• Status: Solved

Group Policy Firewall exception for Windows Remote Management not applying

Hi

I'm trying to make all Windows 7 computers in our domain manageable by WinRM, but the part of the set-up process which is hampering my progress is with the firewall rules.

I've set up a group policy object and applied it to the OU that contains my computer and the top level OU (just in case). This GPO has the following settings:

Computer Configuration> Policies> Windows Settings>Security Settings>System Services> Windows Firewall with Advanced Security>Inbound Rules
Windows Remote Management (HTTP-In) Inbound rule for Windows Remote Management via WS-Management. [TCP 5985] 
This rule might contain some elements that cannot be interpreted by the current version of GPMC reporting module  
Enabled True 
Program System 
Action Allow 
Security Require authentication 
Authorized computers  
Authorized users  
Protocol 6 
Local port 5985 
Remote port Any 
ICMP settings Any 
Local scope Any 
Remote scope Any 
Profile Public 
Network interface type All 
Service All programs and services 
Allow edge traversal False 
Group Windows Remote Management 
 
Windows Remote Management (HTTP-In) Inbound rule for Windows Remote Management via WS-Management. [TCP 5985] 
This rule might contain some elements that cannot be interpreted by the current version of GPMC reporting module  
Enabled True 
Program System 
Action Allow 
Security Require authentication 
Authorized computers  
Authorized users  
Protocol 6 
Local port 5985 
Remote port Any 
ICMP settings Any 
Local scope Any 
Remote scope Any 
Profile Domain, Private 
Network interface type All 
Service All programs and services 
Allow edge traversal False 
Group Windows Remote Management 
 
Windows Remote Management - Compatibility Mode (HTTP-In) Compatibility mode inbound rule for Windows Remote Management via WS-Management. [TCP 80] 
This rule might contain some elements that cannot be interpreted by the current version of GPMC reporting module  
Enabled True 
Program System 
Action Allow 
Security Require authentication 
Authorized computers  
Authorized users  
Protocol 6 
Local port 80 
Remote port Any 
ICMP settings Any 
Local scope Any 
Remote scope Any 
Profile All 
Network interface type All 
Service All programs and services 
Allow edge traversal False 
Group Windows Remote Management (Compatibility) 
 



However, after multiple reboots and gpupdates, my local firewall looks like this:
Firewall-Windows-Remote-Management.png
Does anyone have any ideas why it's not applying? Or what I can do to get it working?

Thanks
FriendlyIT
Asked:
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
Have you run a gpresult and verified that the client is getting the firewall settings from Group Policy?

FriendlyIT (Author) Commented:
Hi

Yes, I've run a gpresult and it looks like it's being applied:

COMPUTER SETTINGS
------------------
    CN=xxxxxxxxxxxxxxxxxxxx
    Last time Group Policy was applied: 29/04/2015 at 10:08:46
    Group Policy was applied from:      xxxxxxxxxxx
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        xxx
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Enable Powershell Remoting

Joseph Moody (Blogger and wearer of all hats.) Commented:
Run a gpresult /h. Do the actual settings appear in the report? Here is an example on using gpresult /h: http://deployhappiness.com/gpresult-or-rsop/
 
FriendlyIT (Author) Commented:
Interesting, thanks for that tip. It looks like it is being applied correctly, but for some reason isn't showing up in the firewall:

Inbound Rules
Name      Description      Winning GPO
Windows Remote Management (HTTP-In)      Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]      Enable Powershell Remoting
This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module      
Enabled      True
Program      System
Action      Allow
Security      Require authentication
Authorized computers      
Authorized users      
Protocol      6
Local port      5985
Remote port      Any
ICMP settings      Any
Local scope      Any
Remote scope      Any
Profile      Domain, Private
Network interface type      All
Service      All programs and services
Allow edge traversal      False
Group      @FirewallAPI.dll,-30267
Windows Remote Management - Compatibility Mode (HTTP-In)      Compatibility mode inbound rule for Windows Remote Management via WS-Management. [TCP 80]      Enable Powershell Remoting
This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module      
Enabled      True
Program      System
Action      Allow
Security      Require authentication
Authorized computers      
Authorized users      
Protocol      6
Local port      80
Remote port      Any
ICMP settings      Any
Local scope      Any
Remote scope      Any
Profile      All
Network interface type      All
Service      All programs and services
Allow edge traversal      False
Group      Windows Remote Management
Windows Remote Management (HTTP-In)      Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]      Enable Powershell Remoting
This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module      
Enabled      True
Program      System
Action      Allow
Security      Require authentication
Authorized computers      
Authorized users      
Protocol      6
Local port      5985
Remote port      Any
ICMP settings      Any
Local scope      Any
Remote scope      Any
Profile      Public
Network interface type      All
Service      All programs and services
Allow edge traversal      False
Group      @FirewallAPI.dll,-30267

compdigit44 Commented:
I see you have scoped the Firewall settings for the domain and private profiles. Is your workstation being detected as being part of one of these profiles?

Have you tried to see if the settings apply to a freshly imaged workstation?

FriendlyIT (Author) Commented:
Hi

Thanks for your reply. I can confirm that the private profile is the one being shown as connected. I haven't tried it on a freshly imaged workstation but I have checked the settings on other workstations, which have the same symptoms.

Thanks.

compdigit44 Commented:
You said the private profile is being applied. If you are currently connected to the domain, it should be the domain profile. See if you can reassign the profile to domain, reboot, then check the firewall settings.

http://windows.microsoft.com/en-us/windows/create-modify-network-profiles#1TC=windows-7

FriendlyIT (Author) Commented:
Thanks very much, sorry, that was a mistake on my part. It is the domain profile which is being applied.

compdigit44 Commented:
Would it be possible to upload the gpresult /v report from a workstation along with the GP settings and a snapshot of the OU structure the workstation is a member of?

Please black out any sensitive information.

FriendlyIT (Author) Commented:
Hi

Thanks for your help. I've attached the requested files.

Thanks
Enable-Powershell-Remoting.htm
GPMC.png
GpresultV.txt
OU.png

compdigit44 Commented:
Thanks for the post and sorry for not getting back to you.

Let's put WinRM aside for a minute: are you able to successfully deploy any firewall inbound/outbound rules to a workstation?

compdigit44 Commented:
In the Firewall wizard for the GP, did you select create from "Program" or "Predefined"?

If you did Program, try setting it to "Predefined".

FriendlyIT (Author) Commented:
Hi thanks for your response. I'm not sure what I selected, but when I look at the properties of the rule in GPMC, it says "This is a predefined rule and some of its properties cannot be modified" - so I guess it's predefined..?

compdigit44 Commented:
It does hurt to delete and recreate it using Predefined and if that does work select program

FriendlyIT (Author) Commented:
Hi again and thanks for all your help with this. Eventually I realised that in the GP settings there were two entries set up to manage this firewall rule. When I deleted one of those rules the policy started applying correctly.

FriendlyIT (Author) Commented:
This is what I discovered was causing the problem. Once remedied, it started working correctly.

compdigit44 Commented:
Nice work. I am interested, for my own knowledge, to know which entries were duplicated and where...
Question has a verified solution.
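
One way to check a client for the kind of overlap described in the resolution above, as an added example that is not from the thread: it parses the rule strings Group Policy writes under the policy FirewallRules registry key and reports rules that cover the same direction, protocol, local port and profile. The function names and the sample rule strings are constructed for illustration, and the example assumes a rule string with no Profile field applies to all profiles.

```powershell
# Added example. GPO-delivered firewall rules land on the client as one
# pipe-delimited string per registry value under this key.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
$AllProfiles = 'Domain', 'Private', 'Public'

function ConvertFrom-FirewallRuleString([string]$Id, [string]$Data) {
    $rule = @{ Id = $Id; Profile = @() }
    foreach ($field in ($Data -split '\|')) {
        $key, $value = $field -split '=', 2
        if ($null -eq $value) { continue }      # skips the version token and the empty tail
        if ($key -eq 'Profile') { $rule.Profile += $value } else { $rule[$key] = $value }
    }
    # Assumption: a rule with no Profile field applies to every profile.
    if ($rule.Profile.Count -eq 0) { $rule.Profile = $AllProfiles }
    New-Object PSObject -Property $rule
}

function Find-OverlappingRule([object[]]$Rules) {
    for ($i = 0; $i -lt $Rules.Count; $i++) {
        for ($j = $i + 1; $j -lt $Rules.Count; $j++) {
            $a = $Rules[$i]; $b = $Rules[$j]
            # Only compare rules that name a local port and agree on direction and protocol.
            if (-not $a.LPort -or $a.LPort -ne $b.LPort) { continue }
            if ($a.Dir -ne $b.Dir -or $a.Protocol -ne $b.Protocol) { continue }
            $shared = @($a.Profile | Where-Object { $b.Profile -contains $_ })
            if ($shared.Count -gt 0) {
                $where = $shared -join ', '
                '{0} and {1} both cover {2} protocol {3} port {4} on: {5}' -f $a.Id, $b.Id, $a.Dir, $a.Protocol, $a.LPort, $where
            }
        }
    }
}

# Constructed sample values (not taken from the thread's attachments).
$sample = @{
    'Sample-A' = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|LPort=5985|Name=WinRM HTTP-In|'
    'Sample-B' = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=5985|Name=WinRM HTTP-In (second entry)|'
    'Sample-C' = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|LPort=5985|Name=WinRM HTTP-In|'
    'Sample-D' = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=80|Name=WinRM Compatibility|'
}
$rules = foreach ($id in ($sample.Keys | Sort-Object)) { ConvertFrom-FirewallRuleString $id $sample[$id] }
Find-OverlappingRule $rules

# On a client, read the applied policy instead of $sample:
# $k = Get-Item $PolicyKey
# $rules = $k.GetValueNames() | ForEach-Object { ConvertFrom-FirewallRuleString $_ ($k.GetValue($_)) }
```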