Level 7

Changing Default Dynamic WMI Ports to Static Specific Ports on Windows 2012 Servers

Dear Experts,

I am facing a challenge in using the WMI dynamic ports which are allocated by default. DCOM's dynamic port allocation feature offers great flexibility in that programmers and administrators alike are free from the burden of having to configure (or hard code) applications to specific ports, free from resolving conflicts between multiple applications attempting to use the same port(s), and so on. Unfortunately, because DCOM (by default) is free to use any port between 1024 and 65535 when it dynamically selects a port for an application, it is rather "firewall unfriendly" out of the box. Configuring your firewall to leave such a wide range of ports open would present a serious security hole.

When a server makes a callback to a client, it creates a new connection to the client and sends method calls over that separate channel by using dynamic ports from 1024-65535.

I want to restrict the default ports and want to be very specific. Example: a 58000 - 58200 range of ports.

SAM has been installed on a Windows 2012 Server, and the remote hosts are running OSes like 2003 SP2/R2 and Win 2012.

I would appreciate it if someone could guide me on how to customize the ports, and the steps.

Thanks in Advance,

4 Replies
Level 10

What if the Windows Firewall is OFF?

Then how can we set up a fixed port for WMI? Any ideas?

0 Kudos

I have tried the above steps, but I am still facing the issue.

0 Kudos
Level 17

The first thing to be aware of is that if your target systems are all running Windows operating systems, then there is no need to configure ports on the Windows Firewall; you simply need to enable the three rules contained in the Windows Management Instrumentation (WMI) ruleset.


If you're using a third-party host firewall on those systems, determine if that firewall allows you to build rules similar to the three rules in the Windows Firewall.

If you have no other choice but to restrict the ports used, Microsoft KB154596 describes how to restrict the RPC ports assigned by the Endpoint Mapper. That KB article also contains other references with advanced information that may be of interest. In short, these are the steps required:

Open the Registry Editor (you'll need to use REGEDT32.EXE) and navigate to HKLM\Software\Microsoft\Rpc

Create a new registry KEY named "Internet" as a subkey of "Rpc"

Create three new VALUES in the "Internet" key

  • "Ports" as REG_MULTI_SZ
  • "PortsInternetAvailable" as REG_SZ
  • "UseInternetPorts" as REG_SZ

In the "Ports" value define the port, list of ports, or range of ports

Set "PortsInternetAvailable" and "UseInternetPorts" to 'Y' to enable the use of the ports listed in the "Ports" value.

Configuring this across a large number of clients will be better served by defining a Group Policy template.

Alternately, you can also use the RPC Configuration Tool from the Windows 2000 Resource Kit to configure the port range. This could be scripted in a power-on script.

Yet another way to approach this, for Vista and later systems (not available for XP/2003) is to run WMI in a dedicated service host with a static port. WMI is configured using the winmgmt command line arguments, specifically the /standalonehost argument. By default, then, WMI will run on port 24158. You can change this port assignment by using Dcomcnfg.exe. These would only need to be run one time on each host, perhaps as part of the system deployment tasks.
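
The registry steps from the reply above, as an added PowerShell example that is not part of the original thread. It assumes an elevated session and uses the 58000-58200 range from the question; the parameter and variable names are illustrative.

```powershell
# Added example: apply the KB154596 values from the steps above, then read them back.
# Assumptions: elevated session; 58000-58200 is the range asked for in the question.
param(
    [int]$First = 58000,
    [int]$Last  = 58200
)
$ErrorActionPreference = 'Stop'
$key      = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$range    = "$First-$Last"
$switches = 'PortsInternetAvailable', 'UseInternetPorts'

# Refuse ranges outside the 1024-65535 span DCOM allocates from by default.
if ($First -lt 1024 -or $Last -gt 65535 -or $First -gt $Last) {
    throw "Range $range is not a valid sub-range of 1024-65535."
}

# Create the "Internet" subkey only if it is missing, so existing values are not wiped.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key | Out-Null
}

# "Ports" is REG_MULTI_SZ; the two switches are REG_SZ set to 'Y'.
New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString -Value @($range) -Force | Out-Null
foreach ($name in $switches) {
    New-ItemProperty -Path $key -Name $name -PropertyType String -Value 'Y' -Force | Out-Null
}

# Read the values back and fail loudly on any mismatch (for example a GPO overwriting them).
$cfg      = Get-ItemProperty -Path $key
$problems = @()
if (($cfg.Ports -join ',') -ne $range) {
    $problems += "Ports = '$($cfg.Ports -join ',')'"
}
foreach ($name in $switches) {
    if ($cfg.$name -ne 'Y') { $problems += "$name = '$($cfg.$name)'" }
}
if ($problems.Count -gt 0) {
    throw "Unexpected values under ${key}: $($problems -join '; ')"
}

# After the host has been restarted, list the listeners that landed inside the range.
# Get-NetTCPConnection needs Windows 8 / Server 2012 or later.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge $First -and $_.LocalPort -le $Last } |
    Sort-Object LocalPort |
    Select-Object LocalAddress, LocalPort
```

The RPC range is read at startup, so restart the host before checking the listeners. On the 2003 hosts mentioned in the question, `netstat -ano` serves the same purpose as the last command.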

Level 11

I did this part - Setting Up a Fixed Port for WMI (Windows)

It works like a charm!

0 Kudos