A Windows XP help forum. PCbanter


Lock Windows XP Firewall



 
 
  #1  
Old October 20th 05, 01:47 AM
John
external usenet poster
 
Posts: n/a
Default Lock Windows XP Firewall

Is there a REG hack to run that will keep the windows firewall on or off
positions so users can't either turn it off or turn it on??

Thanks for your time


  #2  
Old October 20th 05, 03:48 AM
Andy Tan
external usenet poster
 
Posts: n/a
Default Lock Windows XP Firewall

Secure Your Desktops With The New Group Policy Settings In SP2

At A Glance:
Windows XP SP2 firewall
Securing access to the Internet
Internet Explorer policy settings
Setting file-level risk settings
Group Policy Administration, Active Directory, Security, Windows XP SP2


The Group Policy mechanism built into Windows has always been the most
effective and efficient way to immediately gain more control over your user,
client, and server population. Once you deploy Windows XP Service Pack 2
(SP2), your control will get better. Let's examine some of the goodies that
you'll be able to explore once the latest service pack is installed on your
Windows® XP clients.

There are over six hundred new policy settings available for machines loaded
with Windows XP SP2. Space prevents me from examining each one individually,
but I will describe some of the categories of new features as well as some of
the most useful policy settings so that you can get to work and put them to
use right away. [Editor's Update - 5/16/2005: The Group Policy snap-in for
the Microsoft Management Console allows you to edit Group Policy Objects. To
access this snap-in in Windows XP, go to Start | Run, and enter gpedit.msc.
You can also find gpedit.msc in the %windir%\system32 directory.]


Controlling the Windows XP SP2 Firewall

Perhaps the biggest news for Windows XP SP2 is the built-in Windows
Firewall. For the record, there was always a firewall built into Windows XP,
but with Windows XP SP2, the firewall is turned on by default and is much
more controllable via Group Policy. Before the release of Windows XP SP2, the
firewall was turned off by default. The policies used to control the Windows
Firewall can be found in two locations: Administrative Templates | Network |
Network Connections | Windows Firewall | Domain Profile, and Administrative
Templates | Network | Network Connections | Windows Firewall | Standard
Profile. Inside each node, you'll find a number of new additions that will
allow you to achieve fine-grained control. Take a look at Figure 1 to see all
the new controls located within the Domain Profile node.


Figure 1 Windows XP SP2 Firewall Settings

But what is the difference between the Domain Profile node and the Standard
Profile node? The Domain Profile settings take effect when users are inside
your home network, that is, when they're actively logged in by a Domain
Controller. The Standard Profile is useful for when users are out of the
office, perhaps in a hotel or on another public network where they cannot
reach your company's Domain Controllers for authentication. In these
situations, you might choose to handle firewall settings differently. For
instance, your corporate policy might dictate that certain ports need to be
opened on each desktop for a specific application or for administrative
management, but that users should have an even tighter level of security when
they are on the road.

Once a Windows XP SP2 computer receives the policy settings for both the
Domain Profile and Standard Profile, that computer is ready to travel both in
and out of the office. You can be sure that machine is employing your
company's firewall security policy both in the office and on the road.

If you're interested in getting some more information about how a computer
determines if it is supposed to use "Domain Profile" or "Standard Profile"
policy settings, be sure to read "Determination Behavior for Network-Related
Group Policy Settings" on the Microsoft® TechNet Web site.


Securing Computer Access to the Internet

There are two areas containing Group Policy settings for securing Internet
access that will be of particular interest when you want even tighter
control on outbound Internet communications. For instance, administrators in
academic environments might want to restrict a specific set of computers from
connecting to the Internet. Or, a corporate administrator might want to
increase protection when it comes to their users downloading (and potentially
executing) specific file types.

To locate these areas, first go to Administrative Templates | System |
Internet Communication Management where you'll locate the Restrict Internet
Communication policy setting. This setting can be used to disable Internet
communications for specified machines. Additionally, if you go to
Administrative Templates | System | Internet Communication Management and
select Internet Communication settings, as seen in Figure 2, you'll find some
additional lockdown options when Internet communication is involved. Most of
the policy settings in this section are self-explanatory, but they are
valuable additions for protecting both corporate and academic networks from
adding unnecessary software or potentially misusing the computing resources.


Figure 2 Internet Communication Settings

Next, go to User Configuration | Administrative Templates | Windows
Components | Attachment Manager. You'll find multiple settings on how to
process various file types when users attempt to open those files, as shown
in Figure 3. As the name of the node suggests, the process that's being
managed under the hood is called the "Attachment Manager." The Attachment
Manager has some preassigned degrees of risk associated with file types. For
instance, .bat, .vbs, and .reg would all be considered "High Risk." Files
considered "Low Risk" are those with the .log and .txt extensions. To specify
how Windows XP SP2 should handle file types of varying risk, you can use the
policy setting named Default Risk Level for file attachments. You can also
modify which file types should be considered high, moderate, and low risk
using policy settings contained within the same node. If your anti-virus tool
can register itself with Windows XP SP2, you can likely use the new "Notify
antivirus programs when opening attachments" policy setting, which can tell
the antivirus program to take additional action.


Figure 3 Attachment Manager

To find out more information on the Windows XP SP2 Attachment Manager, read
Knowledge Base article 883260, "Description of how the Attachment Manager
works in Windows XP Service Pack 2".


Securing Browser Settings

It's no secret that Microsoft Internet Explorer in Windows XP SP2 has
enhanced functionality to protect the home, corporate, and academic user. For
instance, Internet Explorer now comes with a pop-up blocker, better control
for handling ActiveX® add-ins, and other safety features.


Figure 4 Additional Internet Explorer Policy Settings

Internet Explorer users now have a whopping 619 possible policy settings at
their disposal. You'll find most of these settings at Administrative
Templates | Windows Components | Internet Explorer | Internet Control Panel |
Security Page. Figure 4 shows settings for the Internet Zone. You can also
change settings for other zones: Intranet, Trusted Sites, Restricted Sites,
Local Machine, and Locked-Down Local Machine. You can easily configure what
the behavior should be for the new Internet Explorer features when you're
within each zone. For instance, you might want to allow ActiveX downloads
while in your intranet zone, but block the download of ActiveX controls when
you're visiting a restricted site.


Locating the New Policy Settings

You can locate the new policy settings using the built-in filtering
available while editing any GPO. Simply open the Group Policy Object editor,
and go to User Configuration | Administrative Templates or Computer
Configuration | Administrative Templates and select Filtering on the View
menu. Once the Filtering dialog appears, as shown in Figure 5, select Filter
by Requirements Information. Next, select which requirements you are
interested in, such as "At least Microsoft Windows XP Professional with SP2."
Once performed, you can easily see which policy settings are new for this
operating system.


Figure 5 Filtering Policy Settings

Because the text within the Group Policy Object editor is not searchable, I
would suggest you download the Excel spreadsheet entitled "Group Policy
Settings Reference for .adm Files Included with Windows XP Professional
Service Pack 2".


Figure 6 The Group Policy Settings Reference Spreadsheet

As you can see in Figure 6, this spreadsheet contains all policy settings
and is easily configured to display only the new ones. Indeed, this
spreadsheet contains worksheets which show just the new settings for regular,
registry-based policy settings known as administrative (ADM) templates, as
well as security settings (non-registry settings). All policy settings are
searchable as well, making this a handy resource if you're looking for a
specific policy setting but can't locate it in the Group Policy Object editor.


Conclusion

There are tons of new policy settings to help you control Windows XP SP2, so
get out there and make your world even more secure! As with anything new,
though, be sure to perform thorough tests on a test lab or small segment of
users before rolling out into full production.



"John" wrote:

Is there a REG hack to run that will keep the windows firewall on or off
positions so users can't either turn it off or turn it on??

Thanks for your time



  #3  
Old October 20th 05, 04:15 PM
Torgeir Bakken (MVP)
external usenet poster
 
Posts: n/a
Default Lock Windows XP Firewall

John wrote:

Is there a REG hack to run that will keep the windows
firewall on or off positions so users can't either
turn it off or turn it on??

Hi,

Using the command line tool netsh.exe, you can enable or disable the
WinXP SP2 firewall on the fly, like this (assuming that the users
have local admin rights):

To enable:
%SystemRoot%\System32\netsh.exe firewall set opmode ENABLE

To disable:
%SystemRoot%\System32\netsh.exe firewall set opmode DISABLE

You can e.g. put the commands in a couple of shortcuts or batch files.


The netsh.exe syntax is documented in WF_XPSP2.doc.

WF_XPSP2.doc "Deploying Windows Firewall Settings for Microsoft
Windows XP with Service Pack 2" is downloadable from
http://www.microsoft.com/downloads/d...d-499f73a637d1



--
torgeir, Microsoft MVP Scripting, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx
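
Added example, not part of any post in this thread: a batch file that pins the firewall ON by writing the registry values behind the "Windows Firewall: Protect all network connections" policy in both the Domain Profile and Standard Profile nodes described in post #2. It assumes Windows XP SP2, a local administrator account, and a machine that does not already receive these settings from a domain GPO.

```batch
@echo off
rem Added example: lock the Windows XP SP2 firewall ON through the policy
rem registry values, rather than the per-session "netsh firewall set opmode".
rem Values under the Policies key take precedence over the local setting,
rem so the On/Off choice in the Windows Firewall control panel is greyed out.
setlocal
set "POLKEY=HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall"

rem Write the value for both profiles so the lock holds whether the machine
rem is on the domain network (DomainProfile) or off it (StandardProfile).
for %%P in (DomainProfile StandardProfile) do (
    reg add "%POLKEY%\%%P" /v EnableFirewall /t REG_DWORD /d 1 /f >nul
    if errorlevel 1 (
        echo Failed to write the %%P policy value. Run as an administrator.
        exit /b 1
    )
)

rem Read the values back so the result is visible in the console or a log.
for %%P in (DomainProfile StandardProfile) do (
    reg query "%POLKEY%\%%P" /v EnableFirewall
)

rem Show the operational mode the firewall reports for each profile.
"%SystemRoot%\System32\netsh.exe" firewall show opmode
endlocal
```

A user with local administrator rights can still delete these values, so the lock only holds against limited accounts. On domain-joined machines, set the same policy in a GPO instead, since Group Policy refresh rewrites this key.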
  #4  
Old October 20th 05, 08:20 PM
hustedj
external usenet poster
 
Posts: n/a
Default Lock Windows XP Firewall

Perfect that is what I am looking for.

thanks guys!


"Torgeir Bakken (MVP)" wrote:

John wrote:

Is there a REG hack to run that will keep the windows
firewall on or off positions so users can't either
turn it off or turn it on??

Hi,

Using the command line tool netsh.exe, you can enable or disable the
WinXP SP2 firewall on the fly, like this (assuming that the users
have local admin rights):

To enable:
%SystemRoot%\System32\netsh.exe firewall set opmode ENABLE

To disable:
%SystemRoot%\System32\netsh.exe firewall set opmode DISABLE

You can e.g. put the commands in a couple of shortcuts or batch files.


The netsh.exe syntax is documented in WF_XPSP2.doc.

WF_XPSP2.doc "Deploying Windows Firewall Settings for Microsoft
Windows XP with Service Pack 2" is downloadable from
http://www.microsoft.com/downloads/d...d-499f73a637d1



--
torgeir, Microsoft MVP Scripting, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx

 



