Applying Windows Firewall settings through Group Policy
I have applied the settings for Windows Firewall in a network of Windows XP SP2 machines and a Windows Server 2003 Domain Controller. According to Microsoft this can be done even if you have an Active Directory Domain Controller running Windows 2000 Server. This document shows you, step by step, how to do it.
First you have to log in, either locally or remotely, to your Domain Controller and open the Group Policy Management snap-in.
In the Group Policy Management snap-in window expand your domain, then right-click the Group Policy Objects item and from the contextual menu choose the New option.
Now you have to give a name to the new GPO. I strongly advise you to use descriptive names, especially if you have a lot of GPOs and more than one administrator.
To establish the GPO settings for Windows Firewall you have to edit the previously created object on a domain member Windows XP SP2 machine because the Windows server does not have the required Windows Firewall settings.
The easiest way to do it, at least in my opinion, is the following:
mmc.exe application;
Run as... and enter the credentials of a domain account with enough rights to modify the previously created GPO;
Group Policy Object Editor snap-in and when asked for Group Policy Object click the Browse... button;
OK
Browse for a Group Policy Object window select the All tab and from the displayed list choose the GPO that you have created previously.
mmc's main window.
<your_GPO_name> -> Computer Configuration -> Administrative Templates -> Network -> Network Connections
Before setting anything, do the following:
Disable
for
the "Windows Firewall: Allow file and printer sharing exception" if you are sharing files and/or printers in your network.
If you have a policy that deals with system services, you can set the Windows Firewall/Internet Connection Sharing (ICS) service there to be started automatically. Otherwise use the previously created policy to set the service to start automatically.
Warning
Be sure to give the Read permission for the NETWORK SERVICE account or your domain member computers will log the event with id "560" and source "Security".
About the event with id "560" and source "Security" you can read more in my articles Automatic Updates are not performed and error 0x80004015 is logged and IISADMIN failed to start with a stupid error: 2147549183.
This is something you should know already, but if not, follow these steps:
Group Policy Management snap-in;
organizational unit for which you want the policy to be applied and, from the contextual menu, choose the Link an Existing GPO... item;
OK button.
To test the policy, execute gpupdate /force on a computer that is a member of the organizational unit to which you have applied the GPO.
Check the settings applied through the GPO. For this task you may read my article How to find the settings applied through GPO in Windows XP
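The test step above can be scripted on the Windows XP SP2 client. The following is an added example, not part of the original article: the script name, the GPO name passed as its argument, the service short name SharedAccess and the policy registry key are assumptions that do not appear in the text above.

```batch
@echo off
rem check-fw-gpo.cmd (hypothetical name) - run in cmd.exe as a local administrator
rem Usage: check-fw-gpo.cmd "Name of your firewall GPO"
setlocal
set FAIL=0
rem Assumption: XP SP2 stores firewall settings delivered by GPO under this key.
set KEY=HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall

echo [1] Refreshing Group Policy...
gpupdate /force
if errorlevel 1 set FAIL=1

echo [2] Looking for the GPO in the computer's Resultant Set of Policy...
rem A match can also come from the "filtered out" list, so read the full
rem gpresult output if the later checks fail.
gpresult /scope computer | findstr /i /c:"%~1"
if errorlevel 1 (
    echo     GPO "%~1" is not listed for this computer
    set FAIL=1
)

echo [3] Windows Firewall/ICS service (short name SharedAccess)...
sc qc SharedAccess | findstr /c:"AUTO_START" >nul
if errorlevel 1 (
    echo     service is not set to start automatically
    set FAIL=1
)
sc query SharedAccess | findstr /c:"RUNNING" >nul
if errorlevel 1 (
    echo     service is not running
    set FAIL=1
)

echo [4] Firewall policy values written by the GPO (domain profile)...
reg query "%KEY%\DomainProfile"
if errorlevel 1 (
    echo     no domain profile firewall policy found in the registry
    set FAIL=1
)
rem File and printer sharing exception: a missing value means "not configured".
reg query "%KEY%\DomainProfile\Services\FileAndPrint" /v Enabled

echo [5] Effective firewall state as seen by the firewall itself:
netsh firewall show state

if %FAIL%==0 (echo RESULT: all checks passed) else (echo RESULT: at least one check failed)
exit /b %FAIL%
```

If check [2] or [4] fails on a machine that should receive the policy, the Read permission mentioned in the Warning above and the GPO link on the organizational unit are the first things to review.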
This document is copyrighted (c) 2005 by Calin Radoni. Permission is granted to copy and/or distribute this document.
No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could be damaging to your system. Proceed with caution; the author does not take any responsibility.
All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.