Open-AudIT

What's on your network?

All times are UTC + 10 hours

PostPosted: Mon Mar 25, 2013 11:39 pm 
Newbie

Joined: Mon Feb 11, 2013 12:40 am
Posts: 4
Hi all. Ran into an issue with the firewall blocking OA. I found it odd that I couldn't find anyone here who had this issue; else I am blind, dumb, or both.
From the cmd line of the server (a 32bit XP VM), auditing works fine, with FW off, at targets in workgroups (W7 x64).
Firewall on, no go, and a pretty useless error appears:

Problem Authenticating (1) to 10.x.x.x
Error Number: 424
Error Description: Object required

Firewall off, no problem authenticating. (tested admin shares, mounted drives, yada yada - all good)
A little network sniff sussed it out.
What was required was a firewall rule on the target machines.
I needed to allow the RPC protocol with dynamic port ranges.

The quick fix (not locked down, but useable)-
Control Panel > Windows Firewall > Advanced > New Rule
Rule Type - Port > Next
TCP - All Local Ports > Next
Allow > Next
Choose Networks > Next
Name your new rule > Finish.

Now open your new rule (that you named appropriately) and select the Protocols and Ports Tab.
Under Local Port, select from the drop down menu " RPC Dynamic Ports" > Apply and Save.

The reason is, RPC listens on port 135, and then generates random unassigned ports for the rest of the communication.
If this has been answered, apologies for another post about it, it just stumped me for a bit.

If anyone has the time, or the inclination, bonus points for accomplishing the above using netsh advfirewall.
Apologies, I just don't have the time right now.

Edit: Precise error description after replicating error again.


Last edited by algcstech on Tue Mar 26, 2013 3:56 am, edited 2 times in total.

PostPosted: Tue Mar 26, 2013 1:15 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
Maybe something like this?
Code:
netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Although in a Domain environment you'd probably want to use Group Policy.
Code:
Windows Firewall: Allow remote administration exception


PostPosted: Tue Mar 26, 2013 1:26 am 
Newbie

Joined: Mon Feb 11, 2013 12:40 am
Posts: 4
Ahhh, no. It will be much more detailed...

Again, apologies for not investigating this. Time.
For my networks, I need only this 1 extra rule...
Thus exporting/importing the whole firewall rule set is easiest/quickest for me.


PostPosted: Tue Mar 26, 2013 4:25 am 
Newbie

Joined: Mon Feb 11, 2013 12:40 am
Posts: 4
jpa wrote:
Maybe something like this?
Code:
netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes


Well done! That does work, however, it "updates" 12 existing rules. Just tested.
I am not sure which is best/more restrictive...your 2 lines of code, or my manual method.
Good job anyhow, jpa.
What I find odd - you set 2 new rules - yet when run, it updates 4 and 8 rules respectively.

Although in a Domain environment you'd probably want to use Group Policy.
Code:
Windows Firewall: Allow remote administration exception


Yes, GP or a log in script...not feasible for me unfortunately.
I have a very strange setup. On purpose.


PostPosted: Tue Mar 26, 2013 4:34 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
Those lines are the equivalent of checking a couple boxes in the "Allow a program or feature through Windows Firewall" Control Panel. You could do this manually on your computer as well.


PostPosted: Tue Mar 26, 2013 5:31 am 
Newbie

Joined: Mon Feb 11, 2013 12:40 am
Posts: 4
Yes, I realize that jpa, it's just, I need to be a little paranoid here.
I do not know advfirewall code all that well. Apart from creating a few that turn on/off the FW, or allow a specific port or range.
As I mentioned, your code actually updates 12 rules.
My concern is that perhaps it is too general, and may allow some other hook into the system.
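Added example, not from this thread and not part of Open-AudIT itself: a netsh advfirewall equivalent of the manual "RPC Dynamic Ports" rule from the first post, written so it answers the least-privilege concern raised in the last post. Instead of enabling a whole rule group (which, as noted above, touches a dozen predefined rules), it creates two inbound rules limited to TCP, to the RPC endpoint mapper on 135 plus the RPC dynamic range, and to the address of the audit server only. The server address 10.0.0.5 and the rule names are placeholders; the `localport=RPC` and `localport=RPC-EPMap` keywords are the netsh counterparts of the "RPC Dynamic Ports" and "RPC Endpoint Mapper" drop-down entries in the firewall GUI.

```batch
@echo off
REM Added example (not from the thread or the Open-AudIT project).
REM Run in an elevated cmd prompt on each target machine (Windows 7 / Server 2008 R2 style netsh).
REM Assumptions: the Open-AudIT server is 10.0.0.5 (placeholder); rule names are our own.
setlocal
set AUDIT_SERVER=10.0.0.5
set RULE_EPM=Open-AudIT RPC Endpoint Mapper
set RULE_RPC=Open-AudIT RPC Dynamic Ports

REM 1. TCP 135: the endpoint mapper that hands out the dynamic port for the real call.
REM    Restricted to the audit server's address and to the domain/private profiles.
netsh advfirewall firewall add rule name="%RULE_EPM%" dir=in action=allow protocol=TCP localport=RPC-EPMap remoteip=%AUDIT_SERVER% profile=domain,private

REM 2. The dynamic range itself. localport=RPC follows whatever range the host is configured
REM    with, so the rule does not have to hard-code 49152-65535 (or 1025-5000 on older hosts).
netsh advfirewall firewall add rule name="%RULE_RPC%" dir=in action=allow protocol=TCP localport=RPC remoteip=%AUDIT_SERVER% profile=domain,private

REM 3. Check what was actually created (scope, protocol, ports) before trusting it.
netsh advfirewall firewall show rule name="%RULE_EPM%" verbose
netsh advfirewall firewall show rule name="%RULE_RPC%" verbose

REM 4. For comparison: list every inbound rule with its group and enabled state, so you can see
REM    exactly which predefined rules a "set rule group=..." command would switch on.
netsh advfirewall firewall show rule name=all | findstr /C:"Rule Name:" /C:"Enabled:" /C:"Grouping:" /C:"Direction:"

REM Rollback, if the rules turn out to be wrong for this host:
REM netsh advfirewall firewall delete rule name="%RULE_EPM%"
REM netsh advfirewall firewall delete rule name="%RULE_RPC%"
endlocal
```

Because the two rules are keyed on `remoteip`, a host on the same network that is not the audit server still gets nothing beyond the default inbound policy; swapping `remoteip=` for a subnet (for example `10.0.0.0/24`) widens that deliberately rather than by accident. Step 4 is the quick way to answer the "4 and 8 rules" question in this thread: the `Grouping:` lines show which rules belong to the WMI and Remote Management groups and whether each is already enabled.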

