Open-AudIT
http://www.open-audit.org/phpBB3/

[help] [solved] Firewall - W7 - blocking OA
http://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6051

Author:  algcstech [ Mon Mar 25, 2013 11:39 pm ]
Post subject:  [help] [solved] Firewall - W7 - blocking OA

Hi all. Ran into an issue with the firewall blocking OA. I found it odd that I couldn't find anyone here who had this issue; else I am blind, dumb, or both.
From the cmd line of the server (a 32bit XP VM), auditing works fine, with FW off, at targets in workgroups (W7 x64).
Firewall on, no go, and a pretty useless error appears:

Problem Authenticating (1) to 10.x.x.x
Error Number: 424
Error Description: Object required

Firewall off, no problem authenticating. (tested admin shares, mounted drives, yada yada - all good)
A little network sniff sussed it out.
What was required was a firewall rule on the target machines.
I needed to allow the RPC protocol with dynamic port ranges.

The quick fix (not locked down, but useable)-
Control Panel > Windows Firewall > Advanced > New Rule
Rule Type - Port > Next
TCP - All Local Ports > Next
Allow > Next
Choose Networks > Next
Name your new rule > Finish.

Now open your new rule (that you named appropriately) and select the Protocols and Ports Tab.
Under Local Port, select from the drop down menu "RPC Dynamic Ports" > Apply and Save.

The reason is, RPC listens on port 135, and then generates random unassigned ports for the rest of the communication.
If this has been answered, apologies for another post on it; it just stumped me for a bit.

If anyone has the time, or the inclination, bonus points for accomplishing the above using netsh advfirewall.
Apologies, I just don't have the time right now.

Edit: Precise error description after replicating error again.

Author:  jpa [ Tue Mar 26, 2013 1:15 am ]
Post subject:  Re: Firewall - W7 - blocking OA - Fixed

Maybe something like this?
Code:
netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Although in a Domain environment you'd probably want to use Group Policy.
Code:
Windows Firewall: Allow remote administration exception

Author:  algcstech [ Tue Mar 26, 2013 1:26 am ]
Post subject:  Re: Firewall - W7 - blocking OA - Fixed

Ahhh, no. It will be much more detailed...

Again, apologies for not investigating this. Time.
For my networks, I need only this 1 extra rule...
Thus exporting/importing the whole firewall rule set is easiest/quickest for me.

Author:  algcstech [ Tue Mar 26, 2013 4:25 am ]
Post subject:  Re: Firewall - W7 - blocking OA - Fixed

jpa wrote:
Maybe something like this?
Code:
netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes


Well done! That does work, however, it "updates" 12 existing rules. Just tested.
I am not sure which is best/more restrictive...your 2 lines of code, or my manual method.
Good job anyhow, jpa.
What I find odd - you set 2 new rules - yet when run, it updates 4 and 8 rules respectively.

jpa wrote:
Although in a Domain environment you'd probably want to use Group Policy.
Code:
Windows Firewall: Allow remote administration exception


Yes, GP or a log in script...not feasible for me unfortunately.
I have a very strange setup. On purpose.

Author:  jpa [ Tue Mar 26, 2013 4:34 am ]
Post subject:  Re: Firewall - W7 - blocking OA - Fixed

Those lines are the equivalent of checking a couple boxes in the "Allow a program or feature through Windows Firewall" Control Panel. You could do this manually on your computer as well.

Author:  algcstech [ Tue Mar 26, 2013 5:31 am ]
Post subject:  Re: Firewall - W7 - blocking OA - Fixed

Yes, I realize that jpa, it's just, I need to be a little paranoid here.
I do not know advfirewall code all that well, apart from creating a few that turn on/off the FW, or allow a specific port or range.
As I mentioned, your code actually updates 12 rules.
My concern is that perhaps it is too general, and may allow some other hook into the system.
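
Added example, not part of the original thread or any poster's code: the manual "RPC Dynamic Ports" rule from the first post written with netsh advfirewall, shown beside a form scoped to a single audit server. The rule name, the 192.0.2.10 address and the profile choice are assumptions to replace with your own values.

```bat
@echo off
setlocal
rem Added example. Run from an elevated command prompt on the audit target.
rem AUDIT_SERVER and RULE_NAME are assumed placeholders, not values from the thread.
set "AUDIT_SERVER=192.0.2.10"
set "RULE_NAME=Open-AudIT RPC dynamic ports"

rem Remove an earlier copy so re-running does not stack duplicate rules.
netsh advfirewall firewall delete rule name="%RULE_NAME%" >nul 2>&1

rem Quick-fix equivalent of the manual rule (any remote address, all profiles):
rem   netsh advfirewall firewall add rule name="%RULE_NAME%" dir=in action=allow protocol=TCP localport=RPC
rem Scoped form: same RPC dynamic port keyword, but only the audit server
rem may connect, and the rule is not active on the Public profile.
netsh advfirewall firewall add rule name="%RULE_NAME%" dir=in action=allow ^
    protocol=TCP localport=RPC remoteip=%AUDIT_SERVER% profile=domain,private
if errorlevel 1 (
    echo Failed to add rule. Check that this prompt is elevated.
    exit /b 1
)

rem Show what was actually created, including RemoteIP and Profiles.
netsh advfirewall firewall show rule name="%RULE_NAME%" verbose
endlocal
```

Unlike `set rule group=...`, this creates exactly one named rule, so the `show rule` output is the complete list of what changed.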

All times are UTC + 10 hours