Disable the guest OS Firewall in Azure VM

This article provides a reference for situations in which you suspect that the guest operating system firewall is filtering part or all of the traffic to a virtual machine (VM). This can occur if changes were deliberately made to the firewall that caused RDP connections to fail.

Solution

The process described in this article is intended as a workaround so that you can focus on fixing your real issue, which is how to set up the firewall rules correctly. It is an Azure best practice to keep the Windows Firewall component enabled. How you configure the firewall rules depends on the level of access to the VM that is required.

Online Solutions

If the VM is online and can be reached from another VM on the same virtual network, you can apply these mitigations by using the other VM.

Mitigation 1: Custom Script Extension or Run Command feature

If you have a working Azure agent, you can use Custom Script Extension or the Run Command feature (Resource Manager VMs only) to remotely run the following scripts.

Note

  • If the firewall is set locally, run the following script:
    # Local firewall policy: one key per profile (StandardProfile is the Private profile)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile' -Name "EnableFirewall" -Value 0
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile' -Name "EnableFirewall" -Value 0
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' -Name "EnableFirewall" -Value 0
    # The firewall service re-reads the values when it restarts
    Restart-Service -Name mpssvc
    
  • If the firewall is set through an Active Directory policy, you can run the following script for temporary access:
    # Group Policy keys: these override the local keys above while the policy is in force
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' -Name "EnableFirewall" -Value 0
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' -Name "EnableFirewall" -Value 0
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile' -Name "EnableFirewall" -Value 0
    Restart-Service -Name mpssvc
    
    However, as soon as the policy is applied again, you will be kicked out of the remote session. The permanent fix for this issue is to modify the policy that is applied to this computer.
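The following script is an added example of my own, not part of the original article, of what you can push through Run Command or Custom Script Extension instead of switching the firewall off blindly. It first reports, for each profile, what the local key and the Group Policy key say (so you know whether a domain policy will undo your change), then applies the least-invasive fix of allowing RDP inbound, and only disables the profiles when you pass -DisableProfiles. The rule display name and the script file name are my own choices; the NetSecurity cmdlets it uses ship with Windows Server 2012 and later.

```powershell
# Added example (not from the article): run on the affected VM via Run Command
# (RunPowerShellScript) or Custom Script Extension. Requires the NetSecurity module.
[CmdletBinding()]
param(
    [int]$RdpPort = 3389,       # change this if the RDP listener was moved
    [switch]$DisableProfiles    # last resort: turn every profile off
)

$localBase  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$profiles   = 'DomainProfile', 'PublicProfile', 'StandardProfile'   # Standard = Private

# 1. Report who is setting EnableFirewall: the local key, a Group Policy key, or both.
#    A value under $policyBase wins over the local key, so a local change alone will not stick.
foreach ($p in $profiles) {
    $local  = Get-ItemProperty -Path "$localBase\$p"  -Name EnableFirewall -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path "$policyBase\$p" -Name EnableFirewall -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Profile       = $p
        LocalSetting  = if ($local)  { $local.EnableFirewall }  else { '(absent)' }
        PolicySetting = if ($policy) { $policy.EnableFirewall } else { '(not set by GPO)' }
    }
}
# Effective state as the firewall engine sees it right now.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2. Least-invasive fix: make sure RDP is allowed inbound on every profile.
$ruleName = 'Azure troubleshooting - allow RDP'   # assumed name, pick your own
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $RdpPort -Action Allow -Profile Any -Enabled True | Out-Null
}

# 3. Only on request: disable all profiles (same effect as EnableFirewall=0 on the local keys).
if ($DisableProfiles) {
    Set-NetFirewallProfile -All -Enabled False
}

# 4. Show the port filter that is actually attached to the rule.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

Unlike the registry edits above, the NetSecurity cmdlets take effect immediately, so no service restart is needed. Saved as Repair-GuestFirewall.ps1 (my file name), it can be sent with the Azure CLI as `az vm run-command invoke --resource-group <rg> --name <vm> --command-id RunPowerShellScript --scripts @Repair-GuestFirewall.ps1 --parameters "RdpPort=3389"`; the report in step 1 comes back in the command output. If PolicySetting shows 1 for a profile, a Group Policy is enforcing the firewall and the permanent fix is in that policy, as the note above says.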

Mitigation 2: PSTools commands

  1. On the troubleshooting VM, download PSTools.

  2. Open a CMD instance, and then access the VM through its DIP (private IP address).

  3. Run the following commands:

    psexec \\<DIP> -u <username> cmd
    netsh advfirewall set allprofiles state off
    psservice restart mpssvc
    
    

Mitigation 3: Remote Registry

Follow these steps to use Remote Registry.

  1. On the troubleshooting VM, start the registry editor, and then go to File > Connect Network Registry.

  2. Open the TARGET MACHINE\SYSTEM branch, and set the following values:

    <TARGET MACHINE>\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall           -->        0
    <TARGET MACHINE>\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall           -->        0
    <TARGET MACHINE>\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall         -->        0
    
  3. Restart the firewall service. Because you cannot do that through the Remote Registry, you must use the remote Services console.

  4. Open an instance of Services.msc.

  5. Click Services (Local).

  6. Select Connect to another computer.

  7. Enter the private IP address (DIP) of the problem VM.

  8. Restart the Windows Firewall service (mpssvc) so that it reads the new values.

  9. Try to connect to the VM through RDP again from your local computer.
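The same change that Mitigation 3 makes by hand, as an added PowerShell example of my own (not from the article), run from the troubleshooting VM against the problem VM's private IP. It talks to the target through the .NET Microsoft.Win32.RegistryKey API, which needs the Remote Registry service running on the target and a console running as an administrator there, saves the previous EnableFirewall values so that -Restore can put them back once the real rules are fixed, and then restarts mpssvc with sc.exe. $TargetDip and the state-file location are placeholders of mine.

```powershell
# Added example (not from the article): scripted Remote Registry mitigation.
# Prerequisites on the target VM: Remote Registry service running, and the account
# running this console is a local administrator there (otherwise use runas).
param(
    [Parameter(Mandatory)][string]$TargetDip,   # private IP (DIP) of the problem VM
    [switch]$Restore                            # put the saved values back
)

# Same three profile keys the manual steps edit (StandardProfile is the Private profile).
$subKeys = 'DomainProfile', 'PublicProfile', 'StandardProfile' |
    ForEach-Object { "SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$_" }
$stateFile = Join-Path $env:TEMP "firewall-$TargetDip.json"   # assumed location for the saved values

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $TargetDip)
try {
    if ($Restore) {
        # Rollback: write back whatever was there before we touched it.
        $saved = Get-Content $stateFile -Raw | ConvertFrom-Json
        foreach ($entry in $saved) {
            $k = $hklm.OpenSubKey($entry.Key, $true)
            $k.SetValue('EnableFirewall', [int]$entry.Value, [Microsoft.Win32.RegistryValueKind]::DWord)
            $k.Close()
        }
    } else {
        # Record the current value of each profile, then set it to 0 (firewall off).
        $previous = foreach ($path in $subKeys) {
            $k = $hklm.OpenSubKey($path, $true)        # $true = open writable
            if (-not $k) { Write-Warning "$path not found on $TargetDip"; continue }
            [pscustomobject]@{ Key = $path; Value = $k.GetValue('EnableFirewall', 1) }
            $k.SetValue('EnableFirewall', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            $k.Close()
        }
        $previous | ConvertTo-Json | Set-Content $stateFile
    }
} finally {
    $hklm.Close()
}

# The registry change takes effect only when the firewall service re-reads it (step 8 of the
# manual procedure). If sc.exe reports that the service cannot be stopped, reboot the VM instead.
sc.exe "\\$TargetDip" stop mpssvc
Start-Sleep -Seconds 3
sc.exe "\\$TargetDip" start mpssvc
```

Run it once as `.\Disable-RemoteFirewall.ps1 -TargetDip 10.0.0.4` (my file name and a constructed address), fix the rules over RDP, and then run it again with -Restore so that the VM is left with the firewall enabled, which is the state the Solution section calls for.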

Offline Solutions

If you have a situation in which you cannot reach the VM by any method, Custom Script Extension will fail, and you will have to work in OFFLINE mode by editing the system disk directly. To do that, follow these steps:

  1. Attach the system disk to a recovery VM.

  2. Start a Remote Desktop connection to the recovery VM.

  3. Make sure that the disk is flagged as Online in the Disk Management console. Note the drive letter that is assigned to the attached system disk.

  4. Before you make any changes, create a copy of the \windows\system32\config folder in case a rollback of the changes is necessary.

  5. On the recovery VM, start the registry editor (regedit.exe).

  6. For this troubleshooting procedure, the hives are mounted as BROKENSYSTEM and BROKENSOFTWARE.

  7. Highlight the HKEY_LOCAL_MACHINE key, and then select File > Load Hive from the menu.

  8. Locate the \windows\system32\config\SYSTEM file on the attached system disk and load it as BROKENSYSTEM; repeat the same steps for the SOFTWARE file in that folder and load it as BROKENSOFTWARE.

  9. Open an elevated PowerShell instance, and then run the following commands. The two reg load lines do the same thing as steps 7 and 8, so skip them (and the reg unload lines at the end) if you already loaded the hives in the registry editor; a hive that is already loaded cannot be loaded a second time.

    # Load the hives - If your attached disk is not F, replace the letter assignment here
    reg load HKLM\BROKENSYSTEM f:\windows\system32\config\SYSTEM
    reg load HKLM\BROKENSOFTWARE f:\windows\system32\config\SOFTWARE
    # Work out which control set the broken system boots with (Select\Current, normally 1)
    $ControlSet = (Get-ItemProperty -Path 'HKLM:\BROKENSYSTEM\Select' -Name "Current").Current
    $ControlSetKey = 'HKLM:\BROKENSYSTEM\ControlSet{0:D3}' -f $ControlSet
    # Disable the firewall in the local policy for all three profiles (StandardProfile is the Private profile)
    foreach ($profile in 'DomainProfile', 'PublicProfile', 'StandardProfile') {
        $key = "$ControlSetKey\services\SharedAccess\Parameters\FirewallPolicy\$profile"
        Set-ItemProperty -Path $key -Name 'EnableFirewall' -Value 0 -Type DWord -Force
    }
    # Make sure the firewall is not also enforced through an AD policy. These keys exist only when
    # a Group Policy configures the firewall, so check for them before writing.
    foreach ($profile in 'DomainProfile', 'PublicProfile', 'StandardProfile') {
        $key = "HKLM:\BROKENSOFTWARE\Policies\Microsoft\WindowsFirewall\$profile"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name 'EnableFirewall' -Value 0 -Type DWord -Force
        }
    }
    # Release the handles the registry provider still holds, then unload the hives
    [gc]::Collect()
    reg unload HKLM\BROKENSYSTEM
    reg unload HKLM\BROKENSOFTWARE
    
  10. Detach the system disk and re-create the VM.

  11. Check whether the issue is resolved.