135端口:Microsoft在这个端口运行DCE RPC end-point mapper为它的DCOM服务。这与UNIX 111端口的功能很相似。使用DCOM和RPC的服务利用计算机上的end-point mapper注册它们的位置。远端客户连接到计算机时,它们查找end-point mapper找到服务的位置。
The Windows Firewall: Allow remote administration exception setting allows you to specify whether computers running Windows XP with SP2 can be remotely administered by applications that use TCP ports 135 and 445 (such as MMC and WMI), and is shown in the following figure.
Services that use these ports to communicate are using remote procedure calls (RPC) and Distributed Component Object Model (DCOM) to access remote hosts. In effect, Windows Firewall adds Svchost.exe and Lsass.exe to the program exceptions list and allows those services to open additional, dynamically assigned ports, typically in the range of 1024 to 1034. Windows Firewall also allows incoming ICMP Echo messages (also known as the ICMP Echo Request messages).
You can select the following:
Not Configured (default)
Remote administration is not allowed.
Enabled
Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. InAllow unsolicited incoming messages from, type * to specify traffic originating from any source IPv4 address or a comma-separated list of sources. The sources can be LocalSubnet to specify traffic originating from a directly reachable IPv4 address or one or more IPv4 addresses or IPv4 address ranges separated by commas. IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example list of sources:
Note This command is shown on multiple lines for better readability; enter them as a single line.
LocalSubnet,10.91.12.56,10.7.14.9/255.255.255.0,10. 116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24
IPv6 traffic supports the * and LocalSubnet scopes.
Note If you have any spaces between the entries in the list of sources or any other invalid characters, the scope is ignored and the setting behaves as if it were disabled. Please double-check your scope syntax before saving changes.
Host names, DNS names, or DNS suffixes are not supported.
Disabled
Remote administration is not allowed. Windows Firewall blocks port 135 and does not open 445. Also, in effect, it adds SVCHOST.EXE and LSASS.EXE to the program exceptions list with the Status of Disabled. Because disabling this policy setting does not block TCP port 445, it does not conflict with the Windows Firewall: Allow file and printer sharing exceptionsetting. This does not prevent these programs from running or their corresponding ports from being opened.
Malicious users and programs often attempt to attack networks and computers using RPC and DCOM traffic. We recommend that you contact the manufacturers of your critical programs to determine if they require RPC and DCOM communication. If they do not, then do not enable this setting.
Note If you only want to open a subset of the ports that this setting opens, leave this setting set to Not Configured and use theWindows Firewall: Define port exceptions setting to selectively open ports.
by ADMIN on APRIL 17, 2008
Microsoft has a web page that lists the various tools you can use to remotely administer a Windows Server system. The page lists each remote administration tool and the steps that are required to successfully use the tool with the Windows Firewall service enabled on the local or remote machine.
Firewall configuration details for the following remote administration tools are provided:
Microsoft also has a guide to Windows firewall configuration by server role.
原文地址:http://www.cnblogs.com/jjkv3/p/3850557.html