Mr. Script

Remote Scripting for SP2

Is Windows XP SP2 bringing your remote admin scripts down? Mr. Script has the answer you've been looking for.

It was inevitable. For months—nay, years—I have been extolling the virtues of remote scripting. Indeed, Windows Management Instrumentation (WMI) and the Active Directory Services Interface (ADSI) are frequently recurring themes in these pages. You just can’t beat good, solid remote administration.

Then, with Windows XP SP2, Microsoft comes along and (finally!) introduces a stateful firewall into the Windows operating system that, by default, disallows remote administration. Raise your hand if you think I received more than just a few cards and letters from dedicated scripters wondering if I had any idea why some script of mine they’ve been using for months no longer works. Oh yes, they’re still pouring in.

Now, far be it from me to complain about additional security. But it would have been nice if Microsoft had given us scripters some clear instructions on how to prepare, so we wouldn’t have had to find out the hard way (i.e., when our scripts broke).

The Good News
Allow me to pick up where Microsoft left off, by explaining what we need to do to enable our remote admin scripts to work again on XP machines. And wouldn’t you know it, I’ve built a script to handle it. But first, let’s review how and why SP2 broke our scripts.

With SP2, the default setting for the Windows Firewall is "On," with exceptions allowed. In other words, all unsolicited traffic from outside the computer is blocked, but you can set it to permit (read: not drop) traffic for certain programs and/or traffic that uses certain ports. You can also turn it off completely if you wish, but this isn’t recommended (except as noted below).

This default configuration is stored in %windir%\inf\netfw.inf. This file never changes on its own and is read whenever you reset the firewall by running netsh firewall reset from a command prompt. It’s this file we’ll be changing to enable remote administration.

The Windows Firewall also supports two profiles: Standard and Domain. Domain is self-explanatory—it applies to the computer only when connected to the domain (which, of course, only applies to computers that are members of a domain).

When not connected to the domain, the Standard profile applies. You can, for instance, disable the firewall in the Domain profile if you’re content that your corporate firewall provides sufficient protection. For each profile, you can also establish a scope of authorized networks and IP addresses that are allowed to perform remote administration.

By definition, resetting the firewall deletes any previously created exceptions. We can save these Registry keys manually, or simply repeat the process of enabling them as we did when we first installed SP2.

As an example, I’ll take you through the reset process to enable Remote Administration for the Domain profile.

<package>
 <job>
  <comment>
  RemoteFW.wsf
  This script runs locally to reset the Windows Firewall to allow remote administration. Configuration settings are stored in a text file that is passed as the FILE argument.
  </comment>
  <runtime>
   <named
    name="File"
    helpstring="Name of netfw config file"
    type="string"
    required="true"
   />
   <example>
   c:\>cscript RemoteFW.wsf /File:c:\netfw.v1
   </example>
  </runtime>
  <object
   id="objFSO"
   progid="Scripting.FileSystemObject"
   reference="true"
  />
  <object
   id="objShell"
   progid="WScript.Shell"
   reference="true"
  />
  <script language="VBScript">
  <![CDATA[
  Option Explicit
  Dim strWinDir, strSourceFile

  'Locate the live netfw.inf under %WinDir%\inf and read the template path from /File:
  strWinDir = objShell.ExpandEnvironmentStrings("%WinDir%")
  strSourceFile = WScript.Arguments.Named.Item("File")

  'Stop before touching the firewall if the template file is missing
  If Not objFSO.FileExists(strSourceFile) Then
    WScript.Echo "Config file not found: " & strSourceFile
    WScript.Quit 1
  End If

  'Copy the new netfw.inf file over the default one (True = overwrite)
  objFSO.CopyFile strSourceFile, strWinDir & "\inf\netfw.inf", True

  'Reset the firewall so it re-reads the defaults (hidden window, wait for exit)
  objShell.Run "netsh firewall reset", 0, True
  ]]>
  </script>
 </job>
</package>

How It Works
The script takes a single command-line argument, File, which specifies the netfw.Vx file containing the appropriate configuration for that computer. (This would probably be on a floppy disk or CD, as you have to go from desk to desk to complete this task.)

File Listing 1 shows the netfw.V1 file that we use. Keeping the configuration in a separate template file gives us maximum flexibility. If you only need one or two different firewall configurations, you need only create one or two different template files. On the other hand, if your organization consists of a combination of desktop and notebook computers spread across several subnets, this could quickly get complicated. With the approach we’ve taken, you’ve got room to grow.

File Listing 1:
[version]
Signature = "$Windows NT$"
DriverVer =07/01/2001,5.1.2600.2180

[DefaultInstall]
AddReg=ICF.AddReg.DomainProfile
AddReg=ICF.AddReg.StandardProfile

[ICF.AddReg.DomainProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\RemoteAdminSettings","Enabled",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\RemoteAdminSettings","RemoteAddresses",0x00000000,"*"

[ICF.AddReg.StandardProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

The Catch-22
Using this script, you can configure the remote admin setting on any computer in your organization. It must, however, be run locally. You could accomplish the same thing remotely, using WMI to change the Registry directly and to copy the proper default netfw.inf file to the remote computer, except for one problem: if the Windows Firewall is enabled (the default), you can’t use WMI to change it because you can’t connect in the first place.

If you haven’t yet upgraded your XP machines to SP2, I highly recommend configuring the firewall prior to installation. You’ll save yourself a big headache. The file on the CD is called netfw.in_ and is in the i386 directory. The easiest solution is to copy the CD to a network share and edit this file to an appropriate configuration, such as allowing access in the Domain profile for specific IP addresses (yours and the other admins’). You can then connect remotely via WMI to create custom configurations for specific machines to finish locking them down.
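Before a netfw.inf template is pushed out, it is worth checking what remote-admin scope it actually grants. Here is an added Python checker (not part of the column or its script) that parses a template like File Listing 1 and reports, per profile, whether RemoteAdminSettings is enabled and which RemoteAddresses scope applies, warning when that scope is "*" rather than the specific admin addresses recommended above. The sample INF is constructed from Listing 1’s entries, and the checker assumes AddReg lines follow the HKLM,"subkey","value",type,data form shown there.

```python
import csv

# Constructed sample modelled on File Listing 1 (each AddReg entry written on one line).
SAMPLE_INF = r"""
[DefaultInstall]
AddReg=ICF.AddReg.DomainProfile
[ICF.AddReg.DomainProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\RemoteAdminSettings","Enabled",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\RemoteAdminSettings","RemoteAddresses",0x00000000,"*"
"""

def parse_sections(text):
    """Map each [section] name to its non-empty, non-comment lines."""
    sections, current = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections[current] = []
        elif current and not line.startswith(";"):
            sections[current].append(line)
    return sections

def firewall_entries(sections):
    """Yield (profile, key_leaf, value_name, data) for each AddReg line under FirewallPolicy."""
    for item in sections.get("DefaultInstall", []):
        if not item.startswith("AddReg="):
            continue
        for line in sections.get(item[len("AddReg="):].strip(), []):
            f = next(csv.reader([line]))  # csv copes with quoted fields that contain commas
            if len(f) == 5 and f[0] == "HKLM" and "\\FirewallPolicy\\" in f[1]:
                tail = f[1].split("\\FirewallPolicy\\", 1)[1].split("\\")
                yield tail[0], tail[-1], f[2], f[4]

def audit_remote_admin(text):
    """Per profile: is remote admin enabled, what is the RemoteAddresses scope, any warnings."""
    report = {}
    for profile, leaf, name, data in firewall_entries(parse_sections(text)):
        if leaf != "RemoteAdminSettings":
            continue
        entry = report.setdefault(profile, {"enabled": False, "scope": None, "warnings": []})
        if name == "Enabled":
            entry["enabled"] = data.strip() == "1"
        elif name == "RemoteAddresses":
            entry["scope"] = data
    for profile, entry in report.items():
        if entry["enabled"] and entry["scope"] in (None, "*"):
            entry["warnings"].append(f"{profile}: remote admin open to any address; restrict RemoteAddresses")
    return report
```

Run audit_remote_admin on each template before it goes on the floppy or the network share; a profile whose scope is "*" is the one to tighten to your admin hosts or subnet.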


Reader Comments:

Thu, Aug 4, 2005 Anonymous Anonymous

What are the exact reg entries? I can push those out much easier than going from machine to machine. You can email me @
j$$nolandAT$$uabDOTedu

Take out the $$'s and AT @ DOT .

Wed, Mar 2, 2005 JV NJ

In a 200x Domain use GPMS from an XP SP2 workstation to set the firewall settings on all domain computers. They will then get set up with the Admin Port open on next reboot or after a few refreshes, and new machines will automatically get set.

For standalone the above batch file is probably the easiest, or a WMI script run from a network share or floppy by an admin.

Mon, Dec 6, 2004 Charlie Boston

I'm not a scripter, but I did essentially the same thing by configuring the netfw.inf file to open up the appropriate apps and subnets and by creating a simple batch file that renames the original inf (just in case), copies the new inf and runs the netsh firewall reset command.
Anyway, my point is that I don't see how you can use either method to reset the firewall before installing SP2, because those settings don't even exist in the pre-SP2 Firewall.
Let me know if I'm incorrect, as this would be extremely helpful, just as you said.
