Windows Tip Sheet

Up and Over the Windows Firewall

Skirting the built-in, protective barrier known as Windows XP SP 2.

I installed Windows XP Service Pack 2 on my test system a few weeks ago and started playing with it. A lot of what I call "playing" entails remote administration and management. I wanted to see what SP2—especially the much-hyped new Windows Firewall—would do for (or to) remote management. Naturally, it pretty much broke everything.

The first thing I noticed was the constant warnings that my XP system wasn't running an antivirus package. For legal purposes, Microsoft made XP SP2 complain incessantly until you installed antivirus software, which you had to purchase from another software company. I'm OK with that. We should all be running antivirus software and I don't mind being reminded.

But the minute I tried to Remote Desktop into my newly service-packed machine, I was stymied. Nothing connected. Windows Firewall, it turns out, works spectacularly. You just can't touch a remote XP box once that firewall is running. This is somewhat irritating when I've got several clients making heavy use of remote management scripts that are now, essentially, useless. I know I can control the Windows Firewall through some Group Policy settings, but my test XP box isn't a domain member, so I wanted to look at alternatives.

I found the start of a solution on the blog of a Microsoft Scripting Guy. Seems Windows Firewall is accessible to VBScript. He provides the following four lines of code to set the firewall to allow RPC connections, which is what Windows Management Instrumentation (WMI) and many other remote management scripts need to operate:

' Connect to the Windows Firewall manager and select the profile currently in force
Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile

' Turn on the Remote Administration exception, which admits the inbound RPC
' traffic that WMI and similar remote management tools depend on
Set objAdminSettings = objPolicy.RemoteAdminSettings
objAdminSettings.Enabled = TRUE

Problem is, you have to first get the script onto the machine, which is near impossible with Windows Firewall running. In a domain, you might assign the script as a logon script or startup script and it'd take care of business. You can do a better job with Group Policy, allowing incoming RPC connections only from the local subnet, for example, if that's where you'll be running management scripts.

Obviously, you need to use a script like this with some caution. Make sure you're not opening a hole bigger than you need—the firewall exists to help protect client machines and if you indiscriminately shut it off or punch it full of holes you're defeating that protection.
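Putting the four lines and the local-subnet advice together, here is an added example (my own, not the Scripting Guys' code or anything from the column) that enables the RPC exception but limits it to the local subnet and then reports what is actually open. It relies on the Scope and RemoteAddresses properties and the NET_FW_SCOPE_* values of the same HNetCfg.FwMgr object model, which the column itself does not show.

```vbscript
' Added example, not from the original column: allow remote administration
' through the XP SP2 firewall for the local subnet only, then show the result
' so the administrator can confirm nothing wider was opened.
Option Explicit

' Scope values from the HNetCfg.FwMgr object model (NET_FW_SCOPE_*)
Const NET_FW_SCOPE_ALL          = 0
Const NET_FW_SCOPE_LOCAL_SUBNET = 1
Const NET_FW_SCOPE_CUSTOM       = 2

Dim objFirewall, objPolicy, objAdminSettings

Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy   = objFirewall.LocalPolicy.CurrentProfile

' Leave the firewall itself alone; this script only adds a scoped exception.
If Not objPolicy.FirewallEnabled Then
    WScript.Echo "Windows Firewall is not enabled on this profile; nothing to do."
    WScript.Quit 1
End If

' If "Don't allow exceptions" is set, the exception below will be ignored.
If objPolicy.ExceptionsNotAllowed Then
    WScript.Echo "Warning: exceptions are blocked on this profile; RPC stays closed."
End If

Set objAdminSettings = objPolicy.RemoteAdminSettings
objAdminSettings.Enabled = True
' Restrict the RPC exception to hosts on the local subnet rather than any address.
objAdminSettings.Scope = NET_FW_SCOPE_LOCAL_SUBNET

WScript.Echo "Remote admin enabled: " & objAdminSettings.Enabled
WScript.Echo "Scope: " & ScopeName(objAdminSettings.Scope)
If objAdminSettings.Scope = NET_FW_SCOPE_CUSTOM Then
    WScript.Echo "Allowed addresses: " & objAdminSettings.RemoteAddresses
End If

' Translate a scope value into the wording the firewall UI uses
Function ScopeName(lScope)
    Select Case lScope
        Case NET_FW_SCOPE_ALL:          ScopeName = "any computer (all addresses)"
        Case NET_FW_SCOPE_LOCAL_SUBNET: ScopeName = "my network (subnet) only"
        Case NET_FW_SCOPE_CUSTOM:       ScopeName = "custom address list"
        Case Else:                      ScopeName = "unknown (" & lScope & ")"
    End Select
End Function
```

Run it with cscript from an administrative account on the SP2 machine; the same subnet restriction can be pushed by Group Policy where the box is a domain member.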

Micro Tip Sheet

The NETSH command has been updated in XP SP2 to provide Windows Firewall configuration capabilities. SP2 also installs IPv6 and firewalls it automatically; there have been suspicions that forthcoming exploits may focus on the IPv6 stack, which most users and administrators completely ignore even though some companies install it in their default XP images. SP2 nips that in the bud by activating the firewall by default on IPv6.

More Resources
The Scripting Guys’ First Blog:

Bill Boswell's article on XP SP2's security features:

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.


Reader Comments:

Thu, Sep 16, 2004 Anonymous Anonymous

Well, like the above posts say, just look into the config and it's a simple check box to enable Remote Desktop. Easy as that.

Tue, Sep 14, 2004 Anonymous Anonymous

There's a very obvious checkbox in the advanced settings of the firewall to enable Remote Desktop...I checked it and can remote the same as I did pre-SP2. Research before publishing!

Tue, Sep 14, 2004 Techno-geek Anonymous

How did this article ever get published? What a joke! Every firewall I've ever set up needs to be configured; why would the XP SP2 Windows Firewall be any different? Dude, don't quit your day job!

Mon, Aug 30, 2004 Anonymous Anonymous

This article just scares people who don't know any better. Remote access is easily turned on in the advanced settings of the new firewall.

Wed, Aug 25, 2004 Anonymous Anonymous

I am still in an NT4 domain so GP isn't an option. I am not a scripting sort, so I just reconfigured the Firewall .inf to allow the remote admin ports as well as RDP and a few others. I created a simple batch file to copy the reconfigured .inf file to the SP2 machines and, speaking of netsh, the batch file also contains the "netsh firewall reset" command to finish the work. It still will require visiting each machine individually, sort of... As it turns out, all of our XP machines have Remote Desktop enabled and the final version of the SP (not the beta or RC versions) doesn't turn it off if it's already on. Therefore we could use Remote Desktop to avoid visiting each machine physically.
We can't use logon scripts to run the batch file since our users are not Administrators. Not having completed the AD migration is beginning to be a problem.

Wed, Aug 25, 2004 Bob Rath Tampa

We had no problems with configuring the firewall. Our primary configuration was performed through GPO. But we also tested just opening up the port by activating the Remote Desktop option without any problems. We have been testing all of our software for compatibility and planning for our deployment within the next week.

Wed, Aug 25, 2004 Jason Boche Minneapolis

I recall reading several weeks ago that the Windows Firewall would be available via WSH so mass scripting of firewall settings for rollout or whatever is possible if you don't want to do it via GPO.

I'm on board with nagging anti-virus messages. I'm also on board with difficulty getting into remote systems because the firewall broke stuff. That's the nature of a firewall and SOMETHING HAS GOT TO BE DONE about the rampant crap that is ruining the internet experience (trojans, viruses, back doors, hacking, etc.).

You can't make an omelet without breaking a few eggs.
