Does the SCW break Windows Firewall?

SCW is likely enabling the Remote Administration feature of the firewall.
This feature effectively enables tcp 135 and 445, though it is not quite the
same as enabling tcp 445 in the File and Printer settings option.
To verify, at a command prompt type:
netsh firewall show state

You're likely to see:
Remote admin mode = Enable
--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.


<news.DeleteThis@mail.adsl4less.com> wrote in message
news:1124729890.669577.56300@o13g2000cwo.googlegroups.com...
> Was this one of those questions that is soooo basic and stupid that no
> one wanted to tell me to go away and RTFM? Or was it one of those that
> makes one think "no, the firewall can't be that bad or Microsoft would
> have found it, so he _must_ be doing something wrong"?
>
> Well, I can't find which SCW option causes this problem: simply running
> the SCW seems to cause Windows Firewall to break with any options I
> select. I've repeated this on two servers now. Resetting the firewall
> using netsh fixes it, though it does then "undo" some of the SCW
> settings.
>
> Dare I ask: anyone have any ideas?
>
> Cheers
> Mark
>
 >> Stay informed about: Does the SCW break Windows Firewall? 

Thank you David for your reply. Indeed you are right: Remote admin mode
was enabled. Disabling it prevented drive mapping.

IMHO, it is worrying that the File and Printer sharing can be unticked
in the firewall leaving many users and admins thinking that the
firewall was now preventing drive mapping to their server / desktop,
whereas the remote admin mode "overrides" this and allows drive mapping
- a bit like a backdoor into the system. (I would have succumbed to
this myself had I not been penetration testing in a lab. Just goes to
show how important it is to lab test before going into production!)
 >> Stay informed about: Does the SCW break Windows Firewall? 

Yes, this feature was difficult to work with. The initial design was on
XPsp2 where we didn't want home users (we advocate that corporate machines
be managed via group policy) accidentally enabling the setting due to how
big a surface area it potentially opens. Advanced users who had researched
the affects of enabling it are expected to implement via command line or
group policy. Such a user is likely to prefer the richness of the command
line output for monitoring the system so would be reminded often that the
setting was in affect.

When we moved to WS03sp1 we still weren't sure that this should be exposed
in the control panel for the server admin to quickly access. My worry was
that quick access could too easily lead to quick enabling, and with the move
to documentation being only on-line, it might be inappropriately used.
Compared with XP, the RPC exposure is typically a lot higher on servers so
the ramifations of turning it on when you shouldn't seemed pretty bad. I was
also worried (silly as it might sound) for English versions of the OS, where
we'd gotten a lot of beta feedback that Remote Administration was getting
confused with Remote Assistance.

This issue is still being periodically discussed, but I don't know whether a
change will eventually be made.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.


<news.RemoveThis@mail.adsl4less.com> wrote in message
news:1124812554.694494.163060@g49g2000cwa.googlegroups.com...
> Thank you David for your reply. Indeed you are right: Remote admin mode
> was enabled. Disabling it prevented drive mapping.
>
> IMHO, it is worrying that the File and Printer sharing can be unticked
> in the firewall leaving many users and admins thinking that the
> firewall was now preventing drive mapping to their server / desktop,
> whereas the remote admin mode "overrides" this and allows drive mapping
> - a bit like a backdoor into the system. (I would have succumbed to
> this myself had I not been penetration testing in a lab. Just goes to
> show how important it is to lab test before going into production!)
>
 >> Stay informed about: Does the SCW break Windows Firewall? 

Thank you for your explanation, David. I agree that keeping this to a
command-prompt only option ostensibly sounded like a good idea.
However, it would seem that the SCW team had other ideas(!), and in my
case, this is indeed how I enabled it in the lab environment. I guess
the counter-argument could be that those running the SCW should be
those same people who would configure the firewall from the command
prompt, though IMHO, I worry that the ease of use of the SCW and the
fact that not everyone lab tests means that there may well be servers
that are not as protected as their admins believe. Just my 2c worth.
 >> Stay informed about: Does the SCW break Windows Firewall? 

SCW attempts to create as minimal a policy as possible, however most MS
server applications/roles require dynamic RPC and/or DCOM for serving
clients and need tcp445 for management and configuration via tools like MMC
(and netsh). The point is well taken that more info should be available from
apps that enable the Remote Admin setting. I'll forward your concerns to the
SCW/Firewall team and encourage them to create a kb article as well as
enhance documentation for future releases.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.


<news DeleteThis @mail.adsl4less.com> wrote in message
news:1125008109.630738.246930@g44g2000cwa.googlegroups.com...
> Thank you for your explanation, David. I agree that keeping this to a
> command-prompt only option ostensibly sounded like a good idea.
> However, it would seem that the SCW team had other ideas(!), and in my
> case, this is indeed how I enabled it in the lab environment. I guess
> the counter-argument could be that those running the SCW should be
> those same people who would configure the firewall from the command
> prompt, though IMHO, I worry that the ease of use of the SCW and the
> fact that not everyone lab tests means that there may well be servers
> that are not as protected as their admins believe. Just my 2c worth.
>
 >> Stay informed about: Does the SCW break Windows Firewall? 

Excellent. Once again, David, thanks very much.

Cheers
Mark
 >> Stay informed about: Does the SCW break Windows Firewall?