Enterprise Client Management

SMS and Remote Administration Firewall Settings

Overview

The SMS Client itself does not require any firewall exceptions unless you plan to use some of the administrative tasks and tools available from the SMS Admin Console or from other Microsoft Management Consoles (MMCs). For example, right-clicking a Computer object or Collection and selecting All Tasks offers up to 10 administrative tasks from the SMS Console; installing the SMS Add-On Tools adds 28 more. Other administrative tasks such as Manage, Remote Control or RSOP (logging) can be run from the Active Directory Users and Computers MMC. Depending on which tasks and tools you plan to use, you will need to manage the firewall settings on both your SMS Client systems and your SMS Admin Console systems. Since all of your managed systems are in a domain, we recommend using Group Policy to manage the firewall settings.

Windows Firewall Group Policy settings for SMS Clients

Windows Firewall Group Policy settings are located in the following GPMC path:

  • Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile

From this location, you can configure the following Group Policy settings:

  • Windows Firewall: Allow authenticated Internet Protocol security (IPSec) bypass

  • Windows Firewall: Protect all network connections

  • Windows Firewall: Do not allow exceptions

  • Windows Firewall: Define program exceptions

  • Windows Firewall: Allow local program exceptions

  • Windows Firewall: Allow remote administration exception *

  • Windows Firewall: Allow file and print sharing exception

  • Windows Firewall: Allow ICMP exceptions

  • Windows Firewall: Allow Remote Desktop exception

  • Windows Firewall: Allow Universal Plug and Play (UPnP) framework exception

  • Windows Firewall: Prohibit notifications

  • Windows Firewall: Allow logging

  • Windows Firewall: Prohibit unicast response to multicast or broadcast requests

  • Windows Firewall: Define port exceptions

  • Windows Firewall: Allow local port exceptions

For more information about Windows Firewall Group Policy settings, download the following white paper: Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2

*Key Group Policy Setting

The “Windows Firewall: Allow remote administration exception” setting is the single most important policy setting you need to configure in order to perform administrative tasks on your clients, no matter which console you plan to use. Enabling this setting opens all of the ports and services required for the administrative tasks and tools to work properly on your client systems. Here is a brief description of the policy:

Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Component Object Model (DCOM). This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034. 

Although the above firewall policy setting covers most remote administrative tasks, there are several other firewall settings you will need to open on the client in order for a particular admin task or tool to work properly.

 

Other Tasks and Tools launched from the SMS Admin Console

 

Note: The following Windows Firewall settings are still for the client system. Console settings are discussed later.

 

All Tasks                    | Windows Firewall Exceptions (Control Panel)   | Group Policy
-----------------------------|-----------------------------------------------|-----------------------------------------------------------
Start Remote Tools           | Add ports 2701, 2702, 2703 and 2704 (all TCP) | Windows Firewall: Define port exceptions
Start Remote Assistance      | Check the Remote Assistance box               | See below: Windows Firewall settings for Remote Assistance
Start Remote Desktop Client  | Check the Remote Desktop box                  | Windows Firewall: Allow Remote Desktop exception

With SMS Add-On Tools

All Tasks                    | Windows Firewall Exceptions (Control Panel)   | Group Policy
-----------------------------|-----------------------------------------------|-----------------------------------------------------------
Remote Control Machine       | Add ports 2701, 2702, 2703 and 2704 (all TCP) | Windows Firewall: Allow local port exceptions
Remote Desktop to XP Machine | Check the Remote Desktop box                  | Windows Firewall: Allow Remote Desktop exception

Windows Firewall settings for Remote Assistance 

Add the following entry to the Windows Firewall: Define port exceptions:

 

135:TCP:*:Enabled: Offer Remote Assistance

 

Add the following entries to the Windows Firewall: Define program exceptions:

  • %WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance

  • %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance

  • %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance-Windows Messenger and Voice

 

Remote Assistance Group Policy settings are located in the following GPMC path:

  • Computer Configuration/Administrative Templates/System/Remote Assistance

1. On the Offer Remote Assistance Properties dialog box, click Enable.

2. Select an option from the list to determine which of the following actions the expert users can take:

  • Allow helpers to only view the computer

  • Allow helpers to remotely control the computer

Note: This setting applies to the entire group that is listed. The Offer Remote Assistance policy setting does not provide a way to let one group of users only view the computer while a second group of users can view and control it. There can be only one expert group.

3. Click Show. The Show Contents dialog box opens.

4. Click Add to add the domain users and domain user groups who will be considered expert helpers.

5. Click OK to close the Show Contents dialog box, and then click OK to close the Offer Remote Assistance Properties dialog box.

Important: Use caution when you populate the properties of the Offer Remote Assistance Group Policy, because the domain accounts that you enter are not verified. We recommend that you test this policy setting extensively before you perform a large policy rollout.

 

Windows Firewall settings for the SMS Administrator Console and other MMCs

 

Note: The following Windows Firewall exceptions for the Console system should allow most admin tasks and tools to work properly.  

Add the following entry to the Windows Firewall: Define port exceptions:

 

135:TCP:*:Enabled: Remote Procedure Call

 

Add the following entry to the Windows Firewall: Define program exceptions:

 

%WINDIR%\System32\Wbem\unsecapp.exe:*:Enabled: SMS WMI Messages

%ProgramFiles%\SMSADMIN\bin\i386\statview.exe:*:Enabled: SMS Status Messages

%ProgramFiles%\SMS 2003 Toolkit 2\policyspy.exe:*:Enabled: SMS Policy Spy

  

Scope

Before enabling any exception, carefully consider whether the exception is needed at all. When you configure and enable an exception, you are instructing the Windows Firewall to allow specific unsolicited incoming traffic sent from the specified scope. Every enabled exception exposes your computer to attack, regardless of the scope. There is no way to guarantee invulnerability once the exception is enabled. Carefully consider and properly configure the scope of each Windows Firewall exception to minimize the associated exposure.

 

Tips:

Use a custom list as the scope of each exception, whether you configure exceptions through Group Policy or in the local Windows Firewall settings, and add only the IP addresses of the SMS Site Server and the Admin Console systems that will be used to manage the clients.
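Checking a set of exception strings before they go into a GPO, as an added example that is not part of this page or the University's own tooling: it validates the Port:Transport:Scope:Status:Name and Path:Scope:Status:Name formats used in the entries above and flags any enabled entry whose scope is the wildcard "*", which is the exposure the Scope section and the tip above warn about. The scope syntax ("*", "LocalSubnet", or a comma-separated list of IPv4 hosts or subnets) is assumed from the Windows XP SP2 firewall documentation, and the sample entries and IP addresses are constructed.

```python
import ipaddress
# Constructed sample entries (not this page's own policy) in the string format of the
# "Define port exceptions" (Port:Transport:Scope:Status:Name) and "Define program
# exceptions" (Path:Scope:Status:Name) settings; scope syntax assumed from XP SP2 docs.
PORT_ENTRIES = [
    "135:TCP:*:Enabled:Offer Remote Assistance",             # open to any source address
    "2701:TCP:10.0.5.10,10.0.5.11:Enabled:SMS Remote Tools",  # pinned to two console hosts
    "2703:TCP:10.0.5.999:Enabled:SMS Remote Tools",           # malformed scope element
    "2704:SCTP:*:Enabled:SMS Remote Tools",                   # transport the firewall lacks
]
PROGRAM_ENTRIES = [
    r"%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance",
    r"C:\Program Files\SMSADMIN\bin\i386\statview.exe:10.0.5.10:Enabled:SMS Status Messages",
]

def scope_error(scope):
    if scope == "*" or scope.lower() == "localsubnet":  # the two keyword scopes
        return None
    for item in scope.split(","):
        try:
            ipaddress.ip_network(item.strip(), strict=False)  # host, CIDR or /mask form
        except ValueError:
            return f"invalid scope element {item.strip()!r}"
    return None

def check_entry(entry, kind):
    """Return (level, message) findings for one 'port' or 'program' exception entry."""
    if kind == "port":
        parts = entry.split(":", 4)
        if len(parts) != 5:
            return [("error", "expected Port:Transport:Scope:Status:Name")]
        _port, transport, scope, status, _name = parts
        out = [] if transport.upper() in ("TCP", "UDP") else [("error", f"bad transport {transport!r}")]
    else:
        parts = entry.rsplit(":", 3)  # rsplit keeps a drive letter's colon inside the path
        if len(parts) != 4:
            return [("error", "expected Path:Scope:Status:Name")]
        _path, scope, status, _name = parts
        out = []
    err = scope_error(scope)
    if err:
        out.append(("error", err))
    elif scope == "*" and status.lower() == "enabled":
        out.append(("warn", "scope '*' admits this traffic from any address; use a custom IP list"))
    return out

def audit(port_entries=PORT_ENTRIES, program_entries=PROGRAM_ENTRIES):
    return ([(lvl, e, msg) for e in port_entries for lvl, msg in check_entry(e, "port")]
            + [(lvl, e, msg) for e in program_entries for lvl, msg in check_entry(e, "program")])
```

Run audit() over the exported strings from your own GPO and review every "warn" finding against the list of site server and console addresses; an "error" finding means the entry would not be applied as written.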

For a table of firewall settings required for more common SMS tasks in Word format, click here.

Copyright © 2004 The University of Iowa. All rights reserved.
Last updated on Monday, February 18, 2008 01:27:59 PM