OK, this is my first ever blog post. Bear with me.
If you are remotely administering a Windows 7 client, for example, listing the services on the remote machine using the Computer Management tool or the sc.exe command line, there may be an unexpected delay when connecting. If you use netstat -a -n during this delay you will see a TCP connection from your machine to the target machine sitting in the SYN_SENT state. After a little while this connection attempt times out and the operation succeeds anyway.
Another example of a remote administration tool that suffers from this problem is psexec.exe.
This will happen if you are connecting from another Windows 7 machine (or, presumably, Windows 2008 R2) and the firewall on the target machine is configured by group policy with the “Allow inbound remote administration exception” setting enabled.
The cause: the group policy setting configures one of the relevant firewall rules incorrectly. The “Remote Administration (RPC)” rule is set to apply to svchost.exe instead of services.exe. My best guess is that this is a bug in the Windows 7 group policy client.
The problem can be worked around by turning on an appropriate rule locally on the affected clients. If you are using the GUI, turning on the “Remote Service Management” exception will solve the problem. From the command line:
netsh advfirewall firewall set rule name="Remote Service Management (RPC)" profile=domain new enable=yes
Note this is all a single line, but I have split it for readability. You could use group policy to include this command in a startup script, or run it remotely for each machine using psexec. It only needs to be run once on each machine. Note that the command-line version only enables one of the rules associated with the “Remote Service Management” exception, but if you have the above-mentioned group policy exception defined the other necessary rules are already present.
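A check for the condition described above, as an added example (not part of the original post): it parses saved output of netsh advfirewall firewall show rule name=all verbose and reports whether an enabled inbound RPC rule actually covers services.exe on the domain profile. The sample text is constructed, and it is an assumption that the policy-generated rule appears in this output with the field layout shown.

```python
import re

# Constructed sample in the layout of
# `netsh advfirewall firewall show rule name=all verbose` (not captured from a real host).
SAMPLE = """\
Rule Name:                            Remote Administration (RPC)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
LocalPort:                            RPC
Program:                              %SystemRoot%\\system32\\svchost.exe
Action:                               Allow

Rule Name:                            Remote Service Management (RPC)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Domain
LocalPort:                            RPC
Program:                              %SystemRoot%\\system32\\services.exe
Action:                               Allow
"""

def parse_rules(text):
    """Split netsh output into one dict per rule, keyed by field name."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s+(.*\S)\s*$", line)
        if not m:
            continue  # separator or blank line
        key, value = m.group(1).strip(), m.group(2)
        if key == "Rule Name":
            rules.append({})  # a new rule block starts here
        if rules:
            rules[-1][key] = value
    return rules

def scm_rpc_reachable(rules, profile="domain"):
    """True if an enabled inbound allow RPC rule covers services.exe on the profile."""
    for r in rules:
        profiles = [p.strip().lower() for p in r.get("Profiles", "").split(",")]
        prog = r.get("Program", "").lower()
        if (r.get("Enabled") == "Yes" and r.get("Direction") == "In"
                and r.get("Action") == "Allow" and r.get("LocalPort") == "RPC"
                and profile in profiles
                and (prog == "any" or prog.endswith("\\services.exe"))):
            return True
    return False
```

With the sample as given, the enabled policy rule is bound to svchost.exe, so scm_rpc_reachable(parse_rules(SAMPLE)) is False; once the workaround rule is enabled it becomes True.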
Hope this helps.