EC2 Windows 2008/2008r2 loss of connectivity due to Windows Firewall

Happy New Year to everyone and I hope you had a great holiday!

I have updated this information in the form of a video, which can be found here.

Today, I am going to talk about an issue where you are connecting to a server remotely and all of a sudden you are no longer able to connect via Remote Desktop (RDP). I normally see this issue when either a security update gets applied during Windows Update or someone made a mistake with a Windows Firewall rule. In my example, I will actually break it by removing the RDP access with Windows Firewall, but more importantly, I will show you how to fix it in the Amazon EC2 cloud environment.

I will do this for both Microsoft Windows Server 2008 and Server 2008r2, since the Windows Firewall is a bit different between the two versions. I will also use a Microsoft Windows Server 2003r2 instance to perform the recovery to avoid having to modify the Boot Configuration Data (BCD) store, so I can perform this recovery a bit faster. Later this week, I will show you how to edit the BCD store in the event you need to perform these steps with only Windows 2008 servers.

The information provided in this blog is meant as a tutorial. It is not the final word on security or setup for your particular case. In simpler terms: use at your own risk. With that being said, I hope it helps.

This process only works if we have all instances in the same Availability Zone (AZ) because we will need to share the root EBS-backed volume. It is important to note the following:

– Instance store instances (S3-backed root devices) do not allow you this flexibility, so you will not be able to detach the C drive
– EBS volumes can only be shared with one instance at a time
– EBS volumes can only be shared within the same AZ and can’t be used for other instances outside the AZ in the same region

Here is how you can find the Windows 2003 public Amazon Machine Images (AMIs). First, click on Community AMIs, then in the drop-down box choose Amazon Images, then type in 2003 and hit Enter. Since I am not too concerned with this machine, I am going to go for a cheaper machine and will use the 32-bit one. I have highlighted all of these selections in purple below:

As stated earlier, it is recommended to launch the new instance in the same AZ as seen below:

Now, we will go into the Windows 2008 server and break it by making a change to the firewall so that it will not respond to RDP requests. First we need to see the Windows Firewall rules:

Here is how the firewall is currently allowing RDP:

Then we need to turn off RDP by un-selecting it and hitting apply or ok:

Give it a few minutes and it will disconnect and will no longer allow you to connect back to it:

Here is how Windows 2008r2’s firewall looks:

Here is how the firewall is currently allowing RDP:

OK, let's test out the theory and turn it off:

Again, we will get the disconnect and you will also see this error, which is normally what you see right before you start asking for help.

So, let’s go ahead and fix it. Basically, we will need to do the following, and the steps are the same for both versions of Windows 2008:

1. Stop the instances:

2. Go to EBS volumes menu in AWS Management console:

2. Detach the root volumes

3. Attach the root volume to the w2k3 instance as xvdf:

4. Verify volume is attached and online in Disk Management:

And My Computer:

5. Open regedit:

6. Navigate to HKLM:

7. Load the hive for the system in Windows 2008 on this Windows 2003 server by going to File and then Load Hive:

Select the D drive:

Browse to D:\Windows\System32\Config and select system:

Hit Open and name it system_w2k8 to distinguish between the two versions in the registry:

Notice that we now have two system hives, one for Windows 2003 (system) and one for Windows 2008 (system_w2k8):

8. Browse to the registry settings for your Windows Firewall, which are under system_w2k8\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy:

9. Make modifications to the registry to turn off the Windows Firewall for all 3 profiles (DomainProfile, PublicProfile, StandardProfile):

Select a profile and then double-click on the DWORD EnableFirewall and notice it is set to (1) which is on:

Change the value to a zero (0) to turn it off:

Do that exact same step for each profile (DomainProfile, PublicProfile, StandardProfile) and then unload the hive to save it. You will need to go back up to HKLM and select the system_w2k8 and then File, Unload Hive:

9. Now detach the volume in the AWS Management Console and attach it back to the Windows 2008 version as /dev/sda1:

And attach it back to your original Windows 2008 instance in the AWS Management Console:

and name it /dev/sda1:

10. Start your EC2 instance:

Notice that the IP address has changed after the start (originally it was ec2-50-112-36-65.us-west-2.compute.amazonaws.com).

So we need to connect to the new name and now you will see that we can connect 🙂

11. Verify your work and see that we did in fact turn off the profile:

12. Before we turn it on, allow RDP access by clicking on Turn Windows Firewall on or off and then selecting the Exceptions tab:

Click next to Remote Desktop to put the check mark next to it and hit Apply or OK. Then click the Update settings now to turn it back on after you allow RDP:
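The registry part of the procedure (Load Hive, set EnableFirewall to 0 for the three profiles, Unload Hive) can also be scripted. The following is an added example, not code from the original post; it assumes PowerShell is available on the helper instance and that the rescued volume is online as D:, and it goes slightly beyond the steps above by reading Select\Current to find the active control set and by keeping a backup copy of the hive.

```powershell
# Added example, not from the original post. Assumes the rescued root volume
# is online as D: and this runs elevated on the helper instance.
$HivePath = 'D:\Windows\System32\config\SYSTEM'
$Mount    = 'HKLM\system_w2k8'     # temporary key name used in the post
$Profiles = 'DomainProfile', 'PublicProfile', 'StandardProfile'

# Keep an untouched copy of the hive so the edit can be rolled back.
Copy-Item -Path $HivePath -Destination "${HivePath}.pre-fix.bak"

reg.exe load $Mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    # An offline hive has no CurrentControlSet. Select\Current holds the
    # number of the ControlSetNNN the instance boots from (usually 1).
    $select = (reg.exe query "$Mount\Select" /v Current | Out-String)
    if ($select -match 'Current\s+REG_DWORD\s+0x([0-9a-fA-F]+)') {
        $number = [Convert]::ToInt32($Matches[1], 16)
    } else {
        throw 'Could not read Select\Current from the loaded hive'
    }
    $controlSet = 'ControlSet{0:D3}' -f $number
    $policy = "$Mount\$controlSet\Services\SharedAccess\Parameters\FirewallPolicy"

    foreach ($p in $Profiles) {
        # Show the value before the change, then set EnableFirewall to 0.
        reg.exe query "$policy\$p" /v EnableFirewall
        reg.exe add "$policy\$p" /v EnableFirewall /t REG_DWORD /d 0 /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not update $p" }
    }
}
finally {
    # Unloading writes the change to disk; it fails while regedit has the key open.
    reg.exe unload $Mount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed for $Mount" }
}
```

Until the firewall is turned back on in step 12, the instance is filtered only by its EC2 security group, so keep the RDP rule there limited to your own address.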

Here is the process in Windows 2008r2:

As you can see the firewall is listed as OFF after we attach the root volume:

Notice that RDP is not enabled in the Windows Firewall and looks the same as we left it in the beginning:

Then we will need to add the RDP access by checking the RDP options before enabling the Windows Firewall; note that the firewall is still off:

So click next to On to enable it:

Now you are golden and can RDP into the server 🙂
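The console steps for moving the root volume (stop, detach, attach as xvdf, then back as /dev/sda1 and start) can be run from the AWS CLI as well. This is an added example, not part of the original post; it assumes the AWS CLI is installed with credentials and a default region on your workstation, and the two instance IDs are placeholders.

```powershell
# Added example, not from the original post. Instance IDs are placeholders.
$Broken = 'i-BROKEN-PLACEHOLDER'   # locked-out Windows 2008 instance
$Helper = 'i-HELPER-PLACEHOLDER'   # Windows 2003 helper instance

function Get-Az($Id) {
    aws ec2 describe-instances --instance-ids $Id `
        --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text
}

function Move-Volume($VolumeId, $ToInstance, $Device) {
    aws ec2 detach-volume --volume-id $VolumeId | Out-Null
    aws ec2 wait volume-available --volume-ids $VolumeId
    aws ec2 attach-volume --volume-id $VolumeId --instance-id $ToInstance `
        --device $Device | Out-Null
    aws ec2 wait volume-in-use --volume-ids $VolumeId
}

# An EBS volume only attaches to an instance in its own AZ, so check first.
$az = Get-Az $Broken
if (-not $az -or $az -ne (Get-Az $Helper)) {
    throw 'Instances are not in the same Availability Zone (or lookup failed)'
}

aws ec2 stop-instances --instance-ids $Broken | Out-Null
aws ec2 wait instance-stopped --instance-ids $Broken

# Find the root volume by the device name used in the post.
$Root = aws ec2 describe-volumes `
    --filters "Name=attachment.instance-id,Values=$Broken" `
              "Name=attachment.device,Values=/dev/sda1" `
    --query 'Volumes[0].VolumeId' --output text
if (-not $Root -or $Root -eq 'None') { throw "No /dev/sda1 volume on $Broken" }

Move-Volume $Root $Helper 'xvdf'
Read-Host 'Edit the registry on the helper, unload the hive, then press Enter'
Move-Volume $Root $Broken '/dev/sda1'

aws ec2 start-instances --instance-ids $Broken | Out-Null
aws ec2 wait instance-running --instance-ids $Broken

# Stop/start assigns a new public DNS name, so print the one to connect to.
aws ec2 describe-instances --instance-ids $Broken `
    --query 'Reservations[0].Instances[0].PublicDnsName' --output text
```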
