override domain policy?

Dave

Is it possible to override a domain policy as a local admin? If so, how?
Our domain admins have set XP SP2's firewall to always disabled because they
'think' it is causing problems on the network... However, I will be on the
road for a week and want the firewall on when I connect to hotel or airport
connections. As local admin on the laptop, can I override that setting? If
I remove the machine from the domain (yes, I know what this does to trusts
and domain accounts, and it doesn't affect what I need the machine for), will
that automatically remove the policy, or would I still have to do something?
 
Malke

Dave said:
Is it possible to override a domain policy as a local admin? If so,
how? Our domain admins have set XP SP2's firewall to always disabled
because they 'think' it is causing problems on the network... However,
I will be on the road for a week and want the firewall on when I
connect to hotel or airport
connections. As local admin on the laptop, can I override that
setting? If I remove the machine from the domain (yes, I know what
this does to trusts and domain accounts, and it doesn't affect what I
need the machine for), will that automatically remove the policy, or
would I still have to do something?

Check with your sysadmins to see how they want to handle this.

Malke
 
Dave

Malke said:
Check with your sysadmins to see how they want to handle this.

I got their answer... They do not 'recommend' installing a firewall at this
time because they 'think' it causes connectivity problems. However, they
don't travel and just worry about keeping the company LAN safe. I have seen
what can happen when an unfirewalled machine is connected to the internet
and do not want to risk that when I need the computer on the road. I am
free to go get my own 3rd party firewall if I want, but I would rather use
the Windows firewall.
 
Dave

OK, I found the registry keys to turn the firewall back on despite the
policy setting. I will have to instruct those admins about the difference in
domain and standard settings, I think; that may help reduce their opposition.
Just to make sure I have it right: the domain setting applies when I am
connected on the domain's network, and the 'standard' setting applies when I
am not plugged in there, correct? That is what I think I am seeing, but the
only option I have here right now is the LAN ethernet or an internet dialup
connection. One thing I don't know is, will my edit of the registry keys be
overwritten by the next policy update?
 
Lanwench [MVP - Exchange]

Dave said:
I got their answer... They do not 'recommend' installing a firewall
at this time because they 'think' it causes connectivity problems.
However, they don't travel and just worry about keeping the company
LAN safe. I have seen what can happen when an unfirewalled machine is
connected to the internet and do not want to risk that when I need
the computer on the road. I am free to go get my own 3rd party
firewall if I want, but I would rather use the Windows firewall.

They're being silly. Ask them to set up a group policy so that the firewalls
are disabled when on the LAN, and enabled when not - or exclude your
computer from this policy so that you can enable it when on the LAN (with
exceptions set up so they can still manage the computer when on the local
subnet of your network in the office). You do need a firewall when you're on
an unprotected network, absolutely.
 
Lanwench [MVP - Exchange]

Dave said:
OK, I found the registry keys to turn the firewall back on despite the
policy setting. I will have to instruct those admins about the
difference in domain and standard settings, I think; that may help
reduce their opposition. Just to make sure I have it right: the
domain setting applies when I am connected on the domain's network,
and the 'standard' setting applies when I am not plugged in there,
correct? That is what I think I am seeing, but the only option I have
here right now is the LAN ethernet or an internet dialup connection.
One thing I don't know is, will my edit of the registry keys be
overwritten by the next policy update?

Probably.
 
Esteven1

You seem to be sure of yourself and your computing ability, yet you
want to use the inferior and 'blanket' protection of Windows Firewall?
Even the free alternatives are a much better alternative to Windows
Firewall, especially for users who are savvy enough to figure out their
configuration. Essentially you should talk to the admins and see about
setting your mobile PC to change the settings when you remove yourself
from the domain. Once you do this, you should be able to manually turn
it on via the standard way, especially since you already have registry
access.

-Eric
 
Torgeir Bakken (MVP)

Dave said:
OK, I found the registry keys to turn the firewall back on despite the
policy setting. I will have to instruct those admins about the difference in
domain and standard settings, I think; that may help reduce their opposition.
Just to make sure I have it right: the domain setting applies when I am
connected on the domain's network, and the 'standard' setting applies when I
am not plugged in there, correct?

Hi

Here is how the SP2 firewall determines if it is to activate
the domain or standard profile:

If the DNS name recorded by the last-received Group Policy update matches
any of the connection-specific DNS suffixes of the currently connected
connections (not PPP or SLIP-based) on the computer, the firewall's
domain settings will be used. There is no way to change this
behavior.

From
The Cable Guy - May 2004
Network Determination Behavior for Network-Related Group Policy Settings
http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

<quote>
To apply this behavior to Windows Firewall settings:

- If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based (such as
an Ethernet or 802.11 wireless network adapter) matches the value
of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group
Policy\History\NetworkName registry entry, Windows Firewall uses
the domain profile.

- If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based does not
match the value of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group
Policy\History\NetworkName registry entry, Windows Firewall uses
the standard profile.

You can determine the connection-specific DNS suffixes of the
currently connected connections on the computer from the display
of the ipconfig command issued from a command prompt.

</quote>

Read the Cable Guy article for more about this.
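As an added example (not part of the original thread, the Cable Guy article, or any Microsoft tool), the PowerShell script below applies the profile-selection rule quoted above on the machine itself and also answers Dave's earlier question about whether his registry edit survives the next policy refresh. It reads the NetworkName value, collects the connection-specific DNS suffixes of the IP-enabled, non-dial-up adapters, decides which profile Windows Firewall will use, and then prints the EnableFirewall value from both the Group Policy hive (HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall) and the local hive (HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy) for each profile. Assumptions: the script runs as a local administrator on an XP SP2 box that has PowerShell installed (it did not ship with XP), and dial-up links are recognised by the "WAN (PPP/SLIP) Interface" adapter description, which is a heuristic rather than something the article specifies.

```powershell
# Added example, not from the original thread: report which Windows Firewall
# profile XP SP2 will pick, and where its EnableFirewall value is coming from.
# Assumes: local admin rights, PowerShell installed on the XP SP2 machine.

$histKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$networkName = (Get-ItemProperty -Path $histKey -Name NetworkName `
                -ErrorAction SilentlyContinue).NetworkName

# Connection-specific DNS suffixes of connected adapters, as ipconfig shows them.
# Assumption: XP reports an active dial-up link as "WAN (PPP/SLIP) Interface";
# those are excluded because the rule only considers non-PPP/SLIP connections.
$suffixes = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.Description -notmatch 'PPP|SLIP' -and $_.DNSDomain } |
    ForEach-Object { $_.DNSDomain }

$matched = $false
if ($networkName) {
    $matched = [bool]($suffixes | Where-Object { $_ -ieq $networkName })
}
$fwProfile = if ($matched) { 'DomainProfile' } else { 'StandardProfile' }

Write-Host "Group Policy NetworkName : $networkName"
Write-Host "Connection DNS suffixes  : $($suffixes -join ', ')"
Write-Host "Profile Windows Firewall uses: $fwProfile"
Write-Host ''

# Policy values are written by Group Policy and re-applied at every refresh,
# so they take precedence over (and will silently revert) any local edit.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

foreach ($p in 'DomainProfile', 'StandardProfile') {
    $pol = (Get-ItemProperty -Path "$policyRoot\$p" -Name EnableFirewall `
            -ErrorAction SilentlyContinue).EnableFirewall
    $loc = (Get-ItemProperty -Path "$localRoot\$p" -Name EnableFirewall `
            -ErrorAction SilentlyContinue).EnableFirewall

    $effective = if ($null -ne $pol) {
        "$pol (set by Group Policy; a local edit will be overwritten at the next refresh)"
    } elseif ($null -ne $loc) {
        "$loc (local setting; no policy value present)"
    } else {
        'not configured (Windows Firewall default applies)'
    }

    $marker = if ($p -eq $fwProfile) { '<- active' } else { '' }
    Write-Host "$p $marker"
    Write-Host "  policy EnableFirewall : $pol"
    Write-Host "  local  EnableFirewall : $loc"
    Write-Host "  effective             : $effective"
}
```

On XP SP2 itself, `netsh firewall show state` reports the profile the firewall has actually selected, so its "Profile =" line is the quick cross-check for what the script computes. A non-empty policy value for the active profile is the concrete sign that an edit made under the local FirewallPolicy key will not survive the next Group Policy refresh, which is what makes the "exclude this machine from the policy, or set the standard profile differently" route the only durable one while the laptop stays domain-joined.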
 
Admiral Q

If the computer belongs to your employer, and your employer is enforcing
a specific policy (regardless of whether you agree or disagree), and any
damage done is through no fault of your own, and those same admins will have
to recover the PC/laptop, and after a few times their management sees time
wasted recovering PCs because they were not firewalled off the LAN, then
Group aka Company policy will change.
Also, in most companies, hacking the registry as you have, to contradict
the company policy, is a "termination" offense. Again, whether "you" think it
is good policy or not is not the issue; the issue is that you hacked your
employer's PC and changed or went against Group aka Company Policy, which
almost all employees agree to abide by when they are hired. Yes, it has
already been tried in many small courts and unemployment hearings: Group
Policy on PCs/laptops is the same as "Company Policy", considered just as
serious as "sexual harassment", "stealing", "fraternization", etc. if you
violate it.

--
Star Fleet Admiral Q @ your service!
"Google is your Friend!"
www.google.com

***********************************************
 
Dave

Yeah, right. I wish they would recover the laptop for me. I just spent 12
hours feeding it CDs because one of their mandatory upgrades hosed the
network setup on it and they couldn't figure out how to fix it. They don't
even require that I put it on the domain; I did that just to make login to
mail and shared drives a bit easier, something I will rarely use this
machine for anyway. Their 'policy' is that they don't want the Windows
firewall used because they 'think' it is causing unspecified connectivity
problems, and they 'don't recommend' installing a firewall. Yeah, really
great 'policy'. I already have my own computer lab of non-domain machines
and take care of some project-specific non-domain servers at this site, which
the managers here are very happy with. If the HQ IT people tried to get me
fired over something like this, they would probably be the ones to hit the
road.
 
Lanwench [MVP - Exchange]

Dave said:
Yeah, right. I wish they would recover the laptop for me. I just
spent 12 hours feeding it CDs because one of their mandatory
upgrades hosed the network setup on it and they couldn't figure out
how to fix it. They don't even require that I put it on the domain;
I did that just to make login to mail and shared drives a bit easier,
something I will rarely use this machine for anyway. Their 'policy'
is that they don't want the Windows firewall used because they 'think'
it is causing unspecified connectivity problems, and they 'don't
recommend' installing a firewall. Yeah, really great 'policy'. I
already have my own computer lab of non-domain machines and take care
of some project-specific non-domain servers at this site, which the
managers here are very happy with. If the HQ IT people tried to get
me fired over something like this, they would probably be the ones to
hit the road.

Sounds like you don't get much in the way of decent tech support. Won't
speculate as to the reason, but perhaps you should make it known to
management (in writing!).
 