Problem with inbound connection into high ports in CS 14

It's quite uncommon to restrict outbound connections nowadays.

But I have a problem with inbound connection, into high ports:

From an admin-PC I want to browse enduser-PC windows logs remotely. In CS13 I just allowed inbound SMB, Windows Networking and epmap.

Tried to create similar rules into CS14, but were only able to see windows shares, but unable to browse windows logs (Start -> Run -> eventvwr NameOfenduser-PC).

After googling this, eventvwr uses perhaps some high ports, which are different on every connection. Does windows FW handle this kind of connections differently than CS 13 FW ?

Find more posts tagged with

Comments

Askoik

Actually I already found two different places in Group Policies, to get all needed traffic flow nicely. But administering a Firewall isn't so nice and funny, as I have these two places + also PMC ruleset to remember:

Computer Configuration / Policies / Windows Settings / Security Settings / Windows Firewall with Advanced Security

Remote Event Log Management (NP-In)
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)

Computer Configuration / Policies / Administrative Templates / Network / Network Connections / Windows Defender Firewall / Domain Profile / Windows Defender Firewall: Allow inbound remote administration exception

(this is not needed for eventvwr, but for an network inventory tool)

So, if you know, how to create similar rules into PMC, please tell me! Then I could flush rules made with GPO editor.

MonikaL

Hi Askoik,

You need to check existing predefined Windows FW rules “Remote Event Log Management…”, and can try to enable them in Window FW, and check if this helps to resolve the issue.
Then you will need to create similar rules in Policy MAnager Console.

You may refer to the below url for example:
https://helpcenter.netwrix.com/Configure_IT_Infrastructure/Windows_Server/WS_Firewall_Rules.html

Regards,

Monika