XP Firewall setting for AD

Hi All.
In process of testing XP SP2 on Windows 2003 AD.
Been testing with wireless XP machine with firewall on, default
settings.
Is there a knowledge base or recommended settings for the firewall to
let AD work.
Without configuration, Group Policies aren't being applied, WSUS also
can't connect.
I've enable all ICMP packets to be allowed, this seems to have helped
somewhat but still unable to manage the computer from GPMC.
If I turn off the firewall everything works fine.


Thanks

Generally you don't configure the Windows Firewall on the domain controllers
on domain controllers or WSUS server but it should not interfere with Group
Policy if configured on domain client computers though often there is an
exception for file and print sharing and remote administration from
computers used for domain administration and domain controllers if you are
using Computer Management to manage computers, scanning with MBSA, or
running RSOP on them. One thing that often helps is to enable the firewall
log on a couple affected computers and then looking in the firewall logs for
dropped traffic that would show from what IP address/port/protocol. Group
Policy is pulled by domain computers when foreground or background refresh
is done and the Windows Firewall should not interfere since it is stateful
and traffic in response to what they initiated would not be blocked . ---
Steve


<striffy@gmail.com> wrote in message
news:1132543152.477776.243690@g44g2000cwa.googlegr oups.com...
> Hi All.
> In process of testing XP SP2 on Windows 2003 AD.
> Been testing with wireless XP machine with firewall on, default
> settings.
> Is there a knowledge base or recommended settings for the firewall to
> let AD work.
> Without configuration, Group Policies aren't being applied, WSUS also
> can't connect.
> I've enable all ICMP packets to be allowed, this seems to have helped
> somewhat but still unable to manage the computer from GPMC.
> If I turn off the firewall everything works fine.
>
>
> Thanks
>

striffy@gmail.com wrote:

> Hi All.
> In process of testing XP SP2 on Windows 2003 AD.
> Been testing with wireless XP machine with firewall on, default
> settings.
> Is there a knowledge base or recommended settings for the firewall to
> let AD work.
> Without configuration, Group Policies aren't being applied, WSUS also
> can't connect.

That is not normal, both those is supposed to work without needing
to configure anything on the FW.


> I've enable all ICMP packets to be allowed, this seems to have helped
> somewhat but still unable to manage the computer from GPMC.
> If I turn off the firewall everything works fine.

To be able to do remote admin against a computer with the WinXP SP2
firewall enabled:

Policy path:
Computer Configuration\Administrative Templates\Network\
Network Connections\Windows Firewall\<Domain|Standard> Profile\

Policy name:
Windows Firewall: Allow remote administration exception

From PolicySettings.xls available here:

Group Policy Settings Reference for Windows XP Professional
Service Pack 2
http://www.microsoft.com/downloads/d...displaylang=en

<quote>
Administrative Templates\Network\Network Connections\Windows Firewall
\<some> Profile
Windows Firewall: Allow remote administration exception

Allows remote administration of this computer using administrative
tools such as the Microsoft Management Console (MMC) and Windows
Management Instrumentation (WMI). To do this, Windows Firewall opens
TCP ports 135 and 445. Services typically use these ports to
communicate using remote procedure calls (RPC) and Distributed
Component Object Model (DCOM). This policy setting also allows
SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages
and allows hosted services to open additional dynamically-assigned
ports, typically in the range of 1024 to 1034. If you enable this
policy setting, Windows Firewall allows the computer to receive the
unsolicited incoming messages associated with remote administration.
You must specify the IP addresses or subnets from which these
incoming messages are allowed. If you disable or do not configure
this policy setting, Windows Firewall does not open TCP port 135 or
445. Also, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from
receiving unsolicited incoming messages, and prevents hosted
services from opening additional dynamically-assigned ports. Because
disabling this policy setting does not block TCP port 445, it does
not conflict with the Windows Firewall: Allow file and printer
sharing exception policy setting. Note: Malicious users often
attempt to attack networks and computers using RPC and DCOM. We
recommend that you contact the manufacturers of your critical
programs to determine if they are hosted by SVCHOST.exe or LSASS.exe
or if they require RPC and DCOM communication. If they do not, then
do not enable this policy setting. Note: If any policy setting
opens TCP port 445, Windows Firewall allows inbound ICMP echo
request messages (the message sent by the Ping utility), even if the
Windows Firewall: Allow ICMP exceptions policy setting would block
them. Policy settings that can open TCP port 445 include Windows
Firewall: Allow file and printer sharing exception, Windows Firewall:
Allow remote administration exception, and Windows Firewall: Define
port exceptions.

