SP2 Firewall mods via Login Script

Guest

I'm trying to open certain ports in the XP SP2 firewall using a script at user
login. The opened ports will allow use of the Diskeeper Corp. Sitekeeper
program to inventory/install software on the target machines. Sitekeeper's
tech support provides a script to do this; however, when run by a
non-privileged user, the script does not function/returns access denied. I
have over a hundred machines that need this, so
"application-by-walking-around" is not desired. Is there a way to allow the
script to run using the system credentials, or a run-as workaround?
Sitekeeper's tech support basically said "we provide the script as-is, don't
ask us how to use it...". Since these machines are members of an old-style
NT4 domain, not AD, I can't (as far as I know) use a policy to make the f/w
mods... Any assistance/pointers to assistance would be appreciated...

Thanks
Dave Frandin
dave[AT]frandin[.]org

The script is as follows:

@echo off

SETLOCAL
rem If SP1 the following returns 1
netsh firewall ""
if ERRORLEVEL 1 GOTO Exit
rem Enable the built-in File and Printer Sharing and Remote Administration exceptions
netsh firewall set service type = FILEANDPRINT mode = ENABLE scope = ALL
netsh firewall set service type = REMOTEADMIN mode = ENABLE scope = ALL
rem Open the Sitekeeper TCP and UDP ports
netsh firewall set portopening protocol = TCP port = 31041 name = SitekeeperRPC mode = ENABLE scope = ALL
netsh firewall set portopening protocol = TCP port = 31040 name = PIServerRPC mode = ENABLE scope = ALL
netsh firewall set portopening protocol = TCP port = 31042 name = SKAgentRPC mode = ENABLE scope = ALL
netsh firewall set portopening protocol = UDP port = 4500 name = SKIPSec4500 mode = ENABLE scope = ALL
netsh firewall set portopening protocol = UDP port = 500 name = SKIPSec500 mode = ENABLE scope = ALL
rem Allow the Sitekeeper agent program through the firewall
netsh firewall set allowedprogram program = "SKAgent.exe" name = SKAgent mode = ENABLE scope = ALL
:Exit
ENDLOCAL
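
Every exception in the script above is created with scope = ALL. The variant below is an added example, not part of the original post and not Sitekeeper's script: it creates the same exceptions with a narrower scope and then prints the resulting firewall configuration so the change can be checked on each machine. It assumes the Sitekeeper server sits on the same subnet as the clients and that Sitekeeper works with SUBNET scope; like the original, it must run with administrative rights.

```batch
@echo off
rem Added example: same exceptions as the vendor script, narrower scope.
rem Assumption: the Sitekeeper server is on the clients' local subnet.
rem For a server elsewhere, use instead (placeholder address):
rem   set SCOPE=CUSTOM addresses = <Sitekeeper server IP>
SETLOCAL
set SCOPE=SUBNET

rem Same SP2 check as the vendor script: skip machines without the firewall context
netsh firewall ""
if ERRORLEVEL 1 GOTO Exit

rem Built-in service exceptions, limited to %SCOPE%
for %%S in (FILEANDPRINT REMOTEADMIN) do (
    netsh firewall set service type = %%S mode = ENABLE scope = %SCOPE%
)

rem Sitekeeper ports: protocol, port and name taken from the vendor script
call :Open TCP 31041 SitekeeperRPC
call :Open TCP 31040 PIServerRPC
call :Open TCP 31042 SKAgentRPC
call :Open UDP 4500 SKIPSec4500
call :Open UDP 500 SKIPSec500

netsh firewall set allowedprogram program = "SKAgent.exe" name = SKAgent mode = ENABLE scope = %SCOPE%

rem Print the resulting configuration so it can be reviewed or redirected to a log
netsh firewall show service
netsh firewall show portopening
netsh firewall show allowedprogram
goto Exit

:Open
rem %1 = protocol, %2 = port, %3 = exception name
netsh firewall set portopening protocol = %1 port = %2 name = %3 mode = ENABLE scope = %SCOPE%
goto :EOF

:Exit
ENDLOCAL
```

Running the three show commands from a non-privileged login as well gives a quick per-machine check of whether the exceptions were actually applied.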
 
Torgeir Bakken (MVP)

Hi,

Different RunAs products listed here, some free and some not, some
with encryption option for the password as well:

http://groups.google.co.uk/[email protected]

Other ones not mentioned in the link above:

SUperior SU (free, has a command line interface)
http://www.stefan-kuhr.de/supsu/main.php3

Supercrypt (as well as LSrunas/LSrunasE)
http://www.lansweeper.com/ls/lsrunas.aspx

Runasspc
http://www.robotronic.de/runasspcEn.html


You may also want to check out PolicyMaker Application Security
(previously NeoExec). The main difference is that it does not require
the use of a second account, as most other RunAs derivatives require.

PolicyMaker Application Security
http://www.desktopstandard.com/PolicyMakerApplicationSecurity.aspx


Guest

Thank you very much! Will check these links out....

Dave Frandin
dave[AT]frandin[.]org


Torgeir Bakken (MVP) said:

--
torgeir, Microsoft MVP Scripting, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
 
