James O'Neill's Blog

April 16, 2008

Core! that firewall management has some tricks.

Filed under: How to,Security and Malware,Windows Server,Windows Server 2008 — jamesone111 @ 5:23 pm

Quite a lot of the last few days has gone into preparation for the Road-Show and making sure I had all the things right for showing Windows Server Core.

Core, as you probably know by now, is Server 2008 with support for only a subset of features, and most of the GUI bits removed. The idea is that you manage Core remotely, but some things need to be done at the command line. I’ve got all my notes on Core on my PC, but when I checked out the Core document in the step-by-step guides, I found it had all the bits I’d pulled together over recent months in one place, and a few more. I recommend it.

Server 2008 starts "shields-up", that is, with the firewall blocking just about everything (even to the point of blocking inbound PINGs, which might be going a bit far). To manage Core remotely from the management console, you need to set some firewall rules. In an ideal world my demo Core machine would be in a domain, and group policy would set the firewall rules. But it isn’t: the step-by-step document kindly tells me that to allow all MMC snap-ins to connect, at a command prompt, I need to type

   Netsh advfirewall firewall set rule group="remote administration" new enable=yes

and to enable remote management of the firewall

   Netsh advfirewall set currentprofile settings remotemanagement enable
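To confirm what those two commands actually changed, and to close the openings again once the remote session is finished, a small wrapper helps. This is an added example, not taken from the step-by-step guide; the script name, the backup path and the parsing of English-language netsh output are assumptions.

```batch
@echo off
rem coremgmt.cmd (hypothetical name) - run from an elevated prompt on the Core machine.
rem   coremgmt open    enable the rule group and remote firewall management
rem   coremgmt close   disable both again
rem   coremgmt status  show the current state without changing anything
setlocal enabledelayedexpansion
set "GROUP=remote administration"
rem Assumed backup location; pick a path that suits your machine.
set "BACKUP=%SystemDrive%\fw-before-remote-mgmt.wfw"

if /i "%~1"=="open"   goto open
if /i "%~1"=="close"  goto close
if /i "%~1"=="status" goto status
echo Usage: %~nx0 open ^| close ^| status
exit /b 1

:open
rem Keep one copy of the policy as it was before the first change.
if not exist "%BACKUP%" netsh advfirewall export "%BACKUP%"
netsh advfirewall firewall set rule group="%GROUP%" new enable=yes || exit /b 1
netsh advfirewall set currentprofile settings remotemanagement enable || exit /b 1
goto status

:close
netsh advfirewall firewall set rule group="%GROUP%" new enable=no
netsh advfirewall set currentprofile settings remotemanagement disable
goto status

:status
rem Remote management is a per-profile setting, so report the active profile only.
netsh advfirewall show currentprofile | findstr /i "RemoteManagement"
echo.
echo Enabled?  Rule in group "%GROUP%"
rem Walk "Field: value" lines; remember name and state, print when the group matches.
for /f "tokens=1,* delims=:" %%a in ('netsh advfirewall firewall show rule name^=all') do (
  for /f "tokens=*" %%v in ("%%b") do (
    if "%%a"=="Rule Name" set "name=%%v"
    if "%%a"=="Enabled"   set "en=%%v"
    if "%%a"=="Grouping"  if /i "%%v"=="%GROUP%" echo !en!       !name!
  )
)
exit /b 0
```

Both settings stay in force until they are switched off, so running `coremgmt close` after the demo returns the machine to its shields-up state.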

There’s one more section that jumps out of the document: "To manage a server that is running a Server Core installation and is not a domain member using an MMC snap-in … establish alternate credentials … on your client computer using"

   cmdkey /add:<servername> /user:<username> /pass:<password>

This works like a charm for everything … except for the firewall MMC. The fact that it governs its own management traffic separately should have been a clue here. I haven’t found any way to get it to accept alternate credentials. This normally wouldn’t be an issue, because I use a standard password on all my demo machines. Steve does the same; they’re different passwords (of course), and in this case Steve set up the Hyper-V host computer, and I set up the Core machine as a virtual machine guest on it. One had his password and one had mine. Much gnashing of teeth followed.

This post originally appeared on my TechNet blog.
