Windows 7 Firewall Settings

I was unable to ping, establish a UNC connection or map a drive from a Windows 2008 R2 server to a Windows 7 workstation but could establish an RDP connection.  I ended up shutting the firewall completely down with this command, "netsh advfirewall set allprofiles state off" on the Windows 7 workstation. It resolved my connection issue but seemed like I killed a fly with a hand grenade.

I would love to know why or, preferably, get some reference help on where to look/read.


lauck99Author Commented:
Thanks Darius. The good news is I had previously tried solutions in each of those links. Just shutting the firewall service off didn't help. Apparently there is additional screening still being applied with and without that service running. So far, only the "netsh advfirewall set allprofiles state off" command cleared the issue.

The techtalkz link may be applicable.  Although when I was in the rules view I tried some of what I thought were the obvious choices to enable/disable but never figured it out.  From my limited perspective, I think it would be helpful to know what the differences are between the netsh command above and the stopping of the WF service.  From there maybe we could narrow down what to change.
Darius GhassemCommented:
Shutting down the service will not stop the firewall from actually blocking programs; this is new in Windows Server 2008 and beyond.

Ports and/or services need to be enabled to allow certain services through the firewall. What seems to be the problem is that the ports aren't opened.

Aland CoonsSystems EngineerCommented:
Check that your LAN connection has the right profile setting. If you are connected to a domain you should be using the DOMAIN firewall profile and not the PRIVATE or PUBLIC profile. PRIVATE is for use in "workgroups" and the PUBLIC profile is for use at the hotel or restaurant WiFi hot spot.

See also:

Due to the prevalence of malware, trojans, viruses and worms, operating any computer without an active host-based firewall is not encouraged.
Are you receiving an "access denied" or "host unreachable"?

This command will completely turn off Windows Firewall for all user profiles, allowing WMI access.
netsh advfirewall set allprofiles state off


Entering this while the firewall is up enables remote admin RDP for the "remote administration" group.
netsh advfirewall firewall set rule group="remote administration" new enable=yes


And this one enables the service through the firewall globally.

netsh firewall set service remoteadmin enable


Since RDP already works for you, you don't need to use the two above. You will however need to have remote administration enabled through the firewall for WMI.

You can set the rule like this:

netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes


Then just assign that user to this group; they should be able to use UNC through the firewall using Windows Management Instrumentation (WMI).

I forgot to add this, very important here:
netsh advfirewall set currentprofile settings remotemanagement enable
lauck99Author Commented:
This is a unique set-up (at a corporation). Some interesting attributes to this scenario that I left out so as not to distract from what I thought the root issue was:
- The Windows 7 station is not in an AD/Domain and is on 10.10.10.x
- My PC is in the AD/Domain and is on 10.10.10.x
- The Windows 2k8 R2 test server is in the AD/Domain and is on 10.10.11.x
- The XP and 7 nodes can ping and map back and forth
- The XP and W2k8 server can ping and map back and forth
- The Win 7 can ping and map to the W2k8 server
- The W2k8 server cannot ping or map to the Win 7 WS

Based on that perspective how should I evaluate the profiles?
lauck99Author Commented:
I get neither of those responses from the ping. I (used to) get a response "timed out". I'll enable the firewall state across all profiles and mess with the last 2 commands. Thanks.

Aland CoonsSystems EngineerCommented:
Based on that, the Windows 7 workstation firewall is the problem and should be running in WORKGROUP mode (i.e. PRIVATE). You will need to allow exceptions for ICMP (Echo Request ICMPv4-In), and all of the File and Printer Sharing options need to be enabled for the PRIVATE profile.

Aland CoonsSystems EngineerCommented:
Another thought..

If name resolution is also a problem you may need to add hard entries to DNS for the Windows 7 box. While troubleshooting just use IP address then switch to UNC names when it starts working.  DNS on a domain by default will not allow the workstation to register because it's not an authenticated member. Lowering the DNS security level to allow it to register is an option but not the best choice because of security.
lauck99Author Commented:
FYI...I cannot ping by DNS or IP address.  

PS  I'll try the mode and exception settings today or tomorrow.
Your ping is getting blocked by the firewall somewhere there.
Aland CoonsSystems EngineerCommented:
Instead of PING use NSLOOKUP.  Is DNS working at all?  That will answer part of it.

Also try IPCONFIG /REGISTERDNS and then check your DNS server and see if there is any entry for your Windows 7 station. (You may need to add a fixed / permanent entry.)  Also, check the event log for errors (on the Win7 station).

Yes the firewall (on the Windows 7 station) is a problem. It is still blocking ICMP traffic from your LAN which should be trusted.  But there also may be a problem with the DNS registration and resolution.
lauck99Author Commented:
Alan, the nslookup shows that the DNS server has the right IP address registered. The name has worked in most cases, and has in all cases since removing the firewall completely from Win 7 (note my initial question and comments throughout). At one point, for added measure, I flushed the DNS cache. ...file/print settings have been enabled (and disabled) multiple times, still need to try private mode, and at one point had enabled ICMP traffic.

Russell, the problem is definitely within the Windows 7 firewall (note my initial comment/question).  I'm trying to figure out where/why.
lauck99Author Commented:
Alan is the big money winner!  With workgroup sharing on (obviously) I went into the Windows Firewall with Advanced Security settings, in the profile section, under the Private Profile tab and allowed inbound connections.  It is working as expected.  It looks like I can get even more granular but don't really have time now.

lauck99Author Commented:
Everything was correct minus the need to enable ICMP (at least I didn't have to).  I added a step by step just in case someone else runs into the same issue.
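A more granular version of the fix Aland outlined and that the author settled on, as an added example that is not code from anyone in this thread. Two details in the thread matter for it. First, the predefined File and Printer Sharing and WMI inbound rules for the Private profile are scoped to "Local subnet" by default, which fits the symptoms above exactly: the XP box on the same 10.10.10.x subnet could reach the Windows 7 station even with the rules enabled, while the 2008 R2 server on 10.10.11.x could not. Second, "allowed inbound connections" in the Private profile tab sets the profile's default inbound action to Allow, which lets everything in that no rule blocks, close to having no firewall at all. The script below keeps the default inbound action at Block, enables only the inbound rules UNC, drive mapping, ping and WMI need, and widens their remote scope to the two subnets from the thread. It assumes the workstation is a workgroup machine whose active profile is Private, that 10.10.10.0/24 and 10.10.11.0/24 are the only networks that need access (change $LanSubnets otherwise), and that it is run from an elevated PowerShell prompt on the Windows 7 box. It wraps netsh because the NetSecurity cmdlets only exist on Windows 8 / Server 2012 and later.

```powershell
# Added example for this thread, not code from the original posters.
# Assumptions (adjust before use): Windows 7 workgroup machine on 10.10.10.0/24,
# Windows 2008 R2 server on 10.10.11.0/24, active firewall profile = Private.
# Run from an elevated PowerShell prompt on the Windows 7 workstation.

$FwProfile  = 'private'                       # workgroup box: "Home/Work" network location
$LanSubnets = '10.10.10.0/24,10.10.11.0/24'   # assumption: the two subnets named in the thread

# Predefined inbound rules that UNC paths / drive mapping, ping and WMI depend on.
$RuleNames = @(
    'File and Printer Sharing (SMB-In)',
    'File and Printer Sharing (NB-Session-In)',
    'File and Printer Sharing (NB-Name-In)',
    'File and Printer Sharing (NB-Datagram-In)',
    'File and Printer Sharing (Echo Request - ICMPv4-In)',
    'Windows Management Instrumentation (DCOM-In)',
    'Windows Management Instrumentation (WMI-In)',
    'Windows Management Instrumentation (ASync-In)'
)

function Show-ActiveProfile {
    # Which profile is in force, whether it is on, and its default inbound action.
    # A non-domain machine can only be Private or Public, never Domain.
    netsh advfirewall show currentprofile |
        Where-Object { $_ -match '^(\w+ Profile Settings|State|Firewall Policy)' }
}

function Enable-LanAccess {
    # Keep the profile on with its safe default (block unsolicited inbound,
    # allow outbound) instead of switching the profile off or allowing all inbound.
    netsh advfirewall set "${FwProfile}profile" state on | Out-Null
    netsh advfirewall set "${FwProfile}profile" firewallpolicy "blockinbound,allowoutbound" | Out-Null

    foreach ($name in $RuleNames) {
        # Select the copy of the rule that applies to this profile, enable it, pin it
        # to this profile only, and replace the default "Local subnet" scope with
        # the two LAN subnets so the off-subnet server is no longer filtered out.
        # (set rule ... group= can only enable/disable, so rules are addressed by name.)
        netsh advfirewall firewall set rule "name=$name" dir=in "profile=$FwProfile" `
            new enable=yes "profile=$FwProfile" "remoteip=$LanSubnets" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not update rule '$name'" }
    }
}

function Test-LanAccess {
    # Verify the rules the server depends on are enabled and include its subnet.
    $expected = @('File and Printer Sharing (SMB-In)',
                  'File and Printer Sharing (Echo Request - ICMPv4-In)',
                  'Windows Management Instrumentation (WMI-In)')
    foreach ($name in $expected) {
        $out = netsh advfirewall firewall show rule "name=$name" "profile=$FwProfile" | Out-String
        $ok  = ($out -match 'Enabled:\s+Yes') -and ($out -match '10\.10\.11\.0')
        New-Object PSObject -Property @{ Rule = $name; Ok = $ok }
    }
}

Show-ActiveProfile
Enable-LanAccess
Test-LanAccess | Format-Table -AutoSize
```

If Show-ActiveProfile reports the Public profile, change the network location to Home/Work in Network and Sharing Center first; the rules above are pinned to Private and will not apply under Public. After the run, the server on 10.10.11.x should be able to ping and map the workstation while everything not explicitly allowed stays blocked.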