Configuring the Firewall for Remote Management of a Workgroup Server Core installation
To follow up on my last post, this one goes into more detail on option 3 in that post.
As mentioned, you can simply enable the Remote Administration firewall rules to allow pretty much any MMC to connect (a few require additional configuration, as discussed below). However, there may be situations where you only want to allow certain MMCs to connect for remote administration. Not every MMC snap-in has a firewall rule group. Here are those that do:
| MMC Snap-in | Rule Group |
| --- | --- |
| Event Viewer | Remote Event Log Management |
| Services | Remote Service Management |
| Shared Folders | File and Printer Sharing |
| Task Scheduler | Remote Scheduled Tasks Management |
| Reliability and Performance | “Performance Logs and Alerts” and “File and Printer Sharing” |
| Disk Management | Remote Volume Management |
| Windows Firewall with Advanced Security | Windows Firewall Remote Management |
On the Server Core box you can enable these by running:
netsh advfirewall firewall set rule group="<rule group>" new enable=yes
Where <rule group> is the name in the above table.
You can also enable these remotely using the Windows Firewall with Advanced Security MMC snap-in, but only after you have enabled that snap-in's own rule group locally on the Server Core box so that it can connect.
MMC Snap-ins without a Rule Group
Not every MMC snap-in has a rule group to allow it access through the firewall. However, many of them use the same ports for management as those that do. Therefore, you will find that enabling the rules for Event Viewer, Services, or Shared Folders will allow most other MMC snap-ins to connect. Of course, you can also simply enable the remote administration rule group (see my last post).
MMC Snap-ins that Require Additional Configuration
In addition to allowing the MMC snap-ins through the firewall, the following MMC snap-ins require additional configuration:
- Device Manager
To allow Device Manager to connect, you must first enable the “Allow remote access to the PnP interface” policy:
1. On a Windows Vista or full Server installation, start the Group Policy Object MMC snap-in
2. Connect to the Server Core installation
3. Navigate to Computer Configuration\Administrative Templates\Device Installation
4. Enable “Allow remote access to the PnP interface”
5. Restart the Server Core installation
- Disk Management
You must first start the Virtual Disk Service (VDS) on the Server Core installation.
- IPSec Mgmt
On the Server Core installation you must first enable remote management of IPSec. This can be done using the scregedit.wsf script:
Cscript \windows\system32\scregedit.wsf /im 1
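As an added example (not part of the original post), the batch script below enables only the rule groups from the table above for the snap-ins named on its command line, and for Disk Management also starts the Virtual Disk Service as described. The script name and keyword names are hypothetical; it assumes an elevated command prompt on an English-language Server Core installation.

```bat
@echo off
rem Added example, not from the original post. The keywords (eventviewer,
rem services, shares, tasks, perf, disk, firewall) are this script's own names.
rem Usage:  enable-mmc.cmd eventviewer services disk
setlocal
set FAILED=0
if "%~1"=="" goto :usage

:next
if "%~1"=="" goto :done
if /i "%~1"=="eventviewer" call :enable "Remote Event Log Management" & goto :advance
if /i "%~1"=="services" call :enable "Remote Service Management" & goto :advance
if /i "%~1"=="shares" call :enable "File and Printer Sharing" & goto :advance
if /i "%~1"=="tasks" call :enable "Remote Scheduled Tasks Management" & goto :advance
if /i "%~1"=="firewall" call :enable "Windows Firewall Remote Management" & goto :advance
rem Reliability and Performance needs two rule groups.
if /i "%~1"=="perf" call :enable "Performance Logs and Alerts" & call :enable "File and Printer Sharing" & goto :advance
rem Disk Management also needs the Virtual Disk Service running.
if /i "%~1"=="disk" call :enable "Remote Volume Management" & call :startvds & goto :advance
echo Unknown snap-in keyword: %~1
set FAILED=1
:advance
shift
goto :next

:enable
rem Enable one rule group; treat a non-zero netsh exit code as a failure.
echo Enabling rule group "%~1"
netsh advfirewall firewall set rule group="%~1" new enable=yes >nul
if errorlevel 1 (echo   FAILED: "%~1" & set FAILED=1)
exit /b 0

:startvds
rem Start VDS only if it is not already running (matches English sc output).
sc query vds | find "RUNNING" >nul
if errorlevel 1 net start vds
if errorlevel 1 set FAILED=1
exit /b 0

:done
if "%FAILED%"=="1" (echo One or more steps failed. & exit /b 1)
echo Done.
exit /b 0

:usage
echo Usage: %~nx0 keyword [keyword ...]
exit /b 2
```

Enabling groups per snap-in this way keeps the remaining remote administration rules closed, so only the management interfaces you actually use are reachable.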
Comments
Anonymous
January 01, 2003
Today I finally took the exam. I scheduled it for last week and then had to postpone because the
Anonymous
May 07, 2014
Remote Device Management no longer functions in Windows 8/2012 and later.