WMI through firewall

On a number of occasions I have been asked to configure services running under the svchost process to pass through the Windows Firewall on Windows XP.
This comes up particularly for WMI access, as administrators and applications may need it for data collection, monitoring and other administrative tasks.

The problem is that Windows Firewall on XP does not allow SVCHOST.exe to be added as a Program exception (the reason is that other services also run under SVCHOST, and several SVCHOST processes are running at the same time).
An example is winmgmt, which runs along with AudioSrv, Browser, CryptSvc, etc. under the same SVCHOST process.
Additionally, the RPC ports used by the services running under the SVCHOST processes are assigned dynamically by default.

This is very easy to configure if you are using Windows Firewall with Advanced Security on clients running Windows Vista or above; on XP it is a different story.
By the way, the Mainstream Support phase ended on 2009/04/14 and the Extended Support phase will end on 2014/04/08.
This means you have had 5 years to plan and upgrade to a newer client OS.
If you haven't done so yet, I strongly recommend you start right away (you can find more information on the support lifecycle for Windows XP at https://support.microsoft.com/lifecycle/?LN=en-gb&C2=1173).

Note:
When using GPOs to configure firewall settings, XP settings should be configured under Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall.
Computer Configuration/Windows Settings/Security Settings/Windows Firewall with Advanced Security only applies to Windows Vista or above.
    
So, first we need to configure WMI to run in a separate SVCHOST process.

To configure the Windows Management Instrumentation service (winmgmt) to run under a separate SVCHOST process:
1. Install the hotfix mentioned in https://support.microsoft.com/kb/897571
2. Click Start, click Run, type Cmd, and then click OK.
3. At the command prompt, type net stop winmgmt, and then press ENTER.
4. Click Start, click Run, type Notepad, and then click OK.
5. Copy the following code into Notepad (the EndPoints value is a single REG_MULTI_SZ value; the trailing backslash continues it on the next line).
 
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"Winmgmt"=hex(7):77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,00,00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\winmgmt]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityAppID"="{D16904E8-7F7D-4821-ACF5-FDE160CBE65E}"
 
[HKEY_CLASSES_ROOT\AppID\{D16904E8-7F7D-4821-ACF5-FDE160CBE65E}]
@="Svchost_winmgmt"
"EndPoints"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,5f,00,74,00,\
63,00,70,00,2c,00,30,00,2c,00,34,00,33,00,32,00,31,00,00,00,00,00

 
Note:
In this code we configure port number 4321 as an example.
You can use the Dcomcnfg.exe tool to change the port number later (see steps 9 to 13 below).
 
6. Save the file that you created in step 5 and name it Winmgmtsvc.reg.
7. Double-click Winmgmtsvc.reg, click Yes to add the information to the registry, and then click OK.
8. Click Start, click Run, type sc config winmgmt binPath= "%systemroot%\system32\svchost.exe -k winmgmt", and then click OK.
 
Note:
This command configures the WMI service to run in a separate process.
In this command, the quotation marks are required.
In this command, the space after binPath= is required.
After running it, the "Path to executable" shown for the service in the Services console should read %systemroot%\system32\svchost.exe -k winmgmt.

Now configure winmgmt to use a static endpoint (this is how you change the port used in the example above, i.e. 4321):

9. Click Start, click Run, type dcomcnfg, and then click OK.
10. Under Console Root, expand Component Services, expand Computers, expand My Computer, and then expand DCOM Config.
11. Right-click Svchost_winmgmt, and then click Properties.
12. On the Endpoints tab, click Add.
13. Click Static endpoint, configure the static endpoint that you want, and then click OK two times.
14. Click Start, click Run, type Cmd, and then click OK.
15. At the command prompt, type net start winmgmt, and then press ENTER.
 
Note:
This specifies a static port instead of the WMI default dynamic port behaviour.
The static endpoint will not be visible in Netstat.exe until a remote WMI request is sent to the server.
 

Finally, configure "Define port exceptions" under Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile for the same port configured in the step above (port 135 is also needed, since the RPC Endpoint Mapper is contacted first by a remote WMI client).
The settings should look as follows:
Windows Firewall: Protect all network connections - Enabled
Windows Firewall: Define port exceptions - Enabled
135:TCP:*:enabled:EPM-DCOM135
4321:TCP:*:enabled:winmgmt4321 (NOTE: this follows the example above; change it to the port you selected)
 
Note:
This procedure is described in KB897571 and, although the article doesn't refer to Windows XP, the same hotfix is also available for XP.
The hotfix (fix230723) is REQUIRED; without it these settings are ignored.
You may be able to use the same concept for other services running under SVCHOST.

 

Important: I strongly recommend that the above be tested for functionality and security before deploying to production.

You're more than welcome to share your views.

Thanks

Paulo