SP2 firewall Domain & Standard GPO settings?

Guest

All,

I have been searching around for a bit, and am looking to understand exactly
how I can take advantage of the SP2 firewall GPO settings - specifically the
Domain and Standard Profile settings.

If I have a bunch of salespeople with laptops, and I set a GPO as follows:

DOMAIN PROFILE
WF: Protect all network connections: Enabled
WF: Allow remote admin exception: Enabled
STANDARD PROFILE
WF: Protect all network connections: Enabled

Is this saying that when the Salespeople are at our office & plugged into
our network that the firewall will be enabled and will allow remote admin
connections - but when they are offsite (at home, at a client, etc.) the
firewall will be on with no exceptions?

Thanks in advance...

David
 
Torgeir Bakken (MVP)

David said:
I have been searching around for a bit, and am looking to understand exactly
how I can take advantage of the SP2 firewall GPO settings - specifically the
Domain and Standard Profile settings.

If I have a bunch of salespeople with laptops, and I set a GPO as follows:

DOMAIN PROFILE
WF: Protect all network connections: Enabled
WF: Allow remote admin exception: Enabled
STANDARD PROFILE
WF: Protect all network connections: Enabled

Is this saying that when the Salespeople are at our office & plugged into
our network that the firewall will be enabled and will allow remote admin
connections - but when they are offsite (at home, at a client, etc.) the
firewall will be on with no exceptions?

Hi,

Yes, that is correct.

Note that in some cases the Standard Profile will be used even
if the computers are connected to the domain. This will happen
if the last-received Group Policy update DNS name does not match any
of the connection-specific DNS suffixes of the currently connected
connections on the computer. In this case, the non-domain settings
will be used.

From
The Cable Guy - May 2004
Network Determination Behavior for Network-Related Group Policy Settings
http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

<quote>
To apply this behavior to Windows Firewall settings:

- If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based (such as
an Ethernet or 802.11 wireless network adapter) matches the value
of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
registry entry, Windows Firewall uses the domain profile.

- If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based does not
match the value of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
registry entry, Windows Firewall uses the standard profile.

You can determine the connection-specific DNS suffixes of the
currently connected connections on the computer from the display
of the ipconfig command issued from a command prompt.

</quote>

Read the Cable Guy article for more about this.
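
The profile decision quoted above, as an added example that is not part of the original post or of the Cable Guy article: it parses `ipconfig` output and applies the any-match rule, with the NetworkName registry value passed in as an argument. The sample output, the `example.com`/`example.net` names, both function names, the case-insensitive comparison and the handling of an empty NetworkName are assumptions made for illustration.

```python
import re

# Constructed sample of XP-style `ipconfig` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : hotel.example.net
        IP Address. . . . . . . . . . . . : 192.168.1.23

PPP adapter Corp VPN:

        Connection-specific DNS Suffix  . : corp.example.com
        IP Address. . . . . . . . . . . . : 10.8.0.14
"""

HEADER = re.compile(r"^(\S+) adapter (.+):\s*$")
SUFFIX = re.compile(r"^\s+Connection-specific DNS Suffix[ .]*:\s*(\S*)\s*$")

def parse_connections(text):
    """Return one dict per adapter block: type, name, suffix, connected."""
    conns = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            conns.append({"type": m.group(1), "name": m.group(2),
                          "suffix": "", "connected": True})
        elif conns and "Media disconnected" in line:
            conns[-1]["connected"] = False
        elif conns and (s := SUFFIX.match(line)):
            conns[-1]["suffix"] = s.group(1)
    return conns

def firewall_profile(ipconfig_text, network_name):
    """'domain' if any connected non-PPP/SLIP suffix equals NetworkName, else 'standard'."""
    # Assumptions: compare case-insensitively; an empty NetworkName never matches.
    want = network_name.strip().rstrip(".").lower()
    for c in parse_connections(ipconfig_text):
        if not c["connected"] or c["type"].upper() in ("PPP", "SLIP"):
            continue  # the quoted rule only considers non-PPP/SLIP connections
        if want and c["suffix"].rstrip(".").lower() == want:
            return "domain"
    return "standard"
```

In the constructed sample the laptop is on a hotel network with a PPP VPN back to the office, so the only matching suffix is on an excluded adapter and the standard profile applies.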
 
Guest

I appreciate the response!

I am sure I will find out for myself, but once I apply these settings to the
GPO, will my SMS 2.0 client software blow up, or will the admin exception
handle that as well?

Thanks much...

-D
 
