Questions About Windows Firewall and Domain Policy Enforce..

Archived from groups: microsoft.public.windows.networking.firewall,microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

I have a Windows 2000 domain that has 200 workstations most of which are
still only running XP w/SP1. We haven't been able to move everyone to SP2
because of the problems that have arisen.

Problem 1: 90% of the workstations need to have the firewalls activated
because of the way they travel around and the networks that they are subject
to attach to.

Problem 2: The workstations need to be able to be managed on all the
workstations when they are connected to the domain.

Problem 3: If we enable the firewall locally on the workstations then the
domain policies do not override the local setting.

Problem 4: If we disable the firewall settings locally then the domain
policy Domain Profile settings take over and function properly as long as
there is no Standard Profile configured. If you created a Standard Profile
in the policy then it applies that setting over the Domain Profile. This
problem doesn't matter whether you are on the domain network or not.

Question 1: Is there a way to enforce the domain policy firewall settings
even if the firewall was activated locally?

Question 2: Is there a way to enforce the Domain Profile to work over the
Standard Profile when connected to the domain and the Standard to be the
default when not connected to the domain?

TIA,
Leo
  1. Archived from groups: microsoft.public.windows.networking.firewall,microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

    I have a Windows 2000 domain that has 200 workstations most of which are
    still only running XP w/SP1. We haven't been able to move everyone to SP2
    because of the problems that have arisen when trying to apply firewall
    settings through domain GPO (Some issues came up this week and we were
    forced to install SP2 on about 70 XP workstations).

    Problem 1: 90% of the workstations need to have the firewalls activated
    because of the way the users travel around and the networks that they are
    subject to attach their laptop to. Our users travel all over the state and
    have requirements forcing them to get on networks that do not belong to our
    office. Users access the office through hardware VPN tunnels normally and
    are authenticated to the domain. There may be times that a user will have to
    connect without the hardware VPN device and will then be required to make a
    software tunnel on one of these uncontrolled networks.

    Problem 2: All the workstations have software that will need to be managed
    on all the workstations when they are connected to the domain. (Anti-Virus
    Updates push, Software Inventory pull).

    Problem 3: If we enable the firewall on the workstations then the domain
    policies do not override the local setting (we tried to take the default
    SP2 settings on firewall activation).

    Problem 4: If we disable the firewall settings on the workstation then the
    domain policy Domain Profile settings take over and function properly as
    long as there is no Standard Profile configured. If you created a Standard
    Profile in the policy then it applies that setting over the Domain Profile.
    This problem doesn't matter whether you are on the domain network or not.
    After checking further this may or may not be true. It worked for a while
    and after I added the standard profile the domain profile quit working. Once
    I reset the standard settings back to not configured the domain settings
    were not detected. The command "netsh firewall show state" displays the info
    below:
    Profile = Standard
    Operational Mode = Disable
    Exception Mode = Enable
    Multicast/Broadcast Response Mode = Enable
    Notification Mode = Enable
    Group Policy Version = Windows Firewall
    Remote Admin Mode = Disable

    Question 1: Is there a way to enforce the domain policy firewall settings
    even if the firewall was activated on the workstation by a default install
    of SP2? I've already applied the ADM files to all DCs and I've made the
    settings that I want in the GPO, but I can not get them to work properly.

    Question 2: Is there a way to enforce the Domain Profile to work over the
    Standard Profile when connected to the domain and the Standard to be the
    default when not connected to the domain?

    Question 3: What am I missing here? Everyone authenticates to the DCs fine.
    All the computers that I am trying to manage are domain authorized computers
    and can be accessed from all DCs.

    TIA,
    Leo


    "Leo Alls" <Leo_Alls@ncauditor.net> wrote in message
    news:OG77cpj$EHA.2032@tk2msftngp13.phx.gbl...
    >I have a Windows 2000 domain that has 200 workstations most of which are
    >still only running XP w/SP1. We haven't been able to move everyone to SP2
    >because of the problems that have arisen.
    >
    > Problem 1: 90% of the workstations need to have the firewalls activated
    > because of the way they travel around and the networks that they are
    > subject to attach to.
    >
    > Problem 2: The workstations need to be able to be managed on all the
    > workstations when they are connected to the domain.
    >
    > Problem 3: If we enable the firewall locally on the workstations then the
    > domain policies do not override the local setting.
    >
    > Problem 4: If we disable the firewall settings locally then the domain
    > policy Domain Profile settings take over and function properly as long
    > as there is no Standard Profile configured. If you created a Standard
    > Profile in the policy then it applies that setting over the Domain
    > Profile. This problem doesn't matter whether you are on the domain network
    > or not.
    >
    > Question 1: Is there a way to enforce the domain policy firewall settings
    > even if the firewall was activated locally?
    >
    > Question 2: Is there a way to enforce the Domain Profile to work over the
    > Standard Profile when connected to the domain and the Standard to be the
    > default when not connected to the domain?
    >
    > TIA,
    > Leo
    >
  2. Archived from groups: microsoft.public.windows.networking.firewall,microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

    "Leo Alls" <Leo_Alls@ncauditor.net> wrote in message
    news:Ob9XdjXBFHA.2012@TK2MSFTNGP15.phx.gbl...
    > I have a Windows 2000 domain that has 200 workstations most of which are
    > still only running XP w/SP1. We haven't been able to move everyone to SP2
    > because of the problems that have arisen when trying to apply firewall

    It can be configured to activate the Firewall when the machines are not on
    the local network, but when they are on the local network the Firewall is
    deactivated.

    Deploying Windows Firewall Settings for Microsoft Windows XP with Service
    Pack 2: Using Group Policy
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/wfsp2wgp.mspx


    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
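
An added example, not part of the original thread or any poster's code: a Python check over the "netsh firewall show state" output quoted in the first reply. It flags a machine that reports the wrong profile for the network it is on, or that has the firewall off or Remote Admin open while in the Standard profile. The "Profile = Domain" value and the second sample are constructed assumptions.

```python
# Output quoted in the thread ("netsh firewall show state" on XP SP2).
THREAD_OUTPUT = """\
Profile = Standard
Operational Mode = Disable
Exception Mode = Enable
Multicast/Broadcast Response Mode = Enable
Notification Mode = Enable
Group Policy Version = Windows Firewall
Remote Admin Mode = Disable
"""

# Constructed sample (assumption): a managed machine on the office LAN.
CONSTRUCTED_DOMAIN_OUTPUT = """\
Profile = Domain
Operational Mode = Enable
Exception Mode = Enable
Group Policy Version = Windows Firewall
Remote Admin Mode = Enable
"""


def parse_state(text):
    """Turn 'Key = Value' lines into a dict; other lines are ignored."""
    state = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            state[key.strip()] = value.strip()
    return state


def audit(state, on_domain_network):
    """Return a list of findings for one workstation's firewall state."""
    findings = []
    profile = state.get("Profile", "")
    expected = "Domain" if on_domain_network else "Standard"
    if profile != expected:
        findings.append("profile is %s, expected %s" % (profile, expected))
    if profile == "Standard":
        # Standard is the profile used on networks outside the office.
        if state.get("Operational Mode") != "Enable":
            findings.append("firewall is off in the Standard profile")
        if state.get("Remote Admin Mode") == "Enable":
            findings.append("Remote Admin is open in the Standard profile")
    return findings


if __name__ == "__main__":
    for issue in audit(parse_state(THREAD_OUTPUT), on_domain_network=True):
        print("FINDING:", issue)
```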