Windows Tip Sheet
Up and Over the Windows Firewall
Skirting the built-in, protective barrier known as Windows XP SP 2.
I installed Windows XP Service Pack 2 on my test system a few weeks
ago and started playing with it. A lot of what I call "playing"
entails remote administration and management. I wanted to see what
SP2—especially the much-hyped new Windows Firewall—would
do for (or to) remote management. Naturally, it pretty much broke
The first thing I noticed was the constant warnings that my XP
system wasn't running an antivirus package. For legal purposes,
Microsoft made XP SP2 complain incessantly until you installed antivirus
software, which you had to purchase from another software company.
I'm OK with that. We should all be running antivirus software and
I don't mind being reminded.
But the minute I tried to Remote Desktop into my newly service-packed
machine, I was stymied. Nothing connected. Windows Firewall, it
turns out, works spectacularly. You just can't touch a remote XP
box once that firewall is running. This is somewhat irritating when
I've got several clients making heavy use of remote management scripts
that are now, essentially, useless. I know I can control the Windows
Firewall through some Group Policy settings, but my test XP box
isn't a domain member, so I wanted to look at alternatives.
I found the start of a solution on the blog of a Microsoft Scripting
Guy. Seems Windows Firewall is accessible to VBScript. He provides
the following four lines of code to set the firewall to allow RPC
connections, which is what Windows Management Instrumentation WMI
and many other remote management scripts need to operate:
Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
Set objAdminSettings = objPolicy.RemoteAdminSettings
objAdminSettings.Enabled = TRUE
Problem is, you have to first get the script onto the machine,
which is near impossible with Windows Firewall running. In a domain,
you might assign the script as a logon script or startup script
and it'd take care of business. You can do a better job with Group
Policy, allowing incoming RPC connections only from the local subnet,
for example, if that's where you'll be running management scripts.
Obviously, you need to use a script like this with some caution.
Make sure you're not opening a hole bigger than you need—the
firewall exists to help protect client machines and if you indiscriminately
shut it off or punch it full of holes you're defeating that protection.
The NETSH command has been updated in
XP SP2 to provide Windows Firewall configuration capabilities.
SP2 also installs IPv6 and firewalls it automatically;
there have been suspicions that forthcoming exploits
may focus on the IPv6 stack, which most users and administrators
completely ignore even though some companies install
it in their default XP images. SP2 nips that in the
bud by activating the firewall by default on IPv6.
The Scripting Guys’ First Blog: http://blogs.msdn.com/gstemp/
Bill Boswell's article on XP SP2's security features: http://mcpmag.com/columns/article.asp?EditorialsID=716
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.