HP Integrity Superdome SX1000 HP Insight Management WBEM Providers on Integrit - Page 19

Microsoft Windows Server™ 2008 Firewall configuration



6 Microsoft Windows Server™ 2008 Firewall configuration

This section describes a configuration method for enabling direct remote WMI access on a server running the Microsoft Windows Server 2008 Firewall. These configuration steps were derived from testing on RC1 of Microsoft Windows Server 2008, and so might not apply to the latest version of the Microsoft Windows Server 2008 Firewall.

There are many methods to establish remote communication with WMI. Locally privileged programs can establish communication with WMI locally and serve up a private or standardized remote management interface. The System Management Homepage (SMH) and Windows Remote Management (an implementation of WS Management) are examples.

This documentation does not apply to these or other indirect methods of WMI-related communication, only to direct remote connections to WMI. Firewall configurations for indirect WMI communication methods are independent of establishing a direct remote connection to WMI.

Apart from setting up the firewall, user privileges are also a consideration in allowing direct remote WMI access. For example, when the user is not an Administrator, some privileges might not exist by default. For more information, see “Security requirements for the Insight Providers” (page 11) and the “Securing a Remote WMI Connection” MSDN article at http://msdn2.microsoft.com/en-us/library/aa393266.aspx.

Configuration

You can establish direct remote WMI access on a computer running the Windows Server 2008 Firewall, but the default configuration does not allow it. However, by using the built-in firewall rules, you can enable remote WMI access in as little as two commands. You execute the following commands locally on the Windows Server 2008 machine that is providing WMI access (that is, on a computer running the Insight Providers on Windows Server™ 2008).

    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Output:

    Updated 4 rule(s).
    Ok.

The command enables all firewall rules contained in the specified firewall group. If the command output does not confirm that the rules were updated, check that the group name and each word in the command are correct. The group name with spacing emphasized is:

    Windows<SPACE>Management<SPACE>Instrumentation<SPACE>(WMI)

This first command is equivalent to selecting the “Windows Management Instrumentation (WMI)” checkbox in the Control Panel→Windows Firewall→Settings→Exceptions tab.

An additional firewall rule is needed to allow a remote user to establish a WMI session. It can be enabled with a similar command:

    netsh advfirewall firewall set rule name="Network Discovery (NB-Name-In)" new enable=yes

This command updates a portion of a rule group (a single rule). It can also be done in the GUI, as follows:

1. Click Administrative Tools→Windows Firewall with Advanced Security→Inbound Rules.
2. Enable the “Network Discovery (NB-Name-In)” rule(s).
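The two netsh steps above, wrapped in a PowerShell script that checks each netsh result and then verifies the resulting rule state by parsing the output of netsh advfirewall firewall show rule. This is an added example, not part of the HP manual; it goes beyond the manual by also scoping the rules to a management subnet with the netsh remoteip parameter, and it assumes PowerShell 2.0 or later, English-language netsh output, and an elevated session. The subnet value is a constructed placeholder.

```powershell
# Added example (not from the HP manual): enable the WMI rule group and the
# NB-Name-In rule, scope them to a management subnet (this script's own
# hardening step, not a manual step), then verify by parsing netsh output.
# Assumes PowerShell 2.0+, English netsh output, and an elevated session.
$WmiGroup = 'Windows Management Instrumentation (WMI)'
$NbRule   = 'Network Discovery (NB-Name-In)'
$ManagementSubnet = '10.0.0.0/24'   # constructed placeholder; use your admin network

function Assert-NetshOk([string]$What, [object[]]$Output) {
    # netsh prints "Ok." on success; anything else (typically "No rules match
    # the specified criteria." from a misspelled group or rule name) is fatal.
    $text = ($Output | Out-String)
    if ($text -notmatch 'Ok\.') { throw "$What failed:`n$text" }
    Write-Host "$What`n$($text.Trim())"
}

function Get-WmiFirewallRuleState {
    # Splits 'show rule name=all' into one hashtable per "Rule Name:" block and
    # returns the inbound rules that belong to the WMI group or are NB-Name-In.
    $rules = @(); $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($current) { $rules += $current }
            $current = @{ Name = $Matches[1].Trim() }
        } elseif ($current -and $line -match '^(\w+):\s+(.+)$') {
            $current[$Matches[1]] = $Matches[2].Trim()   # Enabled, Grouping, RemoteIP, ...
        }
    }
    if ($current) { $rules += $current }
    $rules | Where-Object {
        $_.Direction -eq 'In' -and ($_.Grouping -eq $WmiGroup -or $_.Name -eq $NbRule)
    } | ForEach-Object {
        New-Object PSObject -Property @{
            Name = $_.Name; Enabled = $_.Enabled; RemoteIP = $_.RemoteIP
            Port = "$($_.Protocol)/$($_.LocalPort)"
        }
    }
}

# Manual step 1: enable every rule in the WMI group (manual shows "Updated 4 rule(s).").
Assert-NetshOk 'Enable WMI rule group' (netsh advfirewall firewall set rule group="$WmiGroup" new enable=yes 2>&1)
# Manual step 2: enable the single NB-Name-In rule.
Assert-NetshOk 'Enable NB-Name-In' (netsh advfirewall firewall set rule name="$NbRule" new enable=yes 2>&1)
# Hardening beyond the manual: only the management subnet may reach the inbound rules.
Assert-NetshOk 'Scope WMI group' (netsh advfirewall firewall set rule group="$WmiGroup" dir=in new remoteip="$ManagementSubnet" 2>&1)
Assert-NetshOk 'Scope NB-Name-In' (netsh advfirewall firewall set rule name="$NbRule" dir=in new remoteip="$ManagementSubnet" 2>&1)

# Final state: every listed rule should show Enabled = Yes and the chosen RemoteIP.
Get-WmiFirewallRuleState | Format-Table Name, Enabled, RemoteIP, Port -AutoSize
```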