XP Pro sp2 Firewall on Corporate domain

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In a corporate environment, which ports do you need to have open on an XP
Pro machine with sp2 to allow you to remotely manage that PC?
6 answers Last reply
More about firewall corporate domain
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    TCP 3389 for Remote Desktop.

    Matt Gibson - GSEC

    "David" <NOSPAMDavidGerst@anti-spam.tempco.com> wrote in message
    news:ejqZcM3HFHA.3928@TK2MSFTNGP09.phx.gbl...
    >
    >
    > In a corporate environment, which ports do you need to have open on an XP
    > Pro machine with sp2 to allow you to remotely manage that PC?
    >
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    I am aware of the port for Remote Desktop. I should have been more specific
    in my question. If you right click on "My Computer" and then click "Manage"
    you get the Computer Management snap-in. If you either right click on
    "Computer Management (Local)" or select "Action" from the menu and choose
    "Connect To Another Computer". I am able to connect to another PC this way,
    but I am unable to create a file share, view system properties, and / or
    change "Environment Variables" for an example. Remote management is handy
    this way as it doesn't require booting the user off of the system to make
    the changes. I haven't tried it yet, but I suspect remote registry changes
    are blocked too by the firewall.

    I would like to restore these capabilities w/o having to completely turn off
    the firewall.

    thanks.

    - David


    "Matt Gibson" <mattg@blueedgetech.ca> wrote in message
    news:OAOFyo3HFHA.3428@TK2MSFTNGP10.phx.gbl...
    > TCP 3389 for Remote Desktop.
    >
    > Matt Gibson - GSEC
    >
    > "David" <NOSPAMDavidGerst@anti-spam.tempco.com> wrote in message
    > news:ejqZcM3HFHA.3928@TK2MSFTNGP09.phx.gbl...
    >>
    >>
    >> In a corporate environment, which ports do you need to have open on an XP
    >> Pro machine with sp2 to allow you to remotely manage that PC?
    >>
    >
    >
  3. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    I'm not sure off the top of my head.

    Have you tried turning on the logging on the XP firewall, and seeing what it
    blocks?

    Matt Gibson - GSEC

    "David" <NOSPAMDavidGerst@anti-spam.tempco.com> wrote in message
    news:O40VVX4HFHA.2704@tk2msftngp13.phx.gbl...
    >I am aware of the port for Remote Desktop. I should have been more
    >specific in my question. If you right click on "My Computer" and then
    >click "Manage" you get the Computer Management snap-in. If you either
    >right click on "Computer Management (Local)" or select "Action" from the
    >menu and choose "Connect To Another Computer". I am able to connect to
    >another PC this way, but I am unable to create a file share, view system
    >properties, and / or change "Environment Variables" for an example. Remote
    >management is handy this way as it doesn't require booting the user off of
    >the system to make the changes. I haven't tried it yet, but I suspect
    >remote registry changes are blocked too by the firewall.
    >
    > I would like to restore these capabilities w/o having to completely turn
    > off the firewall.
    >
    > thanks.
    >
    > - David
    >
    >
    > "Matt Gibson" <mattg@blueedgetech.ca> wrote in message
    > news:OAOFyo3HFHA.3428@TK2MSFTNGP10.phx.gbl...
    >> TCP 3389 for Remote Desktop.
    >>
    >> Matt Gibson - GSEC
    >>
    >> "David" <NOSPAMDavidGerst@anti-spam.tempco.com> wrote in message
    >> news:ejqZcM3HFHA.3928@TK2MSFTNGP09.phx.gbl...
    >>>
    >>>
    >>> In a corporate environment, which ports do you need to have open on an
    >>> XP Pro machine with sp2 to allow you to remotely manage that PC?
    >>>
    >>
    >>
    >
    >
  4. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    nope, hadn't thought of that one. Excellent suggestion though. I can't
    believe I didn't think of that!


