Windows Firewall Ports and Exceptions

To use PDQ Deploy and PDQ Inventory successfully, the client computers must have the following firewall ports and services enabled.

Required:

  • Windows Firewall: Allow inbound file and printer sharing exception
    • This rule allows the IPC$ and ADMIN$ shares to be available. Administrative access to these shares is required.
  • Windows Firewall: Allow ICMP exceptions (Allow inbound echo request)
    • This rule allows a target computer to respond to ping requests. PDQ Inventory uses ping to determine the Online status of a computer. Keep in mind that Admin Arsenal products ping the FQDN (Fully Qualified Domain Name) of a computer to determine whether it is online and/or available.

If you are enabling these rules via Group Policy (GPO), which is recommended, use the path:
 
Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
 
If you are enabling these rules on computers that are not members of an Active Directory (AD) domain then use:
 
Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
 
[Figure: FirewallExceptions.png]

If the target machine is not a member of an Active Directory domain, you may also need to disable Remote UAC restrictions.

Admin Arsenal products use SMB to communicate with target computers. If you can manage remote computers using the standard Windows administration tools, you should be set as far as ports go. SMB uses the following ports:
 
  • UDP 137
  • UDP 138
  • UDP 445
  • TCP 139
  • TCP 445
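The two required exceptions and the SMB ports above, put into a script that a practitioner can run on both ends. This is an added example, not code from the article or from PDQ: on the target it enables only the inbound File and Printer Sharing rules (SMB/NetBIOS and ICMPv4 echo), scoped to the Domain profile and to the console's address instead of to every remote host; on the console it runs the same three checks PDQ depends on (ping of the FQDN, TCP 445, the ADMIN$ share). The function names, `$ConsoleAddress` and `$TargetFqdn` are assumptions/constructed values.

```powershell
# Added example (not from the PDQ article). $ConsoleAddress and $TargetFqdn
# are constructed sample values; the function names are the author's own.

# Target side (run elevated on the managed computer). Enables only the inbound
# "File and Printer Sharing" rules for SMB (TCP 445), NetBIOS (UDP 137/138,
# TCP 139) and ICMPv4 echo, limited to one profile and to the console's address.
function Enable-PdqTargetRules {
    param(
        [Parameter(Mandatory)][string]$ConsoleAddress,
        [string]$Profile = 'Domain'   # use 'Private' on computers that are not domain members
    )
    $rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Where-Object { $_.DisplayName -match 'SMB-In|NB-(Name|Datagram|Session)-In|Echo Request - ICMPv4-In' }
    $rules | Set-NetFirewallRule -Enabled True -Profile $Profile -RemoteAddress $ConsoleAddress

    # Report exactly what is now open; protocol and port come from the rule's port filter.
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $r.DisplayName
            Protocol      = $pf.Protocol
            LocalPort     = $pf.LocalPort
            Profile       = $r.Profile
            RemoteAddress = ($r | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
}

# Console side (no elevation needed). PDQ pings the FQDN, so the ping check
# uses the FQDN rather than an IP address.
function Test-PdqTargetReady {
    param([Parameter(Mandatory)][string]$TargetFqdn)
    $ping = Test-Connection -ComputerName $TargetFqdn -Count 1 -Quiet -ErrorAction SilentlyContinue
    $tcp  = (Test-NetConnection -ComputerName $TargetFqdn -Port 445 `
                -WarningAction SilentlyContinue).TcpTestSucceeded
    # ADMIN$ is a directory share and can be tested directly; IPC$ is the
    # named-pipe share used for RPC and is not browsable, so it is not tested here.
    $admin = Test-Path -Path "\\$TargetFqdn\ADMIN$" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Target     = $TargetFqdn
        PingFqdn   = [bool]$ping
        Tcp445     = [bool]$tcp
        AdminShare = [bool]$admin
        Ready      = [bool]($ping -and $tcp -and $admin)
    }
}

# Sample invocations with constructed values:
# Enable-PdqTargetRules -ConsoleAddress '10.0.0.25'       # on the target
# Test-PdqTargetReady -TargetFqdn 'ws01.corp.example'     # on the console
```

If `Test-PdqTargetReady` reports `PingFqdn` false but `Tcp445` true, the ICMP exception (not SMB) is what is missing; the reverse points at the File and Printer Sharing rule or at Remote UAC on non-domain hosts.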

Package Library

PDQ Deploy has the ability to import pre-built packages from adminarsenal.com.

***UPDATED 20 JULY 2015*** Packages are downloaded from the site below. You may need to add this address to any whitelist that your company uses.

https://aafiles.blob.core.windows.net 


9 Comments

  • 0

    Hint:

    In case your default shares are unavailable, check these registry entries:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters

    "AutoShareServer"=dword:00000001

    "AutoShareWks"=dword:00000001

     If these settings are not enabled, deleted shares are not recreated.

  • 0

    These commands open the correct ports, and a few others, in XPMode SP3. They should work as well in XP SP2. See the help for the netsh command on the trailing "all" which opens it to all contexts (all IPs). In the ICMP rule, you can change the all to 8 and it will work for most purposes. Copy/paste to a .bet file and run as admin if you are the trusting type. Each should be followed by an "OK" if run individually, or in batch.

    #########################################
    netsh firewall set service remoteadmin enable all
    netsh firewall set service remotedesktop enable all
    netsh firewall set service icmpsetting all enable
    netsh firewall set service fileandprint enable
    netsh firewall add portopening UDP 445 SaMBa enable
    netsh firewall add allowedprogram C:\Windows\system32\sessmgr.exe RemoHelp enable
    #########################################

    jon(at)purdue.edu

  • 0

    uhhhh .bet is .bat

  • 0

    Above has worked for me, but you may wish to add:

    netsh firewall add portopening TCP 5985 WRM enable

    and maybe:

    netsh firewall add portopening TCP 80 WRM-http enable

    if needed

  • 0

    Thanks for sharing, Jonathan.

  • 0

    But is there a way to secure those ports with SSL? And what exactly is being transferred over each? If it's using a local admin account on each machine to install packages, on what port is it communicating the credentials?

     

    Any information on how to secure PDQ would be great.

  • 0

    Hi Nicholas,

    These are the standard ports that Microsoft's SMB uses for communication for File and Printer Sharing. As far as encryption for SMB, that is configured in Windows and in AD and is dependent on which version of SMB is being used. Microsoft uses different encryption (I believe all are AES standards) for each version.

    You can read about the encryption that PDQ products use when it comes to storing the credentials used during deployments and scans in our documentation.

  • 0

    The command line commands above by Jonathan Paulsen were good, except the third one for me was throwing an error of bad syntax.  The syntax that worked for me was:

        netsh firewall set icmpsetting type=all mode=enable

  • 0

     

    These ports are the ports that were opened in my target server FW (it works great). Before, I had the issue, so I opened port 445 for inbound traffic.

    | Name | Action | Protocol | LocalPorts | ApplicationName |
    |---|---|---|---|---|
    | Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In) | 1 | 1 | | System |
    | Core Networking - Internet Group Management Protocol (IGMP-In) | 1 | 2 | | System |
    | Core Networking - Internet Group Management Protocol (IGMP-Out) | 1 | 2 | | System |
    | Core Networking - IPv6 (IPv6-Out) | 1 | 41 | | System |
    | Core Networking - IPv6 (IPv6-In) | 1 | 41 | | System |
    | Core Networking - Multicast Listener Done (ICMPv6-Out) | 1 | 58 | | |
    | Core Networking - Multicast Listener Done (ICMPv6-In) | 1 | 58 | | System |
    | Core Networking - Multicast Listener Report (ICMPv6-Out) | 1 | 58 | | |
    | Core Networking - Multicast Listener Report (ICMPv6-In) | 1 | 58 | | System |
    | Core Networking - Multicast Listener Query (ICMPv6-Out) | 1 | 58 | | |
    | Core Networking - Multicast Listener Query (ICMPv6-In) | 1 | 58 | | System |
    | Core Networking - Router Solicitation (ICMPv6-Out) | 1 | 58 | | |
    | Core Networking - Router Solicitation (ICMPv6-In) | 1 | 58 | | System |
    | Core Networking - Router Advertisement (ICMPv6-Out) | 1 | 58 | | |
    | Core Networking - Neighbor Discovery Advertisement (ICMPv6-Out) | 1 | 58 | | |
    | Core Networking - Multicast Listener Report v2 (ICMPv6-Out) | 1 | 58 | | |
    | Core Networking - Neighbor Discovery Advertisement (ICMPv6-In) | 1 | 58 | | System |
    | Core Networking - Neighbor Discovery Solicitation (ICMPv6-Out) | 1 | 58 | | |
    | Core Networking - Neighbor Discovery Solicitation (ICMPv6-In) | 1 | 58 | | System |
    | Core Networking - Parameter Problem (ICMPv6-Out) | 1 | 58 | | |
    | Core Networking - Parameter Problem (ICMPv6-In) | 1 | 58 | | System |
    | Core Networking - Time Exceeded (ICMPv6-Out) | 1 | 58 | | |
    | Core Networking - Time Exceeded (ICMPv6-In) | 1 | 58 | | System |
    | Core Networking - Packet Too Big (ICMPv6-Out) | 1 | 58 | | |
    | Core Networking - Packet Too Big (ICMPv6-In) | 1 | 58 | | |
    | Core Networking - Destination Unreachable (ICMPv6-In) | 1 | 58 | | System |
    | Core Networking - Router Advertisement (ICMPv6-In) | 1 | 58 | | System |
    | Core Networking - Multicast Listener Report v2 (ICMPv6-In) | 1 | 58 | | System |
    | NSClient++ Monitoring Agent | 1 | 256 | | C:\Program Files\NSClient++\nscp.exe |
    | Core Networking - IPHTTPS (TCP-Out) | 1 | 6 | * | C:\Windows\system32\svchost.exe |
    | Windows Management Instrumentation (WMI-In) | 1 | 6 | * | C:\Windows\system32\svchost.exe |
    | Windows Management Instrumentation (WMI-Out) | 1 | 6 | * | C:\Windows\system32\svchost.exe |
    | Windows Management Instrumentation (ASync-In) | 1 | 6 | * | C:\Windows\system32\wbem\unsecapp.exe |
    | Remote Desktop - Shadow (TCP-In) | 1 | 6 | * | C:\Windows\system32\RdpSa.exe |
    | Core Networking - Teredo (UDP-Out) | 1 | 17 | * | C:\Windows\system32\svchost.exe |
    | Core Networking - DNS (UDP-Out) | 1 | 17 | * | C:\Windows\system32\svchost.exe |
    | Windows Management Instrumentation (DCOM-In) | 1 | 6 | 135 | C:\Windows\system32\svchost.exe |
    | Remote Desktop - User Mode (TCP-In) | 1 | 6 | 3389 | C:\Windows\system32\svchost.exe |
    | Remote Desktop - User Mode (UDP-In) | 1 | 17 | 3389 | C:\Windows\system32\svchost.exe |
    | World Wide Web Services (HTTPS Traffic-In) | 1 | 6 | 443 | System |
    | File and Printer Sharing (SMB-In) | 1 | 6 | 445 | System |
    | Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In) | 1 | 17 | 546 | C:\Windows\system32\svchost.exe |
    | Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out) | 1 | 17 | 546 | C:\Windows\system32\svchost.exe |
    | Windows Remote Management (HTTP-In) | 1 | 6 | 5985 | System |
    | Core Networking - Dynamic Host Configuration Protocol (DHCP-Out) | 1 | 17 | 68 | C:\Windows\system32\svchost.exe |
    | Core Networking - Dynamic Host Configuration Protocol (DHCP-In) | 1 | 17 | 68 | C:\Windows\system32\svchost.exe |
    | World Wide Web Services (HTTP Traffic-In) | 1 | 6 | 80 | System |
    | Core Networking - IPHTTPS (TCP-In) | 1 | 6 | IPHTTPS | System |
    | Core Networking - Teredo (UDP-In) | 1 | 17 | Teredo | C:\Windows\system32\svchost.exe |
