Configuring the Firewall on Server Core for Remote Management

Posted On 2008-08-03 by FortyPoundHead
Tags: Tip Tutorial Windows Server 2008

As you already know by now, in Windows Server 2008, Server Core installation does not include the traditional full graphical user interface (GUI).

Once you have configured the server, you can only manage it locally at a command prompt, or remotely using a Terminal Server connection. A third management option is to manage the server remotely using the Microsoft Management Console (MMC) or command-line tools that support remote use. Read more about remote management of Server Core in my "Managing Windows 2008 Server Core through RDP", "Remotely Managing Windows 2008 Server Core Settings through MMC Snap-ins" and "Remotely Managing Windows 2008 Server Core Firewall" articles.

The Server Core blog has published a nice guide on how to configure the Server Core firewall for remote management in various scenarios.

Just like on a full Windows Server 2008 installation, the Windows Firewall is on by default, and most inbound traffic is blocked out-of-the-box. However, since the main reason for a "server" is to "serve" something (be it a service, a file, or anything else that needs to be accessible through the network), you will need to enable certain network traffic through the firewall.

One of the reasons for enabling incoming traffic through the firewall is remote management. As mentioned in previous articles, you can manage Server Core via the local command prompt, remotely with the usual MMC-based snap-in Administration tools, through WinRM and WinRS, and even through Remote Desktop (although all you'll get is a nice command prompt window…)

In most cases, after the initial configuration of the server, you'll find yourself wanting to manage some of the roles and features installed on the server, and then you'll probably go to the MMC-based snap-in Administration tools. The Server Core blog lists three scenarios for remote management via MMC:

  • Server Roles – When a server role is installed on the server, the appropriate ports are automatically opened to allow the role to function, as well as to allow remote management. No additional configuration is required. Using the Remote Server Administration Tools (RSAT) feature on a full server installation, you can install just the MMC snap-ins for a role and use them to remotely manage the role on Server Core.

  • Domain joined server – Once the server joins a domain, the firewall profile is changed to the domain profile which allows remote management. Again, no additional configuration is required.

  • Workgroup server – This is the scenario in which you may need to make firewall configuration changes to allow remote management. If you just want all remote management to work you can use the following command:
    Netsh advfirewall firewall set rule group="remote administration" new enable=yes
    The above command will allow most remote management tools to work out-of-the-box. However, in addition to allowing the MMC snap-ins through the firewall, the following MMC snap-ins require additional configuration:

    Device Manager

    To allow Device Manager to connect, you must first enable the “Allow remote access to the PnP interface” policy.

    Disk Management

    You must first start the Virtual Disk Service (VDS) on the Server Core installation.

    IPSec Management

    On the Server Core installation you must first enable remote management of IPSec. This can be done using the scregedit.wsf script:
    cscript \windows\system32\scregedit.wsf /im 1

    So, most remote administration MMC snap-ins now function once you simply enable the Remote Administration firewall rules. But, as the blog describes, it is possible to be more granular and allow only certain MMC snap-ins to remotely manage the box. There may be situations where you would want only certain MMC snap-ins to connect for remote administration.

    Not every MMC snap-in has a firewall group. Here are those that do:

    MMC Snap-in                                 Rule Group
    Event Viewer                                Remote Event Log Management
    Services                                    Remote Service Management
    Shared Folders                              File and Printer Sharing
    Task Scheduler                              Remote Scheduled Tasks Management
    Reliability and Performance                 "Performance Logs and Alerts" and "File and Printer Sharing"
    Disk Management                             Remote Volume Management
    Windows Firewall with Advanced Security     Windows Firewall Remote Management

    On the Server Core box you can enable any of these groups by running:

    netsh advfirewall firewall set rule group="<rule group>" new enable=yes

    You can also remotely enable these using the Windows Firewall with Advanced Security MMC snap-in. Read my "Remotely Managing Windows 2008 Server Core Firewall" article. When looking at the server's firewall settings you'll notice that the rules can be sorted by the Group column, making it easier for you to see which group was enabled and which one wasn't.
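
The granular approach described above, as an added example (not from the original post or the Server Core blog): a batch script for a workgroup Server Core box that leaves the broad "remote administration" group disabled, enables only the rule groups for Event Viewer and Services, and then prints each rule's name, state and group for review. The choice of groups is an assumption; substitute names from the list above.

```batch
@echo off
rem Added example: allow only selected MMC snap-ins through the firewall.
rem Run at the Server Core command prompt as an administrator.
setlocal

rem Keep the broad group off so only the snap-ins chosen below can connect.
netsh advfirewall firewall set rule group="remote administration" new enable=no >nul

rem Constructed selection: Event Viewer and Services only.
rem The quotes are part of each loop value, so group=%%G expands to group="...".
for %%G in ("Remote Event Log Management" "Remote Service Management") do (
    netsh advfirewall firewall set rule group=%%G new enable=yes >nul
    if errorlevel 1 (
        echo FAILED to enable group %%G
        exit /b 1
    )
    echo Enabled group %%G
)

rem Review step: show name, enabled state and group of every rule so you can
rem confirm that nothing outside the intended groups was switched on.
netsh advfirewall firewall show rule name=all | findstr /b /c:"Rule Name:" /c:"Enabled:" /c:"Grouping:"

endlocal
```

The review step matches the English field labels in the netsh output; on a localized installation adjust the findstr strings.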
