Deploying Windows Firewall Settings With Group Policy

The best way to manage Windows Firewall settings in an organization network is to use Active Directory and the new Windows Firewall settings in Computer Configuration Group Policy. This method requires the use of Active Directory with either Windows 2000 or Windows Server 2003 domain controllers. Group Policy updates are requested by the domain member computer, and are therefore solicited traffic that is not dropped when Windows Firewall is enabled.

When you use Group Policy to configure Windows Firewall, by default local administrators will be unable to change some elements of its configuration locally, using the Windows Firewall component in Control Panel. Some tabs and options in the Windows Firewall dialog box will be grayed out and unavailable.

The basic steps for deploying Windows Firewall settings for Windows XP SP2 with Active Directory are the following:

  1. Update your Group Policy objects with the new Windows Firewall settings.

  2. Specify Windows Firewall settings for your Group Policy objects.

The following sections describe these steps in detail.

Note It is strongly recommended that you test your Windows Firewall Group Policy settings in a test environment before you deploy them in your production environment to ensure that your Windows Firewall Group Policy configuration does not result in unintended vulnerabilities. The procedure to update your Group Policy object with the new Windows Firewall settings will replace the System.adm file that is stored for the Group Policy object being modified with the version that is provided with Windows XP SP2, which includes the new Windows Firewall settings. If a Group Policy administrator on your production network performs this procedure, your production environment will be updated.
Once you update your Group Policy objects, you can only modify them from a computer running Windows XP with SP2. An update is available through Microsoft Product Support Services (PSS) to allow you to modify Group Policy settings from computers running Windows 2000. Microsoft is working on updates for Windows XP SP1 and Windows Server 2003.

Step 1: Updating Your Group Policy Objects With the New Windows Firewall Settings

To update your Group Policy objects with the new Windows Firewall settings using the Group Policy snap-in (provided with Windows XP), do the following:

  1. Install Windows XP SP2 on a computer that is a member of the domain that contains the computer accounts of the other computers running Windows XP on which you plan to install Windows XP SP2.

  2. Restart the computer and log on to the Windows XP with SP2-based computer as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

  3. From the Windows XP desktop, click Start, click Run, type mmc, and then click OK.

  4. On the File menu, click Add/Remove Snap-in.

  5. On the Standalone tab, click Add.

  6. In the Available Standalone Snap-ins list, click Group Policy Object Editor, and then click Add.

  7. In the Select Group Policy Object dialog box, click Browse.

  8. In the Browse for a Group Policy Object dialog box, click the Group Policy object that you want to update with the new Windows Firewall settings. An example is shown in the following figure.


  9. Click OK.

  10. Click Finish to complete the Group Policy Wizard.

  11. In the Add Standalone Snap-in dialog box, click Close.

  12. In the Add/Remove Snap-in dialog box, click OK.

  13. In the console tree, open Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall. An example is shown in the following figure.


Repeat this procedure for every Group Policy object that is being used to apply Group Policy to computers that will have Windows XP SP2 installed.

Note To update your Group Policy objects for network environments using Active Directory and Windows XP SP1, Microsoft recommends that you use the Group Policy Management Console, a free download. For more information, see Group Policy Management Console with Service Pack 1.

Step 2: Specifying Windows Firewall Settings for Your Group Policy Objects

After a Group Policy object has been updated, it can be configured with the Windows Firewall settings that are appropriate for the management, server, listener, or peer applications and services that run on your computers running Windows XP with SP2.

There are two sets of Windows Firewall settings to configure:

  • The domain profile settings that are used by the computers when they are connected to a network that contains domain controllers for the domain of which the computer is a member.

  • The standard profile settings that are used by the computers when they are connected to a network that does not contain domain controllers for the domain of which the computer is a member.

If you do not configure standard profile settings, their default values are still applied. Therefore, it is highly recommended that you configure both domain and standard profile settings and that you enable Windows Firewall for both profiles, unless you are already using a third-party host firewall product.

As previously described, the standard profile settings are typically more restrictive than the domain profile settings because the standard profile does not need to include applications and services that are only used in a managed domain environment.

Both the domain profile and standard profile contain the same set of Windows Firewall settings, as shown in the following figure.


The Windows Firewall Group Policy settings for the domain and standard profiles consist of the following:

  • Windows Firewall: Protect all network connections  Used to specify that all network connections have Windows Firewall enabled.

  • Windows Firewall: Do not allow exceptions  Used to specify that all unsolicited incoming traffic be dropped, including excepted traffic.

  • Windows Firewall: Define program exceptions  Used to define excepted traffic in terms of program file names.

  • Windows Firewall: Allow local program exceptions  Used to enable local configuration of program exceptions.

  • Windows Firewall: Allow remote administration exception  Used to enable remote configuration using tools such as Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI).

  • Windows Firewall: Allow file and print sharing exception  Used to specify whether file and printer sharing traffic is allowed.

  • Windows Firewall: Allow ICMP exceptions  Used to specify the types of Internet Control Message Protocol (ICMP) messages that are allowed.

  • Windows Firewall: Allow Remote Desktop exception  Used to specify whether the Windows XP-based computer can accept a Remote Desktop-based connection request.

  • Windows Firewall: Allow UPnP framework exception  Used to specify whether the computer can receive unsolicited UPnP messages.

  • Windows Firewall: Prohibit notifications  Used to disable notifications.

  • Windows Firewall: Allow logging  Used to enable logging of discarded traffic, successful connections, and to configure log file settings.

  • Windows Firewall: Prohibit unicast response to multicast or broadcast requests  Used to discard the unicast packets received in response to a multicast or broadcast request message.

  • Windows Firewall: Define port exceptions  Used to specify excepted traffic in terms of TCP and UDP ports.

  • Windows Firewall: Allow local port exceptions  Used to enable local configuration of port exceptions.

For detailed information about these settings, including example dialog boxes, see Appendix A.

Use the Group Policy snap-in to modify the Windows Firewall settings in the appropriate Group Policy objects. Note that you only need to modify Windows Firewall settings for Group Policy objects that are applied to Active Directory system containers (domains, organizational units, and sites) that contain computer accounts corresponding to computers that are or will be running Windows XP with SP2.

Once you configure the Windows Firewall settings, the next refresh of Computer Configuration Group Policy downloads the new Windows Firewall settings and applies them for computers running Windows XP with SP2. Computers that are running Windows 2000, Windows Server 2003, Windows XP with SP1, or Windows XP with no service packs installed ignore the new Windows Firewall settings.

The following are the recommendations for the Windows Firewall Group Policy settings for Windows XP SP2:

  • Windows Firewall: Protect all network connections  Enabled

  • Windows Firewall: Do not allow exceptions  Not configured

  • Windows Firewall: Define program exceptions  Enabled and configured with the programs (applications and services) used by the computers running Windows XP with SP2 on your network for managed, server, listener, or peer applications.

  • Windows Firewall: Allow local program exceptions  Enabled, unless you don't want local administrators to be able to configure program exceptions locally.

  • Windows Firewall: Allow remote administration exception  Disabled, unless you want to be able to remotely administer computers running Windows XP with SP2 with MMC snap-ins or remotely monitor them using WMI.

  • Windows Firewall: Allow file and print sharing exception  Enabled only if the computers running Windows XP with SP2 are sharing local folders and printers.

  • Windows Firewall: Allow ICMP exceptions  Enabled only to allow diagnostic or management capabilities that are based on ICMP traffic.

  • Windows Firewall: Allow Remote Desktop exception  Enabled only if you use Remote Desktop to connect to Windows XP with SP2-based computers.

  • Windows Firewall: Allow UPnP framework exception  Enabled only if you use UPnP devices on your network.

  • Windows Firewall: Prohibit notifications  Disabled

  • Windows Firewall: Allow logging  Not configured

  • Windows Firewall: Prohibit unicast response to multicast or broadcast requests  Disabled

  • Windows Firewall: Define port exceptions  Enabled and configured with the TCP and UDP ports used by the computers running Windows XP with SP2 on your network for managed, server, listener, or peer programs that cannot be specified by filename.

  • Windows Firewall: Allow local port exceptions  Enabled, unless you don't want local administrators to be able to configure port exceptions locally.
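The following script is an added post-deployment check, not part of the original article: run on a domain-joined Windows XP SP2 client (with Windows PowerShell installed), it forces a Computer Configuration refresh, parses the output of netsh firewall show state, and compares it against the recommendations listed above. The "Label = Value" names it expects are assumed from the English output of netsh on XP SP2 and may need adjusting for other builds.

```powershell
# Post-deployment check for a domain-joined Windows XP SP2 client. Run from an
# administrative Windows PowerShell prompt after the Computer Configuration
# Group Policy refresh. Assumption: the "Label = Value" names below match the
# English output of "netsh firewall show state" on XP SP2.
# Force a Computer Configuration refresh so the latest GPO settings are applied.
gpupdate /target:computer /force | Out-Null

# Parse "Label = Value" lines from netsh output into a hashtable.
function Parse-NetshKeyValues([string[]]$Lines) {
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(.+?)\s*=\s*(.+?)\s*$') {
            $result[$matches[1]] = $matches[2]
        }
    }
    return $result
}

$state = Parse-NetshKeyValues (netsh firewall show state)

# Expected values mirror the recommendations above (no third-party host firewall).
$expected = @{
    'Operational mode'  = 'Enable'   # Protect all network connections: Enabled
    'Exception mode'    = 'Enable'   # Do not allow exceptions: Not configured
    'Notification mode' = 'Enable'   # Prohibit notifications: Disabled
    'Remote admin mode' = 'Disable'  # Allow remote administration exception: Disabled
}

$problems = @()
foreach ($key in $expected.Keys) {
    if (-not $state.ContainsKey($key)) {
        $problems += "Missing '$key' in netsh output (label may differ on this build)"
    } elseif ($state[$key] -ne $expected[$key]) {
        $problems += "$key is '$($state[$key])', expected '$($expected[$key])'"
    }
}

# The active profile shows whether domain or standard profile settings applied.
"Active profile: $($state['Profile'])"

# Every exception widens what unsolicited traffic is accepted; review the lists.
"--- Program exceptions ---"; netsh firewall show allowedprogram
"--- Port exceptions ---";    netsh firewall show portopening

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"Windows Firewall state matches the recommended Group Policy settings."
```

If the client is on a network without its domain controllers, the reported profile will be Standard and the comparison then reflects the standard profile settings rather than the domain profile settings.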

Group Policy Settings in Mixed Windows XP Environments

A mixed Windows XP environment is one in which there are both Windows XP with SP1 or Windows XP with no service packs installed and Windows XP with SP2-based computers present. For computers running Windows XP with SP1 or Windows XP with no service packs installed, the only way to control Windows Firewall behavior through Group Policy is to use the Prohibit use of Internet Connection Firewall on your DNS domain network Computer Configuration Group Policy setting in Computer Configuration/Administrative Templates/Network/Network Connections. This Group Policy setting is still present when Group Policy objects are updated for the new Windows Firewall settings. Computers running Windows XP with SP1 or Windows XP with no service packs installed only implement the Prohibit use of Internet Connection Firewall on your DNS domain network Computer Configuration Group Policy setting.

Computers running Windows XP with SP2 implement both the Prohibit use of Internet Connection Firewall on your DNS domain network setting and the new Windows Firewall settings in the following way:

  • If the Prohibit use of Internet Connection Firewall on your DNS domain network setting is enabled and there are no changes to the default values of the new Windows Firewall settings, then Windows Firewall is disabled when connected to the network from which the Group Policy object was obtained.

  • If the Prohibit use of Internet Connection Firewall on your DNS domain network setting is enabled and the Windows Firewall: Protect all network connections setting is enabled, then Windows Firewall is enabled, with the new Windows Firewall settings applied, when connected to the network from which the Group Policy object was obtained.

Disabling the Use of Windows Firewall Across Your Network

If you are already using a third-party host firewall product, then it is recommended that you disable Windows Firewall. If you are not already using a third-party host firewall product, then it is recommended that you enable Windows Firewall to prevent the spread of malicious programs that make it past the firewall that separates your network from the Internet.

If you decide to disable the use of Windows Firewall across your entire organization network, which contains a mixture of computers running Windows XP with SP2, Windows XP with SP1, and Windows XP with no service packs installed, and you are using a third-party host firewall, then you should configure the following Group Policy settings:

  • Prohibit use of Internet Connection Firewall on your DNS domain network is set to Enabled

  • Domain profile – Windows Firewall: Protect all network connections is set to Disabled

  • Standard profile – Windows Firewall: Protect all network connections is set to Disabled

These settings ensure that Windows Firewall is not used, whether the computers are connected to your organization network or not.

If you decide to disable the use of Windows Firewall across your entire organization network, which contains a mixture of computers running Windows XP with SP2, Windows XP with SP1, and Windows XP with no service packs installed, and you are not using a third-party host firewall, then you should configure the following Group Policy settings:

  • Prohibit use of Internet Connection Firewall on your DNS domain network is set to Enabled

  • Domain profile – Windows Firewall: Protect all network connections is set to Disabled

  • Standard profile – Windows Firewall: Protect all network connections is set to Enabled

These settings ensure that the Windows Firewall is not used on your organization network, but is used when the computers are not connected to the organization network.