Windows Tip Sheet

Up and Over the Windows Firewall

Skirting the built-in, protective barrier known as Windows XP SP 2.

I installed Windows XP Service Pack 2 on my test system a few weeks ago and started playing with it. A lot of what I call "playing" entails remote administration and management. I wanted to see what SP2—especially the much-hyped new Windows Firewall—would do for (or to) remote management. Naturally, it pretty much broke everything.

The first thing I noticed was the constant warnings that my XP system wasn't running an antivirus package. For legal purposes, Microsoft made XP SP2 complain incessantly until you installed antivirus software, which you had to purchase from another software company. I'm OK with that. We should all be running antivirus software and I don't mind being reminded.

But the minute I tried to Remote Desktop into my newly service-packed machine, I was stymied. Nothing connected. Windows Firewall, it turns out, works spectacularly. You just can't touch a remote XP box once that firewall is running. This is somewhat irritating when I've got several clients making heavy use of remote management scripts that are now, essentially, useless. I know I can control the Windows Firewall through some Group Policy settings, but my test XP box isn't a domain member, so I wanted to look at alternatives.

I found the start of a solution on the blog of a Microsoft Scripting Guy. Seems Windows Firewall is accessible to VBScript. He provides the following four lines of code to set the firewall to allow RPC connections, which is what Windows Management Instrumentation WMI and many other remote management scripts need to operate:

Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile

Set objAdminSettings = objPolicy.RemoteAdminSettings
objAdminSettings.Enabled = TRUE

Problem is, you have to first get the script onto the machine, which is near impossible with Windows Firewall running. In a domain, you might assign the script as a logon script or startup script and it'd take care of business. You can do a better job with Group Policy, allowing incoming RPC connections only from the local subnet, for example, if that's where you'll be running management scripts.

Obviously, you need to use a script like this with some caution. Make sure you're not opening a hole bigger than you need—the firewall exists to help protect client machines and if you indiscriminately shut it off or punch it full of holes you're defeating that protection.

Micro Tip Sheet

The NETSH command has been updated in XP SP2 to provide Windows Firewall configuration capabilities. SP2 also installs IPv6 and firewalls it automatically; there have been suspicions that forthcoming exploits may focus on the IPv6 stack, which most users and administrators completely ignore even though some companies install it in their default XP images. SP2 nips that in the bud by activating the firewall by default on IPv6.

More Resources
The Scripting Guys’ First Blog: http://blogs.msdn.com/gstemp/

Bill Boswell's article on XP SP2's security features: http://mcpmag.com/columns/article.asp?EditorialsID=716

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.

comments powered by Disqus

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.