Hi,

I have a Windows 2003 SP1 server that is colocated, managed through PCAnywhere
and terminal services only (I do not have physical access to the box). I
also do not have another 2003 box locally that I can test this on. I'm
wondering when the firewall starts once I enable it. At the moment if I
attempt to go into the Windows Firewall section of the control panel, it asks
me to start the Internet Connection Sharing service and I'm reluctant as I'm
not sure if this will block me out of Terminal Services.

Can anyone tell me if I start this service, will I have a chance to add
exceptions before the firewall starts? So that I can add a terminal services
exception to allow me to manage the server remotely without having to make a
call to the ISP while the server is down.

Thank you,
Jason

RE: Enabling windows firewall on 2003 server remotely by Ian

Ian
Wed Dec 28 03:09:02 CST 2005

The firewall exceptions are controlled by registry keys. They take the
general form:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"<PORT>:TCP"="<PORT>:TCP:*:Enabled:PC Anywhere"

Where 'PORT' is replaced by the port number.

Therefore it should in principle be possible to set an exception on one
machine, examine the registry entry it creates, and transfer it via a .reg
file before the firewall is activated. AFAIK XP Pro has the same rules.
(unless anyone knows otherwise)

HST, do be prepared for the risk of losing your connection; it's better to do
this kind of thing onsite!
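To make the "build a .reg file, then check it before activating the firewall" idea concrete, here is an added example (not code from this thread or from Microsoft). It assumes only the registry layout Ian quotes above, the StandardProfile\GloballyOpenPorts\List key with values of the form "<port>:<proto>:<scope>:<Enabled|Disabled>:<name>", and uses 3389/TCP (Terminal Services) and 5631/TCP (pcAnywhere data channel) as constructed sample exceptions. It writes a complete .reg file and, more usefully, parses an exported .reg to confirm the management port is present and Enabled before the ICS/firewall service is started.

```python
"""Build and pre-check Windows Firewall port exceptions in .reg form.

Added example, not part of the thread. Assumes the key/value layout quoted
in the thread (XP SP2 / 2003 SP1 StandardProfile, GloballyOpenPorts\\List).
"""
import re

# Key path exactly as quoted in the thread (StandardProfile; domain-joined
# machines also have a parallel DomainProfile key, not handled here).
LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

# A value line looks like: "3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
VALUE_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"="(?P<data>[^"]*)"$')


def exception_line(port, proto, name, scope="*", enabled=True):
    """One REG_SZ value in the format the thread shows."""
    state = "Enabled" if enabled else "Disabled"
    return f'"{port}:{proto}"="{port}:{proto}:{scope}:{state}:{name}"'


def build_reg(exceptions):
    """Assemble a complete .reg file: header, key line, one value per exception.

    exceptions: iterable of (port, proto, name[, scope[, enabled]]) tuples.
    """
    lines = ["Windows Registry Editor Version 5.00", "", f"[{LIST_KEY}]"]
    lines += [exception_line(*e) for e in exceptions]
    return "\r\n".join(lines) + "\r\n"


def parse_reg(text):
    """Return {(port, proto): (scope, state, name)} for the GloballyOpenPorts list.

    Only values under LIST_KEY are read; other keys in an export are ignored.
    """
    result = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = (line == f"[{LIST_KEY}]")
            continue
        if not in_key:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        fields = m.group("data").split(":", 4)  # name may itself contain ':'
        if len(fields) != 5:
            continue  # malformed data; skip rather than guess
        port, proto, scope, state, name = fields
        result[(int(port), proto)] = (scope, state, name)
    return result


def remote_access_ok(reg_text, port=3389, proto="TCP"):
    """Pre-flight check: is the management port listed AND Enabled?

    A Disabled entry is as bad as a missing one for someone managing remotely.
    """
    entry = parse_reg(reg_text).get((port, proto))
    return entry is not None and entry[1] == "Enabled"


if __name__ == "__main__":
    # Constructed sample: Terminal Services plus the pcAnywhere data port.
    reg = build_reg([(3389, "TCP", "Remote Desktop"),
                     (5631, "TCP", "PC Anywhere")])
    print(reg)
    print("safe to enable firewall:", remote_access_ok(reg))
```

Usage on the box would be: export the List key with regedit after a test machine shows the expected entries, run the parser over that export, and only start the service once remote_access_ok reports True for every port you rely on. The check deliberately treats an entry marked Disabled as a failure, since that is the state the firewall UI leaves an unchecked exception in.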



RE: Enabling windows firewall on 2003 server remotely by Jason

Jason
Wed Dec 28 12:49:03 CST 2005

Ian,

Thanks - I probably will go that route and unfortunately there is no way to
be physically at the server. I think I also might try and snag an evaluation
copy of 2003 server and test it out.

Thanks for the ideas though,
Jason

"Ian" wrote:

> The firewall exceptions are controlled by registry keys. They take the
> general form:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
> "<PORT>:TCP"="<PORT>:TCP:*:Enabled:PC Anywhere"
>
> Where 'PORT' is replaced by the port number.
>
> Therefore it should in principle be possible to set an exception on one
> machine, examine the registry entry it creates, and transfer it via a .reg
> file before the firewall is activated. AFAIK XP Pro has the same rules.
> (unless anyone knows otherwise)
>
> HST do be prepared for the risk of losing your connection, better to do this
> kind of thing onsite!
>
>

Re: Enabling windows firewall on 2003 server remotely by Steven

Steven
Wed Dec 28 13:35:41 CST 2005

Most likely you will be locked out once you enable the firewall assuming
there is no exception for TS [port 3389 TCP] which most likely there will
not be. Two possibilities come to mind. You could try using the Security
Configuration Wizard [see link below] to configure and then enable the
Windows Firewall or configure local Group Policy being sure to configure the
exceptions first. Either way I would want to test any solution out on a test
server I have access to if it is going to be a big problem if you lock
yourself out. --- Steve

http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx

"Jason" <Jason@discussions.microsoft.com> wrote in message
news:C564D7C6-E1F1-4B88-8C0A-C7FB911D02DC@microsoft.com...
> Hi,
>
> I have a Windows 2003 SP1 server that is colocated, managed through PCAnywhere
> and terminal services only (I do not have physical access to the box). I
> also do not have another 2003 box locally that I can test this on. I'm
> wondering when the firewall starts once I enable it. At the moment if I
> attempt to go into the Windows Firewall section of the control panel, it asks
> me to start the Internet Connection Sharing service and I'm reluctant as I'm
> not sure if this will block me out of Terminal Services.
>
> Can anyone tell me if I start this service, will I have a chance to add
> exceptions before the firewall starts? So that I can add a terminal services
> exception to allow me to manage the server remotely without having to make a
> call to the ISP while the server is down.
>
> Thank you,
> Jason