#1
I'm trying to open certain ports in the XP SP2 firewall using a script at user login. The opened ports will allow use of the Diskeeper Corp. Sitekeeper program to inventory/install software on the target machines. Sitekeeper's tech support provides a script to do this, however, when run by a non-privileged user, the script does not function/returns access denied. I have over a hundred machines that need this, so "application-by-walking-around" is not desired.. Is there a way to allow the script to run using the system credentials? or a run-as workaround?? Sitekeeper's tech support basically said "we provide the script as-is, don't ask us how to use it...".. Since these machines are members of an old-style NT4 domain, not AD, I can't (as far as I know) use a policy to make the f/w mods... Any assistance/pointers to assistance would be appreciated...

Thanks
Dave Frandin
dave[AT]frandin[.]org

The script is as follows:

    @echo off
    SETLOCAL
    rem If SP1 the following returns 1
    netsh firewall ""
    if ERRORLEVEL 1 GOTO Exit
    netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = ALL
    netsh firewall set service type = REMOTEADMIN mode = ENABLE scope = ALL
    netsh firewall set portopening protocol = TCP port = 31041 name = SitekeeperRPC mode = ENABLE scope = ALL
    netsh firewall set portopening protocol = TCP port = 31040 name = PIServerRPC mode = ENABLE scope = ALL
    netsh firewall set portopening protocol = TCP port = 31042 name = SKAgentRPC mode = ENABLE scope = ALL
    netsh firewall set portopening protocol = UDP port = 4500 name = SKIPSec4500 mode = ENABLE scope = ALL
    netsh firewall set portopening protocol = UDP port = 500 name = SKIPSec500 mode = ENABLE scope = ALL
    netsh firewall set allowedprogram program = "SKAgent.exe" name = SKAgent mode = ENABLE scope = ALL
    :Exit
    ENDLOCAL
#2
Hi,

Different RunAs products listed here, some free and some not, some with encryption option for the password as well:

http://groups.google.co.uk/groups?se...75%40hydro.com

Other ones not mentioned in the link above:

SUperior SU (free, has a command line interface)
http://www.stefan-kuhr.de/supsu/main.php3

Supercrypt (as well as LSrunas/LSrunasE)
http://www.lansweeper.com/ls/lsrunas.aspx

Runasspc
http://www.robotronic.de/runasspcEn.html

You may also want to check out PolicyMaker Application Security (previously NeoExec), the main difference is that it does not require the use of a second account, as most other RunAs derivatives require.

PolicyMaker Application Security
http://www.desktopstandard.com/Polic...nSecurity.aspx

LVDave wrote:

> I'm trying to open certain ports in the XP SP2 firewall using a script at user
> login. The opened ports will allow use of the Diskeeper Corp. Sitekeeper
> program to inventory/install software on the target machines. Sitekeeper's
> tech support provides a script to do this, however, when run by a
> non-privileged user, the script does not function/returns access denied. I
> have over a hundred machines that need this, so
> "application-by-walking-around" is not desired.. Is there a way to allow the
> script to run using the system credentials? or a run-as workaround??
> Sitekeeper's tech support basically said "we provide the script as-is, don't
> ask us how to use it...".. Since these machines are members of an old-style
> NT4 domain, not AD, I can't (as far as I know) use a policy to make the f/w
> mods... Any assistance/pointers to assistance would be appreciated...
>
> Thanks
> Dave Frandin
> dave[AT]frandin[.]org
>
> The script is as follows:
>
> @echo off
>
> SETLOCAL
> rem If SP1 the following returns 1
> netsh firewall ""
> if ERRORLEVEL 1 GOTO Exit
> netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = ALL
> netsh firewall set service type = REMOTEADMIN mode = ENABLE scope = ALL
> netsh firewall set portopening protocol = TCP port = 31041 name = SitekeeperRPC mode = ENABLE scope = ALL
> netsh firewall set portopening protocol = TCP port = 31040 name = PIServerRPC mode = ENABLE scope = ALL
> netsh firewall set portopening protocol = TCP port = 31042 name = SKAgentRPC mode = ENABLE scope = ALL
> netsh firewall set portopening protocol = UDP port = 4500 name = SKIPSec4500 mode = ENABLE scope = ALL
> netsh firewall set portopening protocol = UDP port = 500 name = SKIPSec500 mode = ENABLE scope = ALL
> netsh firewall set allowedprogram program = "SKAgent.exe" name = SKAgent mode = ENABLE scope = ALL
> :Exit
> ENDLOCAL

--
torgeir, Microsoft MVP Scripting, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx
#3
Thank you very much! Will check these links out....
Dave Frandin
dave[AT]frandin[.]org

"Torgeir Bakken (MVP)" wrote:

> Hi,
>
> Different RunAs products listed here, some free and some not, some
> with encryption option for the password as well:
>
> http://groups.google.co.uk/groups?se...75%40hydro.com
>
> Other ones not mentioned in the link above:
>
> SUperior SU (free, has a command line interface)
> http://www.stefan-kuhr.de/supsu/main.php3
>
> Supercrypt (as well as LSrunas/LSrunasE)
> http://www.lansweeper.com/ls/lsrunas.aspx
>
> Runasspc
> http://www.robotronic.de/runasspcEn.html
>
> You may also want to check out PolicyMaker Application Security
> (previously NeoExec), the main difference is that it does not require
> the use of a second account, as most other RunAs derivatives require.
>
> PolicyMaker Application Security
> http://www.desktopstandard.com/Polic...nSecurity.aspx
>
> LVDave wrote:
>
> > I'm trying to open certain ports in the XP SP2 firewall using a script at user
> > login. The opened ports will allow use of the Diskeeper Corp. Sitekeeper
> > program to inventory/install software on the target machines. Sitekeeper's
> > tech support provides a script to do this, however, when run by a
> > non-privileged user, the script does not function/returns access denied. I
> > have over a hundred machines that need this, so
> > "application-by-walking-around" is not desired.. Is there a way to allow the
> > script to run using the system credentials? or a run-as workaround??
> > Sitekeeper's tech support basically said "we provide the script as-is, don't
> > ask us how to use it...".. Since these machines are members of an old-style
> > NT4 domain, not AD, I can't (as far as I know) use a policy to make the f/w
> > mods... Any assistance/pointers to assistance would be appreciated...
> >
> > Thanks
> > Dave Frandin
> > dave[AT]frandin[.]org
> >
> > The script is as follows:
> >
> > @echo off
> >
> > SETLOCAL
> > rem If SP1 the following returns 1
> > netsh firewall ""
> > if ERRORLEVEL 1 GOTO Exit
> > netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = ALL
> > netsh firewall set service type = REMOTEADMIN mode = ENABLE scope = ALL
> > netsh firewall set portopening protocol = TCP port = 31041 name = SitekeeperRPC mode = ENABLE scope = ALL
> > netsh firewall set portopening protocol = TCP port = 31040 name = PIServerRPC mode = ENABLE scope = ALL
> > netsh firewall set portopening protocol = TCP port = 31042 name = SKAgentRPC mode = ENABLE scope = ALL
> > netsh firewall set portopening protocol = UDP port = 4500 name = SKIPSec4500 mode = ENABLE scope = ALL
> > netsh firewall set portopening protocol = UDP port = 500 name = SKIPSec500 mode = ENABLE scope = ALL
> > netsh firewall set allowedprogram program = "SKAgent.exe" name = SKAgent mode = ENABLE scope = ALL
> > :Exit
> > ENDLOCAL
>
> --
> torgeir, Microsoft MVP Scripting, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scr...r/default.mspx
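
An added example, not part of the thread and not the vendor's script: a variant of the script from post #1 that limits every exception to a management address instead of `scope = ALL`, then checks that the named port exceptions actually exist, since the problem in the thread is the script being refused under a non-privileged account. The address `192.0.2.10`, the `MGMT` and `FAILED` variables and the `:Check` routine are assumptions made for illustration; the script still has to run with administrative rights.

```batch
@echo off
SETLOCAL
rem Added example, not the vendor's script. MGMT is a placeholder (assumption)
rem for the Sitekeeper console address; a comma-separated list is also accepted.
set MGMT=192.0.2.10
set FAILED=

rem Same guard as the original script: skip machines without the SP2 firewall context.
netsh firewall ""
if ERRORLEVEL 1 GOTO Exit

rem scope = CUSTOM admits only the listed source addresses instead of any host.
netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = CUSTOM addresses = %MGMT%
netsh firewall set service type = REMOTEADMIN mode = ENABLE scope = CUSTOM addresses = %MGMT%
netsh firewall set portopening protocol = TCP port = 31041 name = SitekeeperRPC mode = ENABLE scope = CUSTOM addresses = %MGMT%
netsh firewall set portopening protocol = TCP port = 31040 name = PIServerRPC mode = ENABLE scope = CUSTOM addresses = %MGMT%
netsh firewall set portopening protocol = TCP port = 31042 name = SKAgentRPC mode = ENABLE scope = CUSTOM addresses = %MGMT%
netsh firewall set portopening protocol = UDP port = 4500 name = SKIPSec4500 mode = ENABLE scope = CUSTOM addresses = %MGMT%
netsh firewall set portopening protocol = UDP port = 500 name = SKIPSec500 mode = ENABLE scope = CUSTOM addresses = %MGMT%
netsh firewall set allowedprogram program = "SKAgent.exe" name = SKAgent mode = ENABLE scope = CUSTOM addresses = %MGMT%

rem Confirm each named port exception exists; under a non-privileged account
rem the set commands above are refused and nothing is added.
for %%N in (SitekeeperRPC PIServerRPC SKAgentRPC SKIPSec4500 SKIPSec500) do call :Check %%N
if defined FAILED (echo %COMPUTERNAME%: firewall exceptions incomplete) else (echo %COMPUTERNAME%: firewall exceptions applied)

:Exit
ENDLOCAL
goto :eof

:Check
rem %~1 is the exception name to look for in the current port list.
netsh firewall show portopening | findstr /i /c:"%~1" >nul
if ERRORLEVEL 1 (
    echo %COMPUTERNAME%: port exception %~1 is missing
    set FAILED=1
)
goto :eof
```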