GPO exception for WMI in Vista firewall on SBS 2003

  • GPO exception for WMI in Vista firewall on SBS 2003

    Hi,

    As pointed out in the title, I have an SBS2003 DC and some Vista Business clients in the network. I inherited the system and there are some Extra Registry settings in the firewall configuration GPO for Vista, but the WMI exception is not included in the configuration.

    I have a network audit program to collect SW and HW info on computers, but it requires the Windows Management Instrumentation exception in the Vista firewall. Since SBS 2003 does not handle Vista adm(x) files, I have no idea how to configure the GPO and/or extra registry settings to make a WMI exception on all Vista clients in the network.

    Appreciate your help! TNX!

  • #2
    Re: GPO exception for WMI in Vista firewall on SBS 2003

    I don't know about SBS2003, but normally the policies to configure for this would be:

    Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
    - Windows Firewall: "Allow remote administration exception"
    - Windows Firewall: "Allow ICMP exceptions"
    - Windows Firewall: "Allow Remote Desktop exception"
    Additional Policy on VISTA:
    Administrative Templates\System\Device Installation
    - "Allow remote access to the PnP interface"


    You can try the following netsh.exe command line in a computer start-up-script applied to the clients.
    (http://msdn.microsoft.com/en-us/libr...54(VS.85).aspx)
    Code:
    @netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

    \Rems

    This posting is provided "AS IS" with no warranties, and confers no rights.



    • #3
      Re: GPO exception for WMI in Vista firewall on SBS 2003

      Rems,

      thank you for your answer. Yes, I know normally that would be the procedure, but as far as I know SBS2003 can't display Vista GP settings, because it can't handle admx files. So I'm stuck with dozens of Extra registry settings like:

      Software\Policies\Microsoft\WindowsFirewall\FirewallRules\CoreNet-DHCP-In v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|LPort=68|RPort=67|App=%SystemRoot%\system32\svchost.exe|Svc=dhcp|[email protected] ,-25301|[email protected],-25303|[email protected],-25000|AutoGenIPsec=FALSE|Edge=FALSE| Small Business Server - Windows Vista policy

      Software\Policies\Microsoft\WindowsFirewall\FirewallRules\CoreNet-DHCP-Out v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|LPort=68|RPort=67|App=%SystemRoot%\system32\svchost.exe|Svc=dhcp|[email protected] l,-25302|[email protected],-25303|[email protected],-25000|AutoGenIPsec=FALSE|Edge=FALSE| Small Business Server - Windows Vista policy

      And so on...

      I can't find these settings in GPO editor and I can't set new ones (like WMI exception to Vista Firewall).

      I like the netsh solution and startup script. But I would rather figure something out by using a nonpersistent/true policy or persistent policy than running a startup script on every logon.

      Please, if you have any ideas, I would really appreciate your input.

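The "Extra Registry Settings" values quoted in the post above are pipe-delimited firewall rule definitions. As an added example (not code from any poster in this thread), the Python below parses such a string into its fields and flags active inbound allow rules that are not limited to the Domain profile or not bound to a program or service. The sample strings are constructed: the first reuses the fields visible in the post with the garbled Name/Desc fields left out, the second is hypothetical, and treating a rule with no Profile field as applying to all profiles is an assumption.

```python
# Added example: parse firewall policy rule strings of the form quoted in the
# thread ("v2.0|Key=Value|...") and flag broad inbound allow rules.

def parse_rule(data):
    """Split one rule string into (version, fields); keys such as Profile may repeat."""
    parts = [p.strip() for p in data.split("|") if p.strip()]
    if not parts or "=" in parts[0]:
        raise ValueError("missing version prefix such as v2.0")
    version, fields = parts[0], {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("field without '=': %r" % part)
        fields.setdefault(key, []).append(value)
    return version, fields

def first(fields, key, default=""):
    return fields.get(key, [default])[0]

def audit_rule(name, data):
    """Return a list of findings for one rule (empty list = nothing flagged)."""
    _, f = parse_rule(data)
    findings = []
    active = first(f, "Active").upper() == "TRUE"
    inbound_allow = first(f, "Dir").lower() == "in" and first(f, "Action").lower() == "allow"
    if not (active and inbound_allow):
        return findings
    profiles = {p.lower() for p in f.get("Profile", [])}
    # Assumption: a rule with no Profile field applies to every profile.
    if profiles != {"domain"}:
        scope = ", ".join(sorted(profiles)) or "all profiles"
        findings.append("%s: inbound allow applies to %s" % (name, scope))
    if "App" not in f and "Svc" not in f:
        findings.append("%s: inbound allow not bound to a program or service" % name)
    return findings

# Constructed samples: first from the fields visible in the post, second hypothetical.
SAMPLES = {
    "CoreNet-DHCP-In": r"v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|LPort=68|RPort=67|App=%SystemRoot%\system32\svchost.exe|Svc=dhcp|AutoGenIPsec=FALSE|Edge=FALSE|",
    "Example-Mgmt-In": "v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=135|",
}

def audit_all(rules):
    return [msg for name, data in sorted(rules.items()) for msg in audit_rule(name, data)]

if __name__ == "__main__":
    print("\n".join(audit_all(SAMPLES)))
```
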


      • #4
        Re: GPO exception for WMI in Vista firewall on SBS 2003

        Use RSAT to manage GP from a Vista machine?
        Gareth Howells

        BSc (Hons), MBCS, MCP, MCDST, ICCE

        Any advice is given in good faith and without warranty.

        Please give reputation points if somebody has helped you.

        "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

        "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



        • #5
          Re: GPO exception for WMI in Vista firewall on SBS 2003

          Hmm, Windows Server 2003 Administration Tools Pack? Or do I need RSAT for SBS2003, I don't have 2008? I'm reading RSAT is for 2008 administration. But then again, does Windows Server 2003 Administration Tools Pack include Vista management ability?

          Me likes it. Do I get Vista admx with it, or do I have to install that separately?

          And... Although I like it, I'm still interested in alternatives, since I work from XP machine. Using Admin pack or RSAT means I need to install it on one of Vista machines, which means normal users... Me not like that.



          • #6
            Re: GPO exception for WMI in Vista firewall on SBS 2003

            You wouldn't install it on a user's workstation, you'd install it on a machine or VM used by you, with Vista on it.
            Gareth Howells



            • #7
              Re: GPO exception for WMI in Vista firewall on SBS 2003

              Well no such machine. We're a small firm, all DSP, no Volume licensing.



              • #8
                Re: GPO exception for WMI in Vista firewall on SBS 2003

                Maybe swap your machine for one of the Vista PCs, or upgrade your OS?
                Gareth Howells



                • #9
                  Re: GPO exception for WMI in Vista firewall on SBS 2003

                  gforceindustries,

                  that's your idea of solving problems with GPO? Great, thanks.

                  Does anyone else have an alternative solution? Would appreciate it very much.



                  • #10
                    Re: GPO exception for WMI in Vista firewall on SBS 2003

                    There's no need to be rude. You asked for suggestions, I suggested RSAT. It has requirements, I suggested a way for you to meet them while maintaining the security and manageability of your system. If you don't like the suggestion, then that's fine.
                    Last edited by gforceindustries; 4th February 2009, 14:04.
                    Gareth Howells



                    • #11
                      Re: GPO exception for WMI in Vista firewall on SBS 2003

                      gforceindustries,

                      my intention wasn't to be rude, I apologize if you find my statement rude. I pointed out switching OSes and PC isn't an option, but you insisted.

                      RSAT is an option, but it requires a Vista machine, which is at least inconvenient because I'd have to occupy one of my coworkers' PCs. So I'm still waiting for an alternative.

                      You seem like an expert, so I suppose you have some alternatives under your hat? I'm cool with Extra registry settings, as long as I know what to change.
