Restrict stopping of XP Firewall service?

Archived from groups: microsoft.public.windowsxp.security_admin

I have applied Group Policies for XP Firewall in 'Computer
Configuration\Administrative Templates\Network\Network Connections\Windows
Firewall\Domain Profile', however users can easily subvert these by simply
turning off the firewall service.

I tried restricting access to the Firewall/ICS service via 'Computer
Configuration\Windows Settings\Security Settings\System Services', however
now the Firewall/ICS service on the client affected by this policy won't
start. I get "Error 0x80004015: The class is configured to run as a
security id different from the caller", which leads me to this KB article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;892199

I followed the directions, but it doesn't seem to resolve my problem. Well,
it does if I delete the SD registry key for the 'SharedAccess' service
entirely and don't restore it. Then it behaves like I expected: the service
will start upon restart and the policy doesn't allow the user to stop the
service. However, I don't want to remove this key on all my existing and new
users; it seems wrong. There must be a more appropriate resolution...

Any clue anyone?

Thanks,

-g
  1.

    When will all you supposed admins realize that if the local user really
    wants to, they can override anything you can come up with? Believe it or not,
    our admins locked OFF the XP firewall because they 'thought' it was causing
    problems. They would not unlock it on a laptop that I was going to travel
    with, so I had to bypass their GPO to turn it on for my travel (and it is
    still off automatically on the LAN, let them try to figure that out!). If
    you don't have physical control over the machine, your next level of control
    is a disciplined user; if you can't discipline the user, you are flat out of
    luck.

    "Greg" <nobody@nowhere.com> wrote in message
    news:42278fdf$0$38728$39cecf19@news.twtelecom.net...
    > I have applied Group Policies for XP Firewall in 'Computer
    > Configuration\Administrative Templates\Network\Network Connections\Windows
    > Firewall\Domain Profile', however users can easily subvert these by simply
    > turning off the firewall service.
    >
    > I tried restricting access to the Firewall/ICS service via 'Computer
    > Configuration\Windows Settings\Security Settings\System Services', however
    > now the Firewall/ICS service on the client affected by this policy won't
    > start. I get "Error 0x80004015: The class is configured to run as a
    > security id different from the caller", which leads me to this KB article:
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;892199
    >
    > I followed the directions, but it doesn't seem to resolve my problem, well
    > it does if I delete the SD registry key for the 'SharedAccess' service
    > entirely and don't restore it. Then it behaves like I expected, the service
    > will start upon restart and the policy doesn't allow the user to stop the
    > service. However I don't want to remove this key on all my existing and new
    > users, it seems wrong. There must be a more appropriate resolution...
    >
    > Any clue anyone?
    >
    > Thanks,
    >
    > -g
    >
    >
    >
  2.

    Hi Greg,

    Thanks for posting here.

    I understand that you want to lock the Windows Firewall Service on the
    Windows XP SP2 computer to be on. If I am off base, please do not hesitate
    to let me know.

    Based on my research, the Group Policy defined on the domain controller
    does have the function to lock this service as always on. There are only
    three options:

    1. Automatic
    2. Manual
    3. Disable

    However, no matter whether you choose the Automatic or the Manual method,
    users can still start/stop the service freely. If you choose "Disable", then
    the users can no longer start this service.

    Currently, I think there are no other workarounds for this issue, and from my
    point of view you should educate your users and clients on the importance
    of enabling the Windows Firewall.

    You could also let me know your questions or concerns on this issue. I
    would be happy to help as much as I can. Thanks for your
    understanding.

    I look forward to your reply.

    Thanks & Regards

    Amanda Wang[MSFT]

    Microsoft Online Partner Support

    This posting is provided "AS IS" with no warranties, and confers no rights.
  3.

    Greg wrote:
    > I have applied Group Policies for XP Firewall in 'Computer
    > Configuration\Administrative Templates\Network\Network
    > Connections\Windows Firewall\Domain Profile', however users can
    > easily subvert these by simply turning off the firewall service.

    Not if they don't have admin rights. And they shouldn't.
    >
    > I tried restricting access to the Firewall/ICS service via 'Computer
    > Configuration\Windows Settings\Security Settings\System Services',
    > however now the Firewall/ICS service on the client affected by this
    > policy won't start. I get "Error 0x80004015: The class is configured
    > to run as a security id different from the caller", which leads me to
    > this KB article:
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;892199
    >
    > I followed the directions, but it doesn't seem to resolve my problem,
    > well it does if I delete the SD registry key for the 'SharedAccess'
    > service entirely and don't restore it. Then it behaves like I
    > expected, the service will start upon restart and the policy doesn't
    > allow the user to stop the service. However I don't want to remove
    > this key on all my existing and new users, it seems wrong. There must
    > be a more appropriate resolution...
    >
    > Any clue anyone?
    >
    > Thanks,
    >
    > -g
  4.

    Greg wrote:

    > I have applied Group Policies for XP Firewall in 'Computer
    > Configuration\Administrative Templates\Network\Network Connections\Windows
    > Firewall\Domain Profile', however users can easily subvert these by simply
    > turning off the firewall service.
    >
    > I tried restricting access to the Firewall/ICS service via 'Computer
    > Configuration\Windows Settings\Security Settings\System Services', however
    > now the Firewall/ICS service on the client affected by this policy won't
    > start. I get "Error 0x80004015: The class is configured to run as a
    > security id different from the caller", which leads me to this KB article:
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;892199
    >
    > I followed the directions, but it doesn't seem to resolve my problem, well
    > it does if I delete the SD registry key for the 'SharedAccess' service
    > entirely and don't restore it. Then it behaves like I expected, the service
    > will start upon restart and the policy doesn't allow the user to stop the
    > service. However I don't want to remove this key on all my existing and new
    > users, it seems wrong. There must be a more appropriate resolution...
    >
    >

    Hey Greg,

    I'm not at work right now, so I can't be 100% sure of everything I'm saying, but
    I ran into your SD problem just a week ago: I had issues with a Ghost
    client service being killed off and users not being able to restart it due to
    permissions on the service. In my environment I have the firewall set to
    automatic using Group Policy under the Security Settings in System Services.
    When you explicitly set permissions like that, the default permissions don't
    include the Authenticated Users group, which is the group that the user who
    runs the Firewall service belongs to. I don't remember the user, but I think
    it's Network Service. When you remove that group, the firewall is started
    with a different SID than what it is configured for and it fails to start.
    For me, since Authenticated Users weren't included, they weren't allowed to start
    up the Ghost client whenever it got killed off (that's another story that we
    eventually solved).

    It sounds like I may have to see at work whether some of our users are able to
    turn the firewall off, at least those users who have access to do so. By that
    I mean I turn off access to the Control Panel icons (all except Display) and I
    turn off the Manage entry on the menu when you right-click on My Computer.
    They also aren't allowed to run anything I don't want them to, by explicitly
    listing application binary names. All those things are in Group Policies I
    set up. I suggest you attempt to do the same if you can, so that users can't
    turn things off/on that you don't want them to. There shouldn't be anything in
    Control Panel they need to access, but it is granular within the GP setting.
    They shouldn't need access to anything under Manage either from My Computer.
    As far as application binaries go, you can set an explicit list of allowed or
    denied applications, so you don't have to worry about listing EVERYTHING they
    are allowed to run; you could just list the stuff they aren't allowed to run (like
    mmc.exe for example).


    HTH
    Brandon
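As an added worked check, not written by anyone in this thread, the script below audits a service security descriptor in the SDDL form that `sc sdshow <service>` prints for the two conditions the posts above describe: a principal outside SYSTEM and Administrators holding the service stop/start rights (how Greg's users turn the firewall off), and the Authenticated Users entry missing its query rights, which Brandon's reply ties to the 0x80004015 start failure. It then rebuilds a corrected DACL for `sc sdset`. The right-code and SID abbreviation tables are the standard Windows SDK mappings; the two sample descriptors are constructed for the example and are not taken from any real machine; and the Authenticated Users requirement is taken from Brandon's account rather than independently verified.

```python
"""
Audit a Windows service DACL (SDDL, as `sc sdshow <service>` prints it) for the
two problems raised in this thread: a principal other than SYSTEM/Administrators
holding SERVICE_STOP/SERVICE_START, and Authenticated Users (AU) missing the
query rights the service needs (the condition Brandon ties to error 0x80004015).
harden() emits a corrected DACL for `sc sdset SharedAccess "<sddl>"`.
Sample descriptors at the bottom are constructed; read the real one first.
"""
import re

# SDDL right codes for services, in the order sc.exe prints them, with the
# access-mask bit each stands for (Windows SDK: winsvc.h / winnt.h).
RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001), "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004), "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010), "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040), "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100), "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000), "WD": ("WRITE_DAC", 0x40000), "WO": ("WRITE_OWNER", 0x80000),
    "GA": ("GENERIC_ALL", 0x10000000), "GX": ("GENERIC_EXECUTE", 0x20000000),
    "GW": ("GENERIC_WRITE", 0x40000000), "GR": ("GENERIC_READ", 0x80000000),
}
SIDS = {"SY": "SYSTEM", "BA": "Administrators", "AU": "Authenticated Users",
        "PU": "Power Users", "IU": "INTERACTIVE", "BU": "Users", "WD": "Everyone"}

TRUSTED = {"SY", "BA"}                            # may start/stop the service
CONTROL = {"RP", "WP", "DT", "GA", "GW", "GX"}    # start, stop, pause, generic write/exec
WRITE = {"DC", "SD", "WD", "WO"}                  # reconfigure, delete, change ACL/owner
READ_ONLY = {"CC", "LC", "SW", "LO", "CR", "RC"}  # query and interrogate only

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def _codes(rights):
    """Turn an ACE rights field (letter pairs or a 0x hex mask) into a code set."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {c for c, (_, bit) in RIGHTS.items() if mask & bit}
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    unknown = codes - set(RIGHTS)
    if unknown:
        raise ValueError("unsupported right code(s): %s" % sorted(unknown))
    return codes


def parse_dacl(sddl):
    """Return [(ace_type, flags, codes, sid)] for the D: part of an SDDL string.
    Owner/group, the SACL and DACL-level flags such as P are not kept."""
    if "D:" not in sddl:
        raise ValueError("descriptor has no DACL")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    return [(t, f, _codes(r), sid) for t, f, r, _o, _i, sid in ACE_RE.findall(dacl)]


def who_can_stop(sddl):
    """Principals (SID abbreviations or raw SIDs) granted SERVICE_STOP or GENERIC_ALL."""
    return sorted(sid for t, _, codes, sid in parse_dacl(sddl)
                  if t == "A" and codes & {"WP", "GA"})


def audit(sddl):
    """Findings for the two failure modes; an empty list means the DACL is acceptable."""
    findings, au_codes = [], set()
    for t, _, codes, sid in parse_dacl(sddl):
        if t != "A":
            continue                                # deny ACEs never widen access
        if sid == "AU":
            au_codes |= codes
        risky = codes & (CONTROL | WRITE)
        if sid not in TRUSTED and risky:
            names = [RIGHTS[c][0] for c in RIGHTS if c in risky]
            findings.append("%s (%s) can control the service: %s"
                            % (SIDS.get(sid, sid), sid, ", ".join(names)))
    if not (READ_ONLY <= au_codes or au_codes & {"GR", "GA"}):
        findings.append("Authenticated Users (AU) lacks query/interrogate rights; "
                        "this thread ties that to error 0x80004015 at service start")
    return findings


def harden(sddl):
    """Rebuild the DACL: trusted ACEs kept, AU read-only, everyone else stripped of control."""
    aces = []
    for t, flags, codes, sid in parse_dacl(sddl):
        if t == "A" and sid not in TRUSTED:
            codes = (codes - CONTROL - WRITE) | (READ_ONLY if sid == "AU" else set())
        aces.append((t, flags, codes, sid))
    if not any(t == "A" and sid == "AU" for t, _, _, sid in aces):
        aces.append(("A", "", set(READ_ONLY), "AU"))   # restore the entry the service needs
    return "D:" + "".join("(%s;%s;%s;;;%s)" % (t, f, "".join(c for c in RIGHTS if c in codes), sid)
                          for t, f, codes, sid in aces if codes)   # empty ACEs are dropped


# Constructed sample: shape of an XP default service DACL, where Power Users
# (PU) hold RP/WP and can therefore start and stop the service themselves.
XP_DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Constructed sample of a policy-set DACL that dropped Authenticated Users and
# let INTERACTIVE start and stop the service.
GPO_NO_AU = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
             "(A;;CCLCSWRPWPDTLOCRRC;;;IU)")

if __name__ == "__main__":
    for label, sd in (("XP default", XP_DEFAULT), ("policy without AU", GPO_NO_AU)):
        print("==", label)
        for finding in audit(sd) or ["no findings"]:
            print("  -", finding)
        print("  can stop:", who_can_stop(sd))
        print('  sc sdset SharedAccess "%s"' % harden(sd))
```

To use it against a real client, capture `sc sdshow SharedAccess` from a machine that shows the 0x80004015 error and from one where the service starts, run both through `audit()`, and compare the entries; apply the descriptor `harden()` produces with `sc sdset` only after confirming it keeps every entry the working machine has. Stopping a service needs SERVICE_STOP (WP), so once only SYSTEM and Administrators hold it an ordinary user cannot stop the firewall, which is also why reply 3's point holds: a user with local administrator rights can simply rewrite the descriptor back.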