Windows firewall settings via group policy

Tags: Firewalls, Group Policy, Group Policy management, Windows administration, Windows firewall, Windows Security
Can we push out windows firewall settings via group policy and then lock out the user from modifying or changing the rules in any way? Can administrators get around this?
ASKED: October 28, 2010  3:18 PM
UPDATED: October 29, 2010  5:49 AM

Answer Wiki


I strongly recommend that you test your Windows Firewall Group Policy settings in a test environment before you deploy them in your production environment, to ensure that your Windows Firewall Group Policy configuration does not result in unintended vulnerabilities...

When you use Group Policy to configure Windows Firewall, by default local administrators will be unable to change some elements of its configuration locally, using the Windows Firewall component in Control Panel. The basic steps for deploying Windows Firewall settings for Windows with Active Directory are the following:

1. Update your Group Policy objects with the new Windows Firewall settings.

2. Specify Windows Firewall settings for your Group Policy objects.

To update your Group Policy objects with the new Windows Firewall settings using the Group Policy snap-in, do the following:

a. Install Windows on a computer that is a member of the domain that contains the computer accounts of the other computers running Windows on which you plan to install Windows.

b. Restart the computer and log on to the Windows-based computer as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

c. From the Windows desktop, click Start, click Run, type mmc, and then click OK.

d. On the File menu, click Add/Remove.

e. On the Standalone tab, click Add.

f. In the Available Standalone list, click Group Policy Object Editor, and then click Add.

g. In the Select Group Policy Object dialog box, click Browse.

h. In the Browse for a Group Policy Object dialog box, click the Group Policy object that you want to update with the new Windows Firewall settings. An example is shown in the following figure. Click OK.

i. Click Finish to complete the Group Policy Wizard.

j. In the Add Standalone Snap-in dialog box, click Close.

k. In the Add/Remove dialog box, click OK.

l. In the console tree, open Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall. Repeat this procedure for every Group Policy object that is being used to apply Group Policy to computers.

After a Group Policy object has been updated, it can be configured with the Windows Firewall settings that are appropriate for Windows Firewall and the use of management, server, listener, or peer applications and services:

Windows Firewall: Protect all network connections
    Used to specify that all network connections have Windows Firewall enabled.

Windows Firewall: Do not allow exceptions
    Used to specify that all unsolicited incoming traffic be dropped, including excepted traffic.

Windows Firewall: Define program exceptions
    Used to define excepted traffic in terms of program file names.

Windows Firewall: Allow local program exceptions
    Used to enable local configuration of program exceptions.

Windows Firewall: Allow remote administration exception
    Used to enable remote configuration using tools such as Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI).

Windows Firewall: Allow file and print sharing exception
    Used to specify whether file and printer sharing traffic is allowed.

Windows Firewall: Allow ICMP exceptions
    Used to specify the types of Internet Control Message Protocol (ICMP) messages that are allowed.

Windows Firewall: Allow Remote Desktop exception
    Used to specify whether the Windows XP-based computer can accept a Remote Desktop-based connection request.

Windows Firewall: Allow UPnP framework exception
    Used to specify whether the computer can receive unsolicited UPnP messages.

Windows Firewall: Prohibit notifications
    Used to disable notifications.

Windows Firewall: Allow logging
    Used to enable logging of discarded traffic and successful connections, and to configure log file settings.

Windows Firewall: Prohibit unicast response to multicast or broadcast requests
    Used to discard the unicast packets received in response to a multicast or broadcast request message.

Windows Firewall: Define port exceptions
    Used to specify excepted traffic in terms of TCP and UDP ports.

Windows Firewall: Allow local port exceptions
    Used to enable local configuration of port exceptions.

Recommended Settings for Windows Firewall Group Policy Settings

The following are the recommendations for the Windows Firewall Group Policy settings for Windows:

Windows Firewall: Protect all network connections
    Enabled

Windows Firewall: Do not allow exceptions
    Not configured

Windows Firewall: Define program exceptions
    Enabled and configured with the programs (applications and services) used by the computers running Windows on your network for managed, server, listener, or peer applications.

Windows Firewall: Allow local program exceptions
    Enabled, unless you don't want local administrators to be able to configure program exceptions locally.

Windows Firewall: Allow remote administration exception
    Disabled, unless you want to be able to remotely administer with MMC snap-ins or remotely monitor using WMI the computers running Windows.

Windows Firewall: Allow file and print sharing exception
    Enabled only if the computers running Windows are sharing local folders and printers.

Windows Firewall: Allow ICMP exceptions
    Enabled only to allow diagnostic or management capabilities that are based on ICMP traffic.

Windows Firewall: Allow Remote Desktop exception
    Enabled only if you use Remote Desktop to connect to Windows computers.

Windows Firewall: Allow UPnP framework exception
    Enabled only if you use UPnP devices on your network.

Windows Firewall: Prohibit notifications
    Disabled

Windows Firewall: Allow logging
    Not configured

Windows Firewall: Prohibit unicast response to multicast or broadcast requests
    Disabled

Windows Firewall: Define port exceptions
    Enabled and configured with the TCP and UDP ports used by the computers running Windows on your network for managed, server, listener, or peer programs that cannot be specified by filename.

Windows Firewall: Allow local port exceptions
    Enabled, unless you don't want local administrators to be able to configure port exceptions locally.

Hope it will help you!
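The answer above lists the policy settings by their Group Policy names; the part of the question about locking local administrators out turns on two of them, "Allow local program exceptions" and "Allow local port exceptions". The following PowerShell audit script is an added example, not part of the original post and not Microsoft's tooling. It reads the values that the Windows Firewall administrative template writes under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall (EnableFirewall, DoNotAllowExceptions, DisableNotifications, and the AllowUserPrefMerge flags and List subkeys under AuthorizedApplications and GloballyOpenPorts, as documented for the XP SP2-era template; verify the names against a policy export on your own build) and reports, per profile, whether the firewall is forced on and whether local administrators may still merge their own exceptions. It also parses each deployed exception entry and flags entries whose scope is "*" (any remote address) rather than a subnet, which is the check a reviewer usually wants before signing off the GPO. The sample entries at the bottom are constructed for illustration.

```powershell
# Added audit script (not from the original post). Run elevated on a domain-joined
# machine after gpupdate so the policy keys reflect the deployed GPO.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-PolicyDword {
    # Returns the DWORD value, or $null when the key or value is absent
    # (absent means the setting is "Not configured" in the GPO).
    param([string]$KeyPath, [string]$Name)
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-PolicyExceptionList {
    # Reads every entry under <profile>\<Container>\List. Each registry value
    # holds one complete exception string; the value name duplicates the target.
    param([string]$ProfileKey, [string]$Container)
    $listKey = Join-Path $ProfileKey "$Container\List"
    if (-not (Test-Path $listKey)) { return @() }
    (Get-ItemProperty -Path $listKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [string]$_.Value }
}

function ConvertFrom-ExceptionEntry {
    # Program entries: "<path>:<scope>:<status>:<name>"
    # Port entries:    "<port>:<protocol>:<scope>:<status>:<name>"
    # Scope "*" means any remote address; "LocalSubnet" limits it to the local subnet.
    # The lazy path group lets drive-letter colons ("C:\...") parse correctly.
    param([string]$Entry, [ValidateSet('Program', 'Port')][string]$Kind)
    if ($Kind -eq 'Program') {
        $pattern = '^(?<target>.+?):(?<scope>[^:]+):(?<status>(?i:enabled|disabled)):(?<name>.*)$'
    } else {
        $pattern = '^(?<target>\d+:(?i:TCP|UDP)):(?<scope>[^:]+):(?<status>(?i:enabled|disabled)):(?<name>.*)$'
    }
    if (-not ($Entry -match $pattern)) {
        return [pscustomobject]@{ Kind = $Kind; Target = $Entry; Scope = '?'; Enabled = $false
                                  Name = ''; Malformed = $true; OpenToAny = $false }
    }
    $enabled = $Matches.status -ieq 'enabled'
    [pscustomobject]@{
        Kind = $Kind; Target = $Matches.target; Scope = $Matches.scope; Enabled = $enabled
        Name = $Matches.name; Malformed = $false
        OpenToAny = ($enabled -and $Matches.scope -eq '*')   # enabled and reachable from anywhere
    }
}

function Get-FirewallPolicyState {
    # One row per profile. A merge flag of 0 is the only value that locks local
    # administrators out of adding their own exceptions; 1 and "Not configured"
    # are reported as-is rather than interpreted.
    param([string]$Root = $PolicyRoot)
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $key = Join-Path $Root $profile
        $programMerge = Get-PolicyDword (Join-Path $key 'AuthorizedApplications') 'AllowUserPrefMerge'
        $portMerge    = Get-PolicyDword (Join-Path $key 'GloballyOpenPorts') 'AllowUserPrefMerge'
        $describe = { param($v) if ($null -eq $v) { 'Not configured' } elseif ($v -eq 0) { 'Locked' } else { 'Allowed' } }
        [pscustomobject]@{
            Profile              = $profile
            PolicyApplied        = (Test-Path $key)
            FirewallForcedOn     = ((Get-PolicyDword $key 'EnableFirewall') -eq 1)
            NoExceptions         = ((Get-PolicyDword $key 'DoNotAllowExceptions') -eq 1)
            NotificationsBlocked = ((Get-PolicyDword $key 'DisableNotifications') -eq 1)
            LocalProgramMerge    = (& $describe $programMerge)
            LocalPortMerge       = (& $describe $portMerge)
        }
    }
}

# Report the deployed policy state for both profiles.
Get-FirewallPolicyState | Format-Table -AutoSize

# Flag deployed exceptions that are enabled for any remote address, or that are malformed.
$findings = foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $key = Join-Path $PolicyRoot $profile
    foreach ($e in Get-PolicyExceptionList $key 'AuthorizedApplications') {
        ConvertFrom-ExceptionEntry $e 'Program' | Add-Member NoteProperty Profile $profile -PassThru }
    foreach ($e in Get-PolicyExceptionList $key 'GloballyOpenPorts') {
        ConvertFrom-ExceptionEntry $e 'Port' | Add-Member NoteProperty Profile $profile -PassThru }
}
$findings | Where-Object { $_.OpenToAny -or $_.Malformed } |
    Format-Table Profile, Kind, Target, Scope, Enabled, Name -AutoSize

# Constructed sample entries (not from any real GPO) showing what the parser flags:
# the first is open to any address, the second is subnet-scoped, the third is malformed.
'C:\Program Files\Example\agent.exe:*:enabled:Example Agent',
'%ProgramFiles%\Example\agent.exe:LocalSubnet:enabled:Example Agent' |
    ForEach-Object { ConvertFrom-ExceptionEntry $_ 'Program' } | Format-Table -AutoSize
ConvertFrom-ExceptionEntry '139:TCP:*:enabled:NetBIOS Session Service' 'Port' | Format-Table -AutoSize
ConvertFrom-ExceptionEntry '139:TCP:enabled' 'Port' | Format-Table -AutoSize
```

The script only reads the policy keys, so it shows what the GPO deployed, not what the firewall is currently doing; compare its output with `netsh firewall show config` (or `netsh advfirewall show allprofiles` on Windows Vista and later) to confirm the effective state, and with `gpresult /r` to confirm the GPO actually applied to the machine. On the second part of the question: the keys under HKLM\SOFTWARE\Policies are the mechanism that greys out the Control Panel options for local administrators, so the lockout holds only as long as Group Policy keeps applying; treat a machine where PolicyApplied is false, or where the merge flags report Allowed when you intended Locked, as a finding to chase rather than as a firewall that is enforced.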

Discuss This Question: 2  Replies

  • NewnanIT (pingback): [...] Windows firewall settings via group policy [...]
  • NewnanIT (pingback): [...] Windows firewall settings via group policy To update your Group Policy objects with the new Windows Firewall settings Windows firewall settings via group policy [...]