Vista Firewall seems to be tattooed with Remote Administration blocking rules in local group policy
I've enabled Remote Administration and Remote Assistance in Domain Group Policies. I've verified that these policies are being applied with GPresult. Everything worked in my network, including Remote Assistance, for about 2 weeks. Suddenly we couldn't remote control end users' workstations. After extensive investigation and review of settings I discovered three entries in the local firewall. They are all listed with a source of Local Group Policy:
* Remote Administration (RPC-EPMAP) Port 135 block
* Remote Administration (RPC) Dynamic RPC block
* Remote Administration (NP-In) Port 445 block
These do not show up when I run gpedit.msc and review local group policy. These do not show up in my Domain Group Policies under local policies. I've attempted to add secure channels that override these blocks, but still not good. My workaround at the moment is to turn off the firewall for the Domain profile. These seem to be phantom entries that are tattooed onto all my domain workstations.
Vista Enterprise SP1. Managing the Group Policies on Server 2008. We're also using Group Policy Preferences.
Any help locating where these are coming from would be appreciated. These three entries appear to be the only ones, so I suspect some other non-firewall policy regarding Remote Administration is creating them. I just cannot find anything that relates to this set with a block or denied configuration.
Kenmore, WA
October 8th, 2009 1:09am
Hi,
Thank you for your post.
Based on my research, I would like to suggest the following:
1. Please manually set the rules to Allow and enable them. Then, reboot the computer and see if it will be changed back.
2. If the rules are changed, I suspect this should be related to Group Policy and please gather the following information for our further research:
1) In the GPMC, process the Group Policy Result wizard to collect the data of RSOP.
2) Right click Group Policy Results---> Group Policy Results Wizard…
3) Choose Another computer to point to the problematic client.
4) Select that problematic user account and click next to collect the group policy result data.
In the Summary tab, verify the settings in the Computer Configuration--->Policies--->Windows Settings--->Security Settings--->Windows Firewall with Advanced Security.
Please also upload the report to Windows Live SkyDrive and share its URL with us.
Thanks.
Nicholas Li
TechNet Subscriber Support in forum
Nicholas Li - MSFT
October 8th, 2009 12:48pm
Hi,
I just want to see how everything is going. If you have any questions or concerns on the recent information I've provided you, please feel free to let me know.
Thanks.
Nicholas Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd @ microsoft.com.
Nicholas Li - MSFT
October 9th, 2009 1:52pm
Nicholas, I'll try to gather the reports as indicated. The Allow rules already exist. I guess I'll try to add an overriding rule to local group policy as a test. From what I've read, blocks always win when there are two competing rules.
Thanks
Kevin
Kenmore, WA
October 12th, 2009 10:19pm
http://cid-ab18f6b6e4dcacd5.skydrive.live.com/browse.aspx/Support%20Reports
Nicholas, I haven't used SkyDrive before. Hopefully this link takes you to a report on an affected workstation. All workstations and users are affected by the issue. Another interesting thing I noticed when I ran GPresult on my workstation: there's a set of registry changes that I can't map to any policies I've set in the GPO. They appear to be firewall information, but I can't tell what it's setting (or blocking). I'll try and trace these entries using regedit.
Software\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}\BackgroundPriorityLevel
3
Default Domain Policy
Software\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}\NoBackgroundPolicy
0
Default Domain Policy
Software\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}\NoGPOListChanges
0
Default Domain Policy
Software\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}\NoSlowLink
0
Default Domain Policy
Software\policies\Microsoft\WindowsFirewall\ConSecRules\23c8649b-ce36-4b29-9d0e-fb9211a66c0d
v2.0|Action=DoNotSecure|Active=TRUE|EP2_4=10.1.1.0/255.255.255.0|EP2_4=10.0.0.0/255.255.255.0|EP2_4=10.5.5.0/255.255.255.0|Name=General OMWLAW bypass|Desc=|
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\ConSecRules\8fbce70a-184e-4420-b9f8-32e6e135b67b
v2.0|Action=Boundary|Active=TRUE|Profile=Domain|Name=Domain connection rule|Desc=|Auth1Set=ComputerKerberos|Auth2Set=EmptySet|Crypto2Set={E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}|
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\0e36700f-122e-40d0-8eed-83408f6cb4f1
v2.0|Action=ByPass|Active=TRUE|Dir=In|Protocol=6|LPort=135|Name=DCOM port 135|Desc=Open for remote assistance|RMauth=D:(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-4293)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5287)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5623)|Security=Authenticate|Edge=FALSE|
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\44a5f8fb-8e01-4610-b42c-1b399c66d49b
v2.0|Action=Allow|Active=TRUE|Dir=In|App=%SystemRoot%\system32\msra.exe|Name=Remote Assistance Program|Edge=FALSE|
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\48d6b0b4-e077-49ed-9f47-414af2d64431
v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=2869|Name=Remote Assistance (UPnP-In)|Desc=TCP Port 2869|Edge=FALSE|
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\611d65be-60f3-4859-ab90-755df63107fc
v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=RDP port 3389|Desc=RDP port for remote desktop and remote assistance|Edge=FALSE|
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\6c4e5252-8928-4139-85c7-d3ff98c669e5
v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=1900|Name=Remote Assistance (SSDP_In)|Desc=UDP Port 1900|Edge=FALSE|
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\c30169e2-7d33-41de-a469-a13c73fea088
v2.0|Action=Allow|Active=TRUE|Dir=In|App=%SystemRoot%\system32\raserver.exe|Name=Remote Assistance Server process|Edge=FALSE|
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\RemoteAdmin-In-TCP
v2.0|Action=ByPass|Active=TRUE|Dir=In|Protocol=6|LPort=RPC|App=%SystemRoot%\system32\svchost.exe|Svc=*|Name=@FirewallAPI.dll,-29753|Desc=@FirewallAPI.dll,-29756|RMauth=D:(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-4293)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5287)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5623)|EmbedCtxt=@FirewallAPI.dll,-29752|Security=Authenticate|Edge=FALSE|
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\RemoteAdmin-NP-In-TCP
v2.0|Action=ByPass|Active=TRUE|Dir=In|Protocol=6|LPort=445|App=System|Name=@FirewallAPI.dll,-29757|Desc=@FirewallAPI.dll,-29760|RMauth=D:(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-4293)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5287)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5623)|EmbedCtxt=@FirewallAPI.dll,-29752|Security=Authenticate|Edge=FALSE|
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\RemoteAdmin-RPCSS-In-TCP
v2.0|Action=ByPass|Active=TRUE|Dir=In|Protocol=6|LPort=RPC-EPMap|App=%SystemRoot%\system32\svchost.exe|Svc=RPCSS|Name=@FirewallAPI.dll,-29765|Desc=@FirewallAPI.dll,-29768|RMauth=D:(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-4293)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5287)(A;;CC;;;S-1-5-21-2088903243-771512506-2371240255-5623)|EmbedCtxt=@FirewallAPI.dll,-29752|Security=Authenticate|Edge=FALSE|
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\RemoteFwAdmin-In-TCP
v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=RPC|App=%SystemRoot%\system32\svchost.exe|Svc=policyagent|Name=@FirewallAPI.dll,-30003|Desc=@FirewallAPI.dll,-30006|EmbedCtxt=@FirewallAPI.dll,-30002|Edge=FALSE|
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\FirewallRules\RemoteFwAdmin-RPCSS-In-TCP
v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=RPC-EPMap|App=%SystemRoot%\system32\svchost.exe|Svc=RPCSS|Name=@FirewallAPI.dll,-30007|Desc=@FirewallAPI.dll,-30010|EmbedCtxt=@FirewallAPI.dll,-30002|Edge=FALSE|
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\IPSecExempt
2
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}
{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0000\CAName
DC=com, DC=omwlaw, CN=omwlaw-OMWSRV2008-CA
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0000\CertAccountMapping
FALSE
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0000\ExcludeCAName
FALSE
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0000\HealthCert
FALSE
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0000\Method
MachineCert
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0001\CAName
C=US, O="VeriSign, Inc.", OU=Class 3 Public Primary Certification Authority
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0001\CertAccountMapping
FALSE
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0001\ExcludeCAName
FALSE
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0001\HealthCert
FALSE
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0001\Method
MachineCert
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0002\Method
MachineNtlm
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\0003\Method
Anonymous
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}{6CEA1BA5-034C-4139-97DC-A75E3B88BAC5}\Version
2.1
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\Anonymous\0000\Method
Anonymous
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\Anonymous\Version
2.1
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\ComputerKerberos\0000\Method
MachineKerb
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase1AuthenticationSets\ComputerKerberos\Version
2.1
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase2AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}
{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}{93D543AA-9B24-4D32-928D-532170E00379}
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase2AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}{93D543AA-9B24-4D32-928D-532170E00379}\0000\Method
UserNTLM
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase2AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}{93D543AA-9B24-4D32-928D-532170E00379}\0001\Method
Anonymous
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase2AuthenticationSets\{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}{93D543AA-9B24-4D32-928D-532170E00379}\Version
2.1
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\Phase2AuthenticationSets\EmptySet\Version
2.1
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\PolicyVersion
513
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall
1
Vista Lobotomy Settings
Software\policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall
1
Vista Lobotomy Settings
Kenmore, WA
October 12th, 2009 11:25pm
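The rule lines in the GPResult output above (the `v2.0|Action=...|LPort=...|` strings under `Software\policies\Microsoft\WindowsFirewall\FirewallRules`) are the same format Windows Firewall with Advanced Security stores for every policy-delivered rule, and the earlier remark that "blocks always win" is only half the story: the firewall evaluates authenticated-bypass rules first, then block rules, then allow rules, then the profile default, and a ByPass rule only matches traffic that actually arrived over an IPsec-authenticated connection. The following script is an added example, not Microsoft tooling and not part of the thread; it parses rule strings of that format and works out the winning action for a given inbound port, both for plain and for authenticated traffic. The ByPass and Allow strings are copied from the report above; the two Block rules are constructed stand-ins for the "Local Group Policy" block entries the original poster describes, and the mapping of the symbolic `RPC-EPMap` port to 135 is an assumption made for the example.

```python
"""Parse Windows Firewall with Advanced Security rule strings and apply the
firewall's rule precedence (authenticated bypass > block > allow > default)
to decide what happens to an inbound connection on a given port.
Added example; not Microsoft code. Program-only rules (App= without LPort=)
are ignored because matching them needs the owning process of the socket."""

# Assumption for this example: the symbolic endpoint-mapper port is TCP 135.
# Dynamic 'RPC' ports are left symbolic because they are not fixed.
SYMBOLIC_PORTS = {"RPC-EPMap": "135"}

# Lower number wins: bypass rules are evaluated before block, block before allow.
PRECEDENCE = {"ByPass": 0, "Block": 1, "Allow": 2}

SAMPLE_RULES = {
    # Copied from the GPResult report in the thread.
    "RemoteAdmin-NP-In-TCP": "v2.0|Action=ByPass|Active=TRUE|Dir=In|Protocol=6|LPort=445|App=System|Name=@FirewallAPI.dll,-29757|Security=Authenticate|Edge=FALSE|",
    "RemoteAdmin-RPCSS-In-TCP": "v2.0|Action=ByPass|Active=TRUE|Dir=In|Protocol=6|LPort=RPC-EPMap|App=%SystemRoot%\\system32\\svchost.exe|Svc=RPCSS|Name=@FirewallAPI.dll,-29765|Security=Authenticate|Edge=FALSE|",
    "611d65be-60f3-4859-ab90-755df63107fc": "v2.0|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=RDP port 3389|Desc=RDP port for remote desktop and remote assistance|Edge=FALSE|",
    "44a5f8fb-8e01-4610-b42c-1b399c66d49b": "v2.0|Action=Allow|Active=TRUE|Dir=In|App=%SystemRoot%\\system32\\msra.exe|Name=Remote Assistance Program|Edge=FALSE|",
    # Constructed stand-ins for the block entries the original poster saw.
    "Block-RPC-EPMAP": "v2.0|Action=Block|Active=TRUE|Dir=In|Protocol=6|LPort=135|Name=Remote Administration (RPC-EPMAP)|Desc=constructed sample|Edge=FALSE|",
    "Block-NP-In": "v2.0|Action=Block|Active=TRUE|Dir=In|Protocol=6|LPort=445|Name=Remote Administration (NP-In)|Desc=constructed sample|Edge=FALSE|",
}


def parse_rule(rule_string):
    """Turn 'v2.0|Key=Value|...|' into a dict. Keys that repeat (for example
    EP2_4 in connection-security rules) are collected into a list."""
    fields = [f for f in rule_string.split("|") if f]
    if not fields or not fields[0].startswith("v"):
        raise ValueError("not a WFAS rule string: %r" % rule_string)
    rule = {"Version": fields[0]}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError("malformed field %r" % field)
        if key in rule:
            current = rule[key]
            rule[key] = (current if isinstance(current, list) else [current]) + [value]
        else:
            rule[key] = value
    return rule


def rule_ports(rule):
    """Local ports a rule names, as strings, with symbolic names normalized.
    Returns None for program-only rules that carry no LPort."""
    lport = rule.get("LPort")
    if lport is None:
        return None
    ports = lport if isinstance(lport, list) else [lport]
    return [SYMBOLIC_PORTS.get(p, p) for p in ports]


def effective_action(rules, protocol, port, authenticated=False):
    """Winning action for an inbound connection to protocol/port.
    'Default' means no rule matched and the profile default applies."""
    winner = None
    for rule in rules:
        if rule.get("Active", "FALSE").upper() != "TRUE":
            continue
        if rule.get("Dir", "In") != "In":
            continue
        if rule.get("Protocol") != str(protocol):
            continue
        ports = rule_ports(rule)
        if ports is None or str(port) not in ports:
            continue
        action = rule.get("Action")
        # A ByPass rule only matches IPsec-authenticated traffic, so an
        # unauthenticated connection never benefits from it.
        if action == "ByPass" and not authenticated:
            continue
        if action not in PRECEDENCE:
            continue
        if winner is None or PRECEDENCE[action] < PRECEDENCE[winner]:
            winner = action
    return winner or "Default"


def load_rules(rule_strings):
    """Parse a {rule name: rule string} mapping such as a registry export."""
    return [parse_rule(s) for s in rule_strings.values()]


def port_report(rules, authenticated=False):
    """Effective action for every (protocol, port) any port-based rule names."""
    report = {}
    for rule in rules:
        ports = rule_ports(rule)
        if ports is None or "Protocol" not in rule:
            continue
        for p in ports:
            report[(rule["Protocol"], p)] = effective_action(rules, rule["Protocol"], p, authenticated)
    return report


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    for auth in (False, True):
        print("authenticated=%s" % auth)
        for (proto, port), action in sorted(port_report(rules, auth).items()):
            print("  protocol %s port %s -> %s" % (proto, port, action))
```

Run against the sample set, ports 135 and 445 come out as Block for ordinary traffic and as ByPass only when the connection is IPsec-authenticated, while 3389 stays Allow; that is the behaviour to expect whenever a block rule and an authenticated-bypass rule name the same port, and it explains why adding more Allow rules cannot cancel a Block.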
Hi,
Thank you for your update.
Firstly, may I know how it works when you set the rules to Allow and enable them?
After checking the report, I found the following under Inbound Rules of Windows Firewall with Advanced Security:
Since some rules are set to allowed and enabled by default, it may not be necessary to set the rule manually.
Based on the current situation, please try the following to check the issue:
1. Check and adjust the Group Policy settings.
2. Please disable the policy “Vista Lobotomy Settings” and have a check.
3. Take a client computer out of the OU to which the policy “Vista Lobotomy Settings” is applied and see if you can access it.
Thanks. Hope this helps.
Nicholas Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb @ microsoft.com.
Nicholas Li - MSFT
October 15th, 2009 11:44am
Hi Nicholas, thanks for the reply. I've created a copy of the Lobotomy GPO. I've placed my computer alone in an OU with this new GPO. I'm trying to clear out the various extraneous settings. The manual settings you found were my attempts to override the annoying three blocking rules. The rules show up on the workstation but don't seem to override the blocking rules as they should (or as I would expect). After a few more surgical attempts I'll completely kill the link of this GPO to the OU my computer is in and see what happens to the firewall settings.
This particular GPO also contains a bunch of application-related stuff. I know it shouldn't, just for this kind of troubleshooting. I'll try to split out security and application-related settings into two or more GPOs in the future.
Kevin
Kenmore, WA
October 16th, 2009 8:47pm
Nicholas (and whoever else is following this).
I moved my workstation to another OU, then applied a copy of the Lobotomy GPO to this OU. I removed the 4 firewall policies intended to ALLOW remote administration/remote assistance. Very interesting effects of this change.
1. The mystery rules BLOCKING remote admin/assistance disappeared (Yeah!).
2. The Vista firewall is now somehow blocking DNS!! (Boo :( ) This has the added side effect that the workstation cannot detect that it's on the domain network and should apply the DOMAIN firewall policy. In order to get around this I have to manually turn off the firewall. With the firewall off I can reboot and detect the domain. Even under the Domain firewall policy I have to leave the firewall off in order to get DNS responses. There is only one BLOCKING rule, on Remote Desktop, and it's assigned to the Private and Public profiles. I cannot yet figure out why or how DNS is being blocked.
The most noticeable Event log entry during boot up is Source DnsApi, Event ID 11164, Level Warning: System failed to register host resource records for network adapter. I can get past this by leaving the firewall off for the Private and Domain profiles during a reboot. Also the NETLOGON service fails... Time-Service Warning ID 129. I'm sure all related to DNS.
My original goal was to allow normal operations in my network with the Vista Firewall enabled. Some progress, but now I have to get the workstation to boot properly and find the network.
Kevin
Kenmore, WA
October 26th, 2009 6:59pm
Update - Found a secure connection isolation rule with source local setting. I deleted it, and now DNS works with the firewall enabled. I'll have to review the firewall settings, and the GPO further, after the domain syncs and I get a chance to reboot the workstation. So far this is promising. Now there's the question: why does deleting 4 "ALLOW" rules in Domain Group Policy also result in the removal of 3 blocking rules listed as Local Group Policy rules? Very strange.
Kevin
Kenmore, WA
October 26th, 2009 7:30pm
O.K. I've actually got rid of the three blocking rules. Not sure exactly how. The last change I made to the Group Policy Object was in Computer/Policies/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile. I set everything to "Not Configured" except Allow inbound remote administration and Allow inbound Remote Desktop.
In the previous GPO I had several of the other settings enabled, including Define inbound program exceptions (with 4 items to support our DMS), Allow ICMP exception, Allow local port exceptions, Define inbound port exceptions (with port 135 TCP enabled), and Allow inbound UPnP framework. I also had Protect all network connections Disabled.
One of these settings is somehow causing the blocking rules to materialize... Very weird. It would be rather time consuming to figure out which one. None of these settings would appear from the description to cause three specific blocking rules to appear.
Kevin
Kenmore, WA
October 27th, 2009 12:55am
Hi Kevin,
I am glad to know that it worked.
At this time, I also would like to know if there is something I can help. If you have any questions or concerns, please also feel free to let me know.
Thanks. Have a great day!
Nicholas Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com.
Nicholas Li - MSFT
October 28th, 2009 1:57pm
I guess the only question is what's causing those weird rules. Group Policy and GP Preferences were supposed to be this huge time savings for network administrators. Seems that everything I want to accomplish in this environment takes a few minutes to implement, then a week or two to figure out why it doesn't work. I spent over a month trying to deploy printers with GPP according to documentation. After discovering over a dozen interesting ways to lock up Vista I had to give up and deploy the printers manually. I'm trying to use the advanced features of Active Directory and Vista. It just seems like I have to work around them more than actually use them. I'm venting a little here, but hopefully this thread is read by someone that can make a difference. I have a Windows 7 system in the lab now. Hopefully it will be better behaved.
Thanks for your guidance.
Kevin
Kenmore, WA
October 28th, 2009 6:12pm
Hi Kevin,
Regarding Group Policy, I would like to share the following resources with you:
Windows Server Group Policy Home
Group Policy
Group Policy Team Blog
Hope they are helpful.
If you need some help on Group Policy related question, it is recommended that you go to our Windows Server Forums for help:
Windows Server Forums
Thanks again for keeping in touch.
Nicholas Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com.
Nicholas Li - MSFT
November 3rd, 2009 7:31am