on 01-08-2015 05:26 AM
WMI (including PowerShell's Get-WmiObject) reaches a remote Windows machine through the RPC Endpoint Mapper on TCP port 135.
For remote Windows machines where Windows Firewall is enabled, opening port 135 alone is not enough for Discovery to discover the machine.
When the MID server connects to the RPC Endpoint Mapper on port 135, the remote machine answers with a (dynamic) port that the MID server must then connect to in order to reach DCOM on that machine. The port the RPC server hands back is taken from a range of ports (unless RPC has been configured to use static ports).
The default ranges of DCOM ports are:
- from 1025 to 5000: Windows 2000, Windows XP and Windows Server 2003
- from 49152 to 65535: Windows Server 2008 and later versions, and in Windows Vista and later versions
If the range of DCOM ports is not opened in the Windows Firewall, Discovery fails and the "WMIRunner - WMI: Classify" probe returns the following error:
<error>
Authentication failure with the local MID server service credential.
</error>
<error>
Failed to access target system. Please check credentials and firewall settings on the target system to ensure accessibility: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Stack Trace:
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
at System.Management.ManagementScope.InitializeGuts(Object o)
at System.Management.ManagementScope.Initialize()
at System.Management.ManagementObjectSearcher.Initialize()
at System.Management.ManagementObjectSearcher.Get()
at Microsoft.PowerShell.Commands.GetWmiObjectCommand.BeginProcessing()
at System.Management.Automation.Cmdlet.DoBeginProcessing()
at System.Management.Automation.CommandProcessorBase.DoBegin()
</error>
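The quickest way to see which hop is failing is to repeat the probe's call from the MID server host and look at the HRESULT. The script below is an added example, not part of the original post or of ServiceNow's probe code; the target name and credential are assumed values. It uses Get-WmiObject, the same cmdlet the stack trace above shows, because it always speaks DCOM (Get-CimInstance defaults to WS-Man and would not exercise the dynamic port). Windows PowerShell 5.1 is assumed; Test-NetConnection needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post: reproduce the WMI: Classify call from
# the MID server host and classify the failure by the HRESULT in the error text.
# $Target and $Cred are assumed values; replace them with your own.
param(
    [string]$Target = 'srv01.example.local',     # assumed Discovery target
    [pscredential]$Cred = (Get-Credential)       # assumed Discovery account
)

# 1. The RPC Endpoint Mapper must answer on TCP 135. Without it nothing else is
#    reachable, whatever the DCOM port range looks like.
$epm = Test-NetConnection -ComputerName $Target -Port 135 -WarningAction SilentlyContinue
if (-not $epm.TcpTestSucceeded) {
    Write-Warning "TCP 135 is closed on $Target; open the RPC Endpoint Mapper rule first (step A)"
    return
}

# 2. Same call the probe makes. Get-WmiObject always uses DCOM, so this exercises
#    port 135 *and* the dynamic port the endpoint mapper hands back.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target -Credential $Cred -ErrorAction Stop
    "OK: $Target runs $($os.Caption) build $($os.BuildNumber)"
}
catch {
    # Marshal.ThrowExceptionForHR embeds the HRESULT in the message text, which
    # survives any wrapping PowerShell applies to the exception object.
    $hr = if ($_.Exception.Message -match '0x([0-9A-Fa-f]{8})') { $Matches[1].ToUpper() } else { 'unknown' }
    switch ($hr) {
        '800706BA' { Write-Warning "0x$hr RPC server unavailable: 135 answered but the dynamic DCOM port is usually filtered on $Target (step B or C)" }
        '80070005' { Write-Warning "0x$hr Access denied: the transport worked; check the credential and the DCOM/WMI permissions on $Target" }
        default    { Write-Warning "0x$hr $($_.Exception.Message)" }
    }
}
```

Run it once from the MID server host against one failing target; a clean 135 test followed by 0x800706BA points at the dynamic range, while 0x80070005 after a successful connection points at permissions rather than the firewall.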
The ServiceNow Wiki explicitly states: "Ensure that the MID Server application host machine has access to the targets on all ports due to the unique nature of the WMI requirements."
However, for customers who refuse to open all ports to the MID server, there is a solution consisting of the following:
- A) Open port 135 on the firewall.
- B) Open access to the standard DCOM ports.
- C) Optionally, configure DCOM to use a specific (smaller) range of ports instead of the standard DCOM range, and open only those on the firewall.
A) How to open port 135 on the Windows Firewall (Windows 2000, XP, Server 2003):
This consists of adding an Exception to Windows Firewall. Follow these steps:
- Start > Control Panel > Windows Firewall > Exceptions > Add Port...
~ Name: RPC Endpoint Mapper - TCP Port 135
~ Port: 135
~ TCP
A) How to open port 135 on the Windows Firewall (Windows Server 2008, Vista and later):
This consists of adding a rule in Windows Firewall with Advanced Security to open port 135 (RPC Endpoint Mapper). Follow these steps:
- Start > Administrative Tools > Windows Firewall with Advanced Security
- Inbound Rules (right-click) >> New Rule...
- [Rule Type]: select "Custom", click "Next".
- [Program]: select "All programs".
- [Program]: on Services, click "Customize...". Select "Apply to this service: Remote Procedure Call (RPC) - RpcSs" and click "OK" to close the dialog box. Click "Next".
- [Protocol and Ports]: select "Protocol type: TCP".
- [Protocol and Ports]: select "Local port: RPC Endpoint Mapper".
- [Protocol and Ports]: leave "Remote port: All Ports" and click "Next".
- [Scope]: leave "Which local/remote IP addresses does this rule match: Any IP address" (you may need to restrict the remote address to the MID server per your security policy). Click "Next".
- [Action]: select "Allow the connection".
- [Profile]: select "Domain", "Private" and "Public" (you may need to set this differently per your security policy). Click "Next".
- [Name]: give the rule a name: "RPC Endpoint Mapper - TCP Port 135". Click "Finish".
It is possible that one of the predefined rules already allows access to 135/RPC; that is the case for the rule "File and Printer Sharing (RPC-EPMAP)".
Even so, it is still worth having your own rule controlling this access, scoped to the MID server's address.
B) How to open access on the Windows Firewall to the standard DCOM ports (Windows 2000, XP, Server 2003):
This consists of adding Exceptions to Windows Firewall. As there are many exceptions to add, we run a one-line script that adds the entries for you.
Follow these steps:
- Make sure that port 135 is open. For that, follow A).
- Open a command prompt and type the following:
FOR /L %I IN (1025,1,5000) DO netsh firewall add portopening TCP %I "DCOM - TCP Port %I"
That adds one entry per port to the Windows Firewall (3,976 entries). Exceptions added this way are open to any source address; append "ENABLE CUSTOM <MID server IP>" (the mode, scope and addresses arguments) to each command to restrict them to the MID server.
If you find that these are too many entries, you can follow the steps in "C)" to have DCOM use only a few ports.
B) How to open access on the Windows Firewall to the standard DCOM ports (Windows Server 2008, Vista and later):
There are several ways to achieve this.
One of them is adding the Exceptions to Windows Firewall with the command from the previous section, this time using the DCOM port range for Windows 2008: substitute (1025,1,5000) in the command with (49152,1,65535).
That adds one entry per port to the Windows Firewall (16,384 entries). Note that the legacy "netsh firewall" context is deprecated on these versions; "netsh advfirewall firewall add rule" accepts a range such as localport=49152-65535 in a single rule.
If you find that these are too many entries, you can follow the steps in "C)" to have DCOM use only a few ports.
The other way consists of adding a rule in Windows Firewall with Advanced Security, as we did in A). For that, follow these steps:
- Make sure that port 135 is open. For that, follow A).
- Start > Administrative Tools > Windows Firewall with Advanced Security
- Inbound Rules (right-click) >> New Rule...
- [Rule Type]: select "Custom", click "Next".
- [Program]: select "All programs".
- [Program]: on Services, click "Customize...". Select "Apply to all programs and services" and click "OK" to close the dialog box. Click "Next".
- [Protocol and Ports]: select "Protocol type: TCP".
- [Protocol and Ports]: select "Local port: Dynamic RPC".
- [Protocol and Ports]: leave "Remote port: All Ports" and click "Next".
- [Scope]: leave "Which local/remote IP addresses does this rule match: Any IP address" (you may need to restrict the remote address to the MID server per your security policy). Click "Next".
- [Action]: select "Allow the connection".
- [Profile]: select "Domain", "Private" and "Public" (you may need to set this differently per your security policy). Click "Next".
- [Name]: give the rule a name: "DCOM - TCP Dynamic RPC". Click "Finish".
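The two rules from A) and B) can also be created from PowerShell, which makes them easy to deploy consistently and to scope to the MID server instead of "Any IP address". The script below is an added example and not part of the original post; it uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later), with the equivalent netsh advfirewall lines for Vista / Server 2008 in comments. The MID server address is an assumed value.

```powershell
# Added example, not from the original post: inbound rules for steps A) and B),
# scoped to the MID server. Run elevated on the target.
$MidServer = '10.20.30.40'            # assumed MID server IP; replace with yours

# A) TCP 135, only for the RPC Endpoint Mapper service and only from the MID
#    server. 'RPCEPMap' is the firewall's keyword for the endpoint mapper and
#    -Service RpcSs pins the rule to that service inside svchost.exe.
New-NetFirewallRule -DisplayName 'RPC Endpoint Mapper - TCP Port 135' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort RPCEPMap `
    -Program '%SystemRoot%\system32\svchost.exe' -Service RpcSs `
    -RemoteAddress $MidServer -Profile Domain | Out-Null
# Vista / Server 2008 equivalent:
# netsh advfirewall firewall add rule name="RPC Endpoint Mapper - TCP Port 135" dir=in action=allow protocol=TCP localport=RPC-EPMap program="%SystemRoot%\system32\svchost.exe" service=RpcSs remoteip=10.20.30.40 profile=domain

# B) The dynamic port the endpoint mapper hands back. The 'RPC' keyword means
#    "whatever port RPC allocated", so one rule covers the whole range (the
#    49152-65535 default or a custom range from step C) without enumerating
#    ports. Pinning it to the WMI service limits what else becomes reachable.
New-NetFirewallRule -DisplayName 'DCOM - TCP Dynamic RPC (WMI)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort RPC `
    -Program '%SystemRoot%\system32\svchost.exe' -Service Winmgmt `
    -RemoteAddress $MidServer -Profile Domain | Out-Null
# Vista / Server 2008 equivalent:
# netsh advfirewall firewall add rule name="DCOM - TCP Dynamic RPC (WMI)" dir=in action=allow protocol=TCP localport=RPC program="%SystemRoot%\system32\svchost.exe" service=Winmgmt remoteip=10.20.30.40 profile=domain

# Show what was created; the port filter displays the keywords, not numbers.
Get-NetFirewallRule -DisplayName 'RPC Endpoint Mapper*', 'DCOM - TCP Dynamic RPC*' |
    Get-NetFirewallPortFilter | Format-Table -AutoSize
```

These two rules mirror the predefined "Windows Management Instrumentation (WMI)" rule group that Vista / Server 2008 and later ship with (WMI-In on dynamic RPC for the winmgmt service, DCOM-In on RPC-EPMap for RpcSs); enabling that group is an alternative, but the predefined rules are not scoped to a source address, which is the reason for writing your own.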
C) How to configure DCOM to use only a few ports.
We are going to restrict DCOM to about 100 ports: 65000-65100. Warning: this is the minimum Microsoft recommends (see KB 154596); such a small range can make Discovery (and other remote DCOM applications) slow, or fail when the ports are exhausted.
- Start > Administrative Tools > Component Services
- Console Root > Component Services > Computers > My Computer (right-click) >> Properties > Default Protocols > "Connection-oriented TCP/IP" > Properties...
- Add... Port range: 65000-65100.
- Make sure both "Port range assignment" and "Default dynamic port allocation" are set to "Internet range".
- Restart the server (RPC reads this setting only at startup).
- Follow the steps in B). For Windows 2000, XP, Server 2003 substitute (1025,1,5000) in the command with (65000,1,65100); that adds 101 entries to the Windows Firewall. On Windows Server 2008 and later the "Dynamic RPC" rule from B) already follows whatever range DCOM is configured with, or you can add a single rule for the explicit range.
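The Component Services dialog above writes its settings to HKLM\SOFTWARE\Microsoft\Rpc\Internet (documented in Microsoft KB 154596), so step C) can be scripted for many targets. The script below is an added example and not part of the original post; the port range and MID server address are assumed values, and the firewall rule uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later).

```powershell
# Added example, not from the original post: step C) applied through the registry,
# plus a single firewall rule for the resulting range. Run elevated on the target.
$Range     = '65000-65100'      # assumed range; KB 154596 recommends at least 100 ports
$MidServer = '10.20.30.40'      # assumed MID server IP

# Sanity check before touching anything: a tiny range or a range in the
# well-known ports (below 1025) will make DCOM activations fail or queue.
$lo, $hi = $Range -split '-' | ForEach-Object { [int]$_ }
if ($lo -lt 1025 -or ($hi - $lo + 1) -lt 100) {
    throw "Range $Range is below 1025 or has fewer than 100 ports; choose a larger one"
}

$key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# Ports is REG_MULTI_SZ, one entry per range or single port. The two Y flags are
# what the dialog's "Internet range" radio buttons set: with both Y, RPC hands
# out only ports from this list to remote (DCOM) callers.
Set-ItemProperty -Path $key -Name 'Ports'                  -Value @($Range) -Type MultiString
Set-ItemProperty -Path $key -Name 'PortsInternetAvailable' -Value 'Y'       -Type String
Set-ItemProperty -Path $key -Name 'UseInternetPorts'       -Value 'Y'       -Type String

# One range rule replaces the per-port netsh loop. Listing the explicit range
# (rather than the RPC keyword) keeps the rule auditable without RPC knowledge.
New-NetFirewallRule -DisplayName "DCOM - TCP $Range" -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $Range -RemoteAddress $MidServer -Profile Domain | Out-Null

# RPC reads the Internet key only at service start, so a reboot is required.
Get-ItemProperty -Path $key | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
Write-Host "Restart $env:COMPUTERNAME for the new RPC port range to take effect"
```

After the reboot, a Get-WmiObject call from the MID server should succeed with only 135 and the configured range open; if it still fails with 0x800706BA, check that the range was written as a REG_MULTI_SZ value and that both flags read Y.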
Excellent work Juan! This will definitely help.
Carlos - I have to second what Ankush has stated!
This is a superb piece of documentation. Great work buddy!
This is very useful information. Really helpful!
Has anyone applied this to target DMZ servers?
Custom DCOM Port Ranges
I have run into a scenario where I was not able to discover several Windows servers even though I verified the default DCOM port ranges were properly configured in the firewall. After a marathon troubleshooting session, I figured out that certain Windows machines had been individually configured to use custom DCOM port ranges. Once the custom port ranges were opened in the firewall, I successfully discovered the Windows server.
The Remote Procedure Call (RPC) dynamic port allocation is configured in the Registry Editor under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc. If Rpc only has 3 values as shown, then the Default DCOM port ranges are configured.
If the Internet key was added to the Rpc key, then a custom DCOM port range has been configured.
Under the Internet key 3 Port key values are configured:
- Ports (REG_MULTI_SZ data type)
- PortsInternetAvailable (REG_SZ data type)
- UseInternetPorts (REG_SZ data type)
As an example, the following custom DCOM ports 5000 through 5100 are configured:
- Ports: REG_MULTI_SZ: 5000-5100
- PortsInternetAvailable: REG_SZ: Y
- UseInternetPorts: REG_SZ: Y
More detailed information can be found at Microsoft at the following URL (How to configure RPC dynamic port allocation to work with firewalls):
https://support.microsoft.com/en-us/help/154596
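The troubleshooting in the comment above can be turned into a check that runs on the target and reports the range RPC will actually hand out, whether it comes from the Rpc\Internet key or the OS default, and whether an enabled inbound rule covers it. The script below is an added example and is not the commenter's code; the rule check needs the NetSecurity cmdlets (Windows 8 / Server 2012 and later), and the OS-version test is coarse (NT 6.0 and later use the 49152-65535 default).

```powershell
# Added example, not the commenter's code: audit a target's effective DCOM port
# range and check that an inbound firewall rule covers it. Run on the target.

function Get-DcomPortRange {
    # A custom range applies only when the Internet key exists and both flags are Y.
    $inet = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
    if ($inet -and $inet.UseInternetPorts -eq 'Y' -and $inet.PortsInternetAvailable -eq 'Y' -and $inet.Ports) {
        return [pscustomobject]@{ Source = 'Custom (HKLM\SOFTWARE\Microsoft\Rpc\Internet)'; Ranges = @($inet.Ports) }
    }
    # Otherwise the default depends on the OS: 1025-5000 up to Server 2003 (NT 5.x),
    # 49152-65535 from Vista / Server 2008 (NT 6.0) onward.
    $ver = [Environment]::OSVersion.Version
    $default = if ($ver.Major -ge 6) { '49152-65535' } else { '1025-5000' }
    [pscustomobject]@{ Source = "Default for Windows NT $ver"; Ranges = @($default) }
}

function Test-RangeCovered([string]$Range) {
    # Returns the name of an enabled inbound TCP allow rule that either uses the
    # RPC keyword or lists an explicit span containing the whole range, else $null.
    $lo, $hi = $Range -split '-' | ForEach-Object { [int]$_ }
    if (-not $hi) { $hi = $lo }                       # single port, e.g. "5000"
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne 'TCP') { continue }
        foreach ($p in @($pf.LocalPort)) {            # LocalPort may be a string or an array
            if ($p -eq 'RPC') { return $r.DisplayName }
            if ($p -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le $lo -and [int]$Matches[2] -ge $hi) { return $r.DisplayName }
            if ($p -match '^\d+$' -and $lo -eq $hi -and [int]$p -eq $lo) { return $r.DisplayName }
        }
    }
    return $null
}

$cfg = Get-DcomPortRange
"DCOM dynamic ports: $($cfg.Ranges -join ', ') [$($cfg.Source)]"
foreach ($range in $cfg.Ranges) {
    $rule = Test-RangeCovered $range
    if ($rule) { "  $range is covered by rule '$rule'" }
    else       { Write-Warning "  $range has no enabled inbound TCP allow rule; Discovery will fail on this host" }
}
```

Because the check reads the same three values the comment describes, it also catches the case the commenter hit: a host whose range was customised individually and therefore does not match the rules written for the OS default.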
Very good article. This is really helpful.