    "Matt Gibson" <mattg@blueedgetech.ca> wrote in message
    news:uR9$gT6HFHA.2276@TK2MSFTNGP15.phx.gbl...
    > I'm not sure off the top of my head.
    >
    > Have you tried turning on the logging on the XP firewall, and seeing what
    > it blocks?
    >
    > Matt Gibson - GSEC
    >
    > "David" <NOSPAMDavidGerst@anti-spam.tempco.com> wrote in message
    > news:O40VVX4HFHA.2704@tk2msftngp13.phx.gbl...
    >>I am aware of the port for Remote Desktop. I should have been more
    >>specific in my question. If you right click on "My Computer" and then
    >>click "Manage" you get the Computer Management snap-in. If you either
    >>right click on "Computer Management (Local)" or select "Action" from the
    >>menu and choose "Connect To Another Computer". I am able to connect to
    >>another PC this way, but I am unable to create a file share, view system
    >>properties, and / or change "Environment Variables" for an example.
    >>Remote management is handy this way as it doesn't require booting the user
    >>off of the system to make the changes. I haven't tried it yet, but I
    >>suspect remote registry changes are blocked too by the firewall.
    >>
    >> I would like to restore these capabilities w/o having to completely turn
    >> off the firewall.
    >>
    >> thanks.
    >>
    >> - David
    >>
    >>
    >> "Matt Gibson" <mattg@blueedgetech.ca> wrote in message
    >> news:OAOFyo3HFHA.3428@TK2MSFTNGP10.phx.gbl...
    >>> TCP 3389 for Remote Desktop.
    >>>
    >>> Matt Gibson - GSEC
    >>>
    >>> "David" <NOSPAMDavidGerst@anti-spam.tempco.com> wrote in message
    >>> news:ejqZcM3HFHA.3928@TK2MSFTNGP09.phx.gbl...
    >>>>
    >>>>
    >>>> In a corporate environment, which ports do you need to have open on an
    >>>> XP Pro machine with sp2 to allow you to remotely manage that PC?
    >>>>
    >>>
    >>>
    >>
    >>
    >
    >
  5. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    David wrote:

    > I am aware of the port for Remote Desktop. I should have been more specific
    > in my question. If you right click on "My Computer" and then click "Manage"
    > you get the Computer Management snap-in. If you either right click on
    > "Computer Management (Local)" or select "Action" from the menu and choose
    > "Connect To Another Computer". I am able to connect to another PC this way,
    > but I am unable to create a file share, view system properties, and / or
    > change "Environment Variables" for an example. Remote management is handy
    > this way as it doesn't require booting the user off of the system to make
    > the changes. I haven't tried it yet, but I suspect remote registry changes
    > are blocked too by the firewall.
    >
    > I would like to restore these capabilities w/o having to completely turn off
    > the firewall.
    Hi

    There is a Group Policy setting to open for this:

    Policy path:
    Computer Configuration\Administrative Templates\Network\
    Network Connections\Windows Firewall\<Domain|Standard> Profile\

    Policy name:
    Windows Firewall: Allow remote administration exception

    From PolicySettings.xls available here:

    Group Policy Settings Reference for Windows XP Professional
    Service Pack 2
    http://www.microsoft.com/downloads/details.aspx?familyid=ef3a35c0-19b9-4acc-b5be-9b7dab13108e&displaylang=en

    <quote>
    Administrative Templates\Network\Network Connections\Windows Firewall
    \<some> Profile
    Windows Firewall: Allow remote administration exception

    Allows remote administration of this computer using administrative
    tools such as the Microsoft Management Console (MMC) and Windows
    Management Instrumentation (WMI). To do this, Windows Firewall opens
    TCP ports 135 and 445. Services typically use these ports to
    communicate using remote procedure calls (RPC) and Distributed
    Component Object Model (DCOM). This policy setting also allows
    SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages
    and allows hosted services to open additional dynamically-assigned
    ports, typically in the range of 1024 to 1034. If you enable this
    policy setting, Windows Firewall allows the computer to receive the
    unsolicited incoming messages associated with remote administration.
    You must specify the IP addresses or subnets from which these
    incoming messages are allowed. If you disable or do not configure
    this policy setting, Windows Firewall does not open TCP port 135 or
    445. Also, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from
    receiving unsolicited incoming messages, and prevents hosted
    services from opening additional dynamically-assigned ports. Because
    disabling this policy setting does not block TCP port 445, it does
    not conflict with the Windows Firewall: Allow file and printer
    sharing exception policy setting. Note: Malicious users often
    attempt to attack networks and computers using RPC and DCOM. We
    recommend that you contact the manufacturers of your critical
    programs to determine if they are hosted by SVCHOST.exe or LSASS.exe
    or if they require RPC and DCOM communication. If they do not, then
    do not enable this policy setting. Note: If any policy setting
    opens TCP port 445, Windows Firewall allows inbound ICMP echo
    request messages (the message sent by the Ping utility), even if the
    Windows Firewall: Allow ICMP exceptions policy setting would block
    them. Policy settings that can open TCP port 445 include Windows
    Firewall: Allow file and printer sharing exception, Windows Firewall:
    Allow remote administration exception, and Windows Firewall: Define
    port exceptions.

    </quote>


    Using netsh.exe, you can configure the "Allow for remote administration"
    setting from command line as well, like this:

    netsh.exe firewall set service type=remoteadmin mode=enable scope=subnet
    profile=domain

    If not a domain computer, you need to change to 'profile=standard'
    (or 'profile=all'). Scope can also be set to 'custom' and then you
    can add ip ranges to the command line as well.

    The netsh.exe syntax is documented in WF_XPSP2.doc.

    WF_XPSP2.doc "Deploying Windows Firewall Settings for Microsoft
    Windows XP with Service Pack 2" is downloadable from
    http://www.microsoft.com/downloads/details.aspx?familyid=4454e0e1-61fa-447a-bdcd-499f73a637d1


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  6. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    I have it working now.

