Archived from groups: microsoft.public.windowsxp.security_admin (
More info?)
I have it working now.
I found these to be extremely useful;
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngdepgp.mspx
and kb842933
"Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
news:eNdmVBBIFHA.2976@TK2MSFTNGP15.phx.gbl...
> David wrote:
>
>> I am aware of the port for Remote Desktop. I should have been more
>> specific
>> in my question. If you right click on "My Computer" and then click
>> "Manage"
>> you get the Computer Management snap-in. If you either right click on
>> "Computer Management (Local)" or select "Action" from the menu and choose
>> "Connect To Another Computer". I am able to connect to another PC this
>> way,
>> but I am unable to create a file share, view system properties, and / or
>> change "Environment Variables" for an example. Remote management is
>> handy
>> this way as it doesn't require booting the user off of the system to make
>> the changes. I haven't tried it yet, but I suspect remote registry
>> changes
>> are blocked too by the firewall.
>>
>> I would like to restore these capabilities w/o having to completely turn
>> off
>> the firewall.
> Hi
>
> There is a Group Policy setting to open for this:
>
> Policy path:
> Computer Configuration\Administrative Templates\Network\
> Network Connections\Windows Firewall\<Domain|Standard> Profile\
>
> Policy name:
> Windows Firewall: Allow remote administration exception
>
> From PolicySettings.xls available here:
>
> Group Policy Settings Reference for Windows XP Professional
> Service Pack 2
>
http://www.microsoft.com/downloads/details.aspx?familyid=ef3a35c0-19b9-4acc-b5be-9b7dab13108e&displaylang=en
>
> <quote>
> Administrative Templates\Network\Network Connections\Windows Firewall
> \<some> Profile
> Windows Firewall: Allow remote administration exception
>
> Allows remote administration of this computer using administrative
> tools such as the Microsoft Management Console (MMC) and Windows
> Management Instrumentation (WMI). To do this, Windows Firewall opens
> TCP ports 135 and 445. Services typically use these ports to
> communicate using remote procedure calls (RPC) and Distributed
> Component Object Model (DCOM). This policy setting also allows
> SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages
> and allows hosted services to open additional dynamically-assigned
> ports, typically in the range of 1024 to 1034. If you enable this
> policy setting, Windows Firewall allows the computer to receive the
> unsolicited incoming messages associated with remote administration.
> You must specify the IP addresses or subnets from which these
> incoming messages are allowed. If you disable or do not configure
> this policy setting, Windows Firewall does not open TCP port 135 or
> 445. Also, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from
> receiving unsolicited incoming messages, and prevents hosted
> services from opening additional dynamically-assigned ports. Because
> disabling this policy setting does not block TCP port 445, it does
> not conflict with the Windows Firewall: Allow file and printer
> sharing exception policy setting. Note: Malicious users often
> attempt to attack networks and computers using RPC and DCOM. We
> recommend that you contact the manufacturers of your critical
> programs to determine if they are hosted by SVCHOST.exe or LSASS.exe
> or if they require RPC and DCOM communication. If they do not, then
> do not enable this policy setting. Note: If any policy setting
> opens TCP port 445, Windows Firewall allows inbound ICMP echo
> request messages (the message sent by the Ping utility), even if the
> Windows Firewall: Allow ICMP exceptions policy setting would block
> them. Policy settings that can open TCP port 445 include Windows
> Firewall: Allow file and printer sharing exception, Windows Firewall:
> Allow remote administration exception, and Windows Firewall: Define
> port exceptions.
>
> </quote>
>
>
> Using netsh.exe, you can configure the "Allow for remote administration"
> setting from command line as well, like this:
>
> netsh.exe firewall set service type=remoteadmin mode=enable scope=subnet
> profile=domain
>
> If not a domain computer, you need to change to 'profile=standard'
> (or 'profile=all'). Scope can also be set to 'custom' and then you
> can add ip ranges to the command line as well.
>
> The netsh.exe syntax is documented in WF_XPSP2.doc.
>
> WF_XPSP2.doc "Deploying Windows Firewall Settings for Microsoft
> Windows XP with Service Pack 2" is downloadable from
>
http://www.microsoft.com/downloads/details.aspx?familyid=4454e0e1-61fa-447a-bdcd-499f73a637d1
>
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
>
http://www.microsoft.com/technet/scriptcenter/default.mspx