2

I have been searching the Internet for the past week for the answer to my question, but couldn't find any conclusive answer, so I ask here.

Based on your experience and/or knowledge, what policies could/should be enforced through Group Policy to ensure that all computers in the domain are manageable remotely using the triumvirate of psexec, remote WMI, and remote registry?

Background of my question: when I audited the computers in the domain, I would encounter computers that are not psexec-able, or remote WMI queryable, or remote regedit-able, or a combination of the three. This forced me to devise workarounds every time, a job that took away too much valuable time. So, rather than wasting time again and again, I'd rather enforce uniformity via a domain-wide GPO.

PS: The targets of operation are Windows XP SP3 and Windows 7 Professional/Enterprise.

pepoluan
  • Really depends on what specific settings are blocking those remote tools... and, FYI, it's the case often enough that something is not working properly and that's what prevents access using these tools, rather than a configuration or setting that needs changed. – HopelessN00b Aug 25 '12 at 18:10
  • For psexec you will normally also need to set an exception in your antivirus software. It works in a way that AV software should be blocking for the general case. – John Gardeniers Aug 25 '12 at 22:42
  • @John since the antivirus is set and configured centrally (SEP), and everyone is using the same, I don't think that's the reason – pepoluan Aug 26 '12 at 04:12

1 Answer

2

Mmmm... thoughts:

PSExec - just requires the remote PC to be contactable via RPC and SMB. Plus, you need the appropriate rights at the other end to remotely interact with the Service Control Manager (this could be forced via Group Policy Preferences). So, assuming the PC is operational...: If the PC is on the domain, then the Windows Firewall should let you in, unless you've tweaked the domain-connected firewall settings. Anti-virus products might see PSExec as a "Potentially unwanted Program". So, possibly some registry settings here to ensure it's allowed to execute.

WMI - Again, needs RPC to be functioning. You might want to force the WMI services to be running via GPOs. One snag with WMI is when a 3rd party product fecks up the WMI repository. Seen this so many times. Only fix is a manual recompile.

Remote Registry - Again, RPC and privs. Plus, you could force the service to be running via GPOs.

Simon Catlin
  • Thanks for the breakdown! On Monday, I'll check up on the problematic computers to ensure that WMI is healthy. In the meantime, I'm going to force RpcSs to run via GPO. I'll post another comment on my findings. – pepoluan Aug 26 '12 at 04:16
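
The prerequisites listed in the answer (RPC and SMB reachability, Service Control Manager access, the WMI and Remote Registry services, and a WMI repository that actually answers queries) can be checked per machine before or after a GPO change. The following is an added example, not code from the thread; `Test-TcpPort` and `Test-RemoteMgmtReadiness` are hypothetical helper names and the computer names are constructed placeholders.

```powershell
# Added example, not from the thread. Run from an admin workstation in
# Windows PowerShell 3.0 or later with an account that is admin on the targets.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-RemoteMgmtReadiness {
    param([Parameter(Mandatory)][string]$ComputerName)
    $r = [ordered]@{
        Computer          = $ComputerName
        Rpc135            = (Test-TcpPort $ComputerName 135)   # RPC endpoint mapper
        Smb445            = (Test-TcpPort $ComputerName 445)   # SMB
        RemoteRegistrySvc = 'n/a'; WmiSvc = 'n/a'; WmiQuery = 'n/a'; RegistryRead = 'n/a'
    }
    if ($r.Rpc135 -or $r.Smb445) {
        # Get-Service -ComputerName goes through the remote Service Control
        # Manager, the component PsExec must reach to install its service.
        try {
            $svc = Get-Service -ComputerName $ComputerName -Name RemoteRegistry, Winmgmt -ErrorAction Stop
            $r.RemoteRegistrySvc = ($svc | Where-Object Name -eq 'RemoteRegistry').Status
            $r.WmiSvc            = ($svc | Where-Object Name -eq 'Winmgmt').Status
        } catch { $r.RemoteRegistrySvc = "SCM error: $($_.Exception.Message)" }
        # A running Winmgmt service with a failing query points at the
        # repository itself rather than at firewall or service settings.
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
            $r.WmiQuery = "OK: $($os.Caption)"
        } catch { $r.WmiQuery = "FAIL: $($_.Exception.Message)" }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
            $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
            $r.RegistryRead = "OK: $($key.GetValue('ProductName'))"
            $hklm.Close()
        } catch { $r.RegistryRead = "FAIL: $($_.Exception.Message)" }
    }
    [pscustomobject]$r
}

# Constructed placeholder names; replace with real computer names.
'PC-EXAMPLE-01', 'PC-EXAMPLE-02' |
    ForEach-Object { Test-RemoteMgmtReadiness -ComputerName $_ } | Format-List
```

Each row separates network reachability from service state and from actual query success, which shows whether a given machine needs a firewall or service policy or has a local fault that a GPO cannot fix.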