Using Group Policy
Tables 9-1 and 9-2 contain the Group Policy settings that enable remote administration
through the Windows Firewall in the domain and standard profiles, respectively.
Table 9-1. Configure Remote Administration Exception—Domain Profile
Path: Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
Policy name: Windows Firewall: Allow remote administration exception
Value: Enabled to allow remote administration through the Windows Firewall in the Domain Profile. Disabled to disallow it.
Table 9-2. Configure Remote Administration Exception—Standard Profile
Path: Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
Policy name: Windows Firewall: Allow remote administration exception
Value: Enabled to allow remote administration through the Windows Firewall in the Standard Profile. Disabled to disallow it.
How It Works
In a domain environment, you'll often want to remotely administer servers and workstations
using tools such as the Computer Management MMC and Windows Management Instrumentation
(WMI). The remote administration exception exists because most of the administration tools
you'll use need to make unsolicited connections to the computer that you're trying to
administer, using TCP port 445 and the svchost.exe and lsass.exe executables.
Caution: The ports and executables used by the remote administration exception are well-known
attack vectors. Be sure to permit this exception only on trusted hosts.
In order to troubleshoot remote administration on a Windows Server 2003 computer or
domain, you'll need to verify that the appropriate settings in Group Policy, the Windows Registry,
or VBScript have been enabled; you cannot make this change in the Windows Firewall Control
Panel applet.
In addition to verifying that the remote administration exception has been enabled, you
need to verify that the correct scope has been configured. The scope of an exception refers to the
IP addresses that are permitted to make remote administration connections. As with other
Windows Firewall Group Policy settings, you can use LocalSubnet to specify the local subnet,
* to specify all hosts, or a custom list of IPv4 addresses. For IPv6 addresses, you can only
specify LocalSubnet or *; you can't create a custom exception list.
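An added example (not from the original text): a Python check that classifies a scope value before it is placed in policy, flagging * and wide subnets and rejecting custom lists for IPv6. The function name audit_scope, the comma-separated list format, and the /24 review threshold are assumptions made for this example.

```python
import ipaddress

def audit_scope(scope, ipv6=False):
    """Classify a remote administration exception scope string.

    Returns (kind, findings): kind is 'all', 'localsubnet', 'custom' or
    'invalid'; findings lists what a reviewer should look at.
    Assumption: a custom list is comma-separated IPv4 addresses or
    subnets, e.g. "10.0.0.5,10.2.3.0/24".
    """
    entries = [e.strip() for e in scope.split(",") if e.strip()]
    if not entries:
        return "invalid", ["empty scope"]
    kind, findings = None, []
    for entry in entries:
        low = entry.lower()
        if low == "*":
            kind = "all"  # widest scope wins over anything else listed
            findings.append("'*' admits all hosts")
        elif low == "localsubnet":
            kind = kind or "localsubnet"
        elif ipv6:
            # Per the text: IPv6 accepts only LocalSubnet or *.
            return "invalid", [f"custom entry {entry!r} not allowed for IPv6"]
        else:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                return "invalid", [f"unparseable entry {entry!r}"]
            if net.version != 4:
                return "invalid", [f"{entry!r} is not IPv4"]
            if kind != "all":
                kind = "custom"
            if net.prefixlen < 24:  # review threshold assumed for this example
                findings.append(f"{entry} covers {net.num_addresses} addresses")
    return kind, findings

if __name__ == "__main__":
    # Constructed sample scope values, not taken from a real policy.
    for sample in ["*", "LocalSubnet", "10.0.0.5, 10.2.3.0/24", "10.0.0.0/8"]:
        print(sample, "->", audit_scope(sample))
```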