Steve's personal weblog

Interesting flotsam on programming, Java, .NET, Configuration Management, and the geek lifestyle.

Wednesday, August 25, 2004

Up and Over the Windows Firewall

(copied from an email sent to me. This may be on the web somewhere, but I just copied it here for reference purposes)

I installed Windows XP Service Pack 2 on my test system a few weeks ago and started playing with it. A lot of what I call "playing" entails remote administration and management. I wanted to see what SP2—especially the much-hyped new Windows Firewall—would do for (or to) remote management. Naturally, it pretty much broke everything. The first thing I noticed was the constant warnings that my XP system wasn't running an antivirus package. For legal purposes, Microsoft made XP SP2 complain incessantly until you installed antivirus software, which you had to purchase from another software company. I'm OK with that. We should all be running antivirus software and I don't mind being reminded. But the minute I tried to Remote Desktop into my newly service-packed machine, I was stymied. Nothing connected. Windows Firewall, it turns out, works spectacularly. You just can't touch a remote XP box once that firewall is running. This is somewhat irritating when I've got several clients making heavy use of remote management scripts that are now, essentially, useless. I know I can control the Windows Firewall through some Group Policy settings, but my test XP box isn't a domain member, so I wanted to look at alternatives. I found the start of a solution on the blog of a Microsoft Scripting Guy. Seems Windows Firewall is accessible to VBScript.
He provides the following four lines of code to set the firewall to allow RPC connections, which is what Windows Management Instrumentation (WMI) and many other remote management scripts need to operate:

Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
Set objAdminSettings = objPolicy.RemoteAdminSettings
objAdminSettings.Enabled = TRUE

Problem is, you have to first get the script onto the machine, which is near impossible with Windows Firewall running. In a domain, you might assign the script as a logon script or startup script and it'd take care of business. You can do a better job with Group Policy, allowing incoming RPC connections only from the local subnet, for example, if that's where you'll be running management scripts. Obviously, you need to use a script like this with some caution. Make sure you're not opening a hole bigger than you need—the firewall exists to help protect client machines and if you indiscriminately shut it off or punch it full of holes you're defeating that protection.

--Don Jones
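The four-line script above opens the remote administration exception to every address. As an added example (not from the original email or the Scripting Guy post), the script below uses the same HNetCfg.FwMgr object but restricts the exception to the local subnet, as the author recommends, and reports the profile state first; it assumes Windows XP SP2 and the documented INetFwProfile / INetFwRemoteAdminSettings properties.

```vbscript
' Added example: enable the Windows Firewall "Remote Administration" exception
' (RPC/DCOM for WMI and similar scripts) scoped to the local subnet only.
' Assumes XP SP2's HNetCfg.FwMgr COM object; run as a local administrator.
Option Explicit

' Scope values from the Windows Firewall API (NET_FW_SCOPE enumeration).
Const NET_FW_SCOPE_ALL          = 0
Const NET_FW_SCOPE_LOCAL_SUBNET = 1

Dim objFirewall, objProfile, objAdmin

Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objProfile  = objFirewall.LocalPolicy.CurrentProfile
Set objAdmin    = objProfile.RemoteAdminSettings

' If the firewall is off there is nothing to scope; say so rather than
' silently "succeeding".
If Not objProfile.FirewallEnabled Then
    WScript.Echo "Windows Firewall is OFF for the current profile."
    WScript.Quit 1
End If

' "Don't allow exceptions" overrides every exception, including this one.
If objProfile.ExceptionsNotAllowed Then
    WScript.Echo "Profile allows no exceptions; remote admin stays blocked."
End If

' Narrow the exception before enabling it, so it is never briefly
' open to all addresses (the default scope).
objAdmin.Scope   = NET_FW_SCOPE_LOCAL_SUBNET
objAdmin.Enabled = True

' Report the resulting state so the change can be verified.
WScript.Echo "Remote administration enabled: " & objAdmin.Enabled
If objAdmin.Scope = NET_FW_SCOPE_ALL Then
    WScript.Echo "Scope: ALL addresses (wider than needed)"
Else
    WScript.Echo "Scope: local subnet (" & objAdmin.RemoteAddresses & ")"
End If
```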