    I found these to be extremely useful;

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngdepgp.mspx
    and kb842933


    "Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
    news:eNdmVBBIFHA.2976@TK2MSFTNGP15.phx.gbl...
    > David wrote:
    >
    >> I am aware of the port for Remote Desktop. I should have been more
    >> specific
    >> in my question. If you right click on "My Computer" and then click
    >> "Manage"
    >> you get the Computer Management snap-in. If you either right click on
    >> "Computer Management (Local)" or select "Action" from the menu and choose
    >> "Connect To Another Computer". I am able to connect to another PC this
    >> way,
    >> but I am unable to create a file share, view system properties, and / or
    >> change "Environment Variables" for an example. Remote management is
    >> handy
    >> this way as it doesn't require booting the user off of the system to make
    >> the changes. I haven't tried it yet, but I suspect remote registry
    >> changes
    >> are blocked too by the firewall.
    >>
    >> I would like to restore these capabilities w/o having to completely turn
    >> off
    >> the firewall.
    > Hi
    >
    > There is a Group Policy setting to open for this:
    >
    > Policy path:
    > Computer Configuration\Administrative Templates\Network\
    > Network Connections\Windows Firewall\<Domain|Standard> Profile\
    >
    > Policy name:
    > Windows Firewall: Allow remote administration exception
    >
    > From PolicySettings.xls available here:
    >
    > Group Policy Settings Reference for Windows XP Professional
    > Service Pack 2
    > http://www.microsoft.com/downloads/details.aspx?familyid=ef3a35c0-19b9-4acc-b5be-9b7dab13108e&displaylang=en
    >
    > <quote>
    > Administrative Templates\Network\Network Connections\Windows Firewall
    > \<some> Profile
    > Windows Firewall: Allow remote administration exception
    >
    > Allows remote administration of this computer using administrative
    > tools such as the Microsoft Management Console (MMC) and Windows
    > Management Instrumentation (WMI). To do this, Windows Firewall opens
    > TCP ports 135 and 445. Services typically use these ports to
    > communicate using remote procedure calls (RPC) and Distributed
    > Component Object Model (DCOM). This policy setting also allows
    > SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages
    > and allows hosted services to open additional dynamically-assigned
    > ports, typically in the range of 1024 to 1034. If you enable this
    > policy setting, Windows Firewall allows the computer to receive the
    > unsolicited incoming messages associated with remote administration.
    > You must specify the IP addresses or subnets from which these
    > incoming messages are allowed. If you disable or do not configure
    > this policy setting, Windows Firewall does not open TCP port 135 or
    > 445. Also, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from
    > receiving unsolicited incoming messages, and prevents hosted
    > services from opening additional dynamically-assigned ports. Because
    > disabling this policy setting does not block TCP port 445, it does
    > not conflict with the Windows Firewall: Allow file and printer
    > sharing exception policy setting. Note: Malicious users often
    > attempt to attack networks and computers using RPC and DCOM. We
    > recommend that you contact the manufacturers of your critical
    > programs to determine if they are hosted by SVCHOST.exe or LSASS.exe
    > or if they require RPC and DCOM communication. If they do not, then
    > do not enable this policy setting. Note: If any policy setting
    > opens TCP port 445, Windows Firewall allows inbound ICMP echo
    > request messages (the message sent by the Ping utility), even if the
    > Windows Firewall: Allow ICMP exceptions policy setting would block
    > them. Policy settings that can open TCP port 445 include Windows
    > Firewall: Allow file and printer sharing exception, Windows Firewall:
    > Allow remote administration exception, and Windows Firewall: Define
    > port exceptions.
    >
    > </quote>
    >
    >
    > Using netsh.exe, you can configure the "Allow for remote administration"
    > setting from command line as well, like this:
    >
    > netsh.exe firewall set service type=remoteadmin mode=enable scope=subnet
    > profile=domain
    >
    > If not a domain computer, you need to change to 'profile=standard'
    > (or 'profile=all'). Scope can also be set to 'custom' and then you
    > can add ip ranges to the command line as well.
    >
    > The netsh.exe syntax is documented in WF_XPSP2.doc.
    >
    > WF_XPSP2.doc "Deploying Windows Firewall Settings for Microsoft
    > Windows XP with Service Pack 2" is downloadable from
    > http://www.microsoft.com/downloads/details.aspx?familyid=4454e0e1-61fa-447a-bdcd-499f73a637d1
    >
    >
    >
    > --
    > torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    > Administration scripting examples and an ONLINE version of
    > the 1328 page Scripting Guide:
    > http://www.microsoft.com/technet/scriptcenter/default.mspx
Ask a new question

Read More

Security Domain Firewalls Microsoft Windows XP