Skip Navigation LinksALVAO 8.2ALVAO Asset ManagementSystem Implementation in an OrganizationHardware and Software DetectionFirewall Settings Skip Navigation Links. Skip Navigation Links Skip Navigation Links.


Firewall Settings

Windows Firewall Settings with the Command Line

The installation of Windows XP SP2 and later includes the Windows Firewall which blocks all remote access by default. Use the "Netsh" command to set up Windows Firewall. The "Netsh" command is a command line scripting tool which works together with other operating system components over dynamic library files (DLL). The following paragraphs describe how to configure Firewall settings with the "Netsh" command.

  • Without Agent – enable Remote Admin. The Remote Admin service must be enabled to allow communication between Collector and the machine to be detected. The Remote Admin is disabled in Windows Firewall by default.

    Use the following command to enable Remote Admin over the command line (Cmd.exe) on a local workstation

    netsh firewall set service RemoteAdmin enable subnet

    If you need to enable Remote Admin remotely, you can use the firewall utility PsExec together with the command line Cmd.exe. Basic PsExec syntax:

    psexec [\\computer[,computer[,...]] [-u user] [-p pswd]] cmd

    Parameters:

    • \\computer – the machine on which the cmd command will be executed. If you use \\* the cmd command will be executed on all machines in the current domain.
    • -u – the account under which the command will be executed.
    • -p – the password to the above account.
    • cmd – the program to be executed.

    Example 2. PsExec – enabling Remote Admin

    We need to enable Remote Admin with the network name PCOFFICE. Remote Admin will be enabled from the entire local network.

    psexec \\pcoffice -u administrator_account_name -p administrator_account_password netsh firewall set service remoteadmin enable subnet 

    Example 3. PsExec – enabling Remote Admin

    We need to enable Remote Admin on all machines in the current domain. Remote Admin will be enabled from the entire local network.

    psexec \\* -u domain_administrator_account_name  -p domain_administrator_account_password netsh firewall set service remoteadmin enable subnet 

    Example 4. PsExec – enabling Remote Admin

    We need to enable Remote Admin on all machines in the current domain. The account from which PsExec has been executed will be used. The Remote Admin will only be enabled from the machine 192.168.10.21.

    psexec \\* netsh firewall set service remoteadmin enable custom 192.168.10.21
  • Agent over TCP/IP – enable port – the Agent needs access over a port of the Windows Firewall to communicate with the Collector. The default Agent port is port 760.

    Example 5. Opening a port

    We need to open port 760 over command line (Cmd) on a local workstation. Remote Admin will be enabled from the entire local network.

    netsh firewall set portopening TCP 760 ALC_EP enable subnet

    Example 6. PsExec – opening a port

    We will use the PsExec utility to enable the port 760 remotely on all machines in the current domain. Remote Admin will be enabled from the entire local network.

    psexec \\* –u administrator_account_name -p administrator_account_password netsh firewall set portopening TCP 760 ALC_EP enable subnet

Windows Firewall Settings with Group Policies in Active Directory

The installation of Windows XP SP2 and later includes the Windows Firewall which blocks all remote access by default. Use the Group Policy to set up Windows Firewall.

Windows Firewall can be set up over Group Policy in Active Directory only in networks with Windows 2003 Server Service Pack 2003 SP1 (SBS 2003) or later as the domain server.

  • Without Agent – enable Remote Admin – workflow to enable Remote Admin over Group Policy in Active Directory.
    1. Open Start – Run – mmc
    2. In the tree, select the item Local Machine - -Policy - -Computer Configuration - -Administrative Templates - -Network - -Network Connections - -Windows Firewall - -Domain Profile
    3. In the list, select the item Windows Firewall: Allow remote administration exception and switch it to Enabled. If you need a higher security level, fill the Enabled sources of unsolicited messages with the IP or subnetwork address from which you wish to enable receiving messages.
  • Agent over TCP/IP – enable port – workflow to enable port 760 over Group Policy in Active Directory. Remote Admin will be enabled from the entire local network.
    1. Open Start – Run – mmc
    2. In the tree, select the item Local Computer - -Policies- - Computer Configuration- - Administrative Templates- - Network - -Network Connections- - Windows Firewall- - Domain Profile
    3. In the list, select the item Windows Firewall: Define port exceptions and switch it to Enabled. This will activate the View button. Please click on it. A new window will open. Click on the Add button and enter the following value: "760:TCP:Localsubnet:enabled:ALC_EP"
Warning:
If you have set up all settings over Group Policy in Active Directory, these settings can now only be changed again in the Group Policy, but no longer over the command line!

 

Did not find what you were looking for? Ask our technical support team.