Using Group Policy to Manage Windows Firewall in Windows XP SP2

Date: February 9, 2005
By Charlie Russel
Article is provided courtesy of Microsoft Press.

The new Windows Firewall included with Windows XP Service Pack 2 (SP2) is a significant enhancement over the Internet Connection Firewall that shipped with Windows 2000 and with Windows XP before SP2. It gives much finer-grained control over exactly which exceptions are allowed and under what circumstances.

The new Windows Firewall Control Panel icon lets you configure the firewall on an individual machine. In an enterprise setting, however, not only would it be a major pain to set each machine's firewall settings by hand, but the system administrators probably need to control exactly which settings are available and used within their network. You can manage the new Windows Firewall completely through Group Policy, which makes the system administrator's task much easier.

Updating Group Policy Editor

To manage the Group Policy objects for Windows Firewall, you may need to update the version of the Group Policy Editor you are using. If you attempt to edit the Windows Firewall settings on a computer running Windows 2000, Windows Server 2003, or Windows XP SP1 or earlier, you may get this error message:

The following entry in the [strings] section is too long and has been truncated.

To update the Group Policy Editor, see the Microsoft Knowledge Base article 842933.

Additionally, if you are running in a Microsoft Windows Small Business Server 2003 environment, you need to obtain the Windows Small Business Server 2003 Update for Windows XP SP2 from the Microsoft download site.

Because of the way Group Policy Objects (GPOs) are distributed in a domain, once you open an existing GPO from an administrative computer running Windows XP SP2, the domain GPO is upgraded to include the new .adm template. This causes problems for existing copies of gpedit.msc that have not been updated, so you will need either to update them, as described in Knowledge Base article 842933, or to manage Group Policy only from a Windows XP SP2 computer.


Installing the Group Policy Administrative Template

To install and edit the Group Policy Administrative Template for Windows Firewall, follow these steps:

  1. Log on to a computer that is a member of the domain and has Windows XP SP2 installed, using an account that is a member of the Domain Admins, Enterprise Admins or Group Policy Creator Owners security group.

  2. Click Start > Run and type mmc to open a new MMC console.

  3. On the File menu, select Add/Remove Snap-in.

  4. Click Add and select Group Policy Object Editor from the list.

  5. In the Select Group Policy Object dialog box, click Browse.

  6. Select the Default Domain Policy, as shown here, and click your way back to the main MMC console.

  7. In the console tree, navigate to Computer Configuration, Administrative Templates, Network, Network Connections and then Windows Firewall, as shown:

  8. Highlight the profile you want to edit. The two choices are "Domain Profile" and "Standard Profile." The Standard Profile is used when a domain-managed computer is not physically connected to the domain, such as a laptop taken home.

  9. Edit the policies for that profile. Note: Edit both profiles so that each carries the settings you want; initially the two profiles are identical.

Configuring Deployment Settings

By default, the Group Policy settings for the Windows Firewall are "Not Configured" for all objects. This allows the Windows Firewall to use its default settings, which are quite restrictive.

The following table describes the policies that are available. Each policy is listed with its possible configurations (Not Configured, Enabled, Disabled) and the behavior each configuration produces.

Windows Firewall: Allow authenticated IPSec bypass
  Enabled:         IPSec traffic is not inspected by the Firewall.

Windows Firewall: Protect all network connections
  Not Configured:  Local administrators can enable or disable the Windows Firewall on any network connection.
  Enabled:         Windows Firewall is enabled on all network connections, and a local administrator cannot disable it.
  Disabled:        Windows Firewall is turned off on all network connections, and local administrators cannot enable it.

Windows Firewall: Do not allow exceptions
  Not Configured:  Local administrators can control whether the No Exceptions mode is used.
  Enabled:         No exceptions are allowed. You should enable the Windows Firewall: Protect all network connections setting as well, or local administrators could bypass this setting.
  Disabled:        Local administrators cannot enable the No Exceptions mode.

Windows Firewall: Define program exceptions
  Not Configured:  Local administrators can configure exceptions. (Overridden by the Windows Firewall: Allow local program exceptions setting.)
  Enabled:         A list of exceptions is entered in the Group Policy Editor, and these are enabled. Any locally configured exceptions are ignored.
  Disabled:        No exceptions are configured, and locally configured exceptions are ignored.

Windows Firewall: Allow local program exceptions
  Not Configured:  Local administrators can add program exceptions.
  Enabled:         Local administrators can add program exceptions.
  Disabled:        Local administrators cannot add program exceptions.

Windows Firewall: Allow remote administration exception
  Not Configured:  Remote administration is not allowed.
  Enabled:         Unsolicited incoming traffic for remote administration is allowed. The specific details are as configured in the policy and cannot be overridden by a local administrator.
  Disabled:        Remote administration is not allowed. Port 135 is blocked and port 445 is not opened.

Windows Firewall: Allow file and print sharing exception
  Not Configured:  Local administrators can enable the pre-defined File and Printer Sharing exception. This pre-defined exception opens ports 137 and 138 for UDP traffic, and ports 139 and 445 for TCP traffic.
  Enabled:         Ports 137 and 138 are opened for UDP traffic, and ports 139 and 445 are opened for TCP traffic. ICMP Echo messages are enabled.
  Disabled:        Local administrators cannot enable the pre-defined File and Printer Sharing exception.

Windows Firewall: Allow ICMP exceptions
  Not Configured:  Local administrators can configure ICMP exceptions.
  Enabled:         The specified incoming ICMP traffic is allowed.
  Disabled:        No unsolicited incoming ICMP traffic is allowed, and no local ICMP exceptions are allowed.

Windows Firewall: Allow Remote Desktop exception
  Not Configured:  Remote Desktop connections are disabled, but local administrators can enable the pre-configured Remote Desktop exception.
  Enabled:         Remote Desktop connections are allowed and TCP port 3389 is opened.
  Disabled:        Remote Desktop connections are disabled, and local administrators cannot enable the pre-configured Remote Desktop exception.

Windows Firewall: Allow UPnP framework exception
  Not Configured:  The UPnP ports are not opened, but local administrators can enable the pre-configured UPnP Framework exception.
  Enabled:         UDP port 1900 and TCP port 2869 are opened.
  Disabled:        The UPnP ports are not opened, and local administrators cannot enable the pre-configured UPnP Framework exception.

Windows Firewall: Prohibit notifications
  Not Configured:  Notification messages are displayed to the logged-on user. Local administrators can override the setting.
  Enabled:         Notification messages are not displayed.
  Disabled:        Notification messages are displayed to the logged-on user. Local administrators cannot override the setting.

Windows Firewall: Allow logging
  Not Configured:  Logging is not enabled, but can be enabled and configured by a local administrator.
  Enabled:         Logging is enabled, and the name, location and maximum size of the log file are entered in the Group Policy Editor.
  Disabled:        Logging is not enabled, and cannot be enabled by a local administrator.

Windows Firewall: Prohibit unicast response to multicast or broadcast requests
  Not Configured:  The incoming unicast response is accepted if received within 3 seconds. The setting can be overridden by a local administrator.
  Enabled:         The incoming unicast response is dropped. This cannot be overridden by a local administrator.
  Disabled:        The incoming unicast response is accepted if received within 3 seconds. This cannot be overridden by a local administrator.

Windows Firewall: Define port exceptions
  Not Configured:  No port exceptions are configured, but local administrators can configure exceptions.
  Enabled:         The specified port exceptions are configured, and locally configured exceptions are ignored. For example, to configure all Group Policy-controlled Windows XP SP2 systems to act as Web servers for the local subnet only, you could define a port exception for port 80, as shown here:
  Disabled:        No excepted ports are configured. Local configuration of exceptions is controlled by the Windows Firewall: Allow local port exceptions policy.

Windows Firewall: Allow local port exceptions
  Not Configured:  Local administrators cannot add port exceptions unless the Windows Firewall: Define port exceptions setting is Not Configured.
  Enabled:         Local administrators can add port exceptions.
  Disabled:        Local administrators cannot add port exceptions.


As you can see, you can control all the settings of the Windows Firewall using Group Policy:

  • Where appropriate, you can leave the settings "Not Configured" to allow local administrators to manage their settings as needed using the Control Panel.

  • Where local control could conflict with other domain applications or policies, you can explicitly enable or disable the settings, and even configure specific port and program exceptions as part of Group Policy. This lets the domain administrator allow remote administration from any machine on the local subnet, or from specific machines, while completely disabling file and print sharing on machines running the Windows Firewall.

  • Where an internal application requires specific settings, you can enable them as part of Group Policy so that they are enforced throughout the domain.
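The rows in the policy table interact: a Group Policy-defined exception list silences local exceptions, No Exceptions mode overrides everything, and the "Do not allow exceptions" row warns that it can be bypassed unless "Protect all network connections" is also Enabled. The following Python script is an added example (not code from the article or from Microsoft) that encodes those table statements literally for six of the policies, so an administrator can check what a planned profile configuration actually leaves to local administrators before pushing it out. The policy names are the ones shown in the Group Policy Editor; anything omitted from the input defaults to "Not Configured", as in a fresh GPO.

```python
"""Work out the effective Windows Firewall behaviour for one Group Policy
profile (Domain or Standard) from the policy states in the table above.

Added example, not the article's or Microsoft's code. It models six of the
policies, each in one of the three states the Group Policy Editor offers,
exactly as the table describes them.
"""

NOT_CONFIGURED, ENABLED, DISABLED = "Not Configured", "Enabled", "Disabled"
STATES = (NOT_CONFIGURED, ENABLED, DISABLED)

POLICIES = (
    "Protect all network connections",
    "Do not allow exceptions",
    "Define program exceptions",
    "Allow local program exceptions",
    "Define port exceptions",
    "Allow local port exceptions",
)


def evaluate_profile(settings):
    """Return the effective behaviour and any warnings for one profile.

    settings: {policy name: state}; unmodelled names or states raise ValueError.
    """
    unknown = sorted(set(settings) - set(POLICIES))
    if unknown:
        raise ValueError(f"policies not modelled here: {unknown}")
    cfg = {name: settings.get(name, NOT_CONFIGURED) for name in POLICIES}
    for name, state in cfg.items():
        if state not in STATES:
            raise ValueError(f"{name}: unknown state {state!r}")

    protect = cfg["Protect all network connections"]
    no_exc = cfg["Do not allow exceptions"]
    def_prog = cfg["Define program exceptions"]
    loc_prog = cfg["Allow local program exceptions"]
    def_port = cfg["Define port exceptions"]
    loc_port = cfg["Allow local port exceptions"]

    # Protect all network connections: Enabled locks the firewall on,
    # Disabled locks it off, Not Configured leaves it to the local admin.
    firewall = {ENABLED: "on, locked", DISABLED: "off, locked",
                NOT_CONFIGURED: "local admin decides"}[protect]

    # Do not allow exceptions: Enabled forces No Exceptions mode, Disabled
    # stops local admins turning it on, Not Configured leaves it to them.
    no_exceptions = {ENABLED: "forced on", DISABLED: "locked off",
                     NOT_CONFIGURED: "local admin decides"}[no_exc]

    # Program exceptions: a GPO list (Enabled) or an explicit Disabled both
    # discard locally configured exceptions; only Not Configured lets the local
    # admin add any, and then only if the allow-local policy is not Disabled.
    local_program = def_prog == NOT_CONFIGURED and loc_prog != DISABLED

    # Port exceptions: Enabled ignores local entries; otherwise the local admin
    # may add ports when the allow-local policy is Enabled, or when both
    # policies are Not Configured.
    local_port = def_port != ENABLED and (
        loc_port == ENABLED
        or (loc_port == NOT_CONFIGURED and def_port == NOT_CONFIGURED))

    if no_exc == ENABLED:  # No Exceptions mode overrides every exception
        local_program = local_port = False

    warnings = []
    if no_exc == ENABLED and protect != ENABLED:
        warnings.append('"Do not allow exceptions" is Enabled but "Protect all '
                        'network connections" is not: a local administrator '
                        'can turn the firewall off and bypass it.')
    if protect == DISABLED:
        warnings.append('"Protect all network connections" is Disabled: the '
                        'firewall is off on every connection and local '
                        'administrators cannot turn it on.')

    return {
        "firewall": firewall,
        "no_exceptions_mode": no_exceptions,
        "gpo_program_list_applies": def_prog == ENABLED,
        "gpo_port_list_applies": def_port == ENABLED,
        "local_program_exceptions": local_program,
        "local_port_exceptions": local_port,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed Standard Profile for laptops that leave the network:
    # intended to be locked down, but the admin forgot to force the firewall on.
    laptop = {"Do not allow exceptions": ENABLED}
    for key, value in evaluate_profile(laptop).items():
        print(f"{key}: {value}")
```

Run it with the two profile dictionaries you intend to deploy (Domain and Standard) and read the warnings first; the first warning reproduces the bypass the table notes for "Do not allow exceptions", and the remaining keys tell you which exception controls are still in local hands.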
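Once the "Allow logging" policy is Enabled, the log file it names is the evidence that the other rows of the table are doing what you expect. The following Python script is an added example (not code from the article or from Microsoft) that reads such a log and counts the inbound packets the firewall dropped, grouped by the pre-defined exception (File and Printer Sharing, Remote Desktop, UPnP Framework, remote administration, ICMP echo) that would have admitted them, using the port numbers the table lists. It assumes the W3C-style text format Windows Firewall writes, in which a "#Fields:" header names the columns and "-" marks a field that does not apply; the log lines embedded below are constructed for the example, not captured from a real machine.

```python
"""Summarize dropped inbound traffic in a Windows Firewall log against the
pre-defined exceptions named in the policy table above.

Added example, not the article's or Microsoft's code. Assumes the W3C-style
log format (columns named by the "#Fields:" header, "-" for not applicable,
"RECEIVE"/"SEND" in the path column). SAMPLE_LOG is constructed.
"""
from collections import Counter

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-02-09 09:15:01 DROP TCP 192.168.1.77 192.168.1.10 1042 445 48 S 1234567 0 65535 - - - RECEIVE
2005-02-09 09:15:02 DROP UDP 192.168.1.77 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2005-02-09 09:15:04 OPEN TCP 192.168.1.10 192.168.1.20 1043 80 0 - - - - - - - -
2005-02-09 09:15:05 DROP TCP 10.0.0.5 192.168.1.10 3311 3389 48 S 7654321 0 16384 - - - RECEIVE
2005-02-09 09:15:06 DROP ICMP 10.0.0.9 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
"""

# (protocol, destination port) -> the pre-defined exception from the table
# that opens that port.  Port 445 is shared by the File and Printer Sharing
# and remote administration exceptions; it is filed under the former here.
EXCEPTION_PORTS = {
    ("UDP", "137"): "File and Printer Sharing",
    ("UDP", "138"): "File and Printer Sharing",
    ("TCP", "139"): "File and Printer Sharing",
    ("TCP", "445"): "File and Printer Sharing",
    ("TCP", "135"): "Remote administration",
    ("TCP", "3389"): "Remote Desktop",
    ("UDP", "1900"): "UPnP Framework",
    ("TCP", "2869"): "UPnP Framework",
}


def parse_firewall_log(text):
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # version, software and time-format headers
        if fields is None:
            raise ValueError("data record found before the #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, parts)})
    return records


def classify(rec):
    """Name the exception that would have admitted this packet, or 'other'."""
    if rec["protocol"] == "ICMP":
        return "ICMP echo request" if rec.get("icmptype") == "8" else "ICMP other"
    return EXCEPTION_PORTS.get((rec["protocol"], rec["dst-port"]), "other")


def inbound_drops(records):
    return [r for r in records if r["action"] == "DROP" and r.get("path") == "RECEIVE"]


def summarize_drops(records):
    """Count inbound DROP records per exception category."""
    return dict(Counter(classify(r) for r in inbound_drops(records)))


def top_sources(records, n=3):
    """Source addresses responsible for the most inbound drops."""
    return Counter(r["src-ip"] for r in inbound_drops(records)).most_common(n)


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print("inbound drops by exception:", summarize_drops(recs))
    print("noisiest sources:", top_sources(recs))
```

Point `parse_firewall_log` at the contents of the file configured in the "Allow logging" policy; a steady count under "File and Printer Sharing" on a machine where that exception is Disabled confirms the policy is applied, and a count of zero on a machine where you expected drops is the cue to check which profile (Domain or Standard) the computer is actually running under.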




CHARLIE RUSSEL is a chemist by education, an electrician by trade, a UNIX sysadmin and Oracle DBA because he raised his hand when he should have known better, an IT director and consultant by default and a writer by choice. He is the author of more than two dozen computer books on operating systems and enterprise environments, including Microsoft Windows Server 2003 Administrator's Companion, Microsoft Windows Small Business Server 2003 Administrator's Companion and Oracle DBA Backup and Recovery Quick Reference. He has also written numerous white papers and case studies on Microsoft.com and is a regular columnist for the Windows XP ExpertZone.
