question

shaunm001 asked

Windows Firewall, IPSec, and Remote PowerShell

I've configured Connection Security Rules to require inbound authentication using Kerberos:

89573-image.png


I've configured Windows Firewall to block all incoming connections:

89509-image.png


And I've configured various exceptions to allow incoming connections for required services from authorized users and computers:

89602-image.png

Each of these rules is configured to override the "Block all connections" default firewall setting mentioned earlier:

89479-image.png

This all works fine with one exception... I cannot get remote PowerShell commands to work in this configuration:

89574-image.png


It seems the RPC Dynamic Ports don't open up on the remote PC when running a PowerShell command like "Get-WMIObject". It doesn't matter what kind of exceptions I put in, it never works. I even created an exception that says "let everything in" from my authorized PCs and it still doesn't work:

89603-image.png



Other similar inbound rules work fine (like the default Remote Event Log Management (RPC) rule, which allows inbound connections for %SystemRoot%\System32\svchost.exe% to RPC Dynamic Ports). Something about remote PowerShell is unique and I can't figure out what. Any thoughts from the community?

windows-10-network

CandyLuo-MSFT answered

Hi,

Check that the Windows Management Instrumentation (WMI-In) rule is enabled in the firewall. Otherwise you will see the "RPC server is unavailable" message, as in the picture below:

89802-image.png

Best Regards,
Candy



Thanks, tried that, same result ("RPC Server is unavailable"). I would think that the rule I created to allow any program to any local port using any protocol would be just as effective (more so) as enabling the WMI-In rule.

It doesn't seem to be about enabling the right rule; there is something about PowerShell remote commands that causes them to fail when the Windows Firewall on the remote machine is configured the way that we have it (Block all, with various exceptions configured to override the block-all setting). All of the other services shown in my example screenshot above work fine in this configuration; PowerShell remote commands are the only exception for some reason.

shaunm001 answered

Still having this problem. I'll put it out there a different way...

I've deleted all rules except one "AllowAll" rule for my workstation:

91333-image.png


When I try to view remote event viewer logs, everything works as expected:

91309-image.png


Windows Firewall Logs confirm the successful connection:

91334-image.png


But when I try to use Get-WmiObject in PowerShell, I'm able to establish a connection on TCP port 135, but the RPC Dynamic Ports are never opened, and the Get-WmiObject command fails:

91310-image.png


Windows Firewall Log shows the successful connection to TCP 135, but no log of a dropped connection to the RPC Dynamic Ports:

91335-image.png



Remote event log viewer works but Get-WmiObject doesn't. Why?


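A way to check the two things this thread keeps circling back to (which enabled inbound rules actually cover the RPC endpoint mapper and the dynamic RPC ports, and what the firewall log records for those ports), as an added PowerShell example that is not from any post in the thread. It assumes the NetSecurity cmdlets present on Windows 8 / Server 2012 and later and the default pfirewall.log location; the sample log lines are constructed.

```powershell
# Added diagnostic, not code from the thread. Assumes the built-in NetSecurity
# module; the sample log lines at the bottom are constructed, not captured.

function Get-RpcInboundRuleReport {
    # Enabled inbound rules whose local port covers the RPC endpoint mapper (135)
    # or the dynamic RPC range, with their program, authentication and override flags.
    $wanted = @('RPC', 'RPCEPMap', '135', 'Any')
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True) {
        $port = $rule | Get-NetFirewallPortFilter
        $hit = @($port.LocalPort | Where-Object { $wanted -contains $_ })
        if ($hit.Count -eq 0) { continue }
        $app = $rule | Get-NetFirewallApplicationFilter
        $sec = $rule | Get-NetFirewallSecurityFilter
        [pscustomobject]@{
            Name               = $rule.DisplayName
            Profile            = $rule.Profile
            Action             = $rule.Action           # Allow, Block or AllowBypass
            LocalPort          = ($port.LocalPort -join ',')
            Program            = $app.Program
            Authentication     = $sec.Authentication    # NotRequired, Required or NoEncap
            OverrideBlockRules = $sec.OverrideBlockRules
        }
    }
}

function Find-RpcLogEntries {
    # Parse pfirewall.log lines and return inbound TCP entries aimed at port 135 or
    # at the dynamic RPC range (49152-65535 by default), whether ALLOW or DROP.
    param([string[]]$LogLines, [int]$DynamicStart = 49152, [int]$DynamicEnd = 65535)
    foreach ($line in $LogLines) {
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'   # date time action protocol src dst sport dport ... path
        if ($f.Count -lt 17 -or $f[3] -ne 'TCP' -or $f[16] -ne 'RECEIVE') { continue }
        $dport = [int]$f[7]
        if ($dport -eq 135 -or ($dport -ge $DynamicStart -and $dport -le $DynamicEnd)) {
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Action = $f[2]; Source = $f[4]; DstPort = $dport }
        }
    }
}

# Constructed sample: endpoint mapper allowed, then the follow-up dynamic-port connection dropped.
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2021-04-20 09:15:01 ALLOW TCP 192.0.2.10 192.0.2.20 51322 135 0 - 0 0 0 - - - RECEIVE',
    '2021-04-20 09:15:01 DROP TCP 192.0.2.10 192.0.2.20 51323 49668 52 S 3181923284 0 8192 - - - RECEIVE'
)
Get-RpcInboundRuleReport | Format-Table -AutoSize
Find-RpcLogEntries -LogLines $sample | Format-Table -AutoSize
# Live log: Find-RpcLogEntries -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Run against the live log, an ALLOW on 135 with no DROP entry for the dynamic port reproduces what the screenshots above show; the rule report then lists which enabled rules could cover that port and how each one authenticates.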

BC-7626 answered

It looks like a PowerShell issue.
The classic cmd.exe works much better.


It seems like a bug... in Windows Firewall or in PowerShell, I don't know which.


I would suggest you contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.

Here is the link:

https://support.microsoft.com/en-us/gp/customer-service-phone-numbers
