#1
Configuring the Builtin Firewall GPO
I am trying to configure a group policy that will allow me to control the Windows built-in firewall across our domain. What I don't know how to do is configure it so that if a PC needs the firewall to be temporarily disabled, an administrator can come do that for the machine. I have a test OU set up to do this, so any suggestions can be tested.
#2
I had an issue with local admins and Power Users trying to turn off their AV, so I used GP to disable access to turn off the AV service unless you were an admin.

Computer config
--Windows Settings
---Security Settings
----System Services
-----Windows ICS/Firewall

Check "Define policy" and set to Automatic. Edit the Security so only System and whatever group you want are able to stop the service. You would be best off making sure you use a group so you can add the users or other groups to that group.

If you want to be a little more picky about what port or what service you may want to allow, you can use the Windows Firewall policy settings to tweak what you want to allow. For instance, I only allow selected programs to run:

Computer
--AdminTemplates
---Network
----NetworkConnections
-----Windows Firewall
------Domain (and Standard for when laptops are off network)
-------Define Program Exceptions

Look into how to set it for your network. Basically:

Program.exe : * : Enabled: ProgDescription

The star says all networks, but you can limit it to subnet, local, whatever. You also need to "Allow local program exception" for this to work.

You can also use the Define Port Exceptions as well to allow connections from remote computers. I use these settings to make sure only requests from my IP addresses are allowed and also prevent users from sharing printers, drives, etc.
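A way to check the result of the service-security step described in the post above (an added example, not part of the original post): it parses a service security descriptor in SDDL form, such as the text printed by `sc sdshow SharedAccess` on a client, and lists which trustees can still stop or reconfigure the firewall service. The sample descriptor and the group SID are constructed for illustration, and `who_can_disable` is a hypothetical helper name.

```python
import re

# SDDL right tokens -> access-mask bits. On a service object RP = start,
# WP = stop, DC = change config, WD/WO = rewrite the ACL or take ownership.
RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
              "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
              "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000}
# Rights that let a trustee turn the service off, directly or indirectly.
SENSITIVE = {"stop": 0x20, "change config": 0x2, "rewrite ACL": 0x40000 | 0x80000}
ALIASES = {"SY": "Local System", "BA": "Administrators", "PU": "Power Users",
           "AU": "Authenticated Users", "IU": "Interactive", "WD": "Everyone"}

# Constructed sample: System, one delegated domain group (made-up SID),
# read-only Authenticated Users, and a leftover Power Users ACE.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_SDDL = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
               "(A;;CCLCSWRPWPDTLOCRRC;;;" + GROUP_SID + ")"
               "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def to_mask(rights):
    """Convert an ACE rights field (token string or 0x hex mask) to an integer."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for tok in re.findall("..", rights):
        mask |= RIGHT_BITS.get(tok, 0)
    return mask | (0xF01FF if mask & 0x10000000 else 0)  # GA -> SERVICE_ALL_ACCESS

def who_can_disable(sddl):
    """Return {trustee: [sensitive rights]} from the DACL; the SACL is ignored."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in descriptor")
    allow, deny = {}, {}
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        target = allow if ace_type == "A" else deny if ace_type == "D" else None
        if target is not None:
            target[sid] = target.get(sid, 0) | to_mask(rights)
    report = {}
    for sid, mask in allow.items():
        # Deny ACEs are subtracted per SID only; group membership is not resolved.
        effective = mask & ~deny.get(sid, 0)
        caps = [name for name, bits in SENSITIVE.items() if effective & bits]
        if caps:
            report[ALIASES.get(sid, sid)] = caps
    return report

if __name__ == "__main__":
    for trustee, caps in who_can_disable(SAMPLE_SDDL).items():
        print(trustee, "->", ", ".join(caps))
```

Any trustee in the output other than System and the delegated group (here the leftover Power Users entry) means the policy has not restricted the stop right as intended.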
#3
I tried setting the security on the service and that was a no go. No matter what I do, or what user I log in as, the Windows ICS/Firewall service won't start. I get an error:

error 0x80004015 the class is configured to run as a security id different from the caller

This sounded like a very simple solution and I would like to deploy it. Am I doing something wrong? Did you run into this when you deployed these GPO settings?