SP2 firewall Domain & Standard GPO settings?


David Levine
August 12th 05, 11:17 PM
All,

I have been searching around for a bit, and am looking to understand exactly
how I can take advantage of the SP2 firewall GPO settings - specifically the
Domain and Standard Profile settings.

If I have a bunch of salespeople with laptops, and I set a GPO as follows:

DOMAIN PROFILE
WF: Protect all network connections: Enabled
WF: Allow remote admin exception: Enabled
STANDARD PROFILE
WF: Protect all network connections: Enabled

Is this saying that when the Salespeople are at our office & plugged into
our network that the firewall will be enabled and will allow remote admin
connections - but when they are offsite (at home, at a client, etc.) the
firewall will be on with no exceptions?

Thanks in advance...

David

Torgeir Bakken (MVP)
August 13th 05, 06:41 PM
David Levine wrote:

> I have been searching around for a bit, and am looking to understand exactly
> how I can take advantage of the SP2 firewall GPO settings - specifically the
> Domain and Standard Profile settings.
>
> If I have a bunch of salespeople with laptops, and I set a GPO as follows:
>
> DOMAIN PROFILE
> WF: Protect all network connections: Enabled
> WF: Allow remote admin exception: Enabled
> STANDARD PROFILE
> WF: Protect all network connections: Enabled
>
> Is this saying that when the Salespeople are at our office & plugged into
> our network that the firewall will be enabled and will allow remote admin
> connections - but when they are offsite (at home, at a client, etc.) the
> firewall will be on with no exceptions?
>
Hi,

Yes, that is correct.

Note that in some cases the Standard Profile will be used even
if the computers are connected to the domain. This will happen
if last-received Group Policy update DNS name does not match any
of the connection-specific DNS suffixes of the currently connected
connections on the computer. In this case, the non-domain settings
will be used.

From
The Cable Guy - May 2004
Network Determination Behavior for Network-Related Group Policy Settings
http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

<quote>
To apply this behavior to Windows Firewall settings:

* If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based (such as
an Ethernet or 802.11 wireless network adapter) matches the value
of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
registry entry, Windows Firewall uses the domain profile.

* If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based does not
match the value of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
registry entry, Windows Firewall uses the standard profile.


You can determine the connection-specific DNS suffixes of the
currently connected connections on the computer from the display
of the ipconfig command issued from a command prompt.

</quote>

Read the Cable Guy article for more about this.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
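
Added example (not part of the original thread or the Cable Guy article): a small Python check that applies the rule quoted above to `ipconfig` output, to predict which profile a laptop will land in. The sample output, the adapter names, the `corp.example.com` suffix, the case-insensitive comparison, and the "Media disconnected" handling are assumptions made for illustration.

```python
import re

# Constructed sample of `ipconfig` output (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example.com
        IP Address. . . . . . . . . . . . : 10.0.0.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected

PPP adapter Office VPN:

        Connection-specific DNS Suffix  . : corp.example.com
        IP Address. . . . . . . . . . . . : 10.8.0.4
"""

HEADER = re.compile(r"^(\S.*?) adapter (.+):\s*$")
SUFFIX = re.compile(r"^\s+Connection-specific DNS Suffix[ .]*:\s*(\S*)")

def connected_suffixes(ipconfig_text):
    """Return {adapter name: suffix} for connected, non-PPP/SLIP adapters."""
    result, name, skip = {}, None, True
    for line in ipconfig_text.splitlines():
        m = HEADER.match(line)
        if m:  # new adapter section; PPP/SLIP sections are ignored entirely
            name = m.group(2)
            skip = m.group(1).upper() in ("PPP", "SLIP")
            continue
        if skip or name is None:
            continue
        if "Media disconnected" in line:  # not a currently connected connection
            result.pop(name, None)
            skip = True
            continue
        m = SUFFIX.match(line)
        if m:
            result[name] = m.group(1).rstrip(".").lower()
    return result

def expected_profile(ipconfig_text, network_name):
    """network_name: value of the NetworkName registry entry named above."""
    want = network_name.strip().rstrip(".").lower()
    suffixes = connected_suffixes(ipconfig_text).values()
    return "domain" if want and want in suffixes else "standard"
```

A laptop at home with only a PPP VPN link carrying the corporate suffix still evaluates to the standard profile, since PPP connections are excluded from the comparison.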

David Levine
August 16th 05, 07:25 PM
I appreciate the response!

I am sure I will find out for myself, but once I apply these settings to the
GPO, will my SMS 2.0 client software blow up, or will the admin exception
handle that as well?

Thanks much...

-D

"Torgeir Bakken (MVP)" wrote:

> David Levine wrote:
>
> > I have been searching around for a bit, and am looking to understand exactly
> > how I can take advantage of the SP2 firewall GPO settings - specifically the
> > Domain and Standard Profile settings.
> >
> > If I have a bunch of salespeople with laptops, and I set a GPO as follows:
> >
> > DOMAIN PROFILE
> > WF: Protect all network connections: Enabled
> > WF: Allow remote admin exception: Enabled
> > STANDARD PROFILE
> > WF: Protect all network connections: Enabled
> >
> > Is this saying that when the Salespeople are at our office & plugged into
> > our network that the firewall will be enabled and will allow remote admin
> > connections - but when they are offsite (at home, at a client, etc.) the
> > firewall will be on with no exceptions?
> >
> Hi,
>
> Yes, that is correct.
>
> Note that in some cases the Standard Profile will be used even
> if the computers are connected to the domain. This will happen
> if last-received Group Policy update DNS name does not match any
> of the connection-specific DNS suffixes of the currently connected
> connections on the computer. In this case, the non-domain settings
> will be used.
>
> From
> The Cable Guy - May 2004
> Network Determination Behavior for Network-Related Group Policy Settings
> http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx
>
> <quote>
> To apply this behavior to Windows Firewall settings:
>
> * If the connection-specific DNS suffix of a currently connected
> connection on the computer that is not PPP or SLIP-based (such as
> an Ethernet or 802.11 wireless network adapter) matches the value
> of the
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
> registry entry, Windows Firewall uses the domain profile.
>
> * If the connection-specific DNS suffix of a currently connected
> connection on the computer that is not PPP or SLIP-based does not
> match the value of the
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
> registry entry, Windows Firewall uses the standard profile.
>
>
> You can determine the connection-specific DNS suffixes of the
> currently connected connections on the computer from the display
> of the ipconfig command issued from a command prompt.
>
> </quote>
>
> Read the Cable Guy article for more about this.
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.mspx
>
