XP firewall Domain Profile leaves 2nd wireless nic wide open?

Senshine

Hello, I am researching on using winxp firewall. My question is that when a
user is connected to the domain and the xp firewall domain profile is in use
(our case the firewall domain profile disables the firewall), will it also
disable the firewall on all other nics on a laptop??

For example we have laptop users that leave their wireless nic on when
docking back in the office and then join the domain through the wired nic on
the dock.

They can easily connect to other wireless networks since we are in a big
city while the firewall domain profile is enabled. Does that mean that the
wireless nic has no firewall enabled also?

Or is XP firewall smart enough to know that the wireless nic can't find the
domain controller for our network and the firewall stays on for that
wireless nic while the other wired nic that did find the domain controller
gets its fw disabled?

If not, does anyone know something that would address this.
 
Brent

Go to Network Connections and check the properties for the wireless
connection and click on the Advanced tab. There are settings there for
Windows XP Firewall. Make sure that the firewall is enabled for the wireless
connection and you should be fine.

Good Luck
 
Senshine

One, I can't do that for 800 laptops. Two, in the gpo for the firewall area I
am using the domain firewall profile policy which is set to disable the
firewall when the laptop recognizes that it's part of the domain.

Even if the user or I can change the firewall to be enabled on just the
wireless nic manually, this setting would be reversed back to firewall off
when the domain firewall profile policy is applied again
when the laptop connects back to our domain.

What I don't see in group policy is the control of certain nics when using
the standard or domain profile in the firewall area of group policy.
 
Old Rookie

You could try using the netsh firewall show state command on a computer when
connected to the domain to see if it gives you the info you need on the
state for each adapter.

You could also try testing connecting to a domain computer through the
wireless network while it is connected to the domain network. Temporarily
disable the server service on the wired nic and see if you connect via only
the wireless nic.

Assuming it is disabled for both adapters while connected to the domain you
have a few options.

-- A computer user policy that the user signs that states they must disable
their wireless network adapter when in the office with a brief reason why
and stated consequences for lack of compliance.

-- Enabling the firewall when connected to the domain and enabling only the
exceptions needed such as file and print sharing with a scope of ONLY the
management computers' IPs that need access to file and print sharing on the
domain computers.

-- Ipsec policies that require kerberos authentication to access file and
print sharing and other exposed services on the domain workstations only
[NOT domain controllers]. However ipsec is an advanced topic and must not be
implemented without good understanding how it works and first implementing
on a test domain network to see functionality. Improperly implemented ipsec
policies can shut down a network and ruin your day. Though properly
implemented it helps bullet proof your network from non domain computer
access. Windows 2008 has made great strides in making this easy to configure
though only Vista computers can take advantage of Windows Advanced Firewall
connection security rules while Windows 2000/2003/XP can also use regular
ipsec policies.

http://technet.microsoft.com/en-us/library/cc754274(WS.10).aspx

-- Keep in mind that enforcing strong passwords that must be changed
periodically, good AV protection, and keeping domain computers patched
minimizes the chance of unauthorized access even with the firewall disabled
on a typical domain computer with simple file sharing disabled.


Steve
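The reply above suggests checking the per-adapter firewall state with netsh on a domain-connected laptop. With 800 laptops, the practical way to do that is to collect the netsh output from each machine (for example via a startup script writing to a share) and parse it centrally. The script below is an added example, not from the thread or from Microsoft: it parses text shaped like the XP SP2 `netsh firewall show opmode` report (which lists the active profile and a per-interface "Operational mode"), and flags adapters that end up unprotected. The sample report is constructed, not a real capture, and the rule that an adapter counts as unprotected when either its profile or its own operational mode is "Disable" is an assumption of the example, chosen to be the conservative reading for an audit.

```python
"""Audit netsh firewall opmode reports for adapters left without a firewall."""

# Constructed sample shaped like `netsh firewall show opmode` on Windows XP SP2.
# It models the thread's situation: domain profile active and disabled by GPO,
# wired and wireless adapters both present.
SAMPLE_OPMODE = """\
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable

Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable

Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Disable

Wireless Network Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
"""

# Constructed second sample: domain profile enabled, but someone turned the
# firewall off on the wireless adapter only (the per-interface setting).
SAMPLE_WIRELESS_OFF = SAMPLE_OPMODE.replace(
    "Operational mode                  = Disable\nException mode", 
    "Operational mode                  = Enable\nException mode", 1
).replace(
    "Local Area Connection firewall configuration:\n"
    "-------------------------------------------------------------------\n"
    "Operational mode                  = Disable",
    "Local Area Connection firewall configuration:\n"
    "-------------------------------------------------------------------\n"
    "Operational mode                  = Enable",
)


def parse_opmode(text):
    """Split the report into (current profile name, profiles, interfaces).

    profiles   maps profile name   -> {setting: value}
    interfaces maps interface name -> {setting: value}
    """
    current_profile = None
    profiles, interfaces = {}, {}
    target = None  # dict that the next "key = value" lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if line.endswith(":"):
            header = line[:-1]
            is_current = header.endswith(" (current)")
            if is_current:
                header = header[: -len(" (current)")]
            if header.endswith(" profile configuration"):
                name = header[: -len(" profile configuration")]
                target = profiles.setdefault(name, {})
                if is_current:
                    current_profile = name
            elif header.endswith(" firewall configuration"):
                name = header[: -len(" firewall configuration")]
                target = interfaces.setdefault(name, {})
            else:
                target = None  # unknown section; ignore its settings
            continue
        if target is not None and "=" in line:
            key, _, value = line.partition("=")
            target[key.strip()] = value.strip()
    return current_profile, profiles, interfaces


def audit(text):
    """Return the active profile, its mode, and adapters judged unprotected.

    Assumption of this example: an adapter is unprotected if the active
    profile's operational mode is Disable, or if its own per-interface
    operational mode is Disable.
    """
    current, profiles, interfaces = parse_opmode(text)
    profile_mode = profiles.get(current, {}).get("Operational mode", "Unknown")
    profile_off = profile_mode.lower() == "disable"
    unprotected = sorted(
        name for name, settings in interfaces.items()
        if profile_off or settings.get("Operational mode", "").lower() == "disable"
    )
    return {"profile": current, "profile_mode": profile_mode, "unprotected": unprotected}


if __name__ == "__main__":
    for label, report in (("gpo-disabled", SAMPLE_OPMODE), ("wireless-off", SAMPLE_WIRELESS_OFF)):
        result = audit(report)
        print(label, result["profile"], result["profile_mode"], result["unprotected"])
```

Run against the first sample this reports both adapters as unprotected under a disabled Domain profile, which is the exposure the original question describes; against the second it reports only the wireless adapter, which is the per-interface case Brent's reply pointed at. Feeding real collected reports through `audit` gives a list of laptops worth attention rather than a manual check on each.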
 
Brent

oooo Okay well that changes things. I'm not too sure you'd be able to set it
up like that. I looked through myself, couldn't find anything.
 