Change SP2 firewall profile from CLI


Jeff Vandervoort

Windows XP SP2 client in SBS2003 SP1 domain. XP client firewall settings set
by GPO.

When the computer is connected to the SBS network, and logged on to with the
Administrator account, NETSH help leads me to believe that the command...
netsh firewall set opmode mode = enable profile = standard
...should change the firewall profile from Domain to Standard.

And when I issue the command, NETSH responds with "Ok." as though it's
actually done something useful. Yet this command...
netsh firewall show opmode
...shows that the Domain profile remains the current profile.

I've also tried it with a Scheduled Task that runs in the SYSTEM account,
with the same result.

In the GPO, "Windows Firewall: Protect all network connections" is set to
Not Configured for both profiles. I can enable and disable the firewall from
the NETSH command line, just can't switch profiles.

What's up with that?
 

Steven L Umbach

Hi Jeff.

My understanding is that unless you specify a profile the default profile is
used for the option you set in set opmode mode and is not to change mode.
The possibilities are current, standard, domain, and all. So I suspect that
your command is actually setting the Windows Firewall to be enabled in the
standard profile. As far as I know the profile used can only be determined
on whether or not the operating system detects a domain controller for its
domain on the network it is connected to, and it is supposed to be
periodically determined by the network location awareness service.

Steve
 

Jeff Vandervoort

OK, I guess that makes sense. Thanks.

What doesn't make sense is that if this is by design, it's a lousy design!
It only gives me the choice of enabling or disabling the firewall for my VPN
clients after logon to allow remote admin, instead of just allowing specific
exceptions. It's all or nothing.

--
Jeff Vandervoort
JRVsystems
Steven L Umbach said:
Hi Jeff.

My understanding is that unless you specify a profile the default profile
is used for the option you set in set opmode mode and is not to change
mode. The possibilities are current, standard, domain, and all. So I
suspect that your command is actually setting the Windows Firewall to be
enabled in the standard profile. As far as I know the profile used can
only be determined on whether or not the operating system detects a domain
controller for its domain on the network it is connected to, and it is
supposed to be periodically determined by the network location
awareness service.

Steve
 

Steven L Umbach

You could try configuring the standard profile with the exceptions you need
such as for remote admin only from your subnet or admin workstation IPs.

Steve


Jeff Vandervoort said:
OK, I guess that makes sense. Thanks.

What doesn't make sense is that if this is by design, it's a lousy design!
It only gives me the choice of enabling or disabling the firewall for my
VPN clients after logon to allow remote admin, instead of just allowing
specific exceptions. It's all or nothing.
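
Steve's suggestion above (scoped exceptions in the Standard profile), written out as an added example that is not part of the original thread. The subnet and workstation address are constructed placeholders; substitute your own admin network.

```bat
@echo off
rem Added example, not from the thread. Run as a local administrator on XP SP2.
rem ADMIN_SCOPE is a constructed placeholder: one admin subnet plus one admin workstation.
set ADMIN_SCOPE=192.168.16.0/255.255.255.0,192.168.16.10

rem "profile = standard" selects which profile's stored settings are edited.
rem It does not switch the active profile; Windows picks Domain or Standard
rem on its own, based on whether it detects the domain on the connected network.

rem Keep the firewall on in the Standard profile, with exceptions permitted.
netsh firewall set opmode mode = enable exceptions = enable profile = standard

rem Allow remote administration in the Standard profile only from ADMIN_SCOPE,
rem instead of turning the firewall off for the whole connection.
netsh firewall set service type = remoteadmin mode = enable scope = custom addresses = %ADMIN_SCOPE% profile = standard

rem Review the result: operational mode per profile, service exceptions, current state.
rem Values enforced by Group Policy take precedence over these local settings.
netsh firewall show opmode
netsh firewall show service
netsh firewall show state
```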
 
