Vista Firewall - Domain Profile problems

Maeliosa

I understand how the Vista profiles work. However, I have issues with
this because on our domain I am not able to fully manage Vista
clients. Here's why:

In order for Vista to use the Domain Profile for the Firewall, every
active network connection on the PC must be authenticated to the
domain. If there are any other active network connections where the
network type is not "Domain" then the firewall profile "Public" is set
as active, and the machine cannot be communicated with.

I WANT the public profile to stay the way it is. This is safe because
when they take their machines away from the office, they are protected
automatically. However while in the office this causes many issues.
Our machines need to be FULLY managed. This means we need to be able
to ping and file share (for hidden admin shares); we use SMS, antivirus
management tools, etc. So there are many firewall exceptions
defined on the Domain Profile using Group Policy.

Here's the issue:

Some machines have wireless cards. Well, I have yet to find a way to
disable wireless cards automatically when they can connect to the
domain. If we can't do it automatically, then it isn't fully
manageable and our users can exploit the fact that they can make their
machine "invisible" on our network, except that we know they are
getting an IP through DHCP. This is bad.

And wireless cards aren't the end of it. Anyone that has any other
type of network adapter, like the virtual adapters VMWare installs, is
affected too: those are always an active connection. And that connection is
classified as "unidentified network" - which means anyone with VMWare
installed on their machine will always use the public profile, unless
they manually disable all the VMWare adapters.

The Vista firewall is powerful, but it is not ideal for computers that
are used on the domain because of these reasons. For security reasons,
if a computer is not fully manageable while on your domain, or if a
user can block you, the administrators of the domain, from having full
control of their domain computer, then that is a huge security risk.
The point of domain machines is that they are in a controlled
environment. Automatically applying the public profile to a domain
machine while it is on the domain, simply because it has other network
adapters, causes the machine to be authenticated to the domain, yet
the domain has no authority over that machine except when manual
intervention is used. This is very, very bad. Did no one think of
this when designing the firewall profiles? I expect to see more
people either disabling the Vista firewall completely, or putting
exceptions in their public profile to work around these issues, thereby
making the Vista firewall moot anyways.


If anyone knows how to address these issues in an AUTOMATED way -
meaning I can centrally control this and don't rely on manual
intervention on the clients (for security reasons we don't rely on the
users to configure their machines) - please respond. Taking away the
user's admin rights now is not enough. Now we have to figure out some
way to make sure the Vista machines are manageable without the user
simply turning on their wireless card to block admins from controlling
their machines. So far I have found no ideal solution without
loosening the public profile settings - I might as well just disable
the firewall feature completely and cross my fingers eh?
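The profile-selection rule described in the post above (one active non-domain connection and the whole machine drops out of the Domain profile) can at least be detected centrally rather than discovered when remote management fails. The PowerShell script below is an added example and is not code posted in this thread; it uses two COM interfaces that ship with Vista and later, the Windows Firewall policy object (HNetCfg.FwPolicy2, INetFwPolicy2) and the Network List Manager, to report which firewall profiles are currently active, list every connected network with the category NLA assigned to it, and write an Application event-log warning when a domain-joined host is not using the Domain profile. The CLSID, the profile bit values and the category values are the documented Windows ones; the event source name FirewallProfileCheck and event ID 1001 are assumed values chosen for the example.

```powershell
# Added example, not code from this thread. Run elevated (e.g. as a GPO
# startup script or scheduled task) so the event-log source can be created.

# NET_FW_PROFILE_TYPE2 bit values from the Windows Firewall with Advanced Security API
$FW_DOMAIN  = 1
$FW_PRIVATE = 2
$FW_PUBLIC  = 4

# NLM_NETWORK_CATEGORY values from the Network List Manager API
$categoryNames = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'DomainAuthenticated' }

# Which firewall profile(s) are active right now (bitmask; Vista picks the
# most restrictive profile for the whole host, so usually a single bit).
$fwPolicy = New-Object -ComObject HNetCfg.FwPolicy2
$active   = [int]$fwPolicy.CurrentProfileTypes
$activeNames = @()
if ($active -band $FW_DOMAIN)  { $activeNames += 'Domain' }
if ($active -band $FW_PRIVATE) { $activeNames += 'Private' }
if ($active -band $FW_PUBLIC)  { $activeNames += 'Public' }

# Every currently connected network with the category NLA assigned to it.
# NLM_ENUM_NETWORK_CONNECTED = 1.
$nlmClsid = [Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}'
$nlm = [Activator]::CreateInstance([Type]::GetTypeFromCLSID($nlmClsid))

$lines = @('Active firewall profile(s): ' + [string]::Join(', ', $activeNames))
$nonDomain = 0
foreach ($net in $nlm.GetNetworks(1)) {
    $cat  = [int]$net.GetCategory()
    $line = '  ' + $net.GetName() + ' : ' + $categoryNames[$cat]
    if ($cat -ne 2) {
        # This is the kind of connection the thread describes: one non-domain
        # network (wireless, VMware virtual adapter, ...) and the host is
        # pulled into a more restrictive profile.
        $line += '   <-- non-domain connection'
        $nonDomain++
    }
    $lines += $line
}
$message = [string]::Join([Environment]::NewLine, $lines)

# Only a domain-joined host that has lost the Domain profile is a finding.
$domainJoined = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
if ($domainJoined -and (($active -band $FW_DOMAIN) -eq 0)) {
    $source = 'FirewallProfileCheck'   # assumed source name for this example
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        [System.Diagnostics.EventLog]::CreateEventSource($source, 'Application')
    }
    [System.Diagnostics.EventLog]::WriteEntry($source,
        ('Domain-joined host is not using the Domain firewall profile (' +
         $nonDomain + ' non-domain connection(s) active).' +
         [Environment]::NewLine + $message),
        [System.Diagnostics.EventLogEntryType]::Warning, 1001)   # assumed event ID
}
Write-Output $message
```

Because the result goes to the Application log rather than to the console, the finding survives even when the host is unreachable over the network: forward the event with event-log collection or your management agent and you get a list of domain machines currently sitting in the Public profile, together with the network that caused it. The script only detects the condition; what to do about the offending adapter is a separate policy decision.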
 
Maeliosa

Is there anyone out there that has a solution for this? This is a
serious problem with security in our business with Vista.
 
ThePro

Maeliosa said:
Is there anyone out there that has a solution for this? This is a
serious problem with security in our business with Vista.

We have some Vista laptops on the network and I do not have any problems
with remote admin. All the "others" connections (VPN, modem, etc.) are
"disconnected" when they are at the office so I guess they use the domain
profile.

Could you explain the steps to reproduce the problem you have?

Thanks.

ThePro
 
Maeliosa

Yes. My point is that I need to be sure that I can manage computers
that are in my domain. Right now all a user has to do to block me
from remotely managing a Vista box, is make one of their public
connections active. This is easy to do with products like VMWare,
that install virtual network adapters and need no physical connection
to be active. Once the adapter is active, the firewall profile
switches to public, blocking all traffic that I need to manage the
OS. Essentially, the user becomes invisible to us, except that we can
see it in log files. We just can't support them remotely. Wifi
connections have the same issue. We're left only to rely on the user
to disable their connection, know how to do that, and be honest enough
to do it. But that doesn't stop a malicious user.

This is a very bad thing. And it is ironic how the Windows Firewall
can be exploited like this to break one of the rules of security: to
be able to manage the resources on your domain. I know I can disable
it, but if I do that then they have no firewall if they connect the
laptop to a public network, and that also is a security risk. I'm in
what seems like a catch-22 situation. I suspect when people catch on
to this it will be a bigger problem than just where I work.

Does anyone know how to solve this problem, am I somehow missing
something, or does Microsoft need to be notified?
 
Maeliosa

I guess no one has anything to offer up on this? Maybe no one wants
to read so much?

To sum it up: Vista Firewall is broken. If you want the details, read
the rest. Now does anyone out there know of anything to help me out
here?
 
