Can I use powershell to open firewall ports remotely

Brandon Fogliano 136 Reputation points
2022-12-19T21:15:44.98+00:00

I'm pretty sure I know the answer now but I want to ask the experts. We have software platform that lets me assess Windows environments but there are 2 firewall ports that need to be opened on PCs and a registry key that needs to be inserted. I know this can be done from AD but is there any way to walk into an environment without AD or where these items weren't pushed through GPO and run a script through Powershell to do this? I know that I can run the three commands with the Invoke function but prior to that it seems you have to enable PS remoting to use Invoke. Is there anyway to set this up remotely or are we stuck going machine to machine in a workgroup?

Thanks,

Brandon


8 answers

  1. Ali AlEnezi 1,081 Reputation points
    2022-12-20T19:49:42.093+00:00

    Hello @Brandon Fogliano,

    It is possible to use PowerShell to configure firewall ports and registry keys on PCs that are not joined to an Active Directory domain. However, you will need to have administrator privileges on the target PCs and ensure that the PowerShell Remoting feature is enabled on those PCs.

    To enable PowerShell Remoting on a target PC, you can use the Enable-PSRemoting cmdlet. This cmdlet performs the following tasks:

    1. Enables the Windows Remote Management (WinRM) service and sets it to start automatically.
    2. Configures the WinRM listener to accept remote connections.
    3. Creates an exception in the Windows Firewall to allow incoming connections on the WinRM port (TCP 5985).

    To enable PowerShell Remoting on a target PC, you can use the following command:

    Enable-PSRemoting -Force

    Once PowerShell Remoting is enabled on the target PCs, you can use the Invoke-Command cmdlet to execute a script or run individual commands on those PCs. For example, you can use the following command to open firewall ports and set registry keys on a target PC:

    Invoke-Command -ComputerName <target_pc> -ScriptBlock {
        New-NetFirewallRule -DisplayName "Allow Port XYZ" -Protocol TCP -LocalPort XYZ -Action Allow
        New-ItemProperty -Path "HKLM:\SOFTWARE\MySoftware" -Name "RegistryKey" -Value "Value" -PropertyType String
    }

    Keep in mind that you will need to provide the appropriate values for the <target_pc> parameter and the firewall ports and registry keys that you want to configure.

    Good luck!


  2. Brandon Fogliano 136 Reputation points
    2022-12-21T14:27:57.91+00:00

    Hi Alenezi,

    After a bit more work I got PS Remoting to turn on remotely using a different script, but now I'm getting the following when trying to run the Invoke command:

    Connecting to remote server 192.168.15.22 failed with the following error message : The WinRM client cannot process the request. Default authentication
    may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are
    provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set
    TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo : OpenError: (192.168.15.22:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : CannotUseIPAddress,PSSessionStateBroken

    Is there a way to fix this remotely?


  3. Brandon Fogliano 136 Reputation points
    2022-12-21T15:54:13.873+00:00

    I have tried to use the following command

    winrm s winrm/config/client '@{TrustedHosts="*"}'

    I have used this on the host machine I'm working from and on the remote machine (which defeats the purpose, because I want to achieve all of this 100% remotely).

    Any thoughts?

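    As an added example (not code from this thread), here is one way to script the steps from Ali's answer for a workgroup while handling the TrustedHosts error from the posts above: it trusts only the named targets rather than "*", uses explicit credentials, and checks the listener before running anything. The port numbers, registry path and rule names are assumed placeholders for whatever the assessment platform needs.

```powershell
param(
    [Parameter(Mandatory)][string[]]$ComputerName,   # e.g. '192.168.15.22'
    [int[]]$Ports = @(12345, 12346),                 # assumed: the two ports the platform needs
    [string]$RegPath = 'HKLM:\SOFTWARE\MySoftware',  # assumed key path from the answer above
    [string]$RegName = 'RegistryKey',
    [string]$RegValue = 'Value'
)
$cred = Get-Credential -Message 'Local administrator on the target PCs'

# In a workgroup there is no Kerberos, so WinRM refuses NTLM to an IP or hostname
# unless it is in the client's TrustedHosts (the CannotUseIPAddress error above).
# Trust only the specific targets; '*' would make this client trust every host.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ','
foreach ($c in $ComputerName) {
    if ($trusted -notcontains $c) {
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $c -Concatenate -Force
    }
}

$configure = {
    param($Ports, $RegPath, $RegName, $RegValue)
    foreach ($p in $Ports) {
        $name = "Assessment platform TCP $p"
        # Idempotent: rerunning the script must not stack duplicate rules
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            # Scoped to Domain/Private so the port is not opened on Public networks
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $p -Action Allow -Profile Domain,Private | Out-Null
        }
    }
    # New-ItemProperty fails when the key itself is missing, so create it first
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $RegName -Value $RegValue `
        -PropertyType String -Force | Out-Null
    # Return what was actually applied so the caller can verify each machine
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Rules    = @(Get-NetFirewallRule -DisplayName 'Assessment platform TCP *').Count
        RegValue = (Get-ItemProperty -Path $RegPath -Name $RegName).$RegName
    }
}
foreach ($c in $ComputerName) {
    # Confirm the WinRM listener answers before trying to run anything on it
    if (-not (Test-WSMan -ComputerName $c -Credential $cred -Authentication Negotiate `
                         -ErrorAction SilentlyContinue)) {
        Write-Warning "${c}: WinRM not reachable; enable PS Remoting on that PC first"
        continue
    }
    Invoke-Command -ComputerName $c -Credential $cred -Authentication Negotiate `
        -ScriptBlock $configure -ArgumentList $Ports, $RegPath, $RegName, $RegValue
}
```

    Run it from an elevated PowerShell on the admin workstation; it still requires that PS Remoting is already enabled on each target, since that first step cannot be done over WinRM itself.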

  4. Brandon Fogliano 136 Reputation points
    2022-12-21T16:03:18.483+00:00

    I have checked the listener on the target and these are the results

    Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 169.254.108.52, 169.254.126.67, 169.254.143.210, 169.254.159.130, 169.254.251.169, 192.168.15.22, ::1, fe80::1549:bebf:4b:46fb%14, fe80::2085:8769:b214:8cf4%21, fe80::31fa:e249:2f34:13d2%4, fe80::8133:223f:aa88:3cb3%18, fe80::b346:823b:11e4:aff3%11, fe80::b3d6:1c9:339d:c840%22


  5. Brandon Fogliano 136 Reputation points
    2022-12-21T16:04:19.95+00:00

    Tried testing the connection with the UseSSL switch and got the following error

    PS C:\Users\bfogliano> enter-pssession Brandon-HP -UseSSL
    enter-pssession : Connecting to remote server Brandon-HP failed with the following error message : The client cannot
    connect to the destination specified in the request. Verify that the service on the destination is running and is
    accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most
    commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to
    analyze and configure the WinRM service: "winrm quickconfig". For more information, see the
    about_Remote_Troubleshooting Help topic.
    At line:1 char:1
    + enter-pssession Brandon-HP -UseSSL
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (Brandon-HP:String) [Enter-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : CreateRemoteRunspaceFailed
