
Does the SCW break Windows Firewall?

Posted by news on August 18, 2005, 1:49 am
Win2003 Standard SP1. Member of workgroup. No IPSec enabled.

If I use the windows firewall to disable "File and Printer Sharing",
then as expected, port 445 becomes unavailable to the network. So far
so good.

However, if I run the SCW and just leave all the settings as default,
the "File and Printer Sharing" option in the Windows Firewall stops
working. I.e. whether I leave the option ticked or unticked, port 445
is still open and indeed I can map drives to the server. Interestingly:
1. All other options in the windows firewall (e.g. port 80) still work
as expected - it's only the "File and Printer Sharing" option that
seems to "break".
2. If I check the firewall status with netsh firewall, it thinks that
port 445 is closed if unticked and open if ticked, i.e. it believes the
firewall settings.

Before I do an exhaustive test of my configuration and go through each
SCW option in detail, I thought I'd post a question in case someone has
come across this before - it'll save me days of work!



Posted by news on August 22, 2005, 9:58 am
Was this one of those questions that is soooo basic and stupid that no
one wanted to tell me to go away and RTFM? Or was it one of those that
makes one think "no, the firewall can't be that bad or Microsoft would
have found it, so he _must_ be doing something wrong"? :)

Well, I can't find which SCW option causes this problem: simply running
the SCW seems to cause Windows Firewall to break with any options I
select. I've repeated this on two servers now. Resetting the firewall
using netsh fixes it, though it does then "undo" some of the SCW
settings.

Dare I ask: anyone have any ideas?

Cheers
Mark



Posted by David Beder [MSFT] on August 23, 2005, 1:05 am
SCW is likely enabling the Remote Administration feature of the firewall.
This feature effectively enables tcp 135 and 445, though it is not quite the
same as enabling tcp 445 in the File and Printer settings option.
To verify, at a command prompt type:
netsh firewall show state

You're likely to see:
Remote admin mode = Enable
--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.


> Was this one of those questions that is soooo basic and stupid that no
> one wanted to tell me to go away and RTFM? Or was it one of those that
> makes one think "no, the firewall can't be that bad or Microsoft would
> have found it, so he _must_ be doing something wrong"? :)
>
> Well, I can't find which SCW option causes this problem: simply running
> the SCW seems to cause Windows Firewall to break with any options I
> select. I've repeated this on two servers now. Resetting the firewall
> using netsh fixes it, though it does then "undo" some of the SCW
> settings.
>
> Dare I ask: anyone have any ideas?
>
> Cheers
> Mark
>




Posted by news on August 23, 2005, 8:55 am
Thank you David for your reply. Indeed you are right: Remote admin mode
was enabled. Disabling it prevented drive mapping.

IMHO, it is worrying that the File and Printer sharing can be unticked
in the firewall leaving many users and admins thinking that the
firewall was now preventing drive mapping to their server / desktop,
whereas the remote admin mode "overrides" this and allows drive mapping
- a bit like a backdoor into the system. (I would have succumbed to
this myself had I not been penetration testing in a lab. Just goes to
show how important it is to lab test before going into production!)
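
The check David describes, extended into a small audit (an added example, not part of the original thread and not Microsoft's code): it parses `netsh firewall show state` output and flags TCP 135 and 445 as allowed whenever Remote admin mode is enabled, even when the open-ports table does not list them. The sample output is constructed; its layout beyond the `Remote admin mode = Enable` line quoted in the thread, and the function name `Test-FirewallState`, are assumptions.

```powershell
# CONSTRUCTED sample of `netsh firewall show state` output (layout assumed);
# only the "Remote admin mode = Enable" line is quoted in the thread.
$sample = @'
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Remote admin mode                 = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
80     TCP       IPv4     (null)
'@ -split "`r?`n"

function Test-FirewallState {
    # Hypothetical helper: takes the text lines of `netsh firewall show state`.
    param([string[]]$Lines)

    $settings = @{}   # "Name = Value" status lines
    $openTcp  = @()   # TCP ports listed in the open-ports table
    foreach ($line in $Lines) {
        if ($line -match '^\s*(.+?)\s*=\s*(\S+)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
        elseif ($line -match '^\s*(\d+)\s+TCP\b') {
            $openTcp += [int]$Matches[1]
        }
    }

    # Per the thread, Remote admin mode effectively enables TCP 135 and 445.
    $remoteAdmin = $settings['Remote admin mode'] -eq 'Enable'
    foreach ($port in 135, 445) {
        $listed = $openTcp -contains $port
        New-Object PSObject -Property @{
            Port        = $port
            ListedOpen  = $listed                       # what the ports table claims
            RemoteAdmin = $remoteAdmin
            Allowed     = ($listed -or $remoteAdmin)    # what the firewall lets through
            Mismatch    = ($remoteAdmin -and -not $listed)
        } | Select-Object Port, ListedOpen, RemoteAdmin, Allowed, Mismatch
    }
}

# Offline run against the constructed sample:
Test-FirewallState -Lines $sample | Format-Table -AutoSize
# On a live server: Test-FirewallState -Lines (netsh firewall show state)
```

A row with `Mismatch = True` is the situation from this thread: the port is not listed as open, yet Remote admin mode still lets traffic through.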



Posted by David Beder [MSFT] on August 25, 2005, 1:27 am
Yes, this feature was difficult to work with. The initial design was on
XPsp2 where we didn't want home users (we advocate that corporate machines
be managed via group policy) accidentally enabling the setting due to how
big a surface area it potentially opens. Advanced users who had researched
the effects of enabling it are expected to implement via command line or
group policy. Such a user is likely to prefer the richness of the command
line output for monitoring the system so would be reminded often that the
setting was in effect.

When we moved to WS03sp1 we still weren't sure that this should be exposed
in the control panel for the server admin to quickly access. My worry was
that quick access could too easily lead to quick enabling, and with the move
to documentation being only on-line, it might be inappropriately used.
Compared with XP, the RPC exposure is typically a lot higher on servers so
the ramifications of turning it on when you shouldn't seemed pretty bad. I was
also worried (silly as it might sound) for English versions of the OS, where
we'd gotten a lot of beta feedback that Remote Administration was getting
confused with Remote Assistance.

This issue is still being periodically discussed, but I don't know whether a
change will eventually be made.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.


> Thank you David for your reply. Indeed you are right: Remote admin mode
> was enabled. Disabling it prevented drive mapping.
>
> IMHO, it is worrying that the File and Printer sharing can be unticked
> in the firewall leaving many users and admins thinking that the
> firewall was now preventing drive mapping to their server / desktop,
> whereas the remote admin mode "overrides" this and allows drive mapping
> - a bit like a backdoor into the system. (I would have succumbed to
> this myself had I not been penetration testing in a lab. Just goes to
> show how important it is to lab test before going into production!)
>



