Microsoft KB Archive/840634

= How to configure Windows Firewall in Windows XP Service Pack 2 to allow remote administration tools that use WMI, RPC, or DCOM =

Article ID: 840634

Article Last Modified on 12/5/2007

-

APPLIES TO


 * Microsoft Windows XP Service Pack 2

-



Notice
This article is intended for advanced computer users. If you are not comfortable with advanced troubleshooting, you might want to ask someone for help or contact support. For information about how to contact support, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/

Important These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process.



SYMPTOMS
When you try to remotely manage a computer that is running Windows XP Service Pack 2 (SP2), you may receive an error message that resembles one of the following error messages:

Computer \\ cannot be managed. The network path was not found.

Choose 'Connect to another computer' from the Action menu to manage a different computer.

Unable to access the computer.

The error was: Access is denied.

Unable to access the computer.

The error was: The network path was not found.

Failed to open Group Policy object on. You might not have appropriate rights.

Details: The network path was not found.

An object (Computer) with the following name cannot be found: " ". Check the selected object types and location for accuracy and ensure that you have typed the object name correctly, or remove this object from the selection.

System error 53 has occurred. The network path was not found.



CAUSE
This issue may occur if you try to manage the remote computer by using one of the following Microsoft Management Console (MMC) tools:
 * Certificates
 * Computer Management
 * Device Manager
 * Disk Management
 * Event Viewer
 * Group Policy
 * Indexing Service
 * Internet Protocol Security (Ipsec) Monitor
 * IP Security Policy
 * Local Users and Groups
 * Removable Storage Management
 * Resultant Set of Policy
 * Services
 * Shared Folders
 * WMI Control

Additionally, this issue may occur if you try to manage the remote computer by using the Net.exe tool or if you try to access the remote computer from the following dialog boxes:
 * Select Users, Computers, or Groups
 * Find Users, Contacts, and Groups
 * Net.exe

This issue occurs because the default configuration of the Windows Firewall program in Windows XP SP2 blocks incoming network traffic on Transmission Control Protocol (TCP) port 445. For the administrative tools listed here to connect to a remote computer, that remote computer must allow incoming network traffic on TCP port 445.



RESOLUTION
To resolve this issue, use one of the following methods.

Method 1 and Method 2 describe how to resolve this issue for each computer. Method 3 describes how to resolve this issue on multiple computers by using Group Policy.

Advanced Users
These methods are intended for advanced computer users. If you are not comfortable with advanced troubleshooting, you might want to ask someone for help or contact support. For information about how to contact support, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/

Method 1: Use the Netsh command-line tool
On the remote Windows XP SP2-based computer, run a netsh command to allow traffic through Windows Firewall on TCP port 445:
 * 1) Click Start, click Run, type cmd in the Open box, and then click OK.
 * 2) Type the following command, and then press ENTER:

   netsh firewall set portopening tcp 445 smb enable

   You receive the following message:

   Ok.

 * 3) Close the command prompt.

To implement this change throughout your organization, run this netsh command from a batch file or from a script.

Method 2: Use the Graphical User Interface
On the remote Windows XP SP2-based computer, modify Windows Firewall to allow incoming TCP traffic on port 445:
 * 1) Click Start, and then click Control Panel.
 * 2) Click Security Center, and then click Windows Firewall.
 * 3) Click the Exceptions tab, click to select the File and Printer Sharing check box, and then click Edit.
 * 4) Click to select the TCP 445 check box, click Change scope, and then take one of the following actions:
   * Click My network (subnet) only.
   * Click Custom list, and then type the IP addresses from which you want to manage this computer.
 * 5) Click OK four times.
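The following batch file is an added example and is not part of the KB article. It combines Method 1 and Method 2: it runs netsh from a script, as Method 1 suggests, but restricts the exception to a management subnet in the way Method 2's "Change scope" dialog does, because the one-line command in Method 1 opens TCP 445 to every source address. The subnet 192.168.1.0/24 is a constructed sample value.

```batch
@echo off
REM Added example (not from the KB article): open TCP 445 through Windows
REM Firewall on a Windows XP SP2 computer for the management subnet only,
REM then list the port exceptions so the resulting scope can be checked.
REM 192.168.1.0/24 is a constructed sample value; replace it with the
REM addresses of the stations that will run the administrative tools.

setlocal
set MGMT_SCOPE=192.168.1.0/24

REM The command as given in Method 1 ("netsh firewall set portopening tcp 445
REM smb enable") takes the default scope, which allows any source address.
REM scope=CUSTOM with an address list is the command-line equivalent of
REM "Custom list" in Method 2; scope=SUBNET would match "My network (subnet) only".
netsh firewall set portopening protocol=TCP port=445 name=smb mode=ENABLE scope=CUSTOM addresses=%MGMT_SCOPE%
if errorlevel 1 (
    echo Failed to add the TCP 445 exception.
    exit /b 1
)

REM Show the configured port exceptions. Before finishing, confirm that the
REM TCP 445 entry lists the custom address range rather than "All".
netsh firewall show portopening

endlocal
```

Run the script as a local administrator on each remote computer. Re-running it with a different address list replaces the scope of the existing TCP 445 exception, so the same file can be used to tighten the scope later.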

Method 3: Use Group Policy to set the 'Allow Remote Administration Exception' policy
Note These steps assume that all the computers that you want to manage by using this policy are in the same organizational unit. For more information about how to use Group Policy, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx

These steps assume that Windows Firewall is configured to use the domain profile. The domain profile is the most typical scenario. For more information about Windows Firewall profiles and about how Windows selects the profile to load, see the Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 guide. To obtain this guide, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en

To configure Group Policy to allow the remote administration of your computers, follow these steps.
 * 1) Create a Group Policy object for the organizational unit that contains the Windows XP SP2-based computers that you want to manage:
   * Log on to a domain controller.
   * Click Start, click Run, type dsa.msc in the Open box, and then click OK.
   * Expand your domain, right-click the organizational unit that you want to create the Group Policy in, and then click Properties.
   * Click the Group Policy tab, and then click New.
   * Type a name for the Group Policy object, and then press ENTER.
   * Click Close.
 * 2) Log on to a domain member computer that is running Windows XP SP2 as a user who is a member of one or more of the following security groups:
   * Domain Admins
   * Enterprise Admins
   * Group Policy Creator Owners
 * 3) Click Start, click Run, type mmc in the Open box, and then click OK.
 * 4) On the File menu, click Add/Remove Snap-in.
 * 5) On the Standalone tab, click Add.
 * 6) In the Add Standalone Snap-in dialog box, click Group Policy Object Editor, and then click Add.
 * 7) In the Select Group Policy Object dialog box, click Browse.
 * 8) Click the Group Policy object that you want to update with the new Windows Firewall settings. For example, click the organizational unit that contains the Windows XP SP2 computers, click OK, and then click the Group Policy object that you created in step 1.
 * 9) Click OK, and then click Finish.
 * 10) Click Close, and then click OK.
 * 11) Under Console Root, expand the Group Policy object that you selected in step 8, expand Computer Configuration, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
 * 12) On the right side, double-click Windows Firewall: Allow remote administration exception.
 * 13) Click Enabled, and then specify the administrative scope in the Allow unsolicited incoming messages from box. For example, to allow remote administration from a particular IP address, type that IP address in the Allow unsolicited incoming messages from box.

   To allow remote administration from a particular subnet, type that subnet by using the Classless Internet Domain Routing (CIDR) format. In this scenario, type 192.168.1.0/24 to specify the network 192.168.1.0 with a 24-bit subnet mask of 255.255.255.0. For more information about how to specify a valid administrative scope, see the Syntax area of the Setting tab in this policy.
 * 14) Click OK, and then click Exit on the File menu.
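The following batch file is an added example, not part of the KB article, for checking on a domain member that the policy from Method 3 actually reached the computer. It assumes the domain profile is in use, as the article does, and it assumes the registry path under which the Windows Firewall administrative template stores this policy (HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings); verify that path against the template in your environment.

```batch
@echo off
REM Added example (not from the KB article): on a Windows XP SP2 domain
REM member, refresh computer Group Policy and confirm that the
REM "Allow remote administration exception" setting has been applied
REM to the domain profile.

REM Apply the updated Group Policy object now instead of waiting for the
REM background refresh interval.
gpupdate /target:computer /force

REM Assumed registry location for the policy (from the Windows Firewall
REM administrative template). When the policy is applied, "Enabled" is 1
REM and "RemoteAddresses" holds the administrative scope that was typed
REM into the policy, for example 192.168.1.0/24.
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings"
if errorlevel 1 (
    echo The remote administration exception policy is not present on this computer.
    echo Check that the computer is in the organizational unit linked to the policy.
    exit /b 1
)

REM Show the effective Windows Firewall state. With the policy applied,
REM the remote admin mode is reported as enabled; check that the listed
REM scope is the address or subnet you intended and not all addresses.
netsh firewall show state
```

Run the script on one computer in the organizational unit after the policy has been created; a missing registry key usually means the computer is outside the organizational unit or has not yet refreshed policy, while a key whose RemoteAddresses value is "*" means the exception was left open to every address.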


MORE INFORMATION
The client administrative tools are a set of Microsoft Management Console (MMC) snap-ins that let you administer users, computers, services, and other system components on local and remote computers.
