Re: WS2003 SP1 Firewall Rules for a DC (svchost.exe not working)
From: Derek (dseaman_at_nospam.nospam)
Date: 04/07/05
- Next message: Steven L Umbach: "Re: Kerberos Issue"
- Previous message: Ion: "changed password and efs"
- In reply to: Nick Finco [MSFT]: "Re: WS2003 SP1 Firewall Rules for a DC (svchost.exe not working)"
- Next in thread: Nick Finco [MSFT]: "Re: WS2003 SP1 Firewall Rules for a DC (svchost.exe not working)"
- Reply: Nick Finco [MSFT]: "Re: WS2003 SP1 Firewall Rules for a DC (svchost.exe not working)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 7 Apr 2005 07:35:22 -0700
I configured the same rule set for domain and standard. I then rebooted as
you suggested, and it appears all is now working. But I am still concerned
in the Firewall control panel applet that I do not see the 'allow remote
administration' rule listed, even though I have it enabled in the GPO. Isn't
the applet supposed to list all rules? If it doesn't, how can I be certain
what really is and is not being allowed?
Derek
"Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
news:eBhQs2iOFHA.2132@TK2MSFTNGP14.phx.gbl...
> Have you configured both the Standard and Domain profiles for the Windows
> Firewall? One of the things that SCW does is configure both identically,
> otherwise you might switch from one profile to the other (or not be using
> the one you expect) and become vulnerable.
>
> Are your settings coming down from the domain properly? The domain WF
> settings propagate under HKLM\Software\policies\microsoft\windowsfirewall.
>
> Have you rebooted after the settings have applied? There's a scenario
> where this is required. If the sharedaccess service (which handles the
> WF) isn't running, but later started and configured with application
> exemptions, it hasn't actually seen the prior ports opening so it doesn't
> realize it needs to let certain traffic through. Port 1025 (or another
> similar ranged random port) is typically opened by lsass during a server's
> boot sequence so it falls into this scenario.
>
> N
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights. Any opinions or policies stated within are my own and do not
> necessarily constitute those of my employer. Use of included script
> samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "Derek" <dseaman@nospam.nospam> wrote in message
> news:u7WE9%23fOFHA.1884@TK2MSFTNGP15.phx.gbl...
>>I looked at the firewall rules from the SCW and they match what I put into
>>the GPO. Any more ideas why svchost.exe doesn't seem to be allowed in
>>the firewall? I also find it disappointing that even though I have the
>>'remote administration' GPO option turned on, in the Firewall applet I see
>>no entry for it. I would at least expect to see something in there showing
>>that the feature is turned on.
>>
>> Derek
>>
>> "Derek" <dseaman@nospam.nospam> wrote in message
>> news:e%230SameOFHA.2736@TK2MSFTNGP09.phx.gbl...
>>>I actually ran the SCW to see what the resulting firewall rule set looked
>>>like in the wizard. I did not actually have it implement the policy
>>>and then run the command line tools that you mentioned. I will try that
>>>and see what happens.
>>>
>>> The server has the gold release of SP1 and did not have any prior
>>> versions of the service pack applied.
>>>
>>> Derek
>>>
>>> "Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
>>> news:OLBhGRUOFHA.440@TK2MSFTNGP10.phx.gbl...
>>>> First I'd suggest giving the Security Configuration Wizard a shot
>>>> (add/remove windows components). You can create a DC policy and then
>>>> use the scwcmd.exe command line tool to generate a GPO with the windows
>>>> firewall settings that you can examine. That way you can be sure you
>>>> have all of the required port exemptions. DCs are tricky to firewall.
>>>>
>>>> Svchost.exe is a special case in WF. You have to use the "remote
>>>> administration exception" to allow random RPC ports opened by svchost
>>>> through the firewall (I don't believe it opens lsass, at one point it
>>>> did but that changed and I don't remember it changing back). Since
>>>> you've done that, it looks like it should be working. Are you running
>>>> RTM of SP1 or a prior RC?
>>>>
>>>> N
>>>>
>>>> --
>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>> rights. Any opinions or policies stated within are my own and do not
>>>> necessarily constitute those of my employer. Use of included script
>>>> samples are subject to the terms specified at
>>>> http://www.microsoft.com/info/cpyright.htm
>>>>
>>>>
>>>> "Derek" <dseaman@nospam.nospam> wrote in message
>>>> news:O1ypTWSOFHA.3156@TK2MSFTNGP15.phx.gbl...
>>>>>I have the following Firewall rules in place on my test DCs. Everything
>>>>>is working ok, EXCEPT that the svchost.exe exception does not seem to
>>>>>be working. I have it in the group policy rules list, but when I open
>>>>>the Firewall applet it is not listed. And when I turn on the firewall
>>>>>SQL Kerberos authentication fails because port 1025 is not open. After
>>>>>some research, I found the process svchost.exe is what listens on port
>>>>>1025. In the group policy I also have enabled 'remote administration
>>>>>exception' which specifically says it adds svchost.exe and lsass.exe to
>>>>>the exception list. But that does not seem to be the case.
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> --------
>>>>>
>>>>> 123:UDP:*:Enabled:(123 UDP) NTP
>>>>> 135:TCP:*:Enabled:(135 TCP) RPC endpoint Mapper/DCOM
>>>>> 161:UDP:*:Enabled:(161 UDP) SNMP
>>>>> 162:UDP:*:Enabled:(162 UDP) SNMP Traps
>>>>> 389:TCP:*:Enabled:(389 TCP) LDAP
>>>>> 389:UDP:*:Enabled:(389 UDP) LDAP Discovery
>>>>> 464:TCP:*:Enabled:(464 TCP) Kerberos Password Change
>>>>> 464:UDP:*:Enabled:(464 UDP) Kerberos Password Change
>>>>> 445:TCP:*:Enabled:(445 TCP) SMB
>>>>> 3268:TCP:*:Enabled:(3268 TCP) Global Catalog
>>>>> 3269:TCP:*:Enabled:(3269 TCP) Global Catalog over SSL
>>>>> 53:TCP:*:Enabled:(53 TCP) DNS
>>>>> 53:UDP:*:Enabled:(53 UDP) DNS
>>>>> 53438:TCP:*:Enabled:(53438 TCP) AD Replication
>>>>> 636:TCP:*:Enabled:(636 TCP) LDAP over SSL
>>>>> 88:TCP:*:Enabled:(88 TCP) Kerberos
>>>>> 88:UDP:*:Enabled:(88 UDP) Kerberos
>>>>> 2381:TCP:*:Enabled:(2381 TCP) HP Management
>>>>> 2701:TCP:*:Enabled:(2701 TCP) SMS General Contact
>>>>>
>>>>> C:\WINDOWS\system32\lsass.exe:*:Enabled:C:\WINDOWS\system32\lsass.exe
>>>>> C:\WINDOWS\system32\svchost.exe:*:Enabled:C:\WINDOWS\system32\svchost.exe
>>>>> C:\WINDOWS\system32\ntfrs.exe:*:Enabled:C:\WINDOWS\system32\ntfrs.exe
>>>>> C:\WINDOWS\system32\scshost.exe:*:Enabled:C:\WINDOWS\system32\scshost.exe
>>>>> C:\WINDOWS\system32\sysdown.exe:*:Enabled:C:\WINDOWS\system32\sysdown.exe
>>>>> C:\WINDOWS\system32\CCM\CcmExec.exe:*:Enabled:C:\WINDOWS\system32\CCM\CcmExec.exe
>>>>> (SMS Client)
>>>>>
>
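Two points in the thread lend themselves to a mechanical check: the rule strings Derek pasted (port rules as `port:proto:scope:state:name`, application rules as `path:scope:state:name`) and Nick's advice that the Domain and Standard profiles must be configured identically or the host behaves differently depending on which profile it lands in. The following parser and profile comparison is an added example, not code from the thread or from Microsoft. It assumes the rule string format shown in Derek's post; the `GloballyOpenPorts\List` and `AuthorizedApplications\List` value names mentioned in the comments are the policy locations beneath the `HKLM\Software\Policies\Microsoft\WindowsFirewall` key Nick cites, and the sample rule sets are constructed from a subset of Derek's list with a deliberately incomplete Standard profile.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple, Union

# Windows Firewall policy rule formats (WS2003 SP1 / XP SP2) as quoted in the
# thread.  The same strings are stored as REG_SZ values under
#   HKLM\Software\Policies\Microsoft\WindowsFirewall\<DomainProfile|StandardProfile>
#     \GloballyOpenPorts\List      ->  port:proto:scope:state:name
#     \AuthorizedApplications\List ->  path:scope:state:name
_PORT_RE = re.compile(
    r"^(?P<port>\d{1,5}):(?P<proto>TCP|UDP):(?P<scope>[^:]*):"
    r"(?P<state>Enabled|Disabled):(?P<name>.*)$"
)
# The path itself contains a colon (C:\...), so it is matched non-greedily and
# anchored by the fixed scope/state fields that follow it.
_APP_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$"
)


@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str
    scope: str
    enabled: bool
    name: str


@dataclass(frozen=True)
class AppRule:
    path: str
    scope: str
    enabled: bool
    name: str


Rule = Union[PortRule, AppRule]


def parse_rule(line: str) -> Rule:
    """Parse one rule string; raise ValueError on anything malformed."""
    m = _PORT_RE.match(line)
    if m:
        port = int(m["port"])
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range: {line!r}")
        return PortRule(port, m["proto"], m["scope"], m["state"] == "Enabled", m["name"])
    m = _APP_RE.match(line)
    if m and "\\" in m["path"]:  # an application rule must carry a real path
        return AppRule(m["path"], m["scope"], m["state"] == "Enabled", m["name"])
    raise ValueError(f"unrecognised firewall rule: {line!r}")


def parse_profile(text: str) -> List[Rule]:
    """Parse a block of rule strings, ignoring blank lines and '----' separators."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:
            continue
        rules.append(parse_rule(line))
    return rules


def open_ports(rules: List[Rule]) -> Set[Tuple[int, str]]:
    """(port, proto) pairs statically opened by enabled port rules."""
    return {(r.port, r.proto) for r in rules if isinstance(r, PortRule) and r.enabled}


def profile_mismatch(domain: List[Rule], standard: List[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """Rules present in only one profile.  Anything non-empty means the host is
    filtered differently depending on which profile the firewall selects."""
    d, s = set(domain), set(standard)
    return d - s, s - d


# Constructed sample: a subset of the thread's Domain rules, and a Standard
# profile that is missing two entries and has Kerberos/TCP disabled.
DOMAIN_RULES = """\
123:UDP:*:Enabled:(123 UDP) NTP
135:TCP:*:Enabled:(135 TCP) RPC endpoint Mapper/DCOM
389:TCP:*:Enabled:(389 TCP) LDAP
88:TCP:*:Enabled:(88 TCP) Kerberos
88:UDP:*:Enabled:(88 UDP) Kerberos
--------
C:\\WINDOWS\\system32\\lsass.exe:*:Enabled:C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:C:\\WINDOWS\\system32\\svchost.exe
"""
STANDARD_RULES = """\
123:UDP:*:Enabled:(123 UDP) NTP
135:TCP:*:Enabled:(135 TCP) RPC endpoint Mapper/DCOM
389:TCP:*:Enabled:(389 TCP) LDAP
88:TCP:*:Disabled:(88 TCP) Kerberos
C:\\WINDOWS\\system32\\lsass.exe:*:Enabled:C:\\WINDOWS\\system32\\lsass.exe
"""

if __name__ == "__main__":
    dom, std = parse_profile(DOMAIN_RULES), parse_profile(STANDARD_RULES)
    only_domain, only_standard = profile_mismatch(dom, std)
    print("only in Domain profile:  ", sorted(r.name for r in only_domain))
    print("only in Standard profile:", sorted(r.name for r in only_standard))
    # The dynamic RPC port the thread is chasing (1025) is not in the static
    # list; it is only covered by the remote administration exception.
    print("1025/TCP statically open?", (1025, "TCP") in open_ports(dom))
```

Feeding each profile's exported rule strings through `profile_mismatch` turns Nick's "configure both identically" advice into a check that can be run after every GPO change; the `open_ports` query also makes Derek's original symptom visible, since the ephemeral RPC port (1025) appears nowhere in the static port list and therefore depends entirely on the remote administration exception being applied.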