Step 6: Configuring the Rest of Your Client Computer Firewall Settings

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

At this point, you have the firewall enabled, and a local administrator cannot disable it. In this step, you complete the configuration of the client computer GPO by adding other frequently used settings to further control the behavior of the firewall on a computer that is running either Windows 7 or Windows Vista.

Any settings in the GPO that you leave on the default value of "Not configured" can be configured by a local administrator. Therefore, you might not want to depend on the default settings. Instead, you should explicitly set those values that you want configured a certain way. The procedures in this section illustrate how to configure other common settings that you typically do not want a local administrator to be able to change.

To see that a local administrator can modify settings that are not enforced by a GPO

  1. On CLIENT1, in the Windows Firewall with Advanced Security snap-in, in the navigation pane, right-click the top node Windows Firewall with Advanced Security, and then click Properties.

  2. On the Domain Profile tab, change Outbound connections to Block, and then click OK.

  3. In Administrator: Command Prompt, type ping dc1, and then press ENTER.

    Notice that the command fails, because all outgoing network traffic is blocked by Windows Firewall with Advanced Security.

  4. In the Windows Firewall with Advanced Security snap-in, right-click the top Windows Firewall with Advanced Security node, and then click Properties.

  5. Change Outbound connections back to Allow (default) to restore ordinary operation, and then click OK.

In the next procedure, you configure the settings in Group Policy so that a local administrator cannot change or disable them.

To configure other common firewall settings in Group Policy

  1. On MBRSVR1, in the Group Policy Management Editor, right-click Windows Firewall with Advanced Security - LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,DC=com, and then click Properties.

  2. On the Domain Profile tab, in the State section, set Inbound connections to Block (default), and set Outbound connections to Allow (default). This is, of course, the same behavior to which the client is already set, but setting it in the GPO prevents local administrators from changing the settings.

  3. Click OK to save your settings and return to the Group Policy Management Editor.

In the next procedure, you refresh Group Policy on the client, and confirm that locally defined rules and settings cannot block network communications.

To test your new restrictions on local administrators

  1. On CLIENT1, in Administrator: Command Prompt, type gpupdate /force, and then press ENTER. Wait until the command finishes.

  2. In the navigation pane of the Windows Firewall with Advanced Security snap-in, right-click the top Windows Firewall with Advanced Security node, and then click Properties.

  3. On the Domain Profile tab, notice that the restrictions now prevent a local user, even an administrator, from modifying the settings.

Note

The Inbound connections setting still lets you select Block all connections. This is a security feature that supports quick mitigation of a malware threat, and Group Policy cannot remove this option.

  4. In the Settings section, click Customize, and then notice that the settings that you configured in Group Policy cannot be locally changed.

  5. Click Cancel two times to return to the Windows Firewall with Advanced Security snap-in.

  6. Close the Windows Firewall with Advanced Security snap-in.
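To confirm from the client which domain-profile settings are actually enforced by the GPO, rather than left at Not configured and therefore still changeable by a local administrator, the following PowerShell script (added here; it is not part of the original guide) reads the policy-hive and local-hive registry values and the effective state that netsh reports. The registry paths and value names are those that Windows Firewall with Advanced Security uses; parsing the netsh output by its State and Firewall Policy lines assumes the English-language output layout.

```powershell
# Reports, for the Domain profile, whether each core setting is enforced by Group Policy
# (present in the Policies hive) or only set locally. Run in an elevated PowerShell prompt.

# Group Policy writes configured firewall settings here; a missing value means "Not configured".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
# Locally configured (non-policy) values live here and can be changed by a local administrator.
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'

# Value name -> expected value for "firewall on, block inbound, allow outbound".
$expected = @{
    'EnableFirewall'        = 1   # 1 = firewall is on
    'DefaultInboundAction'  = 1   # 1 = Block inbound connections by default
    'DefaultOutboundAction' = 0   # 0 = Allow outbound connections by default
}

function Get-RegValue($key, $name) {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

function Test-DomainProfileEnforcement {
    $results = @()
    foreach ($name in $expected.Keys) {
        $policy = Get-RegValue $policyKey $name
        $local  = Get-RegValue $localKey  $name
        $results += New-Object PSObject -Property @{
            Setting       = $name
            Expected      = $expected[$name]
            PolicyValue   = $policy           # $null means "Not configured" in the GPO
            LocalValue    = $local
            EnforcedByGPO = ($policy -ne $null)
            Compliant     = ($policy -eq $expected[$name])
        }
    }
    return $results
}

# Effective state as the firewall itself reports it (assumes English netsh output).
function Get-EffectiveDomainProfile {
    $text   = netsh advfirewall show domainprofile | Out-String
    $state  = [regex]::Match($text, '(?m)^State\s+(\S+)').Groups[1].Value
    $policy = [regex]::Match($text, '(?m)^Firewall Policy\s+(\S+)').Groups[1].Value
    New-Object PSObject -Property @{ State = $state; FirewallPolicy = $policy }
}

Test-DomainProfileEnforcement | Format-Table Setting, Expected, PolicyValue, LocalValue, EnforcedByGPO, Compliant -AutoSize
Get-EffectiveDomainProfile
```

Any row with EnforcedByGPO equal to False is a setting that a local administrator can still change; run gpupdate /force after editing the GPO and re-run the script to confirm it becomes True.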

Next topic: Step 7: Creating WMI and Group Filters