DreamTeamDownloads1, FTP Help, Movies, Bollywood, Applications, etc. & Mature Sex Forum, Rapidshare, Filefactory, Freakshare, Rapidgator, Turbobit, & More MULTI Filehosts


Ladybbird 21-12-11 21:42

How to Control the Windows Firewall With a GPO
 



The Windows Firewall can be one of the biggest nightmares for system administrators to configure, and once Group Policy precedence is added it becomes a real headache. Here we will take you from start to finish on how to easily configure the Windows Firewall via Group Policy and, as a bonus, show you how to fix one of the biggest gotchas.


Our Mission


It has come to our attention that a lot of users have Skype installed on their machines and it is making them less productive. We have been given the task of making sure that users can't use Skype at work. However, they are welcome to keep it installed on their laptops and use it at home or during lunch breaks on a 3G/4G connection. Given this information, we decide to make use of the Windows Firewall and Group Policy.


The Method


The easiest way to start controlling the Windows Firewall through Group Policy is to set up a reference PC and create the rules using Windows 7. We can then export that policy and import it into Group Policy. By doing this, we have the extra advantage of being able to see if all the rules are set up and working as we want them to be before deploying them to all the client machines.


Creating a Firewall Template


In order to create a template for the Windows Firewall we need to launch the Network and Sharing Center. The easiest way to do this is to right-click on the network icon and select Open Network and Sharing Center from the context menu.





When the Network and Sharing Center opens, click on the Windows Firewall link in the lower left hand corner.



A template for Windows Firewall is best created through the Windows Firewall with Advanced Security console. To launch it, click on Advanced Settings on the left hand side.


Note: At this point I am going to edit the Skype specific rules, however you can add your own rules for ports or even applications. Whatever modifications you need to make to the firewall should be done now.



From here we can start editing our firewall rules. In our case, when the Skype application is installed it creates its own Firewall exceptions that allow skype.exe to communicate on the Domain, Private and Public network profiles.



Now we need to edit our Firewall rule. To edit it, double-click on the rule. This will bring up the properties of the Skype rule.

Switch over to the Advanced tab and uncheck the Domain check box.

When you try to launch Skype now, you will be asked whether it can communicate on the Domain network profile. Uncheck the box and click Allow access.



If you now go back to your Inbound Firewall Rules you will see that there are two new rules. This is because when you were prompted you chose not to allow inbound Skype traffic. If you look over to the Profile column you will see that they are both for the Domain network profile.


Note: The reason there are two rules is that there are separate rules for TCP and UDP.

Everything is good so far, however if you launch Skype you will still be able to log in.

Even if you change the rules to block inbound traffic for skype.exe and set them to block traffic using ANY protocol, it is still somehow able to get back in. The fix is simple: stop it from being able to communicate in the first place. To do this, switch to Outbound Rules and start creating a new rule.

Since we want to create a rule for the Skype program just click next, then browse for the Skype executable file and click next.

You can leave the action at the default which is to block the connection and click next.

Deselect the Private and Public check boxes and click next to continue.

Now give your rule a name and click Finish.

Now if you try to launch Skype while connected to a Domain network, it will not work.

However, if users try to connect when they get home, it will allow them to connect fine.

Those are all the Firewall rules we are going to create for now. Don’t forget to test out your rules just like we did for Skype.


Exporting the Policy


To export the policy, in the left hand pane click on the root of the tree which says Windows Firewall with Advanced Security. Then click on Action and select Export Policy from the Menu.



You should save this to either a network share, or even a USB if you have physical access to your server. We will go with a network share.


Note: Be careful of viruses when using a USB drive; the last thing you want to do is infect a server with a virus.



Importing the Policy Into Group Policy


To import the firewall policy you need to open an existing GPO or create a new GPO and link it to an OU that contains computer accounts. We have a GPO called Firewall Policy that is linked to an OU called Geek Computers; this OU contains all our computers. We will just go ahead and use this policy.





Now navigate to:
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security
Click on Windows Firewall with Advanced Security, then click on Action and select Import Policy.







You will be told that importing the policy will overwrite all existing settings. Click Yes to continue and then browse for the policy that you exported in the previous section of this article. Once the policy has finished importing, you will be notified.



If you go and look at our rules you will see that the Skype rules I created are still there.



Testing


Note: You should not do any testing before you complete the next section of the article. If you do, any rules that have been configured locally will be adhered to. The only reason I did some testing now was to point out a few things.

To see if the Firewall Rules have been deployed to clients, you will need to switch to a client machine and again open the Windows Firewall Settings. As you can see there should be a message saying that some of the firewall rules are managed by your system administrator.



Click on the Allow a program or feature through Windows Firewall link on the left hand side.

As you should see now, we have rules both applied by Group Policy as well as those created locally.



What’s Going On Here and How Can I Fix It?


By default, rule merging is enabled between local firewall policies on Windows 7 computers and firewall policy specified in Group Policies that target those computers. This means that local administrators can create their own firewall rules, and these rules will be merged with the rules obtained through Group Policy. To fix this, right-click on Windows Firewall with Advanced Security and select Properties from the context menu. When the dialog box opens, click on the Customize button under the Settings section.



Change the Apply local firewall rules option from Not Configured to No.

Once you click ok, switch to the Private and Public profiles and do the same thing for both of them.
That’s all there is to it guys, go have some firewall fun.
Thanks to Geek Taylor Gibb
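
The outbound block rule from "Creating a Firewall Template" and the export from "Exporting the Policy" can also be scripted on the reference PC. This is an added example, not part of the original article; it uses netsh advfirewall from an elevated PowerShell prompt, and the Skype path, rule name and share path are assumptions to replace with your own.

```powershell
# Added example: scripted equivalent of the New Outbound Rule wizard steps,
# followed by the policy export. Run elevated on the reference PC.
# Assumptions (not from the article): install path, rule name, export share.
$skypeExe   = 'C:\Program Files (x86)\Skype\Phone\Skype.exe'   # assumed path
$ruleName   = 'Block Skype outbound (Domain)'                   # assumed name
$exportPath = '\\fileserver\share\firewall-template.wfw'        # placeholder

# A program rule only matches the exact path, so fail early if it is wrong.
if (-not (Test-Path -LiteralPath $skypeExe)) {
    throw "Program not found: $skypeExe. A rule for a wrong path blocks nothing."
}

# Remove an earlier copy so re-running the script does not stack duplicates.
# netsh returns a non-zero exit code when nothing matches; that is expected.
netsh advfirewall firewall delete rule name="$ruleName" dir=out | Out-Null

# Same choices as in the wizard: Program rule, Block the connection,
# Domain profile only (Private and Public left unchecked).
netsh advfirewall firewall add rule name="$ruleName" dir=out action=block `
    program="$skypeExe" profile=domain enable=yes
if ($LASTEXITCODE -ne 0) {
    throw "netsh could not add the rule (exit code $LASTEXITCODE)."
}

# Review what was stored before exporting: check Profiles, Program and Action.
netsh advfirewall firewall show rule name="$ruleName" verbose

# Export the whole local firewall policy, as Action > Export Policy does.
netsh advfirewall export "$exportPath"
if ($LASTEXITCODE -ne 0) {
    throw "Export failed (exit code $LASTEXITCODE). Check write access to the share."
}
```

The export contains every rule on the reference PC, not only the Skype rule, so review the full rule list before importing the file into a GPO.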
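
To confirm on a client that the change described in "What's Going On Here and How Can I Fix It?" has arrived, the policy registry keys written by Group Policy can be read after a policy refresh. This is an added example, not part of the original article; the function name is hypothetical and the script only reads settings.

```powershell
# Added example: report per profile whether GPO has turned off merging of
# local firewall rules. Read-only; run on a client after gpupdate.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRules = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

function Get-LocalRuleMergeState {        # hypothetical helper name
    param([string]$Root = $policyRoot)
    foreach ($fwProfile in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
        $key   = Join-Path $Root $fwProfile
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key).AllowLocalPolicyMerge
        }
        # 0 = "Apply local firewall rules: No". A missing value means
        # Not Configured, which behaves like Yes (the default merge).
        if ($null -eq $value) { $setting = 'Not Configured' }
        elseif ($value -eq 0) { $setting = 'No' }
        else                  { $setting = 'Yes' }
        New-Object PSObject -Property @{
            Profile          = $fwProfile
            ApplyLocalRules  = $setting
            LocalRulesMerged = ($setting -ne 'No')
        }
    }
}

$report = @(Get-LocalRuleMergeState)
$report | Format-Table Profile, ApplyLocalRules, LocalRulesMerged -AutoSize

# Count rules delivered by GPO and rules defined locally on this machine.
$gpoKey   = Join-Path $policyRoot 'FirewallRules'
$gpoCount = 0
if (Test-Path $gpoKey) { $gpoCount = (Get-Item $gpoKey).ValueCount }
$localCount = 0
if (Test-Path $localRules) { $localCount = (Get-Item $localRules).ValueCount }
"GPO-delivered rules: $gpoCount   Locally defined rules: $localCount"

# Any profile still merging lets local rules apply alongside the GPO rules.
$merging = @($report | Where-Object { $_.LocalRulesMerged })
if ($merging.Count -gt 0) {
    $names = ($merging | ForEach-Object { $_.Profile }) -join ', '
    Write-Warning "Local firewall rules are still merged on: $names"
}
```

A GPO rule count of zero means the firewall GPO has not reached the machine at all, which is a different problem from merging still being enabled.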

