Deploying Windows Firewall Settings Without Group Policy

Although Group Policy is the recommended and easiest method to deploy Windows Firewall settings for computers running Windows XP with SP2, there are situations in which this method is not possible or not used. For example, an environment that uses Windows NT® 4.0 domains or that uses workgroups cannot use Active Directory and Group Policy to propagate Windows Firewall settings to multiple computers on an organization network. Another example is an organization that uses Active Directory, but does not use Group Policy to centrally configure user or computer configuration settings. For information about deploying Windows Firewall settings in a Windows NT 4.0 domain, see Appendix C.

When Group Policy cannot be used or is not used, you have the following options to configure Windows Firewall settings for computers running Windows XP with SP2:

  • Use the Unattend.txt file to configure Windows Firewall settings

    The Unattend.txt file for Windows XP SP2 has options to configure Windows Firewall settings when running an unattended setup of Windows XP SP2. For more information, see Appendix E.

  • Use the Netfw.inf file to configure Windows Firewall settings

    When a user performs an interactive setup of Windows XP SP2, the Netfw.inf file can configure Windows Firewall by specifying a set of registry settings equivalent to the options available from the Windows Firewall component in Control Panel and through the Windows Firewall Group Policy settings. For more information, see Appendix F.

  • Run a script file that contains Netsh commands to configure Windows Firewall settings

    To configure computers running Windows XP with SP2 after SP2 has been installed, you can have your users run a script file, such as a batch file (*.BAT) or a command file (*.CMD), that contains the series of Netsh commands to configure the Windows Firewall operational mode, allowed programs, allowed ports, etc. For more information about using Netsh to configure Windows Firewall, see Appendix B. For more information about the Netsh tool, see Managing Windows 2000 Networking Components with Netsh.

  • Run a custom configuration program that uses the new Windows Firewall APIs to configure Windows Firewall settings

    To configure computers running Windows XP with SP2 after Windows XP SP2 has been installed, you can have your users run a custom configuration program that uses the new Windows Firewall configuration APIs to configure the Windows Firewall for operation mode, allowed programs, allowed ports, and other settings. For information about the new Windows Firewall APIs, see Windows Firewall in the Windows Software Development Kit (SDK).
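As an added example (not from the original document or from Microsoft), the following command file shows the kind of Netsh script described in the third option: it sets the operational mode, adds one allowed program and opens one port. The program path, display names and port number are placeholders, and the script assumes it is run by a local administrator on a computer that already has Windows XP SP2 installed.

```batch
@echo off
rem Added example, not part of the original document.
rem Assumes Windows XP SP2 is installed and the script runs as a local administrator.

rem Turn Windows Firewall on for both the domain and standard profiles and keep
rem the exceptions list active so the entries added below take effect.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
if errorlevel 1 goto :failed

rem Allow one application through the firewall (path and name are placeholders).
netsh firewall add allowedprogram program="C:\Program Files\Example\LobApp.exe" name="Example LOB App" mode=ENABLE profile=ALL
if errorlevel 1 goto :failed

rem Open one listening port (placeholder value), restricted to the local subnet
rem rather than to any address, so the exception is no broader than it needs to be.
netsh firewall add portopening protocol=TCP port=8080 name="Example LOB App listener" mode=ENABLE scope=SUBNET profile=ALL
if errorlevel 1 goto :failed

rem Display the resulting configuration so the user can confirm that it applied.
netsh firewall show config
exit /b 0

:failed
echo Windows Firewall configuration failed. Run this file as a local administrator.
exit /b 1
```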

For either the script file or the custom configuration program, you can deploy it to be run by your users in the following ways:

  • If you are running management software, configure it to have each computer running Windows XP with SP2 download the script or configuration program and run it or to run it from a network location.

  • Send either the script or program file or a link to the script or program file in an email message with instructions that users of computers running Windows XP with SP2 must run it.

  • Place the script or program on a Web page and instruct the users of computers running Windows XP with SP2 to access the Web page and run it.

Only local administrators can successfully execute scripts or custom configuration programs from an email message, a file share, or a Web page.

Disabling the Use of Windows Firewall Across Your Network

If you decide to disable the use of Windows Firewall across your entire network, and you are not using or cannot use the Windows Firewall Group Policy settings, you can use Unattend.txt or Netfw.inf to disable Windows Firewall as Windows XP SP2 is being installed. For an example of using Unattend.txt, see Appendix E. For an example of using Netfw.inf, see Appendix F.

Depending on your network policies, your users might elect, either intentionally or accidentally, to install Windows XP SP2 through Windows Update, rather than from a central network location that contains the modified Netfw.inf file. If this occurs, the modified Netfw.inf file is not read during the installation and Windows Firewall is enabled.

One solution to this possible problem is to create the registry settings on your client computers to disable Windows Firewall before your users have a chance to install Windows XP SP2 from Windows Update. Internet Connection Firewall (ICF) on computers running Windows XP with SP1 or Windows XP with no service packs installed ignores these registry settings. When the user installs Windows XP SP2 from Windows Update and restarts the computer, Windows Firewall reads the registry settings already in place and disables itself.

To add a registry setting on all of your computers running Windows XP, you can use the Regini.exe or Reg.exe tools. For either tool, you create a script file that is read by the tool to add a registry setting. The tool has to be run in the security context of a local administrator account.

Alternately, you can use network management software to change registry settings on managed computers.

The registry keys to add to disable Windows Firewall for both the domain and standard profiles are the following:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall=0 (DWORD data type)

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall=0 (DWORD data type)
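As an added example (not from the original document or from Microsoft), the following command file uses Reg.exe to create the two registry values listed above and then reads them back to confirm the write. It assumes Reg.exe is present and that the file is run in the security context of a local administrator account; a failed write is reported instead of silently leaving one profile unchanged.

```batch
@echo off
rem Added example, not part of the original document.
rem Pre-stages the EnableFirewall=0 policy values for both profiles so that
rem Windows Firewall disables itself after Windows XP SP2 is installed from
rem Windows Update. Assumes Reg.exe is available and the script runs as a
rem local administrator; ICF on pre-SP2 computers ignores these values.

set FWPOLICY=HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall

for %%P in (DomainProfile StandardProfile) do (
    rem /f overwrites an existing value without prompting.
    reg add "%FWPOLICY%\%%P" /v EnableFirewall /t REG_DWORD /d 0 /f >nul
    if errorlevel 1 (
        echo Failed to write %FWPOLICY%\%%P\EnableFirewall. Run this file as a local administrator.
        exit /b 1
    )
)

rem Read both values back so the result can be checked or logged.
reg query "%FWPOLICY%\DomainProfile" /v EnableFirewall
reg query "%FWPOLICY%\StandardProfile" /v EnableFirewall
exit /b 0
```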