Configuring the Firewall on Server Core for Remote Management

As you already know by now, in Windows Server 2008, Server Core installation does not include the traditional full graphical user interface (GUI). Read more about Server Core on my “Understanding Windows Server 2008 Server Core” article.

Once you have configured the server, you can only manage it locally at a command prompt, or remotely using a Terminal Server connection. A third management option is to manage the server remotely using the Microsoft Management Console (MMC) or command-line tools that support remote use. Read more about remote management of Server Core on my “Managing Windows 2008 Server Core through RDP“, “Remotely Managing Windows 2008 Server Core Settings through MMC Snap-ins” and “Remotely Managing Windows 2008 Server Core Firewall” articles.

The Server Core blog has published a nice guide on how to configure the Server Core firewall for remote management in various scenarios.

Just like on a full Windows Server 2008 installation, the Windows Firewall is on by default, and most inbound traffic is blocked out-of-the-box. However, since the main reason for a “server” is to “serve” something (be it a service, a file, or anything else that needs to be accessible through the network), you will need to enable certain network traffic through the firewall.

One of the reasons for enabling incoming traffic through the firewall is remote management. As mentioned in previous articles, you can manage Server Core via the local  command prompt, remotely with the usual MMC-based snap-in Administration tools, through WinRM and WinRS, and even through Remote Desktop (although all you’ll get is a nice command prompt window…)

In most cases, after the initial configuration of the server, you’ll find yourself wanting to manage some of the roles and features installed on the server, and then you’ll probably go to the MMC-based snap-in Administration tools. The Server Core blog lists three scenarios for remote management via MMC:

  • Server Roles – When a server role is installed on the server, the appropriate ports are automatically opened to allow the role to function, as well as to allow remote management. No additional configuration is required. Using the Remote Server Administration Tools (RSAT) feature on a full server installation, you can install just the MMC snap-ins for a role and use them to remotely manage the role on Server Core.
  • Domain joined server – Once the server joins a domain, the firewall profile is changed to the domain profile which allows remote management. Again, no additional configuration is required.
  • Workgroup server – This is the scenario in which you may need to make firewall configuration changes to allow remote management. If you just want all remote management to work you can use the following command:
    ​Netsh advfirewall firewall set rule group=“remote administration” new enable=yes

The above command will allow for most remote management tools to work out-of-the-box. However, in addition to allowing the MMC snap-ins through the firewall, the following MMC snap-ins require additional configuration:

Device Manager

To allow Device Manager to connect, you must first enable the “Allow remote access to the PnP interface” policy. Read more about how to do that in my “Remotely Manage Devices on Server Core” article.

Disk Management

You must first start the Virtual Disk Service (VDS) on the Server Core installation

IPSec Management

On the Server Core installation you must first enable remote management of IPSec. This can be done using the scregedit.wsf script:

​Cscript 'windows'system32'scregedit.wsf /im 1

So, most remote administration MMC snap-ins are now functioning by simply enabling the Remote Administration firewall rules. But, as the blog describes, it is possible to be more granular and only allow certain MMC snap-ins to remotely manage the box. There may be situations where you would only want to allow certain MMCs to connect for remote administration.

Not every MMC snap-in has a firewall group, here are those that do:

fw groups 1

On the Server Core box you can enable any of these groups by running:

​Netsh advfirewall firewall set rule group=“<rule group>” new enable=yes

Where <rule group> is the name in the above table.

You can also remotely enable these using the Windows Firewall with Advanced Security MMC snap-in. Read my “Remotely Managing Windows 2008 Server Core Firewall” article. When looking at the server’s firewall settings you’ll notice that the rules can be sorted by the Group column, making it easier for you to see which group was enabled and which one wasn’t:

remote mgmt fw 1 small

Recent Windows Server 2008 Forum threads

Got a question? Post it on our Windows Server 2008 forums!