Re: Changing firewall settings in Group Policy Editor
- From: Owen Williams <Owen@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 12 Jul 2006 20:34:33 -0400
Luke:
SBS2003 by default includes 2 GPOs to configure the Windows XP firewall:
* Small Business Server Internet Connection Firewall
* Small Business Server Windows Firewall
The first has a WMI filter which causes it to be applied only to PCs
running versions of Windows XP which are pre-SP2. (Hopefully, you do
not have any PCs like this!)
The second has a WMI filter which causes it to be applied only to PCs
running versions of Windows XP which are post-SP2.
Among other things, the GPOs enable firewall exceptions to support stuff
like Remote Assistance. These settings should not be changed unless you
have specific reasons to do so and know what you are doing.
Since GPOs are in effect, the XP firewall cannot be configured
individually on each machine. This is by design.
If the client really needs to change the firewall settings, there are
two choices:
1. Add a GPO with the required exceptions so that all PCs are affected.
This is the best choice if the changes should apply to all PCs.
2. Modify the existing GPO (or add a new one) so local exceptions can be
defined on a PC by PC basis. You need to be cautious with this one
since individual users can then change their firewall settings, which
may be a security risk. (It is possible to use GPO Security Filtering
to restrict when a GPO is applied.)
For method #1:
* Launch the Group Policy Management Console and navigate to Forest |
Domains | <YourDomain>
* Right-click <YourDomain> and select Create and Link a GPO here.
* In the New GPO dialog box, provide a name, such as <Company> Windows
Firewall Exceptions.
* Right-click the new GPO and select Edit.
* In the GPO Editor, go to Computer Configuration | Administrative
Templates | Network | Network Connections | Windows Firewall | Domain
Profile
* To define a PROGRAM exception, double-click Windows Firewall: Define
program exceptions, Enable the setting, and follow the instructions to
add one or more exceptions.
* To define a PORT exception, double-click Windows Firewall: Define port
exceptions, Enable the setting, and follow the instructions to add one
or more exceptions.
* Click Apply or OK as required and exit the GPO editor and the Group
Policy Management Console
For method #2 (and modifying the existing GPO):
* Launch the Group Policy Management Console and navigate to Forest |
Domains | <YourDomain>
* Right-click Small Business Server Windows Firewall and select Edit.
* In the GPO Editor, go to Computer Configuration | Administrative
Templates | Network | Network Connections | Windows Firewall | Domain
Profile
* Double-click Windows Firewall: Allow local program exceptions and/or
Windows Firewall: Allow local port exceptions. In either case, Enable
the setting.
* Click Apply or OK as required and exit the GPO editor and the Group
Policy Management Console
Wait for the GPO to refresh (~90 minutes) -OR- refresh manually on the
clients -OR- reboot the clients and you should be good to go.
-- Owen Williams (SBS MVP)
In article <2B8FF7A0-A0F0-42AD-A3EC-0FE292435690@xxxxxxxxxxxxx>,
lfheb@xxxxxxxxxxxxxxxxxxxxxxxxx says...
I have a client on my network who cannot change his firewall settings, and he
is his computer's administrator. I think it has something to do with the
Group Policy Editor, but I'm not sure what. Please help.
Thanks,
Luke
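
Added example, not part of the original post or of any Microsoft tooling: a small linter for the strings entered under "Windows Firewall: Define port exceptions" in method #1, run before they go into a domain-wide GPO. It assumes the entry syntax given in that policy setting's own help text (Port:Transport:Scope:Status:Name) and IPv4 scopes; the function names and sample entries are constructed for illustration.

```python
# Added example: lint entries for "Windows Firewall: Define port exceptions".
# Assumed entry syntax (from the policy setting's help text, not from the post):
#   Port:Transport:Scope:Status:Name
import ipaddress

def lint_port_exception(entry):
    """Return a list of problems found in one entry; an empty list means clean."""
    parts = entry.strip().split(":", 4)   # Name is last and may itself contain ':'
    if len(parts) != 5:
        return ["expected Port:Transport:Scope:Status:Name"]
    port, transport, scope, status, name = (p.strip() for p in parts)
    problems = []
    if not (port.isdecimal() and 1 <= int(port) <= 65535):
        problems.append("port must be 1-65535")
    if transport.upper() not in ("TCP", "UDP"):
        problems.append("transport must be TCP or UDP")
    if status.lower() not in ("enabled", "disabled"):
        problems.append("status must be enabled or disabled")
    if not name:
        problems.append("name is empty")
    if scope == "*":
        # A wildcard scope opens the port to every source address.
        problems.append("scope * accepts traffic from any address")
    else:
        for item in scope.split(","):
            item = item.strip()
            if item.lower() == "localsubnet":
                continue
            try:
                ipaddress.ip_network(item, strict=False)  # address or subnet
            except ValueError:
                problems.append("bad scope item: %r" % item)
    return problems

# Constructed sample entries, not taken from any real GPO.
SAMPLES = [
    "3389:TCP:192.168.16.0/24:enabled:Remote Desktop",
    "5900:TCP:*:enabled:VNC",
    "8080:TPC:localsubnet:enabled:Intranet app",
    "443:TCP:10.0.0.300:enabled:Web",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(entry, "->", lint_port_exception(entry) or "OK")
```
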