Re: Group Policy Firewall Exception Problem
- From: harrykrishna.nospam@xxxxxxxxx
- Date: Thu, 26 Apr 2007 15:38:01 GMT
This is a very long shot but is there the possibility that the
firewall was suddenly using its non-domain settings as opposed to the
domain ones? I don't know about server 2003 but an XP box joined to
the domain ends up with two sets of firewall settings.
If you had logging turned on you might want to peek at the domain and
non-domain logs and see if dropped packets are in there where you
weren't expecting them to be dropped.
Like I said, a very long shot....
HTH
Charlie <baboon@xxxxxxxxxxxxxx> wrote:
Hopefully this is the best NG for this issue:
I have set up about a dozen or more Windows 2003, R2 servers on our AD
domain of about 8000 computers. On each of these I have set up the Windows
Firewall with exceptions for things such as File Sharing and Remote Desktop,
limiting the scope to the Class B network that represents our corporate network.
A few days ago, users suddenly and temporarily lost access to file sharing
on some of these servers. At that time the Firewalls on the servers showed
the File and Print exception as being applied through Group Policy. Later,
when the problem was gone, it showed up as not applied through Group Policy.
(Unfortunately I wasn't around, as I would have had the server admins run
RSOP and check the scope of the exception immediately.)
It was clear that the problem only affected those servers that were in a
couple of OUs, and those OUs had a common GPO linked to them. That GPO
includes nothing but a setting that limits Remote Administration to allow it
only from a small number of machines. I have to suspect that as the culprit,
since it includes port 445.
Looking at the GPMC and at the Sysvol folder itself, none of the GPOs that
apply to either of the OUs was modified within days of the occurrence. Until
I realized that, I figured someone had applied a bad setting, but apparently
not, assuming the Modified attribute is reliable for that purpose. Also,
it's possible someone could have created a new GPO, applied it to these same
2 OUs, then deleted it, but it's unlikely. If you could see the structure of
the domain tree, you would see why it would be unlikely.
My fix to keep this from happening again will be to apply a GPO to the child
OUs that the servers are in, which will include a File Sharing exception with
a scope of the corporate network, (as well as exceptions for the other
services that are needed). Because I don't work at the domain admin level, I
will have to deal with politics in order to get this done, however.
Does anyone have another theory as to what would have caused this?
Has anyone seen anything similar to this?
If I am correct about the reason it happened, it's kind of scary since it
would involve a bug that acts as a denial of service.
Thanks for any answers or suggestions.
Ha®®y
HarryKrishna.nospam@xxxxxxxxx
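
The log check suggested in the reply above, as an added example that is not part of either post: it reads a Windows Firewall log and counts dropped TCP 445/139 connections whose source lies inside the scope the exception was supposed to allow. The sample log lines, the addresses and the 172.16.0.0/16 scope are constructed for illustration; column names are taken from the log's own `#Fields:` header.

```python
import ipaddress
from collections import Counter

# Constructed sample in the Windows Firewall log layout (pfirewall.log); not from the thread.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2007-04-23 09:14:02 DROP TCP 172.16.40.12 172.16.1.20 3051 445 48 S 1163282100 0 65535 - - -
2007-04-23 09:14:05 DROP TCP 172.16.40.12 172.16.1.20 3051 445 48 S 1163282100 0 65535 - - -
2007-04-23 09:14:09 DROP TCP 172.16.77.3 172.16.1.20 1188 139 48 S 2201938811 0 65535 - - -
2007-04-23 09:15:30 DROP TCP 203.0.113.9 172.16.1.20 4410 445 48 S 99120034 0 16384 - - -
2007-04-23 09:16:00 OPEN TCP 172.16.1.20 172.16.1.5 1029 389 - - - - - - - -
2007-04-23 09:16:44 DROP UDP 172.16.40.12 172.16.255.255 137 137 78 - - - - - - -
"""

def parse_firewall_log(text):
    """Yield one dict per entry, using the '#Fields:' header for column names."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def unexpected_drops(text, allowed_scope, ports=("445", "139")):
    """Count DROPs to the given TCP ports whose source lies inside the allowed scope."""
    scope = ipaddress.ip_network(allowed_scope)
    hits = Counter()
    for e in parse_firewall_log(text):
        if e["action"] != "DROP" or e["protocol"] != "TCP" or e["dst-port"] not in ports:
            continue
        try:
            src = ipaddress.ip_address(e["src-ip"])
        except ValueError:  # malformed address field
            continue
        if src in scope:
            hits[(e["src-ip"], e["dst-port"])] += 1
    return hits

if __name__ == "__main__":
    for (src, port), n in unexpected_drops(SAMPLE_LOG, "172.16.0.0/16").most_common():
        print(f"{n} dropped connection(s) from in-scope host {src} to TCP {port}")
```

Any non-empty result means clients inside the intended scope were being refused, which points at the exception's scope or the active profile rather than at the clients.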