Networking Forums

WS2003 SP1 Firewall Rules for a DC (svchost.exe not working)

Derek
      04-04-2005, 02:49 PM
I have the following Firewall rules in place on my test DCs. Everything is
working ok, EXCEPT that the svchost.exe exception does not seem to be
working. I have it in the group policy rules list, but when I open the
Firewall applet it is not listed. And when I turn on the firewall SQL
Kerberos authentication fails because port 1025 is not open. After some
research, I found the process svchost.exe is what listens on port 1025. In
the group policy I also have enabled 'remote administration exception' which
specifically says it adds svchost.exe and lsass.exe to the exception list.
But that does not seem to be the case.

Any ideas?

--------

123:UDP:*:Enabled:(123 UDP) NTP
135:TCP:*:Enabled:(135 TCP) RPC endpoint Mapper/DCOM
161:UDP:*:Enabled:(161 UDP) SNMP
162:UDP:*:Enabled:(162 UDP) SNMP Traps
389:TCP:*:Enabled:(389 TCP) LDAP
389:UDP:*:Enabled:(389 UDP) LDAP Discovery
464:TCP:*:Enabled:(464 TCP) Kerberos Password Change
464:UDP:*:Enabled:(464 UDP) Kerberos Password Change
445:TCP:*:Enabled:(445 TCP) SMB
3268:TCP:*:Enabled:(3268 TCP) Global Catalog
3269:TCP:*:Enabled:(3269 TCP) Global Catalog over SSL
53:TCP:*:Enabled:(53 TCP) DNS
53:UDP:*:Enabled:(53 UDP) DNS
53438:TCP:*:Enabled:(53438 TCP) AD Replication
636:TCP:*:Enabled:(636 TCP) LDAP over SSL
88:TCP:*:Enabled:(88 TCP) Kerberos
88:UDP:*:Enabled:(88 UDP) Kerberos
2381:TCP:*:Enabled:(2381 TCP) HP Management
2701:TCP:*:Enabled:(2701 TCP) SMS General Contact

C:\WINDOWS\system32\lsass.exe:*:Enabled:C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe:*:Enabled:C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntfrs.exe:*:Enabled:C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\scshost.exe:*:Enabled:C:\WINDOWS\system32\scshost.exe
C:\WINDOWS\system32\sysdown.exe:*:Enabled:C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\system32\CCM\CcmExec.exe:*:Enabled:C:\WINDOWS\system32\CCM\CcmExec.exe (SMS Client)

Nick Finco [MSFT]
      04-04-2005, 06:29 PM
First I'd suggest giving the Security Configuration Wizard a shot
(add/remove windows components). You can create a DC policy and then use
the scwcmd.exe command line tool to generate a GPO with the windows firewall
settings that you can examine. That way you can be sure you have all of the
required port exemptions. DCs are tricky to firewall.

Svchost.exe is a special case in WF. You have to use the "remote
administration exception" to allow random RPC ports opened by svchost
through the firewall (I don't believe it opens lsass, at one point it did
but that changed and I don't remember it changing back). Since you've done
that, it looks like it should be working. Are you running RTM of SP1 or a
prior RC?

N

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples are subject
to the terms specified at http://www.microsoft.com/info/cpyright.htm


Derek
      04-05-2005, 02:12 PM
I actually ran the SCW to see what the resulting firewall rule set looked
like in the wizard. I did not actually have it implement the policy and
then run the command-line tools that you mentioned. I will try that and see
what happens.

The server has the gold release of SP1 and did not have any prior versions
of the service pack applied.

Derek

Derek
      04-05-2005, 04:51 PM
I looked at the firewall rules from the SCW and they match what I put into
the GPO. Any more ideas why svchost.exe doesn't seem to be allowed in the
firewall? I also find it disappointing that even though I have the 'remote
administration' GPO option turned on, in the Firewall applet I see no entry
for it. I would at least expect to see something in there showing that the
feature is turned on.

Derek

Nick Finco [MSFT]
      04-05-2005, 10:20 PM
Have you configured both the Standard and Domain profiles for the Windows
Firewall? One of the things that SCW does is configure both identically,
otherwise you might switch from one profile to the other (or not be using
the one you expect) and become vulnerable.

Are your settings coming down from the domain properly? The domain WF
settings propagate under HKLM\Software\policies\microsoft\windowsfirewall.

Have you rebooted after the settings have applied? There's a scenario where
this is required. If the sharedaccess service (which handles the WF) isn't
running, but later started and configured with application exemptions, it
hasn't actually seen the prior ports opening so it doesn't realize it needs
to let certain traffic through. Port 1025 (or another similar ranged random
port) is typically opened by lsass during a server's boot sequence so it
falls into this scenario.

N

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples are subject
to the terms specified at http://www.microsoft.com/info/cpyright.htm


Derek
      04-07-2005, 02:35 PM
I configured the same rule set for domain and standard. I then rebooted as
you suggested, and it appears all is now working. But I am still concerned
in the Firewall control panel applet that I do not see the 'allow remote
administration' rule listed, even though I have it enabled in the GPO. Isn't
the applet supposed to list all rules? If it doesn't, how can I be certain
what really is and is not being allowed?

Derek

Nick Finco [MSFT]
      04-07-2005, 11:48 PM
I'm unsure why that setting doesn't show up in the firewall UI. You can run
"netsh firewall show state" to see its configuration.

N

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples are subject
to the terms specified at http://www.microsoft.com/info/cpyright.htm


David Beder [MSFT]
      04-08-2005, 07:08 AM
The remote administration setting is a bit scary from a security standpoint.
As such we hid the option from the UI to help ensure that only users who
actively read the documentation to pursue the feature would have it turned
on. Admins must therefore either use the command-line or group policy to
enable the setting and we felt that that would be where they'd be
comfortable looking to verify the settings were applied.

Unfortunately, at the moment, not all of the deployment and troubleshooting
documentation has been released (I think they're targeting the end of this
month) so I understand and appologize for the confusion.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.


"Nick Finco [MSFT]" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I'm unsure why that setting doesn't show up in the firewall UI. You can
> run "netsh firewall show state" to see its configuration.
>
> N
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights. Any opinions or policies stated within are my own and do not
> necessarily constitute those of my employer. Use of included script
> samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "Derek" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>>I configured the same rule set for domain and standard. I then rebooted as
>>you suggested, and it appears all is now working. But I am still concerned
>>in the Firewall control panel applet that I do not see the 'allow remote
>>administration' rule listed, even though I have it enabled in the GPO.
>>Isn't the applet supposed to list all rules? If it doesn't, how can I be
>>certain what really is and is not being allowed?
>>
>> Derek
>>
>> "Nick Finco [MSFT]" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> Have you configured both the Standard and Domain profiles for the
>>> Windows Firewall? One of the things that SCW does is configure both
>>> identically, otherwise you might switch from one profile to the other
>>> (or not be using the one you expect) and become vulnerable.
>>>
>>> Are your settings coming down from the domain properly? The domain WF
>>> settings propagate under
>>> HKLM\Software\policies\microsoft\windowsfirewall.
>>>
>>> Have you rebooted after the settings have applied? There's a scenario
>>> where this is required. If the sharedaccess service (which handles the
>>> WF) isn't running, but later started and configured with application
>>> exemptions, it hasn't actually seen the prior ports opening so it
>>> doesn't realize it needs to let certain traffic through. Port 1025 (or
>>> another similar ranged random port) is typically opened by lsass during
>>> a server's boot sequence so it falls into this scenario.
>>>
>>> N
>>>
>>> --
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights. Any opinions or policies stated within are my own and do not
>>> necessarily constitute those of my employer. Use of included script
>>> samples are subject to the terms specified at
>>> http://www.microsoft.com/info/cpyright.htm
>>>
>>>
>>> "Derek" <(E-Mail Removed)> wrote in message
>>> news:u7WE9%(E-Mail Removed)...
>>>>I looked at the firewall rules from the SCW and they match what I put
>>>>into the GPO. Any more ideas why svchost.exe doesn't seem to be
>>>>allowed in the firewall? I also find it disappointing that even though I
>>>>have the 'remote administration' GPO option turned on, in the Firewall
>>>>applet I see no entry for it. I would at least expect to see something
>>>>in there showing that the feature is turned on.
>>>>
>>>> Derek
>>>>
>>>> "Derek" <(E-Mail Removed)> wrote in message
>>>> news:e%(E-Mail Removed)...
>>>>>I actually ran the SCW to see what the resulting firewall rule set
>>>>>looked like in the wizard. I did not actually have it implement the
>>>>>policy and then run the command line tools that you mentioned. I will
>>>>>try that and see what happens.
>>>>>
>>>>> The server has the gold release of SP1 and did not have any prior
>>>>> versions of the service pack applied.
>>>>>
>>>>> Derek
>>>>>
>>>>> "Nick Finco [MSFT]" <(E-Mail Removed)> wrote in message
>>>>> news:(E-Mail Removed)...
>>>>>> First I'd suggest giving the Security Configuration Wizard a shot
>>>>>> (add/remove windows components). You can create a DC policy and then
>>>>>> use the scwcmd.exe command line tool to generate a GPO with the
>>>>>> windows firewall settings that you can examine. That way you can be
>>>>>> sure you have all of the required port exemptions. DCs are tricky to
>>>>>> firewall.
>>>>>>
>>>>>> Svchost.exe is a special case in WF. You have to use the "remote
>>>>>> administration exception" to allow random RPC ports opened by svchost
>>>>>> through the firewall (I don't believe it opens lsass, at one point it
>>>>>> did but that changed and I don't remember it changing back). Since
>>>>>> you've done that, it looks like it should be working. Are you
>>>>>> running RTM of SP1 or a prior RC?
>>>>>>
>>>>>> N
>>>>>>
>>>>>> --
>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>> rights. Any opinions or policies stated within are my own and do not
>>>>>> necessarily constitute those of my employer. Use of included script
>>>>>> samples are subject to the terms specified at
>>>>>> http://www.microsoft.com/info/cpyright.htm
>>>>>>
>>>>>>
>>>>>> "Derek" <(E-Mail Removed)> wrote in message
>>>>>> news:(E-Mail Removed)...
>>>>>>>I have the following Firewall rules in place on my test DCs.
>>>>>>>Everything is working ok, EXCEPT that the svchost.exe exception does
>>>>>>>not seem to be working. I have it in the group policy rules list, but
>>>>>>>when I open the Firewall applet it is not listed. And when I turn on
>>>>>>>the firewall SQL Kerberos authentication fails because port 1025 is
>>>>>>>not open. After some research, I found the process svchost.exe is
>>>>>>>what listens on port 1025. In the group policy I also have enabled
>>>>>>>'remote administration exception' which specifically says it adds
>>>>>>>svchost.exe and lsass.exe to the exception list. But that does not
>>>>>>>seem to be the case.
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> --------
>>>>>>>
>>>>>>> 123:UDP:*:Enabled:(123 UDP) NTP
>>>>>>> 135:TCP:*:Enabled:(135 TCP) RPC endpoint Mapper/DCOM
>>>>>>> 161:UDP:*:Enabled:(161 UDP) SNMP
>>>>>>> 162:UDP:*:Enabled:(162 UDP) SNMP Traps
>>>>>>> 389:TCP:*:Enabled:(389 TCP) LDAP
>>>>>>> 389:UDP:*:Enabled:(389 UDP) LDAP Discovery
>>>>>>> 464:TCP:*:Enabled:(464 TCP) Kerberos Password Change
>>>>>>> 464:UDP:*:Enabled:(464 UDP) Kerberos Password Change
>>>>>>> 445:TCP:*:Enabled:(445 TCP) SMB
>>>>>>> 3268:TCP:*:Enabled:(3268 TCP) Global Catalog
>>>>>>> 3269:TCP:*:Enabled:(3269 TCP) Global Catalog over SSL
>>>>>>> 53:TCP:*:Enabled:(53 TCP) DNS
>>>>>>> 53:UDP:*:Enabled:(53 UDP) DNS
>>>>>>> 53438:TCP:*:Enabled:(53438 TCP) AD Replication
>>>>>>> 636:TCP:*:Enabled:(636 TCP) LDAP over SSL
>>>>>>> 88:TCP:*:Enabled:(88 TCP) Kerberos
>>>>>>> 88:UDP:*:Enabled:(88 UDP) Kerberos
>>>>>>> 2381:TCP:*:Enabled:(2381 TCP) HP Management
>>>>>>> 2701:TCP:*:Enabled:(2701 TCP) SMS General Contact
>>>>>>>
>>>>>>> C:\WINDOWS\system32\lsass.exe:*:Enabled:C:\WINDOWS\system32\lsass.exe
>>>>>>> C:\WINDOWS\system32\svchost.exe:*:Enabled:C:\WINDOWS\system32\svchost.exe
>>>>>>> C:\WINDOWS\system32\ntfrs.exe:*:Enabled:C:\WINDOWS\system32\ntfrs.exe
>>>>>>> C:\WINDOWS\system32\scshost.exe:*:Enabled:C:\WINDOWS\system32\scshost.exe
>>>>>>> C:\WINDOWS\system32\sysdown.exe:*:Enabled:C:\WINDOWS\system32\sysdown.exe
>>>>>>> C:\WINDOWS\system32\CCM\CcmExec.exe:*:Enabled:C:\WINDOWS\system32\CCM\CcmExec.exe (SMS Client)
Reply With Quote
 
Derek
Guest
Posts: n/a

 
      04-09-2005, 04:57 PM
But it seems that 'remote administration' is required for DCs to properly
function, no? I really don't want it turned on, but it seems that I must on
DCs? Thanks for the info.

"David Beder [MSFT]" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> The remote administration setting is a bit scary from a security
> standpoint. As such we hid the option from the UI to help ensure that only
> users who actively read the documentation to pursue the feature would have
> it turned on. Admins must therefore either use the command-line or group
> policy to enable the setting and we felt that that would be where they'd
> be comfortable looking to verify the settings were applied.
>
> Unfortunately, at the moment, not all of the deployment and
> troubleshooting documentation has been released (I think they're targeting
> the end of this month) so I understand and apologize for the confusion.
>
> --
> David
> Microsoft Windows Networking
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Nick Finco [MSFT]" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> I'm unsure why that setting doesn't show up in the firewall UI. You can
>> run "netsh firewall show state" to see its configuration.
>>
>> N
>>
>> --
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights. Any opinions or policies stated within are my own and do not
>> necessarily constitute those of my employer. Use of included script
>> samples are subject to the terms specified at
>> http://www.microsoft.com/info/cpyright.htm
>>
>>
>> "Derek" <(E-Mail Removed)> wrote in message
>> news:%(E-Mail Removed)...
>>>I configured the same rule set for domain and standard. I then rebooted
>>>as you suggested, and it appears all is now working. But I am still
>>>concerned in the Firewall control panel applet that I do not see the
>>>'allow remote administration' rule listed, even though I have it enabled
>>>in the GPO. Isn't the applet supposed to list all rules? If it doesn't,
>>>how can I be certain what really is and is not being allowed?
>>>
>>> Derek
>>>
>>> "Nick Finco [MSFT]" <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed)...
>>>> Have you configured both the Standard and Domain profiles for the
>>>> Windows Firewall? One of the things that SCW does is configure both
>>>> identically, otherwise you might switch from one profile to the other
>>>> (or not be using the one you expect) and become vulnerable.
>>>>
>>>> Are your settings coming down from the domain properly? The domain WF
>>>> settings propagate under
>>>> HKLM\Software\policies\microsoft\windowsfirewall.
>>>>
>>>> Have you rebooted after the settings have applied? There's a scenario
>>>> where this is required. If the sharedaccess service (which handles the
>>>> WF) isn't running, but later started and configured with application
>>>> exemptions, it hasn't actually seen the prior ports opening so it
>>>> doesn't realize it needs to let certain traffic through. Port 1025 (or
>>>> another similar ranged random port) is typically opened by lsass during
>>>> a server's boot sequence so it falls into this scenario.
>>>>
>>>> N
>>>>
>>>> --
>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>> rights. Any opinions or policies stated within are my own and do not
>>>> necessarily constitute those of my employer. Use of included script
>>>> samples are subject to the terms specified at
>>>> http://www.microsoft.com/info/cpyright.htm
>>>>
>>>>
>>>> "Derek" <(E-Mail Removed)> wrote in message
>>>> news:u7WE9%(E-Mail Removed)...
>>>>>I looked at the firewall rules from the SCW and they match what I put
>>>>>into the GPO. Any more ideas why svchost.exe doesn't seem to be
>>>>>allowed in the firewall? I also find it disappointing that even though
>>>>>I have the 'remote administration' GPO option turned on, in the
>>>>>Firewall applet I see no entry for it. I would at least expect to see
>>>>>something in there showing that the feature is turned on.
>>>>>
>>>>> Derek
>>>>>
>>>>> "Derek" <(E-Mail Removed)> wrote in message
>>>>> news:e%(E-Mail Removed)...
>>>>>>I actually ran the SCW to see what the resulting firewall rule set
>>>>>>looked like in the wizard. I did not actually have it implement the
>>>>>>policy and then run the command line tools that you mentioned. I will
>>>>>>try that and see what happens.
>>>>>>
>>>>>> The server has the gold release of SP1 and did not have any prior
>>>>>> versions of the service pack applied.
>>>>>>
>>>>>> Derek
>>>>>>
>>>>>> "Nick Finco [MSFT]" <(E-Mail Removed)> wrote in message
>>>>>> news:(E-Mail Removed)...
>>>>>>> First I'd suggest giving the Security Configuration Wizard a shot
>>>>>>> (add/remove windows components). You can create a DC policy and
>>>>>>> then use the scwcmd.exe command line tool to generate a GPO with the
>>>>>>> windows firewall settings that you can examine. That way you can be
>>>>>>> sure you have all of the required port exemptions. DCs are tricky
>>>>>>> to firewall.
>>>>>>>
>>>>>>> Svchost.exe is a special case in WF. You have to use the "remote
>>>>>>> administration exception" to allow random RPC ports opened by
>>>>>>> svchost through the firewall (I don't believe it opens lsass, at one
>>>>>>> point it did but that changed and I don't remember it changing
>>>>>>> back). Since you've done that, it looks like it should be working.
>>>>>>> Are you running RTM of SP1 or a prior RC?
>>>>>>>
>>>>>>> N
>>>>>>>
>>>>>>> --
>>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>>> rights. Any opinions or policies stated within are my own and do not
>>>>>>> necessarily constitute those of my employer. Use of included script
>>>>>>> samples are subject to the terms specified at
>>>>>>> http://www.microsoft.com/info/cpyright.htm
>>>>>>>
>>>>>>>
>>>>>>> "Derek" <(E-Mail Removed)> wrote in message
>>>>>>> news:(E-Mail Removed)...
>>>>>>>>I have the following Firewall rules in place on my test DCs.
>>>>>>>>Everything is working ok, EXCEPT that the svchost.exe exception does
>>>>>>>>not seem to be working. I have it in the group policy rules list,
>>>>>>>>but when I open the Firewall applet it is not listed. And when I
>>>>>>>>turn on the firewall SQL Kerberos authentication fails because port
>>>>>>>>1025 is not open. After some research, I found the process
>>>>>>>>svchost.exe is what listens on port 1025. In the group policy I also
>>>>>>>>have enabled 'remote administration exception' which specifically
>>>>>>>>says it adds svchost.exe and lsass.exe to the exception list. But
>>>>>>>>that does not seem to be the case.
>>>>>>>>
>>>>>>>> Any ideas?
>>>>>>>>
>>>>>>>> --------
>>>>>>>>
>>>>>>>> 123:UDP:*:Enabled:(123 UDP) NTP
>>>>>>>> 135:TCP:*:Enabled:(135 TCP) RPC endpoint Mapper/DCOM
>>>>>>>> 161:UDP:*:Enabled:(161 UDP) SNMP
>>>>>>>> 162:UDP:*:Enabled:(162 UDP) SNMP Traps
>>>>>>>> 389:TCP:*:Enabled:(389 TCP) LDAP
>>>>>>>> 389:UDP:*:Enabled:(389 UDP) LDAP Discovery
>>>>>>>> 464:TCP:*:Enabled:(464 TCP) Kerberos Password Change
>>>>>>>> 464:UDP:*:Enabled:(464 UDP) Kerberos Password Change
>>>>>>>> 445:TCP:*:Enabled:(445 TCP) SMB
>>>>>>>> 3268:TCP:*:Enabled:(3268 TCP) Global Catalog
>>>>>>>> 3269:TCP:*:Enabled:(3269 TCP) Global Catalog over SSL
>>>>>>>> 53:TCP:*:Enabled:(53 TCP) DNS
>>>>>>>> 53:UDP:*:Enabled:(53 UDP) DNS
>>>>>>>> 53438:TCP:*:Enabled:(53438 TCP) AD Replication
>>>>>>>> 636:TCP:*:Enabled:(636 TCP) LDAP over SSL
>>>>>>>> 88:TCP:*:Enabled:(88 TCP) Kerberos
>>>>>>>> 88:UDP:*:Enabled:(88 UDP) Kerberos
>>>>>>>> 2381:TCP:*:Enabled:(2381 TCP) HP Management
>>>>>>>> 2701:TCP:*:Enabled:(2701 TCP) SMS General Contact
>>>>>>>>
>>>>>>>> C:\WINDOWS\system32\lsass.exe:*:Enabled:C:\WINDOWS\system32\lsass.exe
>>>>>>>> C:\WINDOWS\system32\svchost.exe:*:Enabled:C:\WINDOWS\system32\svchost.exe
>>>>>>>> C:\WINDOWS\system32\ntfrs.exe:*:Enabled:C:\WINDOWS\system32\ntfrs.exe
>>>>>>>> C:\WINDOWS\system32\scshost.exe:*:Enabled:C:\WINDOWS\system32\scshost.exe
>>>>>>>> C:\WINDOWS\system32\sysdown.exe:*:Enabled:C:\WINDOWS\system32\sysdown.exe
>>>>>>>> C:\WINDOWS\system32\CCM\CcmExec.exe:*:Enabled:C:\WINDOWS\system32\CCM\CcmExec.exe (SMS Client)
Reply With Quote
 
Derek
Guest
Posts: n/a

 
      04-09-2005, 05:43 PM
I disabled 'remote administration' but put lsass.exe in the program
exceptions and all seems to be well. Is this the best security I can do on a
DC?

"Derek" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> But it seems that 'remote administration' is required for DCs to properly
> function, no? I really don't want it turned on, but it seems that I must
> on DCs? Thanks for the info.
>
> "David Beder [MSFT]" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> The remote administration setting is a bit scary from a security
>> standpoint. As such we hid the option from the UI to help ensure that
>> only users who actively read the documentation to pursue the feature
>> would have it turned on. Admins must therefore either use the command-line
>> or group policy to enable the setting and we felt that that would be
>> where they'd be comfortable looking to verify the settings were applied.
>>
>> Unfortunately, at the moment, not all of the deployment and
>> troubleshooting documentation has been released (I think they're
>> targeting the end of this month) so I understand and apologize for the
>> confusion.
>>
>> --
>> David
>> Microsoft Windows Networking
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>> "Nick Finco [MSFT]" <(E-Mail Removed)> wrote in message
>> news:%(E-Mail Removed)...
>>> I'm unsure why that setting doesn't show up in the firewall UI. You can
>>> run "netsh firewall show state" to see its configuration.
>>>
>>> N
>>>
>>> --
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights. Any opinions or policies stated within are my own and do not
>>> necessarily constitute those of my employer. Use of included script
>>> samples are subject to the terms specified at
>>> http://www.microsoft.com/info/cpyright.htm
>>>
>>>
>>> "Derek" <(E-Mail Removed)> wrote in message
>>> news:%(E-Mail Removed)...
>>>>I configured the same rule set for domain and standard. I then rebooted
>>>>as you suggested, and it appears all is now working. But I am still
>>>>concerned in the Firewall control panel applet that I do not see the
>>>>'allow remote administration' rule listed, even though I have it enabled
>>>>in the GPO. Isn't the applet supposed to list all rules? If it doesn't,
>>>>how can I be certain what really is and is not being allowed?
>>>>
>>>> Derek
>>>>
>>>> "Nick Finco [MSFT]" <(E-Mail Removed)> wrote in message
>>>> news:(E-Mail Removed)...
>>>>> Have you configured both the Standard and Domain profiles for the
>>>>> Windows Firewall? One of the things that SCW does is configure both
>>>>> identically, otherwise you might switch from one profile to the other
>>>>> (or not be using the one you expect) and become vulnerable.
>>>>>
>>>>> Are your settings coming down from the domain properly? The domain WF
>>>>> settings propagate under
>>>>> HKLM\Software\policies\microsoft\windowsfirewall.
>>>>>
>>>>> Have you rebooted after the settings have applied? There's a scenario
>>>>> where this is required. If the sharedaccess service (which handles
>>>>> the WF) isn't running, but later started and configured with
>>>>> application exemptions, it hasn't actually seen the prior ports
>>>>> opening so it doesn't realize it needs to let certain traffic through.
>>>>> Port 1025 (or another similar ranged random port) is typically opened
>>>>> by lsass during a server's boot sequence so it falls into this
>>>>> scenario.
>>>>>
>>>>> N
>>>>>
>>>>> --
>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>> rights. Any opinions or policies stated within are my own and do not
>>>>> necessarily constitute those of my employer. Use of included script
>>>>> samples are subject to the terms specified at
>>>>> http://www.microsoft.com/info/cpyright.htm
>>>>>
>>>>>
>>>>> "Derek" <(E-Mail Removed)> wrote in message
>>>>> news:u7WE9%(E-Mail Removed)...
>>>>>>I looked at the firewall rules from the SCW and they match what I put
>>>>>>into the GPO. Any more ideas why svchost.exe doesn't seem to be
>>>>>>allowed in the firewall? I also find it disappointing that even though
>>>>>>I have the 'remote administration' GPO option turned on, in the
>>>>>>Firewall applet I see no entry for it. I would at least expect to see
>>>>>>something in there showing that the feature is turned on.
>>>>>>
>>>>>> Derek
>>>>>>
>>>>>> "Derek" <(E-Mail Removed)> wrote in message
>>>>>> news:e%(E-Mail Removed)...
>>>>>>>I actually ran the SCW to see what the resulting firewall rule set
>>>>>>>looked like in the wizard. I did not actually have it implement
>>>>>>>the policy and then run the command line tools that you mentioned. I
>>>>>>>will try that and see what happens.
>>>>>>>
>>>>>>> The server has the gold release of SP1 and did not have any prior
>>>>>>> versions of the service pack applied.
>>>>>>>
>>>>>>> Derek
>>>>>>>
>>>>>>> "Nick Finco [MSFT]" <(E-Mail Removed)> wrote in message
>>>>>>> news:(E-Mail Removed)...
>>>>>>>> First I'd suggest giving the Security Configuration Wizard a shot
>>>>>>>> (add/remove windows components). You can create a DC policy and
>>>>>>>> then use the scwcmd.exe command line tool to generate a GPO with
>>>>>>>> the windows firewall settings that you can examine. That way you
>>>>>>>> can be sure you have all of the required port exemptions. DCs are
>>>>>>>> tricky to firewall.
>>>>>>>>
>>>>>>>> Svchost.exe is a special case in WF. You have to use the "remote
>>>>>>>> administration exception" to allow random RPC ports opened by
>>>>>>>> svchost through the firewall (I don't believe it opens lsass, at
>>>>>>>> one point it did but that changed and I don't remember it changing
>>>>>>>> back). Since you've done that, it looks like it should be working.
>>>>>>>> Are you running RTM of SP1 or a prior RC?
>>>>>>>>
>>>>>>>> N
>>>>>>>>
>>>>>>>> --
>>>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>>>> rights. Any opinions or policies stated within are my own and do
>>>>>>>> not necessarily constitute those of my employer. Use of included
>>>>>>>> script samples are subject to the terms specified at
>>>>>>>> http://www.microsoft.com/info/cpyright.htm
>>>>>>>>
>>>>>>>>
>>>>>>>> "Derek" <(E-Mail Removed)> wrote in message
>>>>>>>> news:(E-Mail Removed)...
>>>>>>>>>I have the following Firewall rules in place on my test DCs.
>>>>>>>>>Everything is working ok, EXCEPT that the svchost.exe exception
>>>>>>>>>does not seem to be working. I have it in the group policy rules
>>>>>>>>>list, but when I open the Firewall applet it is not listed. And
>>>>>>>>>when I turn on the firewall SQL Kerberos authentication fails
>>>>>>>>>because port 1025 is not open. After some research, I found the
>>>>>>>>>process svchost.exe is what listens on port 1025. In the group
>>>>>>>>>policy I also have enabled 'remote administration exception' which
>>>>>>>>>specifically says it adds svchost.exe and lsass.exe to the
>>>>>>>>>exception list. But that does not seem to be the case.
>>>>>>>>>
>>>>>>>>> Any ideas?
>>>>>>>>>
>>>>>>>>> --------
>>>>>>>>>
>>>>>>>>> 123:UDP:*:Enabled:(123 UDP) NTP
>>>>>>>>> 135:TCP:*:Enabled:(135 TCP) RPC endpoint Mapper/DCOM
>>>>>>>>> 161:UDP:*:Enabled:(161 UDP) SNMP
>>>>>>>>> 162:UDP:*:Enabled:(162 UDP) SNMP Traps
>>>>>>>>> 389:TCP:*:Enabled:(389 TCP) LDAP
>>>>>>>>> 389:UDP:*:Enabled:(389 UDP) LDAP Discovery
>>>>>>>>> 464:TCP:*:Enabled:(464 TCP) Kerberos Password Change
>>>>>>>>> 464:UDP:*:Enabled:(464 UDP) Kerberos Password Change
>>>>>>>>> 445:TCP:*:Enabled:(445 TCP) SMB
>>>>>>>>> 3268:TCP:*:Enabled:(3268 TCP) Global Catalog
>>>>>>>>> 3269:TCP:*:Enabled:(3269 TCP) Global Catalog over SSL
>>>>>>>>> 53:TCP:*:Enabled:(53 TCP) DNS
>>>>>>>>> 53:UDP:*:Enabled:(53 UDP) DNS
>>>>>>>>> 53438:TCP:*:Enabled:(53438 TCP) AD Replication
>>>>>>>>> 636:TCP:*:Enabled:(636 TCP) LDAP over SSL
>>>>>>>>> 88:TCP:*:Enabled:(88 TCP) Kerberos
>>>>>>>>> 88:UDP:*:Enabled:(88 UDP) Kerberos
>>>>>>>>> 2381:TCP:*:Enabled:(2381 TCP) HP Management
>>>>>>>>> 2701:TCP:*:Enabled:(2701 TCP) SMS General Contact
>>>>>>>>>
>>>>>>>>> C:\WINDOWS\system32\lsass.exe:*:Enabled:C:\WINDOWS\system32\lsass.exe
>>>>>>>>> C:\WINDOWS\system32\svchost.exe:*:Enabled:C:\WINDOWS\system32\svchost.exe
>>>>>>>>> C:\WINDOWS\system32\ntfrs.exe:*:Enabled:C:\WINDOWS\system32\ntfrs.exe
>>>>>>>>> C:\WINDOWS\system32\scshost.exe:*:Enabled:C:\WINDOWS\system32\scshost.exe
>>>>>>>>> C:\WINDOWS\system32\sysdown.exe:*:Enabled:C:\WINDOWS\system32\sysdown.exe
>>>>>>>>> C:\WINDOWS\system32\CCM\CcmExec.exe:*:Enabled:C:\WINDOWS\system32\CCM\CcmExec.exe (SMS Client)
 
Reply With Quote
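As an added example (not code from the thread, Microsoft or SCW), a small Python audit of the exception strings posted in this thread: it parses the port format (port:proto:scope:Enabled:name) and the program format (path:scope:Enabled:name), confirms the DC service ports are present, flags management ports scoped to '*' (any address), and reports the RPC situation discussed above (remote administration on, or lsass.exe missing from the program exceptions). The sample rules are constructed from the values quoted in the thread, and whether the remote administration exception is on is passed in as a boolean rather than read from the policy registry key.

```python
"""Audit a WS2003 SP1 Windows Firewall exception list for a domain controller (added
example; assumes the formats port:proto:scope:Enabled:name and path:scope:Enabled:name)."""
import re
from typing import Dict, List, Tuple

# A program path contains ':' (C:\...), so both formats are parsed by regex.
PORT_RE = re.compile(r"^(\d+):(TCP|UDP):([^:]*):([^:]*):(.*)$", re.I)
APP_RE = re.compile(r"^([A-Za-z]:[^:]*):([^:]*):([^:]*):(.*)$")
# Listeners a DC must expose (constructed from the thread's rule list).
REQUIRED_DC_PORTS: Dict[Tuple[int, str], str] = {
    (53, "TCP"): "DNS", (53, "UDP"): "DNS", (88, "TCP"): "Kerberos", (88, "UDP"): "Kerberos",
    (123, "UDP"): "NTP", (135, "TCP"): "RPC endpoint mapper", (389, "TCP"): "LDAP",
    (389, "UDP"): "LDAP discovery", (445, "TCP"): "SMB", (464, "TCP"): "Kerberos pw change",
    (464, "UDP"): "Kerberos pw change", (636, "TCP"): "LDAP over SSL",
    (3268, "TCP"): "Global Catalog", (3269, "TCP"): "Global Catalog over SSL"}
# Management listeners that should be scoped to the management hosts, not '*'.
MANAGEMENT_PORTS = {(161, "UDP"): "SNMP", (162, "UDP"): "SNMP traps",
                    (2381, "TCP"): "HP Management", (2701, "TCP"): "SMS General Contact"}

def parse_port_rule(line: str) -> dict:
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a port exception: {line!r}")
    port, proto, scope, state, name = m.groups()
    return {"port": int(port), "proto": proto.upper(), "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}

def parse_app_rule(line: str) -> dict:
    m = APP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a program exception: {line!r}")
    path, scope, state, name = m.groups()
    return {"path": path, "exe": path.rsplit("\\", 1)[-1].lower(), "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}

def audit(port_lines: List[str], app_lines: List[str],
          remote_admin: bool = False) -> Dict[str, List[str]]:
    """Return findings by category; an empty list means that check passed."""
    ports = [parse_port_rule(l) for l in port_lines]
    apps = [parse_app_rule(l) for l in app_lines]
    open_ports = {(r["port"], r["proto"]) for r in ports if r["enabled"]}
    findings: Dict[str, List[str]] = {"missing": [], "broad_scope": [], "rpc": []}
    for key, svc in REQUIRED_DC_PORTS.items():
        if key not in open_ports:
            findings["missing"].append(f"{key[0]}/{key[1]} {svc}")
    for r in ports:
        key = (r["port"], r["proto"])
        if r["enabled"] and key in MANAGEMENT_PORTS and r["scope"] == "*":
            findings["broad_scope"].append(f"{key[0]}/{key[1]} {MANAGEMENT_PORTS[key]} open to any address")
    exes = {r["exe"] for r in apps if r["enabled"]}
    if remote_admin:  # per the thread: lets every dynamic RPC port svchost opens through
        findings["rpc"].append("remote administration exception on: all svchost RPC ports reachable")
    elif "lsass.exe" not in exes:  # lsass's dynamic RPC port (1025 in the thread) stays blocked
        findings["rpc"].append("no lsass.exe program exception: its dynamic RPC port stays blocked")
    return findings

# Constructed sample: the thread's port rules and four of its program rules, unwrapped.
SAMPLE_PORTS = """
123:UDP:*:Enabled:(123 UDP) NTP
135:TCP:*:Enabled:(135 TCP) RPC endpoint Mapper/DCOM
161:UDP:*:Enabled:(161 UDP) SNMP
162:UDP:*:Enabled:(162 UDP) SNMP Traps
389:TCP:*:Enabled:(389 TCP) LDAP
389:UDP:*:Enabled:(389 UDP) LDAP Discovery
464:TCP:*:Enabled:(464 TCP) Kerberos Password Change
464:UDP:*:Enabled:(464 UDP) Kerberos Password Change
445:TCP:*:Enabled:(445 TCP) SMB
3268:TCP:*:Enabled:(3268 TCP) Global Catalog
3269:TCP:*:Enabled:(3269 TCP) Global Catalog over SSL
53:TCP:*:Enabled:(53 TCP) DNS
53:UDP:*:Enabled:(53 UDP) DNS
53438:TCP:*:Enabled:(53438 TCP) AD Replication
636:TCP:*:Enabled:(636 TCP) LDAP over SSL
88:TCP:*:Enabled:(88 TCP) Kerberos
88:UDP:*:Enabled:(88 UDP) Kerberos
2381:TCP:*:Enabled:(2381 TCP) HP Management
2701:TCP:*:Enabled:(2701 TCP) SMS General Contact
""".strip().splitlines()
SAMPLE_APPS = r"""
C:\WINDOWS\system32\lsass.exe:*:Enabled:C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe:*:Enabled:C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntfrs.exe:*:Enabled:C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\CCM\CcmExec.exe:*:Enabled:C:\WINDOWS\system32\CCM\CcmExec.exe (SMS Client)
""".strip().splitlines()
```

Against the posted rule set with remote administration off, `audit(SAMPLE_PORTS, SAMPLE_APPS)` reports no missing DC ports and no RPC finding (lsass.exe is excepted), but four management listeners open to any address; the same strings can be read from the policy key named in the thread rather than pasted in.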
 