Configuring Windows Firewall for use with Spiceworks Inventory

Source: http://community.spiceworks.com/education/projects/Windows_Firewall

Introduction

By default, the Windows Firewall included with Windows XP Service Pack 2 and Vista can block network traffic that is required by Spiceworks for discovery.

Configuring Windows Firewall

You can configure the Windows Firewall to allow Spiceworks to discover machines by running one of the following commands on the machine in question. Note: If all of your devices are located on the same subnet as the Spiceworks computer, use the “enable subnet” option to limit admin access to the local subnet.

c:\> netsh firewall set service remoteadmin enable
c:\> netsh firewall set service remoteadmin enable subnet

Windows 7 has updated the netsh command, and you need to use these two commands instead:

c:\> netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
c:\> netsh advfirewall firewall set rule group="remote administration" new enable=yes
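
The two advfirewall commands above do not carry the subnet restriction that the older "enable subnet" form has. The following is an added example, not part of the original page or of Spiceworks: it reports the remote-address scope of the inbound rules in both groups and then previews enabling them for the local subnet only. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later), an elevated session, and that all devices share a subnet with the Spiceworks computer; the function name Get-DiscoveryRuleScope is hypothetical.

```powershell
# Added example. Assumes the NetSecurity module (Windows 8 / Server 2012 or later)
# and an elevated PowerShell session. Group names are the ones used on this page.
$groups = 'Windows Management Instrumentation (WMI)', 'Remote Administration'

function Get-DiscoveryRuleScope {
    param([string[]]$DisplayGroup)
    foreach ($g in $DisplayGroup) {
        # A group name that does not exist on this Windows version yields no rules.
        $rules = Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue |
                 Where-Object { $_.Direction -eq 'Inbound' }
        foreach ($r in $rules) {
            $addr = ($r | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{
                Group         = $g
                Rule          = $r.DisplayName
                Profile       = $r.Profile
                Enabled       = $r.Enabled
                RemoteAddress = $addr -join ','
                # Enabled and unrestricted: reachable from every source address.
                OpenToAny     = ($r.Enabled -eq 'True') -and ($addr -contains 'Any')
            }
        }
    }
}

# Report first, so the current exposure is on record before anything changes.
$report = Get-DiscoveryRuleScope -DisplayGroup $groups
$report | Format-Table -AutoSize

# Enable and restrict in one step (the scoped counterpart of "enable subnet").
# -WhatIf only prints what would change; remove it to apply.
foreach ($g in ($report.Group | Select-Object -Unique)) {
    Get-NetFirewallRule -DisplayGroup $g |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Set-NetFirewallRule -Enabled True -RemoteAddress LocalSubnet -WhatIf
}
```

Rules delivered by Group Policy are not changed by this; scope those in the policy itself.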

The Windows Firewall can also be centrally managed via Group Policy.

The equivalent Group Policy setting is: 
  Windows Firewall: Allow remote administration exception

The setting path in Group Policy is: 
“Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile”

If you are using Windows Vista or Server 2008, you will also need to enable ICMPv4, which is in the same Group Policy path. The setting is:
  Windows Firewall: Allow ICMP exceptions

Per the Group Policy Management snap-in: Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Component Object Model (DCOM). This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034.

If you enable this policy setting, Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP addresses or subnets from which these incoming messages are allowed.

If you disable or do not configure this policy setting, Windows Firewall does not open TCP port 135 or 445. Also, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from receiving unsolicited incoming messages, and prevents hosted services from opening additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 445, it does not conflict with the “Windows Firewall: Allow file and printer sharing exception” policy setting.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
