Turning off Windows Firewall

Pierre

WinXPPro SP2 machine connected to Windows 2003 server.

I don't have the option to turn on or off Windows Firewall.
It's on, but I can't turn it off - the options are grayed out.

It says the settings are managed by Group Policy.

What settings do I have to change on the server then,
in order to have the ability to turn off the firewall,
at least on this one machine?
(since there is a program running that seems to be incompatible with the
firewall).
 
Bruce Sanderson

Ask your Domain Administrator to move the computer's account into an OU to
which the Group Policy Object containing the Firewall settings does not
apply.
 
Guest

But exactly which group policy settings need to be changed? I'm the server
administrator, and I'd like to know for myself.

I have a similar issue - my XP-SP2 client workstation (connected to an
SBS2003 server) won't allow me to disable the windows firewall, and it is a
function of the group policy (option to turn off the firewall is greyed out,
obvious message stating, "for your security, some settings are controlled by
group policy"). Even if the workstation is disconnected (and therefore user
is logging on via cached credentials), the 'turn off' option is still greyed
out.

I haven't changed any group policy settings (local or server) - they are all
in default mode (i.e. not configured).

What I'd like to do is allow the user to be able to select whether to turn
the firewall on or off, either while directly connected to the domain (domain
mode) or disconnected (standard mode).
 
Guest

Bruce....can you be a little more specific regarding which group policy
settings need to be changed? I'm in a similar predicament, with an XP-SP2
workstation unable to turn off the firewall in either domain or standard
mode. I'm pretty sure I know where to look within Group Policy to effect the
changes (Administrative Templates-Network-Network Connections-Windows
Firewall-Domain Profile), but I'm unsure where to proceed from there. I
haven't modified any of the current settings (they're all set to "Not
configured"), which I thought would've allowed me the freedom to turn on/off
the firewall, but obviously it hasn't. I'd also like to know whether I need
to make changes on the server only, or if I need to change any local policy
settings as well.

Thanks,
Terry
 
Guest

Hi Pierre

I've come up with a solution that worked on my Small Business Server 2003
network, however it does affect all domain-based workstations...so use with
caution.


1) On the server, go to Start->Administrative Tools->Group Policy
Management, drill down to Forest--Domains--<domain name>--Small Business
Server Windows Firewall

2) Right-click on this object (Small Business Server Firewall) and select
Edit

3) Drill down to Computer Configuration->Administrative
Templates->Network->Network Connections->Windows Firewall->Domain Profile

4) Change the value of "Windows Firewall: Protect All Network Connections"
from 'Enabled' to 'Not Configured'

5) This will allow the client workstation the ability to turn on/off the
Windows Firewall.

6) If you want to do the same for a client workstation when it's disconnected
from the domain (i.e. a mobile, laptop computer), then choose 'Standard
Profile' instead of 'Domain Profile' in Step #3 above.

Regards,

Terry
 
Bruce Sanderson

By "server" I assume you mean the (a) Domain Controller.

Firewall settings in Group Policy Editor are in:

Computer Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall\Domain Profile
or
Computer Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall\Standard Profile

If a GPO with any settings in the above applies to the computer account for
an XP SP2 computer, the state of the firewall is determined by the value of
"Windows Firewall: Protect all network connections":

"Enabled" - the firewall is On and can not be set to Off by local
Administrator action.

"Disabled" - the firewall is Off and can not be set to On by local
Administrator action.

"Not Configured" - a local administrator can turn the firewall On or Off,
but may or may not be able to change any settings when it is on, depending
on the values of other settings (e.g. if "Windows Firewall: Allow local
program exceptions" is Disabled, a local administrator can not add local
program exceptions)

You don't need to make any local policy changes on the XP SP2 computer for
this to work (I tested this today for one computer in a large Windows 2000
domain).

There can be multiple applicable GPOs that have firewall settings, so use
Resultant Set of Policies to see which GPO a particular setting is coming
from ("Windows Firewall: Protect all network connections").

The Resultant Set of Policies feature in the Group Policy Management Console
is very useful for this - it also reports the local policy settings that
apply (as well as settings from GPOs). See
http://www.microsoft.com/downloads/...24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en.

Use the "gpupdate /force" command on the XP SP2 computer to get Group Policy
related changes applied to the computer "immediately", rather than at the
next automatic update (if there are multiple Domain Controllers, you have to
wait for inter-DC replication to take place before running gpupdate will
have any effect).

Another alternative is to move the XP SP2 computer's account into an OU that
the GPO containing the Windows Firewall settings does not apply to; then the
firewall is completely under the local administrator's control.
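
The three states described in the post above can be confirmed on the workstation itself, because Group Policy stores the Windows Firewall settings in the registry under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall. The following read-only PowerShell check is an added example, not part of the original thread; it assumes PowerShell is installed on the workstation and is run by a local administrator, and the function names are made up for illustration.

```powershell
# Added example: read-only report of the Windows Firewall values that Group
# Policy has written to the registry. It changes nothing on the machine.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-PolicyValue($path, $name) {
    # Returns $null when the key or the value is absent ("Not Configured").
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

function Get-FirewallPolicyState($profileName) {
    $key = Join-Path $base $profileName

    # "Windows Firewall: Protect all network connections"
    $enable = Get-PolicyValue $key 'EnableFirewall'
    if ($null -eq $enable) {
        $state = 'Not Configured (local administrator can turn the firewall On or Off)'
    } elseif ($enable -eq 1) {
        $state = 'Enabled (forced On, cannot be set to Off locally)'
    } else {
        $state = 'Disabled (forced Off, cannot be set to On locally)'
    }

    # "Windows Firewall: Allow local program exceptions"
    $merge = Get-PolicyValue (Join-Path $key 'AuthorizedApplications') 'AllowUserPrefMerge'
    if ($null -eq $merge) {
        $apps = 'Not Configured'
    } elseif ($merge -eq 1) {
        $apps = 'Enabled (local program exceptions allowed)'
    } else {
        $apps = 'Disabled (local program exceptions cannot be added)'
    }

    "{0}`r`n  Protect all network connections : {1}`r`n  Allow local program exceptions  : {2}" -f $profileName, $state, $apps
}

# DomainProfile applies while connected to the domain,
# StandardProfile while disconnected from it.
foreach ($p in 'DomainProfile', 'StandardProfile') {
    Get-FirewallPolicyState $p
}
```

A profile that reports "Enabled" or "Disabled" here is being set by policy; Resultant Set of Policies then shows which GPO supplied the value.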
 
