Questions About Windows Firewall and Domain Policy Enforce..

Guest
Archived from groups: microsoft.public.windows.networking.firewall,microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

I have a Windows 2000 domain that has 200 workstations most of which are
still only running XP w/SP1. We haven't been able to move everyone to SP2
because of the problems that have arisen.

Problem 1: 90% of the workstations need to have the firewalls activated
because of the way they travel around and the networks that they are subject
to attach to.

Problem 2: The workstations need to be able to be managed on all the
workstations when they are connected to the domain.

Problem 3: If we enable the firewall locally on the workstations then the
domain policies do not override the local setting.

Problem 4: If we disable the firewall settings locally then the domain
policy Domain Profile settings take over and function properly as long as
there is no Standard Profile configured. If you created a Standard Profile
in the policy then it applies that setting over the Domain Profile. This
problem doesn't matter whether you are on the domain network or not.

Question 1: Is there a way to enforce the domain policy firewall settings
even if the firewall was activated locally?

Question 2: Is there a way to enforce the Domain Profile to work over the
Standard Profile when connected to the domain and the Standard to be the
default when not connected to the domain?

TIA,
Leo
 
Guest

I have a Windows 2000 domain that has 200 workstations most of which are
still only running XP w/SP1. We haven't been able to move everyone to SP2
because of the problems that have arisen when trying to apply firewall
settings through domain GPO (Some issues came up this week and we were
forced to install SP2 on about 70 XP workstations).

Problem 1: 90% of the workstations need to have the firewalls activated
because of the way the users travel around and the networks that they are
subject to attach their laptop to. Our users travel all over the state and
have requirements forcing them to get on networks that do not belong to our
office. Users access the office through hardware VPN tunnels normally and
are authenticated to the domain. There may be times that a user will have to
connect without the hardware VPN device and will then be required to make a
software tunnel on one of these uncontrolled networks.

Problem 2: All the workstations have software that will need to be managed
on all the workstations when they are connected to the domain. (Anti-Virus
Updates push, Software Inventory pull).

Problem 3: If we enable the firewall on the workstations then the domain
policies do not override the local setting (we tried to take the default
SP2 settings on firewall activation).

Problem 4: If we disable the firewall settings on the workstation then the
domain policy Domain Profile settings take over and function properly as
long as there is no Standard Profile configured. If you created a Standard
Profile in the policy then it applies that setting over the Domain Profile.
This problem doesn't matter whether you are on the domain network or not.
After checking further this may or may not be true. It worked for a while
and after I added the standard profile the domain profile quit working. Once
I reset the standard settings back to not configured the domain settings
were not detected. The command "netsh firewall show state" displays the info
below:
Profile = Standard
Operational Mode = Disable
Exception Mode = Enable
Multicast/Broadcast Response Mode = Enable
Notification Mode = Enable
Group Policy Version = Windows Firewall
Remote Admin Mode = Disable

Question 1: Is there a way to enforce the domain policy firewall settings
even if the firewall was activated on the workstation by a default install
of SP2? I've already applied the ADM files to all DCs and I've made the
settings that I want in the GPO, but I cannot get them to work properly.

Question 2: Is there a way to enforce the Domain Profile to work over the
Standard Profile when connected to the domain and the Standard to be the
default when not connected to the domain?

Question 3: What am I missing here? Everyone authenticates to the DCs fine.
All the computers that I am trying to manage are domain authorized computers
and can be accessed from all DCs.

TIA,
Leo


"Leo Alls" <Leo_Alls@ncauditor.net> wrote in message
news:OG77cpj$EHA.2032@tk2msftngp13.phx.gbl...
>I have a Windows 2000 domain that has 200 workstations most of which are
>still only running XP w/SP1. We haven't been able to move everyone to SP2
>because of the problems that have arisen.
>
> Problem 1: 90% of the workstations need to have the firewalls activated
> because of the way they travel around and the networks that they are
> subject to attach to.
>
> Problem 2: The workstations need to be able to be managed on all the
> workstations when they are connected to the domain.
>
> Problem 3: If we enable the firewall locally on the workstations then the
> domain policies do not override the local setting.
>
> Problem 4: If we disable the firewall settings locally then the domain
> policy Domain Profile settings take over and function properly as long
> as there is no Standard Profile configured. If you created a Standard
> Profile in the policy then it applies that setting over the Domain
> Profile. This problem doesn't matter whether you are on the domain network
> or not.
>
> Question 1: Is there a way to enforce the domain policy firewall settings
> even if the firewall was activated locally?
>
> Question 2: Is there a way to enforce the Domain Profile to work over the
> Standard Profile when connected to the domain and the Standard to be the
> default when not connected to the domain?
>
> TIA,
> Leo
>
 
Guest

"Leo Alls" <Leo_Alls@ncauditor.net> wrote in message
news:Ob9XdjXBFHA.2012@TK2MSFTNGP15.phx.gbl...
> I have a Windows 2000 domain that has 200 workstations most of which are
> still only running XP w/SP1. We haven't been able to move everyone to SP2
> because of the problems that have arisen when trying to apply firewall

It can be configured to activate the Firewall when the machines are not on
the local network, but when they are on the local network the Firewall is
deactivated.

Deploying Windows Firewall Settings for Microsoft Windows XP with Service
Pack 2: Using Group Policy
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/wfsp2wgp.mspx


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
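
The `netsh firewall show state` output posted earlier in the thread can be checked mechanically when it is collected from many workstations. The following is an added example, not part of the original posts: it parses that output and reports when the active profile or operational mode does not match where the machine is attached. The `on_domain_network` flag and the reading of `Group Policy Version = None` as "no policy applied" are assumptions.

```python
# Constructed sample: the state block as posted in the thread.
SAMPLE = """\
Profile = Standard
Operational Mode = Disable
Exception Mode = Enable
Multicast/Broadcast Response Mode = Enable
Notification Mode = Enable
Group Policy Version = Windows Firewall
Remote Admin Mode = Disable
"""

REQUIRED = ("profile", "operational mode", "group policy version")


def parse_state(text):
    """Return {setting: value} from 'Key = Value' lines; skip headers and tables."""
    state = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() and value.strip():
            state[key.strip().lower()] = value.strip()
    return state


def audit(text, on_domain_network):
    """Findings for one capture; on_domain_network comes from the collector (assumption)."""
    state = parse_state(text)
    missing = [k for k in REQUIRED if k not in state]
    if missing:
        return ["incomplete output, missing: " + ", ".join(missing)]
    findings = []
    profile = state["profile"]
    expected = "Domain" if on_domain_network else "Standard"
    if profile.lower() != expected.lower():
        findings.append(f"active profile is {profile}, expected {expected}")
    if state["operational mode"].lower() == "disable":
        findings.append(f"firewall is off in the {profile} profile")
    # Assumption: "None" here means no firewall Group Policy reached the machine.
    if state["group policy version"].lower() == "none":
        findings.append("no firewall Group Policy is being applied")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, on_domain_network=True):
        print(finding)
```

Run against the posted output with the machine on the domain network, it reports both the profile mismatch and the disabled firewall; off the domain network only the disabled firewall remains, which is the state a travelling laptop should never be in.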