A Windows XP help forum. PCbanter


Configuring the Builtin Firewall GPO



 
 
  #1  
January 12th 10, 09:41 PM posted to microsoft.public.security,microsoft.public.windows.group_policy,microsoft.public.windows.networking.firewall,microsoft.public.windowsxp.security_admin
Zachary

I am trying to configure a group policy that will allow me to control the
windows built in firewall across our domain. What I don't know how to do is
configure it so that if a PC needs the firewall to be temporarily disabled
an administrator can come do that for the machine. I have a test OU setup
to do this so any suggestions can be tested.


  #2  
January 15th 10, 11:12 PM posted to microsoft.public.security,microsoft.public.windows.group_policy,microsoft.public.windows.networking.firewall,microsoft.public.windowsxp.security_admin
Jordan

I had an issue with local admins and Power users trying to turn off their AV
so I used GP to disable access to turn off the AV service unless you were an
admin.

Computer config
--Windows Settings
---Security Settings
----System Services
-----Windows ICS/Firewall

Check define policy and set to automatic
Edit the Security so only System and whatever group you want to be able to stop
the service. You would be best off making sure you use a group so you can
add the users or other groups to that group.

If you want to be a little more picky about what port or what service you
may want to allow you can use the Windows firewall policy settings to tweak
what you want to allow. For instance I only allow selected programs to run:

Computer
--AdminTemplates
---Network
----NetworkConnections
-----Windows Firewall
------Domain (and standard for when laptops are off network)
-------Define Program Exceptions

Look into how to set for your network. Basically:

Program.exe : * : Enabled: ProgDescription

The star says all networks, but you can limit it to subnet, local,
whatever.

You also need to "Allow local program exception" for this to work

You can also use the Define Port Exceptions as well to allow connections from
remote computers. I use these settings to make sure only requests from my IP
addresses are allowed and also prevent users from sharing printers, drives,
etc.


"Zachary" wrote in message
...
I am trying to configure a group policy that will allow me to control the
windows built in firewall across our domain. What I don't know how to do
is configure it so that if a PC needs the firewall to be temporarily
disabled an administrator can come do that for the machine. I have a test
OU setup to do this so any suggestions can be tested.
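
As an added example (not part of the original posts), a small audit of "Define Program Exceptions" entries like the one quoted above, flagging any enabled entry whose scope is wider than the networks you mean to trust. It assumes the colon-separated `path:scope:status:name` form with a scope of `*`, `localsubnet` or a comma-separated list of IPv4 addresses and subnets; the function names, sample paths and the 10.1.0.0/16 range are hypothetical.

```python
import ipaddress

# Constructed sample values of a "Define Program Exceptions" policy list.
SAMPLE_ENTRIES = [
    r"Program.exe : * : Enabled: ProgDescription",  # form quoted in the post
    r"C:\Tools\backup.exe:localsubnet:enabled:Backup agent",
    r"C:\Tools\mgmt.exe:10.1.0.0/16,192.0.2.7:enabled:Mgmt agent",
    r"C:\Tools\old.exe:*:disabled:Retired tool",
    r"C:\Tools\broken.exe:enabled",
]

def parse_exception(entry):
    """Split 'path:scope:status:name' from the right; the path may hold a drive colon."""
    parts = [p.strip() for p in entry.rsplit(":", 3)]
    if len(parts) != 4 or not all(parts):
        raise ValueError("expected path:scope:status:name")
    path, scope, status, name = parts
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"unknown status {status!r}")
    return path, scope, status.lower(), name

def scope_findings(scope, allowed_nets):
    """Return reasons why a scope is wider than the networks we intend to trust."""
    if scope == "*":
        return ["scope '*' admits every network"]
    findings = []
    for item in (s.strip() for s in scope.split(",")):
        if item.lower() == "localsubnet":
            continue
        try:
            net = ipaddress.ip_network(item, strict=False)  # IPv4 scopes only
        except ValueError:
            findings.append(f"unparseable scope item {item!r}")
            continue
        if not any(net.subnet_of(a) for a in allowed_nets):
            findings.append(f"{item} is outside the allowed networks")
    return findings

def audit(entries, allowed=("10.1.0.0/16",)):  # hypothetical trusted range
    """Map each entry to its findings ([] = nothing to review); disabled entries are skipped."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    report = {}
    for entry in entries:
        try:
            _path, scope, status, _name = parse_exception(entry)
        except ValueError as exc:
            report[entry] = [f"malformed: {exc}"]
            continue
        report[entry] = scope_findings(scope, allowed_nets) if status == "enabled" else []
    return report
```

Calling `audit(SAMPLE_ENTRIES)` returns a dictionary keyed by the original entry string, so the findings can be pasted straight into a review of the GPO.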






  #3  
January 18th 10, 08:05 PM posted to microsoft.public.security,microsoft.public.windows.group_policy,microsoft.public.windows.networking.firewall,microsoft.public.windowsxp.security_admin
Zachary

I tried setting the security on the service and that was a no go. No matter
what I do, or what user I log in as, the Windows ICS/Firewall Service won't
start. I get an error:

error 0x80004015 the class is configured to run as a security id different
from the caller

This sounded like a very simple solution and I would like to deploy it, am I
doing something wrong? Did you run into this when you deployed these GPO
settings?

"Jordan" wrote in message
...
I had an issue with local admins and Power users trying to turn off their
AV so I used GP to disable access to turn off the AV service unless you
were an admin.

Computer config
--Windows Settings
---Security Settings
----System Services
-----Windows ICS/Firewall

Check define policy and set to automatic
Edit the Security so only System and whatever group you want to be able
to stop the service. You would be best off making sure you use a group so
you can add the users or other groups to that group.

If you want to be a little more picky about what port or what service you
may want to allow you can use the Windows firewall policy settings to
tweak what you want to allow. For instance I only allow selected programs
to run:

Computer
--AdminTemplates
---Network
----NetworkConnections
-----Windows Firewall
------Domain (and standard for when laptops are off network)
-------Define Program Exceptions

Look into how to set for your network. Basically:

Program.exe : * : Enabled: ProgDescription

The star says all networks, but you can limit it to subnet, local,
whatever.

You also need to "Allow local program exception" for this to work

You can also use the Define Port Exceptions as well to allow connections
from remote computers. I use these settings to make sure only requests
from my IP addresses are allowed and also prevent users from sharing
printers, drives, etc.


"Zachary" wrote in message
...
I am trying to configure a group policy that will allow me to control the
windows built in firewall across our domain. What I don't know how to do
is configure it so that if a PC needs the firewall to be temporarily
disabled an administrator can come do that for the machine. I have a test
OU setup to do this so any suggestions can be tested.








 




All times are GMT +1.