Archived from groups: microsoft.public.windowsxp.security_admin (More info?)
I have applied Group Policies for XP Firewall in 'Computer
Configuration\Administrative Templates\Network\Network Connections\Windows
Firewall\Domain Profile', however users can easily subvert these by simply
turning off the firewall service.
I tried restricting access to the Firewall/ICS service via 'Computer
Configuration\Windows Settings\Security Settings\System Services', however
now the Firewall/ICS service on the client affected by this policy won't
start. I get " Error 0x80004015: The class is configured to run as a
security id different from the caller", which leads me to this KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;892199
I followed the directions, but it doesn't seem to resolve my problem, well
it does if I delete the SD registry key for the 'SharedAccess' service
entirely and don't restore it. Then it behaves like I expected, the service
will start upon restart and the policy doesn't allow the user to stop the
service. However I don't want to remove this key on all my existing and new
users, it seems wrong. There must be a more appropriate resolution...
Any clue anyone?
Thanks,
-g
I have applied Group Policies for XP Firewall in 'Computer
Configuration\Administrative Templates\Network\Network Connections\Windows
Firewall\Domain Profile', however users can easily subvert these by simply
turning off the firewall service.
I tried restricting access to the Firewall/ICS service via 'Computer
Configuration\Windows Settings\Security Settings\System Services', however
now the Firewall/ICS service on the client affected by this policy won't
start. I get " Error 0x80004015: The class is configured to run as a
security id different from the caller", which leads me to this KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;892199
I followed the directions, but it doesn't seem to resolve my problem, well
it does if I delete the SD registry key for the 'SharedAccess' service
entirely and don't restore it. Then it behaves like I expected, the service
will start upon restart and the policy doesn't allow the user to stop the
service. However I don't want to remove this key on all my existing and new
users, it seems wrong. There must be a more appropriate resolution...
Any clue anyone?
Thanks,
-g