Group Policy and Remote Assistant

  • Thread starter Thread starter Mark B.
  • Start date Start date
M

Mark B.

We want to enable Remote Assistant on our XP machines, but don't want to
over-write existing local firewall settings, just add to them to allow
remote assistance. We tried to set a group policy domain wide to allow
remote assistant and it worked, but also over-wrote all local settings for
the firewall, which means no additions can be made by the user. Since we
have people that require different firewall ports because of specific
applications, we just want to add the port locally. Any ideas of how to do
this other than selecting all of the ports on campus required and putting it
into a group policy? Note: We just want to add to the local firewall
settings so none are over-writtten.
 
I have not messed that much with the Group Policy Firewall settings but take
a look at the "Allow local port exceptions" to see if that will do what you
want. I don't know if it will initially override the local defined settings
and then allow users to make exceptions or preserve existing settings. It
would be easy enough to test out. Another possibility is a Group Policy
"startup" script that uses the netsh command to modify the port list such as
the add port option. The links below explain more. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngwfw.mspx
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/wfsp2apb.mspx#EFAA
http://www.jsiinc.com/SUBP/tip7900/rh7908.htm
 
Hi Mark,

Thanks for Steven's suggestions.

You may also check the following registry key directly.

The domain applied ports are applied here:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter
s\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

For example, if we want to open port TCP 3389, a line will be:

"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"

You may configure it on a machine and check it in the registry for what
ever you want to apply.

Export that registry file and remove all the other lines related to other
ports.

Just leave the port you want to deploy.

Add the line like below to the machine log on script.

regedit -s \\server\share\Enable_TCP_3389.reg

HTH.

Best Regards,

Jeff Qiu
Microsoft Online Partner Support
MCSE 2k/2k3, MCSA 2k/2k3, MCDBA
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
 
In the your GPO, set:

Computer Configuration
Administrative Templates
Network
Network Connections
Windows Firewall
[Domain|Standard] Profile
Windows Firewall: Allow local program exceptions: Enabled
Windows Firewall: Allow local port exceptions: Enabled

Any locally set exceptions will then stay in place and be honoured.
 
Back
Top