</quote>


Using netsh.exe, you can configure the "Allow for remote administration"
setting from command line as well, like this:

netsh.exe firewall set service type=remoteadmin mode=enable scope=subnet
profile=domain

If not a domain computer, you need to change to 'profile=standard'
(or 'profile=all'). Scope can also be set to 'custom' and then you
can add ip ranges to the command line as well.

The netsh.exe syntax is documented in WF_XPSP2.doc.

WF_XPSP2.doc "Deploying Windows Firewall Settings for Microsoft
Windows XP with Service Pack 2" is downloadable from
http://www.microsoft.com/downloads/d...d-499f73a637d1



--
torgeir, Microsoft MVP Scripting, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx

Thanks Mate,
I'll read this in full and give feedback with what I find out


Torgeir Bakken (MVP) wrote:
> striffy@gmail.com wrote:
>
> > Hi All.
> > In process of testing XP SP2 on Windows 2003 AD.
> > Been testing with wireless XP machine with firewall on, default
> > settings.
> > Is there a knowledge base or recommended settings for the firewall to
> > let AD work.
> > Without configuration, Group Policies aren't being applied, WSUS also
> > can't connect.
>
> That is not normal, both those is supposed to work without needing
> to configure anything on the FW.
>
>
> > I've enable all ICMP packets to be allowed, this seems to have helped
> > somewhat but still unable to manage the computer from GPMC.
> > If I turn off the firewall everything works fine.
>
> To be able to do remote admin against a computer with the WinXP SP2
> firewall enabled:
>
> Policy path:
> Computer Configuration\Administrative Templates\Network\
> Network Connections\Windows Firewall\<Domain|Standard> Profile\
>
> Policy name:
> Windows Firewall: Allow remote administration exception
>
> From PolicySettings.xls available here:
>
> Group Policy Settings Reference for Windows XP Professional
> Service Pack 2
> http://www.microsoft.com/downloads/d...displaylang=en
>
> <quote>
> Administrative Templates\Network\Network Connections\Windows Firewall
> \<some> Profile
> Windows Firewall: Allow remote administration exception
>
> Allows remote administration of this computer using administrative
> tools such as the Microsoft Management Console (MMC) and Windows
> Management Instrumentation (WMI). To do this, Windows Firewall opens
> TCP ports 135 and 445. Services typically use these ports to
> communicate using remote procedure calls (RPC) and Distributed
> Component Object Model (DCOM). This policy setting also allows
> SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages
> and allows hosted services to open additional dynamically-assigned
> ports, typically in the range of 1024 to 1034. If you enable this
> policy setting, Windows Firewall allows the computer to receive the
> unsolicited incoming messages associated with remote administration.
> You must specify the IP addresses or subnets from which these
> incoming messages are allowed. If you disable or do not configure
> this policy setting, Windows Firewall does not open TCP port 135 or
> 445. Also, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from
> receiving unsolicited incoming messages, and prevents hosted
> services from opening additional dynamically-assigned ports. Because
> disabling this policy setting does not block TCP port 445, it does
> not conflict with the Windows Firewall: Allow file and printer
> sharing exception policy setting. Note: Malicious users often
> attempt to attack networks and computers using RPC and DCOM. We
> recommend that you contact the manufacturers of your critical
> programs to determine if they are hosted by SVCHOST.exe or LSASS.exe
> or if they require RPC and DCOM communication. If they do not, then
> do not enable this policy setting. Note: If any policy setting
> opens TCP port 445, Windows Firewall allows inbound ICMP echo
> request messages (the message sent by the Ping utility), even if the
> Windows Firewall: Allow ICMP exceptions policy setting would block
> them. Policy settings that can open TCP port 445 include Windows
> Firewall: Allow file and printer sharing exception, Windows Firewall:
> Allow remote administration exception, and Windows Firewall: Define
> port exceptions.
>
> </quote>
>
>
> Using netsh.exe, you can configure the "Allow for remote administration"
> setting from command line as well, like this:
>
> netsh.exe firewall set service type=remoteadmin mode=enable scope=subnet
> profile=domain
>
> If not a domain computer, you need to change to 'profile=standard'
> (or 'profile=all'). Scope can also be set to 'custom' and then you
> can add ip ranges to the command line as well.
>
> The netsh.exe syntax is documented in WF_XPSP2.doc.
>
> WF_XPSP2.doc "Deploying Windows Firewall Settings for Microsoft
> Windows XP with Service Pack 2" is downloadable from
> http://www.microsoft.com/downloads/d...d-499f73a637d1
>
>
>
> --
> torgeir, Microsoft MVP Scripting, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scr...r/default.mspx