Windows批处理：配置防火墙规则、开启远程桌面

一、简介

　　公司主机加入域后，防火墙未进行设置，规则不统一，不少主机ping不通。另打算开启远程桌面，方便远程管理网内每台主机。曾在DC上测试过域组策略内的Windows防火墙设置，无论是新增规则还是直接开启允许ICMP之类的选项，Win7客户端都无效，最后不得不考虑批处理。批处理执行方式和前文的相同，域组策略在用户开机时自动执行。

二、配置

1、防火墙

net start MpsSvc
::开启服务

sc config MpsSvc start= auto
::开机启动

netsh advfirewall set allprofiles state on
::启用防火墙

netsh advfirewall firewall add rule name="Allow Ping" dir=in protocol=icmpv4 action=allow
netsh advfirewall firewall add rule name="FTP" protocol=TCP dir=in localport=20 action=allow
netsh advfirewall firewall add rule name="FTP" protocol=TCP dir=in localport=21 action=allow
netsh advfirewall firewall add rule name="SSH" protocol=TCP dir=in localport=22 action=allow
netsh advfirewall firewall add rule name="Telnet" protocol=TCP dir=in localport=23 action=allow
netsh advfirewall firewall add rule name="SMTP" protocol=TCP dir=in localport=25 action=allow
netsh advfirewall firewall add rule name="TFTP" protocol=UDP dir=in localport=69 action=allow
netsh advfirewall firewall add rule name="POP3" protocol=TCP dir=in localport=110 action=allow
netsh advfirewall firewall add rule name="HTTPS" protocol=TCP dir=in localport=443 action=allow
netsh advfirewall firewall add rule name="Netbios-ns" protocol=UDP dir=in localport=137 action=allow 
netsh advfirewall firewall add rule name="Netbios-dgm" protocol=UDP dir=in localport=138 action=allow 
netsh advfirewall firewall add rule name="Netbios-ssn" protocol=TCP dir=in localport=139 action=allow 
netsh advfirewall firewall add rule name="Netbios-ds" protocol=TCP dir=in localport=445 action=allow 
netsh advfirewall firewall add rule name="HTTP" protocol=TCP dir=in localport=80 action=allow
netsh advfirewall firewall add rule name="HTTP" protocol=TCP dir=in localport=8080 action=allow
::常用端口

旧版语法（Win7&Win8.1测试无效）

@echo off
netsh firewall set opmode mode = enable
::启用防火墙

netsh firewall set icmpsetting type=ALL mode=enable
::允许ICMP

netsh firewall set service remotedesktop enable
netsh firewall set portopening tcp 3389 enable

2、远程桌面

@echo off
net start SessionEnv
net start TermService
::开启服务

sc config SessionEnv start= demand
sc config TermService start= demand
::开机手动启动


REG ADD "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
::开启选项

netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
::开启3389端口

本文出自 “运维菜鸟.log” 博客，谢绝转载！