which programs want to receive incoming connections:
Port   Protocol  Version  PID       Type  Wildcarded  Forced  Name / Program
-------------------------------------------------------------------
500    UDP       IPv4     716       App   No          No      (null) / C:\WINDOWS\system32\lsass.exe
        Scope: *
4500   UDP       IPv4     716       App   No          No      (null) / C:\WINDOWS\system32\lsass.exe
        Scope: *
123    UDP       IPv4     1040      App   No          No      (null) / C:\WINDOWS\system32\svchost.exe
        Scope: *
1900   UDP       IPv4     1252      App   No          No      (null) / C:\WINDOWS\system32\svchost.exe
        Scope: *
1279   TCP       IPv4     1040      RPC   No          No      (null) / C:\WINDOWS\system32\svchost.exe
        Scope: *
135    TCP       IPv4     1040      RPC   No          No      (null) / C:\WINDOWS\system32\svchost.exe
        Scope: *
 
Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
135    TCP       IPv4     C:\WINDOWS\system32\svchost.exe
        Scope: *
137    UDP       IPv4     (null)
        Scope: *
139    TCP       IPv4     (null)
        Scope: *
138    UDP       IPv4     (null)
        Scope: *
139    UDP       IPv4     (null)
        Scope: *
162    UDP       IPv4     (null)
        Scope: *
162    TCP       IPv4     (null)
        Scope: *
3389   TCP       IPv4     (null)
        Scope: *
445    TCP       IPv4     (null)
        Scope: *
2869   TCP       IPv4     (null)
        Scope: *
1900   UDP       IPv4     C:\WINDOWS\system32\svchost.exe
        Scope: *
 
ICMP settings for all network interfaces:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big
Enable   3     Allow outbound destination unreachable
Enable   4     Allow outbound source quench
Enable   5     Allow redirect
Enable   8     Allow inbound echo request
Enable   9     Allow inbound router request
Enable   11    Allow outbound time exceeded
Enable   12    Allow outbound parameter problem
Enable   13    Allow inbound timestamp request
Enable   17    Allow inbound mask request
 
Additional ICMP settings on Local Area Connection:
Mode     Type  Description
-------------------------------------------------------------------
Disable  2     Allow outbound packet too big
Enable   3     Allow outbound destination unreachable
Enable   4     Allow outbound source quench
Enable   5     Allow redirect
Enable   8     Allow inbound echo request
Enable   9     Allow inbound router request
Enable   11    Allow outbound time exceeded
Enable   12    Allow outbound parameter problem
Enable   13    Allow inbound timestamp request
Enable   17    Allow inbound mask request
 
Local Area Connection firewall settings:
-------------------------------------------------------------------
Operational mode = Enable
Version          = IPv4
GUID             = {1B8951DB-7063-4F2B-A30C-697B05CCD6F7}
 
 
C:\>

Question by:MPRG62
4 Comments
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 23652882
As you want to use RPC through the firewall, you have the problem that it by default takes any port over 1024. This can however be changed by configuring which dynamic RPC ports are allowed to be used on the computer you're connecting to.
For example, use 5000-5100 for RPC dynamic ports by adding the following to the registry, and create firewall rules to open the ports configured to be used.

HKLM\SOFTWARE\Microsoft\Rpc\Internet
Ports REG_MULTI_SZ =5000-5100
PortsInternetAvailable REG_SZ=Y
UseInternetPorts REG_SZ=Y

http://support.microsoft.com/kb/154596
 

Author Comment

by:MPRG62
ID: 23658403
Thank you henjoh09

I am a bit confused: are you saying that to get "netsh firewall show state" to give a response of "Remote admin mode = Enable" then I have to open ports higher than 1024?

I have made some progress: when I allowed "Remote Desktop" via the Group Policy, my "Remote admin mode" changed to "Enable" and I am able to scan my computer correctly.

However, I do not yet know exactly what I need to put into my Group Policy to make it work company-wide.
It seems to be some combination of:
"Allow remote administration exception", "Allow remote desktop exception" and maybe "Define port exceptions" and "Allow local port exceptions", but I have to do some experiments.

Given that "Remote Desktop" seemed to have a positive effect, do I still need to look at your suggestion to make registry changes to open ports 5000-5100 for RPC dynamic ports?

Thank you for your help
 
LVL 31

Accepted Solution

by: Henrik Johansson (earned 2000 total points)
ID: 23658823
RPC only uses the endpoint mapper on 135/TCP for initiating the communication, and during the connection it changes the port to another dynamic port. The dynamic port is by default *any* random port above 1024, but can, as described, be changed to a more restricted interval for the dynamic ports to make it possible to handle with firewall rules.

As described in the explanation of the policy setting for remote administration exception, it opens port 135/TCP and 445/TCP, but does not handle the dynamic ports.
 
LVL 6

Expert Comment

by:oferam
ID: 26144963
The solution accepted is incorrect.
The explanation in the policy setting actually explains the opposite!

The reason the firewall cannot be controlled with the netsh firewall commands is because it is in a "Domain Profile".
In the "Domain profile", the definitions that come implicitly from the domain GPO have a higher priority than local commands.

Even further, one can actually see that those devices have a firewall that is affected by the Domain GPO, according to the line "Group policy version = Windows Firewall". If there were no definitions in the domain GPO, this line would be "Group policy version = None".

I know it's been a while, but for the sake of those who have the same problem, please fix / remove this "Accepted solution"
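The two answers above disagree about what to read from the `netsh firewall show state` output, but both point at lines that a script can check: the `Group policy version` line (whether a domain GPO is in force and therefore overrides local `netsh firewall set` commands), the `Remote admin mode` line, and whether 135/TCP and 445/TCP appear in the port exception list. The following Python is an added example and is not code from this thread, from Spiceworks or from Microsoft. It assumes the section headers and column layout of the XP-era `netsh firewall show state verbose=enable` output exactly as pasted in the question; the `SAMPLE` text is constructed by abbreviating that paste, and the port list and registry key in the findings are taken from the accepted answer and the KB article it links.

```python
"""Read `netsh firewall show state verbose=enable` text (Windows XP SP2/SP3
netsh firewall context) and explain why "Remote admin mode" may stay Disable.
Added example, not code from the thread; the layout is assumed from the
question's paste and SAMPLE is constructed by abbreviating it."""
import re

# Constructed sample, abbreviated from the question's paste.
SAMPLE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Disable
        Scope: *

Port exceptions:
Port   Protocol  Local policy  Mode     Name / Service type
-------------------------------------------------------------------
135    TCP       Yes           Enable   Spiceworks 135 / None
        Scope: *
445    TCP       Yes           Enable   SMB over TCP / File and Printer Sharing
        Scope: *
"""

STATUS_RE = re.compile(r"^(\S[^=]*?)\s*=\s*(.*)$")
PORT_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(Yes|No)\s+(Enable|Disable)\s+(.*)$")

# Ports the accepted answer says the remote administration exception opens.
# The RPC dynamic range is deliberately not in this list.
REMOTE_ADMIN_PORTS = [(135, "TCP"), (445, "TCP")]


def section(text, header):
    """Lines of one netsh section: from its header line to the next blank line."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip() == header), None)
    if start is None:
        return []
    body = []
    for line in lines[start + 1:]:
        if not line.strip():
            break
        body.append(line)
    return body


def parse_status(text):
    """'Firewall status' key = value pairs; indented 'Scope:' lines are skipped."""
    status = {}
    for line in section(text, "Firewall status:"):
        m = STATUS_RE.match(line)
        if m:
            status[m.group(1).strip()] = m.group(2).strip()
    return status


def parse_port_exceptions(text):
    """Set of (port, protocol) for port exceptions whose Mode column is Enable."""
    open_ports = set()
    for line in section(text, "Port exceptions:"):
        m = PORT_RE.match(line)
        if m and m.group(4) == "Enable":
            open_ports.add((int(m.group(1)), m.group(2)))
    return open_ports


def diagnose(text):
    """Summarise the state and list the findings an administrator would act on."""
    status = parse_status(text)
    open_ports = parse_port_exceptions(text)
    profile = status.get("Profile", "?")
    # "Group policy version = None" means no domain GPO touches the firewall;
    # any other value (here "Windows Firewall") means GPO settings are in force.
    gpo_managed = status.get("Group policy version", "None") != "None"
    remote_admin = status.get("Remote admin mode") == "Enable"
    missing = [p for p in REMOTE_ADMIN_PORTS if p not in open_ports]

    findings = []
    if gpo_managed:
        findings.append(f"{profile} profile is under Group Policy: domain GPO settings "
                        "take priority over local 'netsh firewall set' commands, so "
                        "change the policy and re-check with rsop.msc.")
    if not remote_admin:
        findings.append("Remote admin mode is Disable on this profile.")
    for port, proto in missing:
        findings.append(f"{port}/{proto} has no enabled port exception.")
    if not missing:
        findings.append("135/TCP and 445/TCP are open; if WMI still fails, the RPC "
                        "dynamic range (any port above 1024 by default) is the next "
                        "thing to check. KB154596 describes restricting it under "
                        "HKLM\\SOFTWARE\\Microsoft\\Rpc\\Internet.")
    return {"profile": profile, "gpo_managed": gpo_managed,
            "remote_admin_enabled": remote_admin, "open_ports": open_ports,
            "missing_ports": missing, "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(SAMPLE)["findings"]:
        print("-", finding)
```

To use it on a real machine, save the output of `netsh firewall show state verbose=enable` to a file and pass its contents to `diagnose()`; the parser stops each section at the first blank line, which is how the netsh output separates them. The `gpo_managed` flag is the check oferam's comment describes, and `missing_ports` covers the two ports Henrik's accepted answer names.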
