一、简介
公司主机加入域后,防火墙未进行设置,规则不统一,不少主机ping不通。另打算开启远程桌面,方便远程管理网内每台主机。曾在DC上测试过域组策略内的Windows防火墙设置,无论是新增规则还是直接开启允许ICMP之类的选项,Win7客户端都无效,最后不得不考虑批处理。批处理执行方式和前文的相同,域组策略在用户开机时自动执行。
二、配置
1、防火墙
net start MpsSvc ::开启服务
sc config MpsSvc start= auto ::开机启动 netsh advfirewall set allprofiles state on ::启用防火墙 netsh advfirewall firewall add rule name="Allow Ping" dir=in protocol=icmpv4 action=allow netsh advfirewall firewall add rule name="FTP" protocol=TCP dir=in localport=20 action=allow netsh advfirewall firewall add rule name="FTP" protocol=TCP dir=in localport=21 action=allow netsh advfirewall firewall add rule name="SSH" protocol=TCP dir=in localport=22 action=allow netsh advfirewall firewall add rule name="Telnet" protocol=TCP dir=in localport=23 action=allow netsh advfirewall firewall add rule name="SMTP" protocol=TCP dir=in localport=25 action=allow netsh advfirewall firewall add rule name="TFTP" protocol=UDP dir=in localport=69 action=allow netsh advfirewall firewall add rule name="POP3" protocol=TCP dir=in localport=110 action=allow netsh advfirewall firewall add rule name="HTTPS" protocol=TCP dir=in localport=443 action=allow netsh advfirewall firewall add rule name="Netbios-ns" protocol=UDP dir=in localport=137 action=allow netsh advfirewall firewall add rule name="Netbios-dgm" protocol=UDP dir=in localport=138 action=allow netsh advfirewall firewall add rule name="Netbios-ssn" protocol=TCP dir=in localport=139 action=allow netsh advfirewall firewall add rule name="Netbios-ds" protocol=TCP dir=in localport=445 action=allow netsh advfirewall firewall add rule name="HTTP" protocol=TCP dir=in localport=80 action=allow netsh advfirewall firewall add rule name="HTTP" protocol=TCP dir=in localport=8080 action=allow
::常用端口
旧版语法(Win7&Win8.1测试无效)
@echo off netsh firewall set opmode mode = enable ::启用防火墙 netsh firewall set icmpsetting type=ALL mode=enable
::允许ICMP
netsh firewall set service remotedesktop enable netsh firewall set portopening tcp 3389 enable
2、远程桌面
@echo off net start SessionEnv net start TermService ::开启服务 sc config SessionEnv start= demand sc config TermService start= demand ::开机手动启动 REG ADD "HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f ::开启选项
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
::开启3389端口
本文出自 “运维菜鸟.log” 博客,谢绝转载!