Remote Scripting for SP2

Is Windows XP SP2 bringing your remote admin scripts down? Mr. Script has the answer you've been looking for.

It was inevitable. For months—nay, years—I have been extolling the virtues of remote scripting. Indeed, Windows Management Instrumentation (WMI) and the Active Directory Services Interface (ADSI) are frequently recurring themes in these pages. You just can’t beat good, solid remote administration.

Then, with Windows XP SP2, Microsoft comes along and (finally!) introduces a stateful firewall into the Windows operating system that, by default, disallows remote administration. Raise your hand if you think I received more than just a few cards and letters from dedicated scripters wondering if I had any idea why some script of mine they’ve been using for months no longer works. Oh yes, they’re still pouring in.

Now, far be it for me to complain about additional security. But it would have been nice if Microsoft had given us scripters some clear instructions for how to prepare, so we wouldn’t have to find out the hard way (i.e. when our scripts broke).

The Good News
Allow me to pick up where Microsoft left off, by explaining what we need to do to enable our remote admin scripts to work again on XP machines. And wouldn’t you know it, I’ve built a script to handle it. But first, let’s review how and why SP2 broke our scripts.

With SP2, the default setting for the Windows Firewall is "On," with exceptions allowed. In other words, all unsolicited traffic from outside the computer is blocked, but you can set it to ignore (read: Not drop) traffic for certain programs and/or traffic that uses certain ports. You can also turn it off completely if you wish, but this isn’t recommended (except as noted below).

This default configuration is stored in C:\%windir%\inf\netfw.inf. This file never changes (on its own) and is read whenever you reset the firewall by executing c:\>netsh firewall reset. It’s this file we’ll be changing to enable remote administration.

The Windows Firewall also supports two profiles: Standard and Domain. Domain is self-explanatory—it applies to the computer only when connected to the domain (which, of course, only applies to computers that are members of a domain).

When not connected to the Domain, the Standard profile applies. You can, for instance, disable the firewall in the Domain profile if you’re content that your corporate firewall provides sufficient protection. For each profile, you can also establish a scope of authorized networks and IP addresses able to perform remote administration.

By definition, resetting the firewall deletes any previously created exceptions. We can save these Registry keys manually, or simply repeat the process of enabling them as we did when we first installed SP2.

As an example, I’ll take you through the reset process to enable Remote Administration for the Domain profile.

package>
 job>
  
  RemoteFW.wsf
  This script runs locally to reset the Windows Firewall to allow   remote administration. Configuration settings are stored in a   text file that is passed as the FILE argument
  

 runtime>
  named
   name="File"
   helpstring="Name of netfw config file"
   type="string"
   required="true"
  />
  example>
  c:\>cscript RemoteFW.wsf /File:c:\netfw.v1
  /example>
  /runtime>
  object
   id="objFSO"
   progid="Scripting.FileSystemObject"
   reference
  />
object
 id="objShell"
 progid="WScript.Shell"
 reference
/>
  script language="VBScript">
  Option Explicit
  Dim strWinDir, strSourceFile

  strWinDir=objShell.ExpandEnvironmentStrings("%WinDir%")
  strSourceFile=WScript.Arguments.Named.Item("File")

  'Copy the new netfw.inf file
  objFSO.CopyFile _
  strSourceFile, strWinDir & "\inf\netfw.inf", True
  'Reset the firewall
  objShell.Run "netsh firewall reset", 0, True
  /script>
 /job>
/package>

How It Works
The script takes a single command-line argument: File—which specifies the netfw.Vx file which contains the appropriate configuration for said computer. (This would probably be on a floppy disk or CD, as you have to go from desk to desk to complete this task.)

File Listing 1 shows the netfw.V1 file that we use. This gives us maximum flexibility. If you only need one or two different firewall configurations, you need only create one or two different template files. On the other hand, if your organization consists of a combination of desktop and notebook computers spread across several subnets, this could quickly get complicated. With the approach we’ve taken, you’ve got room to grow.

File Listing 1:
[version]
Signature = "$Windows NT$"
DriverVer =07/01/2001,5.1.2600.2180

[DefaultInstall]
AddReg=ICF.AddReg.DomainProfile
AddReg=ICF.AddReg.StandardProfile

[ICF.AddReg.DomainProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\Shared
Access\Parameters\FirewallPolicy\DomainProfile\
AuthorizedApplications\List","%windir%\system32\
sessmgr.exe",0x00000000,"%windir%\system32\
sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM,"SYSTEM\CurrentControlSet\Services\Shared
Access\Parameters\FirewallPolicy\DomainProfile\
RemoteAdminSettings","Enabled",0x00010001,
1HKLM,"SYSTEM\CurrentControlSet\Services\Shared
Access\Parameters\FirewallPolicy\DomainProfile\
RemoteAdminSettings","RemoteAddresses",
0x00000000,"*"

[ICF.AddReg.StandardProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\Shared
Access\Parameters\FirewallPolicy\StandardProfile\
AuthorizedApplications\List","%windir%\system32\
sessmgr.exe",0x00000000,"%windir%\system32\
sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

The Catch-22
Using this script, you can configure the remote admin setting on any computer in your organization. It must, however, be run locally. You could accomplish the same thing remotely using WMI to directly change the Registry and copy the proper default netfw.inf file to the remote computer, except for one problem: If the Windows Firewall is enabled (the default), you can’t use WMI to change it because you can’t connect in the first place.

If you haven’t yet upgraded your XP machines to SP2, I highly recommend configuring the firewall prior to installation. You’ll save yourself a big headache. The file on the CD is called netfw.in_ and is in the i386 directory. The easiest solution is to copy the CD to a network share and edit this file to an appropriate configuration, such as allowing access in the Domain profile for specific IP addresses (yours and the other admins). You can then connect remotely via WMI to create custom configurations for specific machines to finish locking them down.

Featured