Monday, June 22, 2009

Configuring the Firewall for Remote Management of a Workgroup Server Core installation

from http://blogs.technet.com/server_core/archive/2008/01/14/configuring-the-firewall-for-remote-management-of-a-workgroup-server-core-installation.aspx and http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/04/03/remotely-managing-your-server-core-using-compmgmt-msc.aspx we read:

Just like on a full server installation, the firewall is on by default in a Server Core installation and most inbound traffic is blocked at the end of setup. There are then three scenarios for remote management via MMC:
Server Roles – when a server role is installed, the appropriate ports are opened to allow the role to function as well as to allow remote management, so no additional configuration is required. Using the Remote Server Administration Tools (RSAT) feature on a full server installation, you can install just the MMC snap-ins for a role and use them to remotely manage the role on Server Core.
Domain joined – Once domain joined, the firewall profile is changed to the domain profile which allows remote management. Again, no additional configuration is required.
Workgroup server – This is the scenario in which you may need to make firewall configuration changes to allow remote management. If you just want all remote management to work you can use:

Netsh advfirewall firewall set rule group="remote administration" new enable=yes

However, it is possible to be more granular and only allow certain MMC snap-ins to remotely manage the box.
Note that the other methods of remote management are either enabled out of the box, such as WMI, or when enabled the firewall is configured to allow them, such as Terminal Server remote administration mode.

As mentioned you can simply enable the Remote Administration firewall rules to allow pretty much any MMC to connect (a few require additional configuration as discussed below). However, there may be situations where you only want to allow certain MMCs to connect for remote administration. Not every MMC snap-in has a firewall group, here are those that do:

MMC Snap-in --> Rule Group
------------------------------------------------------------------------
Event Viewer --> Remote Event Log Management
Services --> Remote Service Management
Shared Folders --> File and Printer Sharing
Task Scheduler --> Remote Scheduled Tasks Management
Reliability and Performance --> "Performance Logs and Alerts" and "File and Printer Sharing"
Disk Management --> Remote Volume Management
Windows Firewall with Advanced Security --> Windows Firewall Remote Management

On the Server Core box you can enable these by running:

Netsh advfirewall firewall set rule group="<Rule Group>" new enable=yes

Where <Rule Group> is the name in the above table.

You can remotely enable these using the Windows Firewall with Advanced Security MMC snap-in, after you have enabled its rule group locally on the Server Core box to allow it to connect.

MMC Snap-ins without a Rule Group

Not every MMC snap-in has a rule group to allow it access through the firewall, however many of them use the same ports for management as those that do. Therefore, you will find that enabling the rules for Event Viewer, Services, or Shared Folders will allow most other MMC snap-ins to connect. Of course, you can also simply enable the remote administration rule group (see my last post).

MMC Snap-ins that Require Additional Configuration

In addition to allowing the MMC snap-ins through the firewall, the following MMC snap-ins require additional configuration:

* Device Manager
To allow Device Manager to connect, you must first enable the “Allow remote access to the PnP interface” policy:
1. On a Windows Vista or full Server installation, start the Group Policy Object MMC snap-in
2. Connect to the Server Core installation
3. Navigate to Computer Configuration\Administrative Templates\Device Installation
4. Enable “Allow remote access to the PnP interface”
5. Restart the Server Core installation

* Disk Management
1. You must first start the Virtual Disk Service (VDS) on the Server Core installation
2. You must enable the "Remote Volume Management" firewall group in both Server and Client

* IPSec Mgmt
On the Server Core installation you must first enable remote management of IPSec. This can be done using the scregedit.wsf script:
Cscript \windows\system32\scregedit.wsf /im 1

Examples

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
netsh advfirewall firewall set rule group="Performance Logs and Alerts" new enable=yes
Netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
Netsh advfirewall firewall set rule group="Remote Scheduled Tasks Management" new enable=yes
netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
sc config vds start= auto
net start vds
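The commands above open each rule group for any source address. On a workgroup Server Core box there is no domain profile to fall back on, so a tighter approach is to open only the groups the snap-ins you actually use need, and only for the management host or subnet they connect from. The following cmd.exe script is an added example, not code from the quoted TechNet or dirteam posts: the script name and the snap-in keywords (eventviewer, services, shares, tasks, perf, disk, firewall, ipsec) are invented for it, the group names are the ones from the table above, and it relies on the real "remoteip=" setting of "netsh advfirewall firewall set rule ... new" to scope every rule in a group to the given address. For "disk" it also starts VDS as described above, and for "ipsec" it runs the scregedit.wsf switch from the IPSec Mgmt section, since the page lists no separate rule group for it.

```batch
@echo off
rem enable_mmc_rules.cmd  (added example; not from the quoted posts)
rem Opens only the firewall rule groups the requested MMC snap-ins need, and
rem only for the management host/subnet given, instead of enabling the whole
rem "Remote Administration" group for any source address.
rem
rem Usage (locally on the Server Core box, from cmd.exe):
rem   enable_mmc_rules.cmd <mgmt-ip-or-subnet> <snapin> [<snapin> ...]
rem Snap-in keywords (names chosen for this script):
rem   eventviewer services shares tasks perf disk firewall ipsec
rem Example:
rem   enable_mmc_rules.cmd 192.168.10.0/24 eventviewer services disk
setlocal

if "%~2"=="" (
    echo Usage: %~nx0 ^<mgmt-ip-or-subnet^> ^<snapin^> [^<snapin^> ...]
    exit /b 1
)
set "MGMT=%~1"
shift

:next
if "%~1"=="" goto verify
set "GROUPS="
rem Map each snap-in to the rule group(s) from the table above. A ';' separates
rem multiple groups; Reliability and Performance needs two.
if /i "%~1"=="eventviewer" set "GROUPS=Remote Event Log Management"
if /i "%~1"=="services"    set "GROUPS=Remote Service Management"
if /i "%~1"=="shares"      set "GROUPS=File and Printer Sharing"
if /i "%~1"=="tasks"       set "GROUPS=Remote Scheduled Tasks Management"
if /i "%~1"=="perf"        set "GROUPS=Performance Logs and Alerts;File and Printer Sharing"
if /i "%~1"=="disk"        set "GROUPS=Remote Volume Management"
if /i "%~1"=="firewall"    set "GROUPS=Windows Firewall Remote Management"

if /i "%~1"=="ipsec" (
    rem No rule group is listed for IPsec on the page; turn on remote IPsec
    rem management with the scregedit.wsf switch from the IPSec Mgmt section.
    cscript //nologo %windir%\system32\scregedit.wsf /im 1
    shift
    goto next
)
if not defined GROUPS (
    echo Unknown snap-in "%~1" - skipped
    shift
    goto next
)
if /i "%~1"=="disk" (
    rem Disk Management also needs the Virtual Disk Service running.
    sc config vds start= auto >nul
    net start vds >nul 2>&1
)
rem Turn "A;B" into "A" "B" so the for loop enables each group in turn.
for %%G in ("%GROUPS:;=" "%") do call :enable "%%~G"
shift
goto next

:enable
echo Enabling inbound rule group "%~1" for remote address %MGMT%
netsh advfirewall firewall set rule group="%~1" dir=in new remoteip=%MGMT% enable=yes >nul
if errorlevel 1 echo   FAILED: netsh returned %errorlevel% for "%~1"
goto :eof

:verify
echo.
echo Inbound rules, with their state, group and remote address scope:
netsh advfirewall firewall show rule name=all dir=in | findstr /i /c:"Rule Name" /c:"Enabled" /c:"Grouping" /c:"RemoteIP"
endlocal
```

The final listing is the check worth keeping: any rule that shows "Enabled: Yes" with "RemoteIP: Any" is open to every host that can reach the box, which is exactly what the blanket "Remote Administration" command above produces. Re-running the script with a different address replaces the scope of the named groups rather than adding to it, because "set rule ... new" overwrites the matching rules' settings.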

How to disable the firewall
netsh advfirewall set allprofiles state off

How to enable the firewall
netsh advfirewall set allprofiles state on
