August 13th 05, 06:41 PM
Torgeir Bakken (MVP)

David Levine wrote:

I have been searching around for a bit, and am looking to understand exactly
how I can take advantage of the SP2 firewall GPO settings - specifically the
Domain and Standard Profile settings.

If I have a bunch of salespeople with laptops, and I set a GPO as follows:

DOMAIN PROFILE
WF: Protect all network connections: Enabled
WF: Allow remote admin exception: Enabled
STANDARD PROFILE
WF: Protect all network connections: Enabled

Is this saying that when the Salespeople are at our office & plugged into
our network that the firewall will be enabled and will allow remote admin
connections - but when they are offsite (at home, at a client, etc.) the
firewall will be on with no exceptions?

Hi,

Yes, that is correct.

Note that in some cases the Standard Profile will be used even
if the computers are connected to the domain. This will happen
if the last-received Group Policy update DNS name does not match any
of the connection-specific DNS suffixes of the currently connected
connections on the computer. In this case, the non-domain settings
will be used.

From
The Cable Guy - May 2004
Network Determination Behavior for Network-Related Group Policy Settings
http://www.microsoft.com/technet/com...uy/cg0504.mspx

quote
To apply this behavior to Windows Firewall settings:

* If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based (such as
an Ethernet or 802.11 wireless network adapter) matches the value
of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group
Policy\History\NetworkName registry entry, Windows Firewall uses
the domain profile.

* If the connection-specific DNS suffix of a currently connected
connection on the computer that is not PPP or SLIP-based does not
match the value of the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group
Policy\History\NetworkName registry entry, Windows Firewall uses
the standard profile.


You can determine the connection-specific DNS suffixes of the
currently connected connections on the computer from the display
of the ipconfig command issued from a command prompt.

/quote

Read the Cable Guy article for more about this.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx
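
The two rules quoted above, applied to the text of an `ipconfig` display and a NetworkName value, as an added example that is not part of the original post or the Cable Guy article. The function names, the sample output, the English `ipconfig` layout, the case-insensitive comparison and treating an empty NetworkName as "standard" are assumptions made for illustration.

```python
import re

# Constructed sample of an English `ipconfig` display; not captured from a real host.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example.com
        IP Address. . . . . . . . . . . . : 10.0.0.23

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected

PPP adapter Office VPN:

        Connection-specific DNS Suffix  . : corp.example.com
        IP Address. . . . . . . . . . . . : 10.9.0.5
"""

HEADER = re.compile(r"^(\S.*?) adapter (.+):\s*$")   # e.g. "Ethernet adapter LAN:"
SUFFIX = re.compile(r"Connection-specific DNS Suffix[ .]*:\s*(\S*)")

def connected_suffixes(ipconfig_text):
    """Return {adapter: suffix} for connected adapters that are not PPP/SLIP."""
    found, name, skip = {}, None, True
    for line in ipconfig_text.splitlines():
        m = HEADER.match(line)
        if m:
            # A new adapter section starts; PPP and SLIP sections are ignored.
            name, skip = m.group(2), m.group(1).upper() in ("PPP", "SLIP")
        elif "Media disconnected" in line:
            # Disconnected adapters do not count as "currently connected".
            skip = True
            found.pop(name, None)
        elif not skip:
            m = SUFFIX.search(line)
            if m:
                found[name] = m.group(1).rstrip(".").lower()
    return found

def predicted_profile(ipconfig_text, network_name):
    """Predict the Windows Firewall profile for one ipconfig snapshot.

    network_name is the NetworkName registry value named in the quote above.
    """
    wanted = network_name.rstrip(".").lower()
    suffixes = connected_suffixes(ipconfig_text).values()
    return "domain" if wanted and wanted in suffixes else "standard"
```

Because PPP and SLIP connections are excluded, a snapshot in which only a dial-up or PPP-based VPN adapter carries the domain suffix still evaluates to the standard profile.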