Monday, August 07, 2006

Windows Firewall interferes with Remote Web Workplace (RWW)

I'm soooooo tired of Windows Firewall. Perhaps I don't understand it well enough, but it just seems to consistently interfere with things my customers are trying to accomplish. I always have to turn it off, and SBS has a built-in policy that greys it out if the customer is removed from the domain (laptops, etc.). Here's what I need to do (I copied this explanation):

The new Windows Firewall Control Panel icon lets you configure the firewall on an individual machine. In an enterprise setting, however, setting each machine's firewall by hand is not only a major pain, the system administrators also need to control exactly which settings are available and used on their network. The new Windows Firewall can be managed completely through Group Policy, which makes the administrator's task much easier.

Updating Group Policy Editor

In order to manage the Group Policy objects for Windows Firewall, you may need to update the version of the Group Policy Editor you are using. If you attempt to edit the settings for Windows Firewall on a computer running Windows 2000, Windows Server 2003, or Windows XP SP1 or prior versions, you may get an error message:
The following entry in the [strings] section is too long and has been truncated.

To update the Group Policy Editor, see the Microsoft Knowledge Base article 842933.

Additionally, if you are running in a Microsoft Windows Small Business Server 2003 environment, you need to obtain the Windows Small Business Server 2003 Update for Windows XP SP2 from the Microsoft download site.

Because of the way Group Policy Objects (GPOs) are distributed in a domain, once you open an existing GPO from an administrative computer running Windows XP SP2, the domain GPO is upgraded to include the SP2 version of the .adm template (system.adm), which carries the Windows Firewall settings. This causes problems for existing copies of gpedit.msc that have not been updated, so either update them as described in 842933 or manage Group Policy only from a Windows XP SP2 computer.

Installing the Group Policy Administrative Template

To install and edit the Group Policy Administrative Template for Windows Firewall, follow these steps:

1. Log on to a computer that is a member of the domain and has Windows XP SP2 installed, with an account that is a member of the Domain Admins, Enterprise Admins or Group Policy Creator Owners security groups.

2. Click Start >Run and type mmc to open a new MMC console.

3. On the File menu, select Add/Remove Snap-in.

4. Click Add and select Group Policy Object Editor from the list.

5. In the Select Group Policy Object dialog box, click Browse.

6. Select the Default Domain Policy, then click your way back to the main MMC console.


See full-sized image.

7. In the console tree, navigate to Computer Configuration, Administrative Templates, Network, Network Connections and then Windows Firewall.


See full-sized image.

8. Highlight the profile you want to edit. The choices are "Domain Profile" and "Standard Profile." The Domain Profile applies while a domain-joined computer is connected to its domain network; the Standard Profile applies when it is not, such as a laptop taken home.

9. Edit the policies for that profile. Note: edit both profiles, because only the one matching the computer's current network is applied; both start out with identical (Not Configured) settings.
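Once the GPO has been refreshed on a client, it is worth confirming from the client what was actually applied rather than trusting the editor. The PowerShell script below is an added example (it is not part of the original post or of the article it quotes). It reads the Windows Firewall policy keys that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall for both profiles, and the local Control Panel settings under the SharedAccess service key for comparison. The registry value names are the ones documented for Windows XP SP2 and Windows Server 2003 SP1; a value missing from the policy key is reported as Not Configured.

```powershell
# Added example (not from the original post): audit what Group Policy has
# pushed to the Windows Firewall on an XP SP2 / Server 2003 SP1 client and
# show the local Control Panel value beside it. When a value exists under the
# Policies key it overrides the local one. Run as a local administrator after
# "gpupdate /force".

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$LocalRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the setting is Not Configured.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -eq $null -or $item.PSObject.Properties[$Name] -eq $null) { return $null }
    return $item.$Name
}

function Get-ExceptionList([string]$Path) {
    # GloballyOpenPorts\List and AuthorizedApplications\List hold one REG_SZ per
    # exception; the data is the same "Port:Transport:Scope:Status:Name" or
    # "Path:Scope:Status:Name" string that is typed into the GPO editor.
    if (-not (Test-Path $Path)) { return @() }
    $props = Get-ItemProperty -Path $Path
    return @($props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $_.Value })
}

function Format-Dword($Value, [string]$WhenOne, [string]$WhenZero) {
    if ($Value -eq $null) { return 'Not Configured' }
    if ([int]$Value -eq 1) { return $WhenOne } else { return $WhenZero }
}

function Report-FirewallProfile([string]$Profile) {
    $pol = "$PolicyRoot\$Profile"
    $loc = "$LocalRoot\$Profile"
    Write-Output "=== $Profile ==="
    Write-Output ('Policy key present         : ' + (Test-Path $pol))
    Write-Output ('Protect all connections    : ' + (Format-Dword (Get-RegValue $pol 'EnableFirewall') 'Enabled (locked on)' 'Disabled (locked off)'))
    Write-Output ('Local EnableFirewall value : ' + (Format-Dword (Get-RegValue $loc 'EnableFirewall') 'On' 'Off'))
    Write-Output ('Do not allow exceptions    : ' + (Format-Dword (Get-RegValue $pol 'DoNotAllowExceptions') 'Enabled' 'Disabled'))
    Write-Output ('Prohibit notifications     : ' + (Format-Dword (Get-RegValue $pol 'DisableNotifications') 'Enabled' 'Disabled'))
    Write-Output ('Remote Desktop exception   : ' + (Format-Dword (Get-RegValue "$pol\Services\RemoteDesktop" 'Enabled') 'Enabled (TCP 3389 open)' 'Disabled'))
    Write-Output ('  scope                    : ' + (Get-RegValue "$pol\Services\RemoteDesktop" 'RemoteAddresses'))
    Write-Output ('File/Print exception       : ' + (Format-Dword (Get-RegValue "$pol\Services\FileAndPrint" 'Enabled') 'Enabled (UDP 137/138, TCP 139/445)' 'Disabled'))
    Write-Output ('Remote admin exception     : ' + (Format-Dword (Get-RegValue "$pol\RemoteAdminSettings" 'Enabled') 'Enabled (TCP 135/445)' 'Disabled'))
    Write-Output ('  scope                    : ' + (Get-RegValue "$pol\RemoteAdminSettings" 'RemoteAddresses'))
    Write-Output ('Allow local port exceptions: ' + (Format-Dword (Get-RegValue "$pol\GloballyOpenPorts" 'AllowUserPrefMerge') 'Enabled' 'Disabled'))
    Write-Output ('Allow local prog exceptions: ' + (Format-Dword (Get-RegValue "$pol\AuthorizedApplications" 'AllowUserPrefMerge') 'Enabled' 'Disabled'))
    Write-Output 'Policy port exceptions:'
    Get-ExceptionList "$pol\GloballyOpenPorts\List" | ForEach-Object { Write-Output "  $_" }
    Write-Output 'Policy program exceptions:'
    Get-ExceptionList "$pol\AuthorizedApplications\List" | ForEach-Object { Write-Output "  $_" }
    Write-Output ''
}

Report-FirewallProfile 'DomainProfile'
Report-FirewallProfile 'StandardProfile'
```

On the client, `netsh firewall show config` prints the merged result (policy plus whatever local settings survive) and `netsh firewall show state` tells you which profile is currently active; if the Domain Profile is not the active one on a machine sitting on the LAN, the machine is not detecting its domain network and the Standard Profile settings are what it is enforcing.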


Configuring Deployment Settings

By default, the Group Policy settings for the Windows Firewall are "Not Configured" for all objects. This allows the Windows Firewall to use its default settings, which are quite restrictive.

The following table describes the policies that are available.

Each policy is listed with its possible configuration (Not Configured, Enabled, Disabled) and the resulting behavior.

Windows Firewall: Allow authenticated IPSec bypass
  Enabled: Unsolicited incoming traffic that is IPsec-authenticated and comes from the computers listed in the policy (given as an SDDL security descriptor) bypasses the firewall's exception filtering.

Windows Firewall: Protect all network connections
  Not Configured: Local administrators can enable or disable the Windows Firewall on any network connection.
  Enabled: Windows Firewall is enabled on all network connections, and a local administrator cannot disable it.
  Disabled: Windows Firewall is turned off on all network connections, and local administrators cannot enable it.

Windows Firewall: Do not allow exceptions
  Not Configured: Local administrators control whether the No Exceptions mode is used.
  Enabled: No exceptions are allowed; all unsolicited incoming traffic is dropped. Enable Windows Firewall: Protect all network connections as well, otherwise a local administrator can bypass this setting by turning the firewall off.
  Disabled: Local administrators cannot enable the No Exceptions mode.

Windows Firewall: Define program exceptions
  Not Configured: Local administrators can configure program exceptions (subject to the Windows Firewall: Allow local program exceptions setting).
  Enabled: The list of program exceptions entered in the Group Policy Editor is applied, and any locally configured program exceptions are ignored.
  Disabled: No program exceptions are configured by policy, and locally configured program exceptions are ignored.

Windows Firewall: Allow local program exceptions
  Not Configured: Local administrators can add program exceptions, provided Windows Firewall: Define program exceptions is also Not Configured.
  Enabled: Local administrators can add program exceptions.
  Disabled: Local administrators cannot add program exceptions.

Windows Firewall: Allow remote administration exception
  Not Configured: The remote administration exception is not enabled by policy.
  Enabled: Unsolicited incoming traffic for remote administration is allowed: TCP ports 135 and 445 are opened for the address scope you specify. The details are as configured in the policy and cannot be overridden by a local administrator.
  Disabled: Remote administration is not allowed; TCP port 135 stays blocked and TCP port 445 is not opened by this exception.

Windows Firewall: Allow file and print sharing exception
  Not Configured: Local administrators can enable the pre-defined File and Printer Sharing exception, which opens UDP ports 137 and 138 and TCP ports 139 and 445.
  Enabled: UDP ports 137 and 138 and TCP ports 139 and 445 are opened for the address scope you specify, and incoming ICMP Echo Request messages are allowed.
  Disabled: Local administrators cannot enable the pre-defined File and Printer Sharing exception.

Windows Firewall: Allow ICMP exceptions
  Not Configured: Local administrators can configure ICMP exceptions.
  Enabled: The ICMP message types selected in the policy are allowed inbound.
  Disabled: No unsolicited incoming ICMP traffic is allowed, and local ICMP exceptions are not allowed.

Windows Firewall: Allow Remote Desktop exception
  Not Configured: The Remote Desktop exception is off, but local administrators can enable the pre-configured exception.
  Enabled: Remote Desktop connections are allowed: TCP port 3389 is opened for the address scope you specify.
  Disabled: Remote Desktop connections are blocked, and local administrators cannot enable the pre-configured Remote Desktop exception.

Windows Firewall: Allow UPnP framework exception
  Not Configured: The UPnP ports are not opened, but local administrators can enable the pre-configured UPnP Framework exception.
  Enabled: UDP port 1900 and TCP port 2869 are opened.
  Disabled: The UPnP ports are not opened, and local administrators cannot enable the pre-configured UPnP Framework exception.

Windows Firewall: Prohibit notifications
  Not Configured: Notification messages are displayed to the logged-on user; local administrators can override the setting.
  Enabled: Notification messages are not displayed.
  Disabled: Notification messages are displayed to the logged-on user; local administrators cannot override the setting.

Windows Firewall: Allow logging
  Not Configured: Logging is not enabled, but a local administrator can enable and configure it.
  Enabled: Logging is enabled, with the log file name and location, its maximum size, and whether dropped packets and successful connections are logged all set in the Group Policy Editor.
  Disabled: Logging is not enabled and cannot be enabled by a local administrator.

Windows Firewall: Prohibit unicast response to multicast or broadcast requests
  Not Configured: A unicast response to a multicast or broadcast request sent by this computer is accepted if it arrives within 3 seconds; a local administrator can override the setting.
  Enabled: Such unicast responses are dropped; a local administrator cannot override this.
  Disabled: Such unicast responses are accepted if received within 3 seconds; a local administrator cannot override this.

Windows Firewall: Define port exceptions
  Not Configured: No port exceptions are configured by policy, but local administrators can configure them.
  Enabled: The port exceptions listed in the policy are applied, and locally configured port exceptions are ignored. For example, to make all policy-managed Windows XP SP2 computers accept web traffic from their local subnet only, define a port exception for TCP port 80 with the scope set to LocalSubnet.
  Disabled: No port exceptions are configured by policy. Whether local administrators can add their own is controlled by the Windows Firewall: Allow local port exceptions policy.

Windows Firewall: Allow local port exceptions
  Not Configured: Local administrators can add port exceptions only if Windows Firewall: Define port exceptions is Not Configured.
  Enabled: Local administrators can add port exceptions.
  Disabled: Local administrators cannot add port exceptions.

As you can see, you can control all the settings of the Windows Firewall using Group Policy:

* Where appropriate, you can leave the settings "Not Configured" to allow local administrators to manage their settings as needed using the Control Panel.

* Where this could cause conflicts with other domain applications or policies, you can explicitly enable or disable them, and even configure specific port and program exceptions as part of Group Policy. This allows the domain administrator to enable remote administration from any local subnet machine, or specific machines, while completely disabling all file and print sharing on machines running the Windows Firewall.

* Where an internal application requires specific settings, you can enable them as part of Group Policy so that they are enforced throughout the domain.
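The Define port exceptions and Define program exceptions policies each take a list of single-line strings, and a typo in one of them silently produces an entry the firewall ignores. The PowerShell below is an added example (not from the original post or the article it quotes) that builds those strings and checks the fields before you paste them into the GPO editor. The formats, Port:Transport:Scope:Status:Name for ports and Path:Scope:Status:Name for programs, are the ones stated in the policies' own help text; the SBS server address 192.168.16.2 and the "Windows Messenger" program path are made-up values for the example.

```powershell
# Added example (not from the original post): build and sanity-check entries
# for the "Define port exceptions" and "Define program exceptions" policies.
# Each entry is one string:
#   Port:Transport:Scope:Status:Name     for port exceptions
#   Path:Scope:Status:Name               for program exceptions
# Scope is "*" (any address), "LocalSubnet", or a comma-separated list of
# IPv4 addresses and subnets written as a.b.c.d, a.b.c.d/n or a.b.c.d/mask.
# The server address 192.168.16.2 below is made up for the example.

function Test-ScopeToken([string]$Token) {
    # Validates one element of a scope list.
    if ($Token -eq '*' -or $Token -eq 'LocalSubnet') { return $true }
    $octet = '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    $ipv4  = "^$octet(\.$octet){3}$"
    $parts = $Token.Split('/')
    if ($parts[0] -notmatch $ipv4) { return $false }
    if ($parts.Length -eq 1) { return $true }
    if ($parts.Length -ne 2) { return $false }
    # Prefix length 0-32, or a dotted subnet mask.
    return ($parts[1] -match '^([0-9]|[12][0-9]|3[0-2])$') -or ($parts[1] -match $ipv4)
}

function Test-Scope([string]$Scope) {
    foreach ($t in $Scope.Split(',')) {
        if (-not (Test-ScopeToken $t.Trim())) { return $false }
    }
    return $true
}

function New-PortException([int]$Port, [string]$Transport, [string]$Scope, [string]$Name, [bool]$Enabled = $true) {
    if ($Port -lt 1 -or $Port -gt 65535) { throw "Port out of range: $Port" }
    if ($Transport -notmatch '^(TCP|UDP)$') { throw "Transport must be TCP or UDP: $Transport" }
    if (-not (Test-Scope $Scope)) { throw "Invalid scope: $Scope" }
    if ($Name.Contains(':')) { throw "Name must not contain ':' (it is the field separator)" }
    $status = 'disabled'
    if ($Enabled) { $status = 'enabled' }
    return "${Port}:${Transport}:${Scope}:${status}:${Name}"
}

function New-ProgramException([string]$Path, [string]$Scope, [string]$Name, [bool]$Enabled = $true) {
    # The path may use environment variables such as %ProgramFiles%. A colon
    # is only expected after a drive letter, which the firewall parses correctly.
    if ($Path -notmatch '\.exe$') { throw "Path should point at an executable: $Path" }
    if (-not (Test-Scope $Scope)) { throw "Invalid scope: $Scope" }
    if ($Name.Contains(':')) { throw "Name must not contain ':'" }
    $status = 'disabled'
    if ($Enabled) { $status = 'enabled' }
    return "${Path}:${Scope}:${status}:${Name}"
}

# Domain Profile entries: the web-server example from the table above, and
# TCP 3389 restricted to the SBS server (made-up address 192.168.16.2), which
# is the port Remote Web Workplace uses to reach a workstation's desktop.
$portEntries = @(
    (New-PortException 80   'TCP' 'LocalSubnet'  'Web Server'),
    (New-PortException 3389 'TCP' '192.168.16.2' 'Remote Desktop for RWW')
)
$programEntries = @(
    (New-ProgramException '%ProgramFiles%\Messenger\msmsgs.exe' 'LocalSubnet' 'Windows Messenger')
)

'Paste into Define port exceptions:'
$portEntries
'Paste into Define program exceptions:'
$programEntries

# A malformed scope is rejected here instead of becoming a dead entry in the GPO.
try   { New-PortException 3389 'TCP' '192.168.16.2/40' 'bad mask' }
catch { "Rejected: $_" }
```

For the Remote Web Workplace case in the title, the pre-defined Windows Firewall: Allow Remote Desktop exception policy, with its scope set to the SBS server's address, achieves the same thing as the 3389 entry without a hand-written port exception; the port form is shown because it is what Define port exceptions expects, and the same scope syntax applies to both.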
