Anders, posted October 15, 2014:

Hello,

I have been trying to figure out how to design a policy that allows WMI connections. I am running a few scripts to keep the inventory updated, and with the default settings WMI is blocked.

Tips I have tried are (will update as I get them):

- Unchecking "TCP port scanning attack detection" in IDS
- I switched to Interactive mode and created a separate rule when the WMI query was captured by the firewall, but the rule generated is C:\Windows\svchost.exe Any Any, which seems a bit too relaxed - or am I wrong?

Also, WMI seems to use dynamic ports between 1024 and 2000...

I saw some people who use Spiceworks having the same issue, although I do not use Spiceworks. Did anyone here get this to work?

Anders, posted October 16, 2014:

Figured out how to set WMI to a fixed port instead of dynamic. In a command prompt:

    winmgmt -standalonehost

Then you have to restart the Winmgmt service (the service has some dependencies too) for the changes to take effect. This will lock WMI to TCP port 24158.

The only thing to figure out now is how to make a policy that will allow incoming traffic on 24158 from my management server. Should be a piece of cake, but when I try to roll out my test policy I get "Finished with warning: No task for this client". When I look at the client in ERAC I can see that the Requested and Actual Policy is my test policy, but I still cannot connect.

Arakasi, posted October 18, 2014:

The clients will automatically receive the policy you have assigned to them when they check into ERA, which is 10 min by default. If the client is not checking into ERAC, hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN2716

Anders, posted October 20, 2014 (marked as solution):

Thank you for replying, Arakasi.

To get the WMI static port to work I also needed to change the policy to "Filtering mode: Automatic with exceptions"; otherwise the firewall didn't grab the rules I added to the policy. I also changed the policy to update more often during testing so that every change didn't take 10 minutes to roll out to my test computer.
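
A check for the fixed-port setup described in this thread, added here as an example and not part of any post: it confirms on the client that TCP 24158 is held by the svchost instance hosting Winmgmt, and from the management server that the port is reachable and a WMI query succeeds. The function names are hypothetical, and it assumes Windows PowerShell 5.1 on Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the thread. Function names are hypothetical.
$WmiPort = 24158   # fixed port named in the thread after "winmgmt -standalonehost"

# Run on the WMI client, elevated: what is listening on the fixed port?
function Get-WmiFixedPortStatus {
    param([int]$Port = $WmiPort)

    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
    if ($listeners.Count -eq 0) {
        # Nothing bound: the switch was not applied or Winmgmt was not restarted.
        return [pscustomobject]@{
            Port = $Port; Listening = $false; ProcessId = $null
            Executable = $null; Services = @(); OwnedByWinmgmt = $false
        }
    }

    $owner    = $listeners[0].OwningProcess
    $proc     = Get-CimInstance Win32_Process -Filter "ProcessId = $owner"
    # Services hosted in the owning process. A firewall rule for svchost.exe on
    # this port covers every service listed here, so review the list.
    $services = @(Get-CimInstance Win32_Service -Filter "ProcessId = $owner" |
                  Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        Port = $Port; Listening = $true; ProcessId = $owner
        Executable = $proc.ExecutablePath; Services = $services
        OwnedByWinmgmt = ($services -contains 'Winmgmt')
    }
}

# Run on the management server: is the port reachable, and does WMI answer?
function Test-WmiFromManagementServer {
    param([Parameter(Mandatory)][string]$Target, [int]$Port = $WmiPort)

    $tcp   = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    $wmiOk = $false
    if ($tcp.TcpTestSucceeded) {
        try {
            # Get-WmiObject uses DCOM, the transport the fixed port applies to.
            $null  = Get-WmiObject Win32_OperatingSystem -ComputerName $Target -ErrorAction Stop
            $wmiOk = $true
        } catch { }
    }
    [pscustomobject]@{
        Target = $Target; Port = $Port
        TcpReachable = $tcp.TcpTestSucceeded; WmiQuery = $wmiOk
    }
}
```

If `TcpReachable` is true but `WmiQuery` is false, the port rule has been applied and something else in the WMI path is still blocked; if both are false, the policy has probably not reached the client yet.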