Network Administrator Knowledgebase

Apr 27 2008   3:35PM GMT

Configuring the Firewall on Server Core for Remote Management



Posted by: Michael Khanin
Tags:
Microsoft Windows

On all Windows 2008 Editions, the firewall is on by default. This true in a Server Core as well. Many IT Pro loves a new Windows 2008 Server Core Edition, but friendly speaking manage it from a command line for many Administrators is not so easy. Yes, We can manage Windows 2008 Core remotely, but we have to configure Firewall on the Core box. There are then three scenarios for remote management via MMC:

  1. Server Roles – when a server role is installed, the appropriate ports are opened to allow the role to function as well as to allow remote management, so no additional configuration is required. Using the Remote Server Administration Tools (RSAT) feature on a full server installation, we can install just the MMC snap-ins for a role and use them to remotely manage the role on Server Core.
  2. Domain joined – Once domain joined, the firewall profile is changed to the domain profile which allows remote management. Again, no additional configuration is required.
  3. Workgroup server – This is the scenario (is most popular when IT Pro demonstrates or tests a new Windows 2008) in which We may need to make firewall configuration changes to allow remote management. If we want all remote managements to work, we can use:

Netsh advfirewall firewall set rule group=“remote administration” new enable=yes

However, there may be situations where we only want to allow certain MMCs to connect for remote administration. Not every MMC snap-in has a firewall group, here are those that do:

MMC Snap-in

Rule Group

Event Viewer

Remote Event Log Management

Services

Remote Service Management

Shared Folders

File and Printer Sharing

Task Scheduler

Remote Scheduled Tasks Management

Reliability and Performance

“Performance Logs and Alerts” and “File and Printer Sharing”

Disk Management

Remote Volume Management

Windows Firewall with Advanced Security

Windows Firewall Remote Management

On the Server Core box we can enable these by running:

Netsh advfirewall firewall set rule group=“<rule group>” new enable=yes

Where <rule group> is the name in the above table.

Not every MMC snap-in has a rule group to allow it access through the firewall.

MMC Snap-ins that Require Addition Configuration
In addition to allowing the MMC snap-ins through the firewall, the following MMC snap-ins require additional configuration:

  • Device Manager
    To allow Device Manager to connect, you must first enable the “Allow remote access to the PnP interface” policy

    1. On a Windows Vista or full Server installation, start the Group Policy Object MMC snap-in
    2. Connect to the Server Core installation
    3. Navigate to Computer Configuration\Administrative Templates\Device Installation
    4. Enable “Allow remote access to the PnP interface”
    5. Restart the Server Core installation
  • Disk Management
    You must first start the Virtual Disk Service (VDS) on the Server Core installation
  • IPSec Mgmt
    On the Server Core installation you must first enable remote management of IPSec. This can be done using the scregedit.wsf script:

Cscript \windows\system32\scregedit.wsf /im 1/span>

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: