Thursday, 30 October 2008

Server Core - Firewall NetSH Command Line Reference

Configuring the Windows Server 2008 Server Core Firewall via the command line has to be one of the biggest brain busters there is!

There is always a need to figure out how to do something very specific, so we need to come up with a reference point, and that is what this blog post is.

The first place to check:

A really good resource:

This one gives us the necessary commands to open up the firewall to allow for remote management of its settings. And, when it comes to figuring out how to get things happening, sometimes you just can't beat a GUI!

Here are the commands, via the Server Core Blog post, that are crucial to opening things to the point where a remote management session can happen:

  MMC snap-in and the rule group it uses:

  • Event Viewer: "Remote Event Log Management"
  • Services: "Remote Service Management"
  • Shared Folders: "File and Printer Sharing"
  • Task Scheduler: "Remote Scheduled Tasks Management"
  • Reliability and Performance: "Performance Logs and Alerts" and "File and Printer Sharing"
  • Disk Management: "Remote Volume Management"
  • Windows Firewall with Advanced Security: "Windows Firewall Remote Management"

On the Server Core box you can enable these by running:

  • Netsh advfirewall firewall set rule group="(rule group)" new enable=yes

Some additional commands:

  • Show profile settings: Netsh advfirewall show allprofiles
  • Remote Administration: Netsh advfirewall firewall set rule group="remote administration" new enable=yes
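The commands above combined into one batch file, as an added example that is not part of the original post: it enables only the rule groups listed in the script (a subset picked here for illustration, so nothing is opened that the snap-ins in use do not need) and reports any group netsh could not enable. It assumes an elevated command prompt and that the group names match the display names on the server.

```bat
@echo off
rem Added example, not from the original post.
rem Enables selected firewall rule groups for remote MMC management,
rem then prints the firewall state of every profile.
setlocal

set FAILED=0

rem Edit this list so it holds only the groups for the snap-ins you use.
for %%G in (
    "Remote Event Log Management"
    "Remote Service Management"
    "Remote Volume Management"
    "Windows Firewall Remote Management"
) do call :EnableGroup %%G

rem Confirm the firewall is still on for the domain, private and public profiles.
netsh advfirewall show allprofiles state

if %FAILED% neq 0 (
    echo One or more rule groups could not be enabled.
    exit /b 1
)
exit /b 0

:EnableGroup
rem %~1 is the rule group name with the surrounding quotes removed.
netsh advfirewall firewall set rule group="%~1" new enable=yes
if errorlevel 1 (
    echo FAILED: %~1
    set FAILED=1
) else (
    echo Enabled: %~1
)
goto :eof
```

To close a group again once remote work is done, run the same set rule command with new enable=no.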

Another good resource: The things that are better left unspoken : Firewall management in ...

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists


6 comments:

Luke said...

I've been mulling over the Hyper-V Server or Full Server 2008 with only Hyper-V role issue for a while now.

While there is no disputing the smaller disk and memory footprint, I'm not convinced that this outweighs the increased effort required to manage a CLI server for an SMB.

I've heard the arguments about attack surface and patching, but the reality is you are already running SBS and you need to reboot SBS for the updates anyway. Keep it simple (consistency is key).

I think that Hyper-V Server and Server Core are better suited to larger organisations where savings in licensing and resources are multiplied over many servers.

That's my current thinking anyway, I'll be installing Hyper-V Server in the next few days to experience it first hand.

Philip E. said...

Luke,

We are sold on Server Core for our SMB clients.

For now, until we have the disaster recovery scenarios ironed out, we are running mostly full installs at our clients' sites.

We want to make sure we can backup/restore/restore to different hardware with the native Windows Server 2008 backup solution before jumping into that pool.

We are running Server Core internally for file serving and Hyper-V.

The performance increase is phenomenal. We took an identically configured server and installed Server 2008 Standard Full and ran with it for a while. We tested disk and network throughput as well as VM performance on Hyper-V.

We did the same thing with Server Core and noticed a huge increase in performance.

The one place we will notice a big difference when we go native with Server/SBS 2008 will be network performance.

Have a look around the Internet for info on how much network performance for things like large file copies increases exponentially in a native Server 2008 network. Neat stuff!

Philip

Matt said...

In case you guys have not yet run into this tool, I thought I would send it your way. It's called SMART Suite for Windows. Provides a UI for server core platforms. Free download, all you have to do is fill out the app below.

http://licensing.portlock.com/products/smart_suite/windows/application/

Features included below. Have fun.

Configure display resolution
Clock and time zone configuration
Remote desktop configuration
Firewall Configuration
Windows Updates – No IE necessary
Configure IP address, gateway, subnet mask, DNS
Copy Files/Directories
Map a drive
Perform Windows Repair
Web Browser
Email Client
Screen saver configuration
Enable/Disable drivers and services
Manually load/install drivers
Windows Registry Editor
Command prompt
Configure dual boot systems
Configure bootable USB devices
Configure Language
No installation necessary
Boot bare-metal systems
Configure permission and security settings

Philip E. said...

Matt,

One of the things we strive to do is to use the built-in management capabilities for any products we work with ... to a degree.

Monitoring and remote management are the exception to that rule.

As for Server Core and Hyper-V Server 2008, we do prefer to run with the command line and our scripts before we would even look at third party.

Product looks interesting, and I am sure it has its place. But, at $199 per server, it is not for us. We run a lot of virtualization on Server Core internally and on-site with our clients.

That extra cost is not justified for us as we have been building our Server Core skills (check out the blog posts! ;)) since we had access to the Beta and RTM bits.

Thanks for the comment,

Philip

Matt said...

Philip,

Those are good points. I have only been experimenting with server core for probably the last month or more. Can you explain in greater detail your preference to use scripts, other than the fact that they are free?

I did not pay the $199 for this product, only the trial. I am not a command line guru so I found spending the majority of my time searching for the appropriate commands to configure a server core system to my preferences was a bit of a headache. Just like anything else I suppose it gets easier.

Thank you for your reply.

Philip E. said...

Matt,

And therein lies a fitting example for the use of this product! :)

If you have a look at the Server Core from Scratch to Hyper-V Production post, you will see that the whole process is outlined there for you.

Getting to the point where we could write the above post was a very long and painstakingly difficult process. But, that is to be expected when working with a brand new product with very little documentation out there. Not a complaint, just a fact.

The benefit to experiencing that pain, though, is the ability to get to know the product really well.

Philip