Windows Firewall Turned on Automatically

Guest

Just experienced a very strange situation. We have several hundred XP clients
on an NT Domain. We disable Windows Firewall. Over the weekend we upgraded
our NT 4 Domain to Windows 2003 Mixed Mode Active Directory. We are now
seeing today and yesterday some machines have the Windows Firewall enabled.
We discovered the problem due to an older legacy application we have that
stopped working. The application was working yesterday (2 days after the
upgrade) but today it was not. The machines experiencing the problem are
located in separate offices and separate departments. So far we have seen only
about 15 with the firewall enabled. As we just upgraded we don't have any
GPOs in place that would enable this. We don't have any other automated
customization tools that were configured to do this either.

Is there any log file or any way to determine when/by whom the firewall was
enabled? The users of the machines don't have admin rights so we know it was
not them. Any insight on this one would be great!

Thanks
 
Guest

Check to see if your users do not have admin rights on the domain or on their
local machine. I'm pretty sure that if they still have admin rights on their
local machine they can still turn on Windows Firewall. If not, which events
have you already tried to research? Did you have any security policies active
at the time of this situation? Try looking there...

Hope this helps in any way...

The Saint
MCP, MCDST
 
Guest

Users do not have admin rights on the domain nor on the local machine. As far
as researching events I'm not sure what you mean. I do not see any events in
the event log that indicate anything relating to windows firewall. We are
currently not using any security policies either. It is quite strange.
 
Lanwench [MVP - Exchange]

Dave Petzel said:
Just experienced a very strange situation. We have several hundred XP
clients on an NT Domain. We disable Windows Firewall. Over the
weekend we upgraded our NT 4 Domain to Windows 2003 Mixed Mode Active
Directory. We are now seeing today and yesterday some machines have
the Windows Firewall enabled. We discovered the problem due to an
older legacy application we have that stopped working. The application
was working yesterday (2 days after the upgrade) but today it was
not. The machines experiencing the problem are located in separate
offices and separate departments. So far we have seen only about 15
with the firewall enabled. As we just upgraded we don't have any GPOs
in place that would enable this. We don't have any other automated
customization tools that were configured to do this either.

Is there any log file or any way to determine when/by whom the
firewall was enabled? The users of the machines don't have admin
rights so we know it was not them. Any insight on this one would be
great!

Thanks

Really does sound like group policy to me. Run the GPMC and see what policy
settings you have - and on the client, run gpresult in a command prompt to
see the 'resultant set of policy'

Any chance you can just add an exception for your legacy app? I personally
like leaving the firewalls enabled, but with the exceptions I wish.
 
Guest

We have narrowed this down some. It appears to be a problem with the XP boxes
not correctly detecting the correct firewall profile. When the boxes were
initially built they were joined to the domain and had the firewall
turned off, thus disabling the firewall for that profile. Now that we have
upgraded we see the machines are randomly selecting which domain profile to
use. Since we do not have the firewall disabled on the standard profile, when
the machine incorrectly determines which profile to use the firewall is on.
We did a lot of testing on this. We would take a single machine and not make
any changes to it and just reboot it over and over. After each reboot we would
run 'netsh firewall show config' to see which profile was active. Sometimes
it would be the domain profile, sometimes it would be the standard profile. To
get around this temporarily we have implemented a login script element to
disable the firewall; however, it stinks that we cannot rely on the
workstation to determine correctly.
 
Lanwench [MVP - Exchange]

Dave Petzel said:
We have narrowed this down some. It appears to be a problem with the XP
boxes not correctly detecting the correct firewall profile. When the
boxes were initially built they were joined to the domain and
had the firewall turned off, thus disabling the firewall for that
profile. Now that we have upgraded we see the machines are randomly
selecting which domain profile to use. Since we do not have the
firewall disabled on the standard profile, when the machine
incorrectly determines which profile to use the firewall is on. We
did a lot of testing on this. We would take a single machine and not
make any changes to it and just reboot it over and over. After each
reboot we would run 'netsh firewall show config' to see which profile
was active. Sometimes it would be the domain profile, sometimes it
would be the standard profile. To get around this temporarily we have
implemented a login script element to disable the firewall; however,
it stinks that we cannot rely on the workstation to determine
correctly.

Hi - what do you mean by domain profile, and why can't you handle this via
GPO, and why can't you just add the exceptions you need to the firewall
rather than disabling it outright?
 
Guest

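Windows Firewall has two profiles: Domain and Standard. This allows you to
have different configurations depending on whether the computer is on its home
domain or not. GPO is ineffective as a result of this because we want the firewall
on for the standard profile and off for the domain profile. With the machine
not detecting the correct profile it renders GPO useless.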
 
Lanwench [MVP - Exchange]

Dave Petzel said:
Windows Firewall has two profiles: Domain and Standard. This allows
you to have different configurations depending on whether the computer
is on its home domain or not. GPO is ineffective as a result of this
because we want the firewall on for the standard profile and off for
the domain profile. With the machine not detecting the correct
profile it renders GPO useless.

Hmmm - well, I don't have an NT domain (I haven't had to touch NT in years)
and am not sure what difference it makes that you migrated from one, if
any...but in W2003 you should be able to specify that when the
machines are on the domain they have the settings you wish, and when they're
off the domain they have the settings you wish. Personally, I leave the
firewall enabled all the time, actually, with exceptions set for whatever I
need, from the business network's IP range only.

Have you tried posting in m.p.windows.group_policy? This is precisely what
policies are for...

Sorry I can't help further :(
 
Torgeir Bakken (MVP)

Dave said:
Windows Firewall has two profiles: Domain and Standard. This allows you to
have different configurations depending on whether the computer is on its home
domain or not. GPO is ineffective as a result of this because we want the firewall
on for the standard profile and off for the domain profile. With the machine
not detecting the correct profile it renders GPO useless.

Hi,

Note that in some cases the Standard Profile will be used even
if the computers are connected to the domain. This will happen
if the last-received Group Policy update DNS name does not match any
of the connection-specific DNS suffixes of the currently connected
connections on the computer. In this case, the non-domain settings
will be used.

From
The Cable Guy - May 2004
Network Determination Behavior for Network-Related Group Policy Settings
http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

<quote>
To apply this behavior to Windows Firewall settings:

- If the connection-specific DNS suffix of a currently connected
  connection on the computer that is not PPP or SLIP-based (such as
  an Ethernet or 802.11 wireless network adapter) matches the value
  of the
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
  registry entry, Windows Firewall uses the domain profile.

- If the connection-specific DNS suffix of a currently connected
  connection on the computer that is not PPP or SLIP-based does not
  match the value of the
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
  registry entry, Windows Firewall uses the standard profile.


You can determine the connection-specific DNS suffixes of the
currently connected connections on the computer from the display
of the ipconfig command issued from a command prompt.

</quote>

Read the Cable Guy article for more about this.
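
The two rules quoted above can be checked against a client's `ipconfig` output. The following is an added example, not part of the original post or of any Microsoft tool: the sample output, the DNS names, the function names and the "PPP "/"SLIP " header prefixes used to skip those adapters are all assumptions.

```python
import re

# Constructed sample of `ipconfig` output; names and addresses are made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : corp.example.com
        IP Address. . . . . . . . . . . . : 10.1.2.34

Ethernet adapter Wireless Network Connection:
        Media State . . . . . . . . . . . : Media disconnected

PPP adapter Dial-up ISP:
        Connection-specific DNS Suffix  . : isp.example.net
        IP Address. . . . . . . . . . . . : 192.0.2.10
"""

HEADER = re.compile(r"^(\S.*\badapter\b.*):\s*$")
SUFFIX = re.compile(r"^\s+Connection-specific DNS Suffix[ .]*:\s*(\S*)\s*$")

def connected_suffixes(ipconfig_text):
    """Map adapter header -> DNS suffix for connected, non-PPP/SLIP adapters."""
    found, current = {}, None
    for line in ipconfig_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            # The quoted rule ignores PPP- and SLIP-based connections
            # (header prefixes are an assumption about ipconfig's labels).
            if current.upper().startswith(("PPP ", "SLIP ")):
                current = None
        elif current and "Media disconnected" in line:
            found.pop(current, None)
            current = None
        elif current:
            suffix = SUFFIX.match(line)
            if suffix:
                found[current] = suffix.group(1).lower().rstrip(".")
    return found

def expected_profile(ipconfig_text, network_name):
    """Apply the two quoted rules; network_name is the NetworkName registry value."""
    wanted = network_name.strip().lower().rstrip(".")
    for adapter, suffix in connected_suffixes(ipconfig_text).items():
        # Case-insensitive comparison is an assumption (DNS names are not case-sensitive).
        if suffix and suffix == wanted:
            return "domain", adapter
    return "standard", None
```

On a client, the second argument would be the value shown by `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History" /v NetworkName`; an adapter with an empty connection-specific suffix never matches and so yields the standard profile.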
 
