
Re: Changing Default Dynamic WMI Ports to Static Specific Ports Windows 2012 Servers


The first thing to be aware of is that if your target systems are all running Windows operating systems, then there is no need to configure ports on the Windows Firewall; you simply need to enable the three rules contained in the Windows Management Instrumentation (WMI) ruleset.


If you're using a third-party host firewall on those systems, determine if that firewall allows you to build rules similar to the three rules in the Windows Firewall.

 

If you have no other choice but to restrict the ports used, Microsoft KB154596 describes how to restrict the RPC ports assigned by the Endpoint Mapper. That KB article also contains other references with advanced information that may be of interest. In short, these are the steps required:

Open the Registry Editor (you'll need to use REGEDT32.EXE) and navigate to HKLM\Software\Microsoft\Rpc

Create a new registry KEY named "Internet" as a subkey of "Rpc"

Create three new VALUES in the "Internet" key

  • "Ports" as REG_MULTI_SZ
  • "PortsInternetAvailable" as REG_SZ
  • "UseInternetPorts" as REG_SZ

In the "Ports" value define the port, list of ports, or range of ports

Set "PortsInternetAvailable" and "UseInternetPorts" to 'Y' to enable the use of the ports listed in the "Ports" value.

 

Configuring this across a large number of clients will be better served by defining a Group Policy template.

 

Alternately, you can also use the RPC Configuration Tool from the Windows 2000 Resource Kit to configure the port range. This could be scripted in a power-on script.

 

Yet another way to approach this, for Vista and later systems (not available for XP/2003), is to run WMI in a dedicated service host with a static port. WMI is configured using the winmgmt command line arguments, specifically the /standalonehost argument. By default, then, WMI will run on port 24158. You can change this port assignment by using Dcomcnfg.exe. These would only need to be run one time on each host, perhaps as part of the system deployment tasks.

