Preventing Administrators from Turning Windows Firewall On or Off
Updated: March 28, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
By default, you must be a member of the Administrators group (or a member of a group that is a member of the Administrators group) to enable or disable Windows Firewall. This prevents users from inadvertently turning Windows Firewall on or off, which can result in individualized configurations that are difficult to troubleshoot and can reduce your organization's overall security.
You can secure Windows Firewall even further by preventing local administrators from enabling or disabling Windows Firewall. This is useful if you rely on Windows Firewall and you always want it enabled, or you use a non-Microsoft host firewall and you always want Windows Firewall disabled. Preventing local administrators from turning Windows Firewall on or off is also useful in a centrally-managed environment, such as a Group Policy environment or an environment in which you want to strictly enforce Windows Firewall configuration and policy settings.
When to perform this task
You should perform this task when required by your organization's security plan or when you want to strictly enforce Windows Firewall configuration and policy settings.
No special tools are required to complete this task.
To complete this task, perform the following procedures: