Questions About Windows Firewall and Domain Policy Enforcement

Leo Alls

I have a Windows 2000 domain that has 200 workstations most of which are
still only running XP w/SP1. We haven't been able to move everyone to SP2
because of the problems that have arisen.

Problem 1: 90% of the workstations need to have the firewalls activated
because of the way they travel around and the networks that they are subject
to attach to.

Problem 2: The workstations need to be able to be managed on all the
workstations when they are connected to the domain.

Problem 3: If we enable the firewall locally on the workstations then the
domain policies do not override the local setting.

Problem 4: If we disable the firewall settings locally then the domain
policy Domain Profile settings take over and function properly as long as
there is no Standard Profile configured. If you created a Standard Profile
in the policy then it applies that setting over the Domain Profile. This
problem doesn't matter whether you are on the domain network or not.

Question 1: Is there a way to enforce the domain policy firewall settings
even if the firewall was activated locally?

Question 2: Is there a way to enforce the Domain Profile to work over the
Standard Profile when connected to the domain and the Standard to be the
default when not connected to the domain?

TIA,
Leo
 
Benjamin Gay [MSFT]

Hi Leo,
Can you please provide me with more detail with what you mean by connecting
to the domain? Are you saying that the machines are always joined to your
domain (i.e. the computer belongs to your domain) but happen to connect to
other networks? Also can you provide me with a bit more information on how
they connect to your domain (i.e. are they wired, wireless, VPN etc)?

As I'm sure you are aware there are several ways that your users can
configure the firewall, namely group policy, net shell scripts, manual
configuration and through an application using the relevant firewall
configuration APIs.

Let me see if I can answer your questions now:

1. You should enable the firewall on all your machines. Create exemptions
based on your applications requirements. For example file and print etc.

2. You can do this through group policy or a login script. Group policy
would probably be the better way to go. You can force policy by performing a
gpupdate /force

3. I'm not quite sure what you are saying here. Can you please explain in
more detail.

4. What do you mean by disable the firewall locally? Are you stopping the
sharedaccess service or setting the operation mode of the firewall? Please
provide me with some more information on how this machine is configured.

Q1. Group policy overrides local policy. Please explain what you mean by
activating locally.

Q2. This should be happening. If you can give me some more information on
this I can help diagnose what is happening.

Regards
 
lforbes

bengay said:
Hi Leo,
Can you please provide me with more detail with what you mean by connecting
to the domain? Are you saying that the machines are always joined to your
domain (i.e. the computer belongs to your domain) but happen to connect to
other networks? Also can you provide me with a bit more information on how
they connect to your domain (i.e. are they wired, wireless, VPN etc)?

As I'm sure you are aware there are several ways that your users can
configure the firewall, namely group policy, net shell scripts, manual
configuration and through an application using the relevant firewall
configuration APIs.

Let me see if I can answer your questions now:

1. You should enable the firewall on all your machines. Create exemptions
based on your applications requirements. For example file and print etc.

2. You can do this through group policy or a login script. Group policy
would probably be the better way to go. You can force policy by performing a
gpupdate /force

3. I'm not quite sure what you are saying here. Can you please explain in
more detail.

4. What do you mean by disable the firewall locally? Are you stopping the
sharedaccess service or setting the operation mode of the firewall? Please
provide me with some more information on how this machine is configured.

Q1. Group policy overrides local policy. Please explain what you mean by
activating locally.

Q2. This should be happening. If you can give me some more information on
this I can help diagnose what is happening.

Regards

--

Benjamin Gay
Microsoft Corporation

Hi,

There are new .adm files with Windows XP SP2. Copy them from the
windows\inf folder on your xp SP2 machine to the windows\inf folders
on your servers. Now when you run group policy under the Computer
Configuration Admin - Networks you will see a Windows Firewall group
policy. You can set a lot of settings here. I don’t use the firewall
but someone posted here recently about how to set it up. Look back at
the previous posts. It wasn’t that long ago.

Cheers,

Lara
 
Leo Alls

I have a Windows 2000 domain that has 200 workstations most of which are
still only running XP w/SP1. We haven't been able to move everyone to SP2
because of the problems that have arisen when trying to apply firewall
settings through domain GPO (Some issues came up this week and we were
forced to install SP2 on about 70 XP workstations).

Problem 1: 90% of the workstations need to have the firewalls activated
because of the way the users travel around and the networks that they are
subject to attach their laptop to. Our users travel all over the state and
have requirements forcing them to get on networks that do not belong to our
office. Users access the office through hardware VPN tunnels normally and
are authenticated to the domain. There may be times that a user will have to
connect without the hardware VPN device and will then be required to make a
software tunnel on one of these uncontrolled networks.

Problem 2: All the workstations have software that will need to be managed
on all the workstations when they are connected to the domain. (Anti-Virus
Updates push, Software Inventory pull).

Problem 3: If we enable the firewall on the workstations then the domain
policies do not override the local setting (we tried to take the default
SP2 settings on firewall activation).

Problem 4: If we disable the firewall settings on the workstation then the
domain policy Domain Profile settings take over and function properly as
long as there is no Standard Profile configured. If you created a Standard
Profile in the policy then it applies that setting over the Domain Profile.
This problem doesn't matter whether you are on the domain network or not.
After checking further this may or may not be true. It worked for a while
and after I added the standard profile the domain profile quit working. Once
I reset the standard settings back to not configured the domain settings
were not detected. The command "netsh firewall show state" displays the info
below:
Profile = Standard
Operational Mode = Disable
Exception Mode = Enable
Multicast/Broadcast Response Mode = Enable
Notification Mode = Enable
Group Policy Version = Windows Firewall
Remote Admin Mode = Disable

Question 1: Is there a way to enforce the domain policy firewall settings
even if the firewall was activated on the workstation by a default install
of SP2? I've already applied the ADM files to all DCs and I've made the
settings that I want in the GPO, but I can not get them to work properly.

Question 2: Is there a way to enforce the Domain Profile to work over the
Standard Profile when connected to the domain and the Standard to be the
default when not connected to the domain?

Question 3: What am I missing here. Everyone authenticates to the DCs fine.
All the computers that I am trying to manage are domain authorized computers
and can be accessed from all DCs.

TIA,
Leo
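The listing Leo pasted is the one piece of hard evidence in this thread, so a small audit script for it is worth having. This is an added example, not code from the thread or from Microsoft: it parses the "Key = Value" output of `netsh firewall show state` and compares it with the state the poster says he wants (Domain profile active on the corporate network, Standard profile elsewhere, firewall on in both cases). The sample output is a constructed copy of the posted listing, and the expected-state table is an assumption about the intended policy.

```python
"""Audit `netsh firewall show state` (Windows XP SP2) output against the
profile / operational-mode combination expected for the current network.
Added example, not the thread's own code.  SAMPLE_STATE is a constructed
copy of the listing posted in the thread; EXPECTED is an assumption about
the poster's intended policy (firewall always on, Domain profile on the
corporate LAN/VPN, Standard profile on uncontrolled networks)."""

SAMPLE_STATE = """\
Profile = Standard
Operational Mode = Disable
Exception Mode = Enable
Multicast/Broadcast Response Mode = Enable
Notification Mode = Enable
Group Policy Version = Windows Firewall
Remote Admin Mode = Disable
"""

# on_domain_network -> the settings that should be in force there
EXPECTED = {
    True:  {"Profile": "Domain",   "Operational Mode": "Enable"},
    False: {"Profile": "Standard", "Operational Mode": "Enable"},
}


def parse_state(text):
    """Turn the 'Key = Value' lines into a dict; lines without '=' are skipped."""
    state = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        state[key.strip()] = value.strip()
    return state


def audit_state(text, on_domain_network):
    """Return a list of findings (empty list == compliant for that network)."""
    state = parse_state(text)
    findings = []
    for key, want in EXPECTED[on_domain_network].items():
        got = state.get(key, "<missing>")
        if got != want:
            findings.append("%s is %r, expected %r" % (key, got, want))
    return findings


if __name__ == "__main__":
    # The posted listing was taken while joined to the domain, so audit it as such.
    for finding in audit_state(SAMPLE_STATE, on_domain_network=True):
        print("FINDING:", finding)
    print("Group Policy Version:", parse_state(SAMPLE_STATE).get("Group Policy Version"))
```

Run on the workstation with the real command output piped in (or the text saved to a file) and the two findings for the posted listing show exactly what the thread describes: the Standard profile is active and the firewall is off even though the machine is on the domain.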
 
Phillip Windell

Leo Alls said:
I have a Windows 2000 domain that has 200 workstations most of which are
still only running XP w/SP1. We haven't been able to move everyone to SP2
because of the problems that have arisen when trying to apply firewall

It can be configured to activate the Firewall when the machines are not on
the local network, but when they are on the local network the Firewall is
deactivated.

Deploying Windows Firewall Settings for Microsoft Windows XP with Service
Pack 2: Using Group Policy
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/wfsp2wgp.mspx
 
