Firewall Settings
Windows Firewall Settings with the Command Line
The installation of Windows XP SP2 and later includes the Windows Firewall which blocks all remote access by default. Use the "Netsh" command to set up Windows Firewall. The "Netsh" command is a command line scripting tool which works together with other operating system components over dynamic library files (DLL). The following paragraphs describe how to configure Firewall settings with the "Netsh" command.
- Without Agent – enable Remote Admin. The Remote Admin service must be enabled to allow communication between Collector and the machine to be detected. The Remote Admin is disabled in Windows Firewall by default.
Use the following command to enable Remote Admin over the command line (Cmd.exe) on a local workstation
netsh firewall set service RemoteAdmin enable subnet
If you need to enable Remote Admin remotely, you can use the firewall utility PsExec together with the command line Cmd.exe. Basic PsExec syntax:
psexec [\\computer[,computer[,...]] [-u user] [-p pswd]] cmd
Parameters:
- \\computer – the machine on which the cmd command will be executed. If you use \\* the cmd command will be executed on all machines in the current domain.
- -u – the account under which the command will be executed.
- -p – the password to the above account.
- cmd – the program to be executed.
Example 2. PsExec – enabling Remote Admin
We need to enable Remote Admin with the network name PCOFFICE. Remote Admin will be enabled from the entire local network.
psexec \\pcoffice -u administrator_account_name -p administrator_account_password netsh firewall set service remoteadmin enable subnet
Example 3. PsExec – enabling Remote Admin
We need to enable Remote Admin on all machines in the current domain. Remote Admin will be enabled from the entire local network.
psexec \\* -u domain_administrator_account_name -p domain_administrator_account_password netsh firewall set service remoteadmin enable subnet
Example 4. PsExec – enabling Remote Admin
We need to enable Remote Admin on all machines in the current domain. The account from which PsExec has been executed will be used. The Remote Admin will only be enabled from the machine 192.168.10.21.
psexec \\* netsh firewall set service remoteadmin enable custom 192.168.10.21
- Agent over TCP/IP – enable port – the Agent needs access over a port of the Windows Firewall to communicate with the Collector. The default Agent port is port 760.
Example 5. Opening a port
We need to open port 760 over command line (Cmd) on a local workstation. Remote Admin will be enabled from the entire local network.
netsh firewall set portopening TCP 760 ALC_EP enable subnet
Example 6. PsExec – opening a port
We will use the PsExec utility to enable the port 760 remotely on all machines in the current domain. Remote Admin will be enabled from the entire local network.
psexec \\* –u administrator_account_name -p administrator_account_password netsh firewall set portopening TCP 760 ALC_EP enable subnet
Windows Firewall Settings with Group Policies in Active Directory
The installation of Windows XP SP2 and later includes the Windows Firewall which blocks all remote access by default. Use the Group Policy to set up Windows Firewall.
Windows Firewall can be set up over Group Policy in Active Directory only in networks with Windows 2003 Server Service Pack 2003 SP1 (SBS 2003) or later as the domain server.
- Without Agent – enable Remote Admin – workflow to enable Remote Admin over Group Policy in Active Directory.
- Open Start – Run – mmc
- In the tree, select the item Local Machine - -Policy - -Computer Configuration - -Administrative Templates - -Network - -Network Connections - -Windows Firewall - -Domain Profile
- In the list, select the item Windows Firewall: Allow remote administration exception and switch it to Enabled. If you need a higher security level, fill the Enabled sources of unsolicited messages with the IP or subnetwork address from which you wish to enable receiving messages.
- Agent over TCP/IP – enable port – workflow to enable port 760 over Group Policy in Active Directory. Remote Admin will be enabled from the entire local network.
- Open Start – Run – mmc
- In the tree, select the item Local Computer - -Policies- - Computer Configuration- - Administrative Templates- - Network - -Network Connections- - Windows Firewall- - Domain Profile
- In the list, select the item Windows Firewall: Define port exceptions and switch it to Enabled. This will activate the View button. Please click on it. A new window will open. Click on the Add button and enter the following value: "760:TCP:Localsubnet:enabled:ALC_EP"
Warning: If you have set up all settings over Group Policy in Active Directory, these settings can now only be changed again in the Group Policy, but no longer over the command line!
Did not find what you were looking for? Ask our technical support team.
|