
I have a Windows Server 2012 R2 virtual machine with two network interfaces. I would like to be able to query WMI on one interface and block all WMI request on the other. So far, no matter what I've tried, Windows firewall will either block both interfaces or neither.

I've tried using the sources tab on the firewall rule named "Windows Management Instrumentation (WMI-In)" to specify a local address. I've also tried using PowerShell Set-NetFirewallInterfaceFilter to specify only a single interface.

I've used Wireshark to verify that the traffic is going to the expected IP addresses. I've been testing the WMI connectivity by using the PowerShell command gwmi -computername 172.16.136.x win32_computersystem.

R. McGee
  • What network profile and firewall profile is the server using for both interfaces? Try enabling the firewall rule for the appropriate network/firewall profile and disabling for the other. – joeqwerty Aug 16 '16 at 17:57
  • Thanks. I gave that a try, but since the server is joined to the domain it doesn't appear that I can change the network profile of the interface. When I tried, I received the error: Set-NetConnectionProfile : Unable to set the NetworkCategory due to one of the following possible reasons: not running PowerShell elevated; the NetworkCategory cannot be changed from 'DomainAuthenticated'; user initiated changes to NetworkCategory are being prevented due to the Group Policy setting 'Network List Manager Policies'. – R. McGee Aug 16 '16 at 18:33
  • Isn't one network profile listed as Domain and the other listed as Public or Private? – joeqwerty Aug 16 '16 at 18:42
  • No, they are both listed as domain. When I execute Get-NetConnectionProfile | ft InterfaceAlias, NetworkCategory both interfaces have the NetworkCategory of DomainAuthenticated. Both of these interfaces are on the same network. – R. McGee Aug 16 '16 at 19:00
  • I see. Why is the server dual-homed on the same network? – joeqwerty Aug 16 '16 at 19:21
  • In short, it really doesn't need to be dual-homed. We're running a SNMP simulator that simulates 100s of devices, each with their own IP address. We're using that in our test lab for the monitoring tool we sell. If the monitoring tool detects SNMP and WMI on the same IP address, then it combines the data it gets from both protocols and that is just a mess. I was trying to set up the server so all of the simulated devices were on one network interface, and all of the management protocols for the host server would be on another interface. I didn't realize Windows wouldn't allow that. – R. McGee Aug 17 '16 at 20:06

1 Answer


If your network interfaces and their corresponding network adapters happen to have a one-to-one relationship, then yes, you can restrict WMI to a given interface.

I'm not sure how this might be accomplished by PowerShell cmdlets but given how wildly diverse the terminology and consequently sparse the documentation can be from Microsoft regarding "the PowerShell way" (which I happen to be a massive fan of regardless of critique), I would research later. You can accomplish what you want via GUI (firewall.cpl) with the advanced dialog box.

See the screenshot for how to accomplish this: [screenshot: Windows Firewall with Advanced Security control panel applet]

For a given network profile, assuming you have configured the governing profile to your specification, you could simply check the boxes to administratively enable/disable as-needed.

Cheers!

ProGrammar
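An added example of the PowerShell route the answer leaves open (my code, not the answer's or Microsoft's): it scopes the built-in inbound WMI rules to one interface using the NetSecurity cmdlets the question already mentions. The interface aliases 'Management' and 'Simulators' are hypothetical; substitute the names shown by Get-NetAdapter.

```powershell
# Added example, not from the original answer. Interface aliases are hypothetical.
$mgmtIf = 'Management'   # interface that should keep answering WMI
$simIf  = 'Simulators'   # interface that should not answer WMI

# Remote WMI rides on DCOM: the client first contacts the RPC endpoint mapper
# (TCP 135, covered by the DCOM-In rule) and is then handed a dynamic port
# (covered by the WMI-In rule). Scoping only WMI-In leaves 135 open on the
# other interface, so scope every inbound rule in the WMI group.
$rules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' `
                             -Direction Inbound

# Address actually bound to the management interface (IPv4 only here).
$mgmtAddr = (Get-NetIPAddress -InterfaceAlias $mgmtIf -AddressFamily IPv4).IPAddress

foreach ($rule in $rules) {
    # Limit the rule to packets arriving on the management interface ...
    $rule | Set-NetFirewallRule -InterfaceAlias $mgmtIf -Enabled True
    # ... and to the management interface's own local address.
    $rule | Get-NetFirewallAddressFilter |
        Set-NetFirewallAddressFilter -LocalAddress $mgmtAddr
}

# Verify what the firewall now holds for each rule before testing from a client.
foreach ($rule in $rules) {
    $ifFilter   = $rule | Get-NetFirewallInterfaceFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    '{0}: interface={1} local={2}' -f $rule.DisplayName,
        ($ifFilter.InterfaceAlias -join ','),
        ($addrFilter.LocalAddress -join ',')
}

# Interface scoping matches on the NIC a frame arrives on. With both NICs on the
# same subnet, as in the question, which NIC receives a frame for a given IP is
# not guaranteed, so confirm with Wireshark on each NIC; separate subnets give a
# clean boundary. Test from another host with
#   gwmi -ComputerName <mgmt-ip> Win32_ComputerSystem   (should succeed)
#   gwmi -ComputerName <sim-ip>  Win32_ComputerSystem   (should be blocked)
```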