Windows Firewall (WF) configuration is available as an Administrative Template policy under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. Within these policy settings for WF, you can configure elements such as whether WF is enabled or disabled, whether any exceptions are allowed for applications, ports or administrative tools, and how WF behaves for protocols such as ICMP.

Windows Firewall policy distinguishes between Standard and Domain Profiles. The Domain Profile applies whenever a computer running WF is on the "corporate" network, as determined by the DNS suffix of the currently active network connection that is not a PPP or SLIP connection. This suffix is compared to the DNS suffix of the connection that was in use the last time Group Policy was successfully applied. If they are the same, the workstation is assumed to be on the corporate network and the Domain Profile applies. If they are not, the Standard Profile is applied. More information on this network determination process can be found at: http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

Note: Windows Firewall and its respective policies were greatly enhanced in Windows XP Service Pack 2. Many of these policies will have no effect on earlier releases of Windows.

The Windows Firewall and RSoP

By default, the Windows Firewall is enabled on XP SP2 machines. This is an appropriate default from a security perspective, but it has the drawback that RSoP data cannot be retrieved from XP SP2 machines using Group Policy Results in GPMC. One option is to open the appropriate ports, as described in KB 883611. However, for many this may still represent an unacceptable security risk. One workaround is the GPMonitor tool, part of the Windows Server 2003 Resource Kit. It uses a small agent that regularly sends RSoP data from the client to a central store, which can then be read using a simple user interface also provided with GPMonitor.

Comments:

From dragoran - 4/11/07 2:57 PM
I use System Services to disable Windows Firewall as a service.
Last Modified 3/8/05 1:42 AM