XPSP2 Windows Firewall Group Policy not being applied

G

Guest

Hello,

I have started deploying SP2 to my XP clients. I have imported the new
Group Policy settings on my Policy objects. I have made some changes in the
Windows Firewall configurations in Group Policy, but they aren't being
applied to the workstations when they log on to the domain. I have set up the
policy to allow incoming echo requests to allow ping, I have allowed file
and print sharing and remote administration using the following syntax:

localsubnet,192.168.1.0/24

I have also tried to define a few program exceptions for Symantec Antivirus
9.0 and NetMeeting. I have added the exceptions using the following syntax:

%programfiles%\conf.exe:192.168.1.0/24:enabled:NetMeeting
%programfiles%\rtvscan.exe:192.168.1.0/24:enabled:SAV 9.0
%programfiles%\lucomserver.exe:192.168.1.0/24:enabled:Live Update

I have configured these options in the domain profile section of the
firewall policy, but they aren't being applied. What can I do to have these
settings applied to machines when they log on to our domain? Any help that
you can provide in this matter would be much appreciated. Thank you.
 
G

Guest

Unfortunately not... the group policy is being applied, the start menu
changes and other settings that I have made are working correctly, but none
of the firewall changes are being applied.
 
B

Bruce Sanderson

Firewall configurations are Computer related, not user related, so make sure
the GPO containing the settings is applied (linked or inherited) to the OU
that contains the computer accounts for the XP SP2 computers.

I'm assuming the "Start Menu changes" you are referring to are in User
Configuration, Administrative Templates, Start Menu and Taskbar so their GPO
needs to be applied to the OU containing User accounts.

I suggest not mixing Computer Configuration and User Configuration
settings in the same GPO because it can lead to confusion and they apply to
disjoint sets of objects (computers vs users).

On one of the XP SP2 computers, open a command prompt and run the command

netsh firewall show state

Does this show "Profile = Domain"?
 
G

Guest

Hi

As well as Ern, I cannot apply firewall settings via GPO.
I try to add a port with the line 16666:TCP:192.168.0.0/24:enable:testgpo in
the define port exceptions setting, but the modification doesn't appear.

Problem is I'm a newbie with GPOs. My GPO on user config works well.
I don't know how to check whether GPOs in computer config work.
Could you give me a GPO visible on a user profile to check quickly if it is
working or not.

I'm using Win2003 and WinXP SP2.
I put the objectPC in the OU, and apply the GPO on that OU.

Something else,
could you explain what "link active" is when right-clicking on a GPO (with
Group Policy Manager Version: 1.0.2)?

Thanks

Luc
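The program-exception strings in the first post and the port-exception string above both follow a fixed colon-separated layout, and a mistyped entry is easy to overlook, so it is worth checking entries before putting them into a GPO. The script below is an added example written for this thread, not code from Microsoft or from any poster. It validates entries against the field layouts documented for the Windows Firewall "Define program exceptions" (path:scope:status:name) and "Define port exceptions" (port:transport:scope:status:name) policies, where status is "enabled" or "disabled" and scope is "*" or a list of "localsubnet", IPv4 addresses and IPv4 networks. The sample entries are constructed from the ones posted in the thread (two are deliberately malformed), and the check that a program path must contain only balanced %VAR% tokens is my own addition.

```python
import re
from dataclasses import dataclass, field

# Field layout of the two GPO strings, as documented in the Windows Firewall
# Administrative Template (Computer Configuration > Administrative Templates >
# Network > Network Connections > Windows Firewall > Domain Profile):
#   Define program exceptions : <path>:<scope>:<status>:<name>
#   Define port exceptions    : <port>:<transport>:<scope>:<status>:<name>
# <scope>  is '*' or a comma-separated list of 'localsubnet', IPv4 addresses
#          and IPv4 networks written as addr/prefix or addr/mask
# <status> is 'enabled' or 'disabled'

STATUSES = {"enabled", "disabled"}
TRANSPORTS = {"TCP", "UDP"}
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"
SCOPE_TOKEN = re.compile(
    rf"^(?:localsubnet|{IPV4}(?:/(?:\d|[12]\d|3[0-2]|{IPV4}))?)$", re.IGNORECASE
)
ENV_VAR = re.compile(r"%[^%\\]+%")   # a complete %VAR% token


@dataclass
class Check:
    line: str
    kind: str
    errors: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def _check_scope(scope: str, errors: list) -> None:
    if scope == "*":
        return
    for token in scope.split(","):
        if not SCOPE_TOKEN.match(token.strip()):
            errors.append(f"bad scope token {token.strip()!r}")


def _check_status(status: str, errors: list) -> None:
    if status.lower() not in STATUSES:
        errors.append(f"status must be 'enabled' or 'disabled', got {status!r}")


def validate_program_exception(line: str) -> Check:
    """Validate one 'Define program exceptions' entry."""
    c = Check(line, "program")
    # The path may itself contain a colon (C:\...), so peel the last three
    # fields off the right instead of splitting on every colon.
    parts = line.rsplit(":", 3)
    if len(parts) != 4:
        c.errors.append(f"expected 4 colon-separated fields, got {len(parts)}")
        return c
    path, scope, status, name = parts
    # A '%' that is not part of a complete %VAR% token (e.g. '%programfiles\x.exe',
    # missing the closing '%') cannot be expanded on the client.
    if ENV_VAR.sub("", path).count("%"):
        c.errors.append(f"unbalanced '%' in path {path!r}")
    _check_scope(scope, c.errors)
    _check_status(status, c.errors)
    if not name.strip():
        c.errors.append("empty display name")
    return c


def validate_port_exception(line: str) -> Check:
    """Validate one 'Define port exceptions' entry."""
    c = Check(line, "port")
    parts = line.split(":", 4)   # only the trailing display name may contain ':'
    if len(parts) != 5:
        c.errors.append(f"expected 5 colon-separated fields, got {len(parts)}")
        return c
    port, transport, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        c.errors.append(f"port must be 1-65535, got {port!r}")
    if transport.upper() not in TRANSPORTS:
        c.errors.append(f"transport must be TCP or UDP, got {transport!r}")
    _check_scope(scope, c.errors)
    _check_status(status, c.errors)
    if not name.strip():
        c.errors.append("empty display name")
    return c


if __name__ == "__main__":
    # Constructed sample entries modelled on the ones posted in this thread;
    # the third (missing '%') and fourth ('enable' instead of 'enabled') are
    # deliberately malformed.
    samples = [
        ("program", r"%programfiles%\conf.exe:192.168.1.0/24:enabled:NetMeeting"),
        ("program", r"C:\Program Files\SAV\rtvscan.exe:localsubnet,192.168.1.0/24:enabled:SAV 9.0"),
        ("program", r"%programfiles\lucomserver.exe:192.168.1.0/24:enabled:Live Update"),
        ("port", "16666:TCP:192.168.0.0/24:enable:testgpo"),
        ("port", "80:TCP:*:enabled:Web Service"),
    ]
    for kind, entry in samples:
        check = validate_program_exception(entry) if kind == "program" else validate_port_exception(entry)
        print("OK  " if check.ok else "BAD ", entry)
        for err in check.errors:
            print("      -", err)
```

Run it against the lines you intend to paste into the policy editor; any entry reported BAD should be corrected before the GPO is linked, since a malformed entry will not produce the exception you expect on the clients.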
 
B

Bruce Sanderson

1. Use the Group Policy Results (last item in the left pane of GPMC) to
see what GPOs are actually applied to the target computer and what settings
those GPOs contain (right click on Group Policy Results, select Group Policy
Results Wizard...). The RSOP wizard contacts the targeted computer to
obtain information about the GPOs applied to it.

2. To verify Windows Firewall settings, open a command prompt on the target
computer (objectPC) and use the command:

netsh firewall show state

3. Does the above command show "Domain" for "Profile"?

4. Computer GPO settings won't necessarily get applied immediately.
Computer settings are fetched from the Domain Controller when the computer
starts and every so often afterwards. You can force the GPOs to be re-read
from the Domain Controller by using the gpupdate command on the target
computer (use the command gpupdate /? to see the options available).

5. I assume you mean "Link Enabled" - if there is a check mark, that GPO
will be applied to objects in the OU. If there is no check mark, that GPO
will not be applied. In GPMC, open Help, Help Topics, select the Index tab,
key the word "links" and see the links, Group Policy objects/disabling item
for additional information.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
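Steps 2 and 3 above become easier to repeat across many clients if the output of netsh is read by a script. The following Python example is added here and is not from this thread or from Microsoft; it parses the "key = value" block that `netsh firewall show state` prints and explains what a non-Domain profile means for settings configured under the Domain Profile. The embedded sample output is constructed: its layout follows the real command, but the exact wording of the values, in particular the "Group policy version" line, is from memory and should be treated as an assumption.

```python
import subprocess

# Constructed sample of `netsh firewall show state` output from an XP SP2
# client that has not detected its domain. The key = value layout matches the
# real command; the value wording (notably "Group policy version = None")
# is an assumption made for this example.
SAMPLE_STATE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.
"""


def parse_state(text: str) -> dict:
    """Turn the 'key = value' lines of the status block into a dict."""
    state = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            state[key.strip()] = value.strip()
    return state


def diagnose(state: dict) -> list:
    """Return plain-language findings about why Domain Profile settings may not be in effect."""
    findings = []
    profile = state.get("Profile")
    if profile != "Domain":
        # Exceptions defined under Domain Profile only apply while the client
        # is using the Domain profile; Standard means it did not detect the domain.
        findings.append(
            f"profile is {profile!r}, not 'Domain': settings configured under "
            "Domain Profile are not in effect; check DNS and that a DC was "
            "reachable when the computer started"
        )
    if state.get("Group policy version", "").lower() in ("", "none"):
        findings.append(
            "no firewall Group Policy is recorded as applied: check the GPO is "
            "linked to the OU holding the computer account, then run gpupdate"
        )
    if state.get("Operational mode") == "Disable":
        findings.append("the firewall is switched off, so exceptions have no effect")
    return findings


def diagnose_local_machine() -> list:
    """On an XP SP2 host, run the real command and diagnose its output."""
    out = subprocess.run(["netsh", "firewall", "show", "state"],
                         capture_output=True, text=True, check=True).stdout
    return diagnose(parse_state(out))


if __name__ == "__main__":
    for finding in diagnose(parse_state(SAMPLE_STATE)) or ["profile and policy look as expected"]:
        print("-", finding)
```

On a client, `diagnose_local_machine()` runs the command itself; the same `diagnose()` logic can be pointed at output collected from many machines to find the ones still sitting in the Standard profile.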
 
L

lucbft

Thanks Bruce for your answer.

I don't know why but I can't write all my questions so I attach a
file.

Thanks for your precious help

+----------------------------------------------------------------
| Attachment filename: description.txt
|Download attachment: http://www.mcse.ms/attachment.php?postid=3565843
+----------------------------------------------------------------

-
lucbf
 
B

Bruce Sanderson

I don't have an MCSD.MS account and don't want one. Please copy/paste into
a newsgroup post.
 
L

lforbes

Bruce Sanderson1 said:
I don't have an MCSD.MS account and don't want one. Please
copy/paste into
a newsgroup post.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong
question.

Hi,

First of all, why would you have the XP SP2 Firewall enabled on Domain
Client machines? In a Domain Environment using an internal IP range,
I would disable the Firewall on all the XP clients and setup a Domain
Firewall, either Hardware or software. In fact the large and far
reaching issues created when SP2’s firewall enables itself
automatically on a client in a domain environment are the reason why
neither I nor any of my Net Admin friends have ventured to install SP2.

I wasn’t aware of the new Group Policy Settings for disabling Windows
Firewall at the Domain level. Thank you for pointing that out. It is
weird that it was never mentioned in any of the "deploying SP2"
documents from Microsoft. I just put SP2 on my machine at home and
looked at the new Policies. I will have to copy them to my 2003 DCs
and get it disabled before I deploy SP2 via WUS.

One thing to Note - Computer Configuration Group Policies are
refreshed on Startup. I have always had to restart my client computers
to get the Computer Config Policies to apply.

Cheers,

Lara
 
B

Bruce Sanderson

1) Protecting the network periphery using a network firewall is definitely a
good thing. But, it does not stop all attacks because a lot of virus, worm
and other attacks get inside the firewall by users visiting web sites,
receiving email that has the "malware" embedded, or importing them from
elsewhere (e.g. home) on floppy disks, CD or laptop. So, once one of these
nasty things bypasses your perimeter firewall, it can infect all the
computers in your network. Many large organisations have had this happen
and it is very disruptive, expensive and time wasting to cure.

If each computer also has its own software firewall, viruses etc. cannot
self propagate between computers in the network, or at least, not as easily,
once one computer gets infected. No firewall is 100% protection, but having
one, such as the Windows Firewall, on each computer is definitely a step
in the right direction.

So, there is definitely a role for the Windows Firewall on Domain member
computers; this is especially true for laptops as these are frequently
connected to "foreign" networks (or directly to the Internet) that don't
have good firewalls. By setting the "Standard" profile to prevent
exceptions, laptops can be better protected when outside of the "corporate"
network.

2) I suggest testing your applications and scenarios with the Windows
Firewall enabled. Although there has been much reporting about "far
reaching" issues, most people have found there are, in practice, not that
many problems and most of those can be solved by making Program Exceptions
in the firewall configuration via Group Policy. In our set of 600 Windows
XP computers that have a fair variety of programs, including some built
in-house, we found only one, old, 16 bit application that we could not find
a way to make work with the Firewall enabled (this has something to do with
the way it implements the use of the ftp protocol). Fortunately, we expect
to retire that application early this year.

We have not found any applications that will not work with Windows XP SP2
with the Firewall disabled.

3) Microsoft documents re Group Policy and Windows Firewall:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngwfw.mspx
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngintro.mspx

I found these by following the Managing the Windows XP Service Pack 2
Environment link on the page at
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx

You might want to download the spreadsheet containing all the Administrative
Template and Security settings currently distributed by Microsoft for
Windows XP and earlier Windows versions - see
http://www.microsoft.com/downloads/...2f-da15-438d-8e48-45915cd2bc14&displaylang=en

4) Yes, Computer Configuration settings are refreshed at startup and
periodically thereafter. The default background refresh frequency is every
90 minutes + or - 30 (see Background Refresh of Group Policy in the document
available at
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp
or
http://www.microsoft.com/downloads/...BC-D445-4E8F-AA4E-B9C27061F7CA&displaylang=en).
Also, the gpupdate command can be used to cause a Group Policy refresh at
any time.

I've used the gpupdate command quite a bit while testing Firewall Exceptions
and the Windows XP Firewall settings in a GPO are updated by this command
(in a large domain, it can take a few minutes for GPO changes to be
replicated to all domain controllers).

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
 
L

lforbes

Hi,
Protecting the network periphery using a network firewall is
definitely a good thing. But, it does not stop all attacks because a
lot of virus, worm and other attacks get inside the firewall by users
visiting web sites, receiving email that has the "malware" embedded,
or importing them from elsewhere (e.g. home) on floppy disks, CD or
laptop.

I guess if your users have write access to the machines then this can
be a problem. I have 2400 users who don’t have write access to
anything except their H:\ on the server which is protected by Norton
Corp. We did have a user bring in a Welchia infected laptop but it
didn’t infect anything except one machine that wasn’t in the Domain.
I use NTFS and Group Policy to lock down pretty much everything.

However you do have to realize that the companies who had a problem
with the Welchia/Blaster type of viruses were ones with Admins who
hadn’t patched their machines on a daily or weekly basis =). Wasn’t it
6 months that the patch had been released for one of these viruses?

I run a lot of TCP/IP software as well as doing 90% of my network
admin by remote admin, mapping drives etc. The only time that I have
had serious network problems with machines eg. DNS not working, not
being able to access software, not being able to map drives etc. is
when the Firewall has been turned on on the local machine.

If you are running into problems, turning off the firewall and testing
is a good place to start. If it works then you know it is the
firewall.

Thanks for all the links. If I do need to use the Windows Firewall in
the future, they will be useful.

Cheers,

Lara
 
