I’ve had a lot of requests for a way to disable XP firewalls on the network, or at least open up the ports required to remotely manage the computers. If your workstations sit behind a NAT router with a decent firewall built in, the XP desktop firewall mostly matters for traffic that never crosses that perimeter: a worm or an attacker already on the LAN, or a laptop that leaves the office. For that reason, prefer opening specific ports to specific addresses over switching the firewall off altogether.
If you have the XP firewall enabled, there is very little you can do in the way of remote management for these PCs. Fortunately, there are ways to automate the configuration of the XP firewalls on your network, depending on what type of network you are using.
Login Script Method
The easiest way to do this is with a login script. If your company uses a directory service such as Novell or Active Directory, you can create a script that runs each time a user logs in, and use it to open the required firewall ports.
We run into a problem, however, if the user logging in does not have local administrative rights on the PC: modifying the firewall settings requires them. For this, we can employ a nice piece of freeware called CPAU. Using this tool, you can do a run-as style command so that the script runs under an administrative account. Alternatively, you can use a tool such as Admin Script Editor to compile your script into an executable that runs under a specific security account. Be aware that either approach puts an administrative credential inside a file that every user’s session can read or execute; an encrypted job file or a compiled executable only slows down recovery of that credential, so use a dedicated account with the minimum rights needed and treat the credential as exposed. There are other tools that can do this, and feel free to add them in the comments section if you would.
Active Directory Startup Script Method
You can also run the script using Active Directory group policy for the machine account. A startup script runs at boot, before anyone logs in, in the context of the machine’s LocalSystem account, so it does not need to be elevated by tools such as CPAU and no credential has to be stored in the script. You can set this up in the Group Policy Editor under “Computer Configuration => Windows Settings => Scripts => Startup”.
The following is a script that will open the required ports on the XP firewall. The arguments are positional (protocol, port, name, mode, scope), so “enable all” means mode=ENABLE scope=ALL: each port is opened to any source address, not just the local subnet.
rem Windows networking (File and Printer Sharing): SMB over TCP 445 plus NetBIOS 137/138/139.
rem SMB direct hosting runs over TCP 445; UDP 445 is not used, so the port must be opened as TCP.
netsh firewall set portopening tcp 445 WindowsNetworking enable all
netsh firewall set portopening tcp 139 WindowsNetworking enable all
netsh firewall set portopening udp 137 WindowsNetworking enable all
netsh firewall set portopening udp 138 WindowsNetworking enable all
rem VNC server (5900) and its built-in HTTP/Java viewer port (5800).
netsh firewall set portopening tcp 5900 VNC enable all
netsh firewall set portopening tcp 5800 VNC-HTTP enable all
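As an added example (this is not the script from the original post), here is a tighter version of the same startup script. Instead of opening each port to every address on every profile, it uses the XP firewall’s built-in File and Printer Sharing and Remote Administration exceptions, limits them to the domain profile and the local subnet, allows VNC only from a single management console, and permits ping so you can tell a dead machine from a firewalled one. The console address 10.0.0.5 is a made-up value; substitute your own. Everything else is standard netsh firewall syntax from XP SP2.

```batch
@echo off
rem Added example, not the original post's script. Runs as LocalSystem from a
rem Computer Configuration startup script, so no credential is needed.
rem Assumption: the management console lives at 10.0.0.5 (made-up address).

rem File and Printer Sharing exception = TCP 139, TCP 445, UDP 137, UDP 138.
rem scope=subnet limits it to hosts on the machine's own subnet; profile=domain
rem means it only applies when the machine can see its domain controller, so a
rem laptop on a hotel network keeps SMB closed.
netsh firewall set service type=fileandprint mode=enable scope=subnet profile=domain

rem Remote Administration exception = RPC/DCOM (WMI, Computer Management,
rem remote registry, psexec-style tools). Same subnet/profile restriction.
netsh firewall set service type=remoteadmin mode=enable scope=subnet profile=domain

rem VNC and its web viewer port, reachable only from the management console.
netsh firewall set portopening protocol=tcp port=5900 name=VNC mode=enable scope=custom addresses=10.0.0.5 profile=domain
netsh firewall set portopening protocol=tcp port=5800 name=VNC-HTTP mode=enable scope=custom addresses=10.0.0.5 profile=domain

rem ICMP type 8 = inbound echo request, so the machine answers ping on the domain profile.
netsh firewall set icmpsetting type=8 mode=enable profile=domain

rem Record the resulting state so it shows up in the script's output.
netsh firewall show state
netsh firewall show service
netsh firewall show portopening
```

Run it by hand on one test machine first and check the output of netsh firewall show state: if the machine reports the Standard profile rather than Domain, it did not reach a domain controller at boot and the exceptions above will not be active, which is the intended fail-closed behaviour but looks like a broken script if you are not expecting it.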
Group Policy Method
You can set these options using Active Directory Group Policy as well, which has the advantage that the settings are enforced and re-applied at every policy refresh rather than only when a script happens to run. You can access them in the Group Policy Editor by navigating to “Computer Configuration => Administrative Templates => Network => Network Connections => Windows Firewall”. The settings there are split into a Domain Profile and a Standard Profile. Configure the Domain Profile (used when the machine can reach a domain controller) and leave the Standard Profile locked down, so that laptops do not carry open SMB and VNC ports onto other networks. The settings you want are “Windows Firewall: Allow file and printer sharing exception”, “Windows Firewall: Allow remote administration exception” and “Windows Firewall: Define port exceptions”; each takes a scope, so you can restrict them to localsubnet or to a list of management addresses rather than to everyone.
Extra Notes
As a side note, if you choose a scripting tool such as Admin Script Editor to compile your script, you can also distribute it directly to end users so that they can execute it themselves. Remember that such an executable carries the administrative credential it runs under, so anyone who obtains the file effectively has a copy of that credential.
Make sure that you also disable Simple File Sharing on the remote computers (Folder Options => View => “Use simple file sharing”). With it enabled, every network logon is mapped to the Guest account, so even domain administrators cannot reach the administrative shares; it can be just as much of a barrier to remote administration as the firewall. I’ll make a post about that one soon.