Allow remote administration exceptions - Domain Profile
|ID: oval:gov.nist.USGCB.xpfirewall:def:5004||Date: (C)2012-04-13 (M)2017-07-28|
|Class: COMPLIANCE||Family: windows|
Many organizations take advantage of remote computer administration in their daily operations. However, some attacks have exploited the ports typically used by remote administration programs; Windows Firewall can block these ports. To provide flexibility for remote administration, the Windows Firewall: Allow remote administration exception setting is available.

Configuring this setting to Enabled allows the computer to receive the unsolicited incoming messages associated with remote administration on TCP ports 135 and 445. This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically assigned ports, typically in the range of 1024 to 1034 but potentially anywhere from 1024 to 65535. Enabling this setting also requires you to specify the IP addresses or subnets from which these incoming messages are allowed. If you configure this policy setting as Disabled, Windows Firewall makes none of the described exceptions.

This appendix recommends that you enable this setting for enterprise computers if necessary, and that you always disable it for high security computers. Computers in your environment should accept remote administration requests from as few computers as possible. To maximize the protection provided by the Windows Firewall, make sure to specify only the necessary IP addresses and subnets of computers used for remote administration.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
|Microsoft Windows XP|