Firewall and Group Policy
Cindy
07-09-2005, 11:54 PM
Hello:
I currently have disabled MS firewall on LAN connections and enabled on
Wireless and Dialup, not allowing file and print sharing or remote
desktop/assistance. For my users it is more important to keep them secure
when not on our LAN, which has a nice hardware firewall to protect them.
I have been toying with the idea of enabling the firewall on XP machines and
maybe 2003 servers through Group Policy, allowing the exceptions necessary for
me to remotely administer the services, update virus software, install
patches, etc. My concern is that Windows firewall does not allow exceptions for
each individual connection; it seems to be a one-for-all configuration.
If you have Group Policy firewall settings, will they also be applied when
the user is not physically connected to the domain? Even if they sign onto the
domain using cached credentials?
Needless to say, it is more important to protect my laptops over unsupervised
wireless and dialup connections than on our protected LAN. It would be a
nice improvement to MS firewall to allow different exceptions for each
connection.
Thanks, Cindy
David Davis
07-09-2005, 11:54 PM
Yes, the GPO settings will remain intact using cached credentials.
--
David Davis, MCSE, CCNA, Security +
Network Engineer
Cindy
07-09-2005, 11:54 PM
Thanks, that means I will not be able to enable the firewall on the LAN
settings. I certainly don't want wireless settings to be the same as LAN
settings. And I cannot rely on my users to remember to change those
settings. So much for using MS firewall internally.
Cindy
Roger Abell [MVP]
07-09-2005, 11:54 PM
I must be missing something.
You can configure exceptions that are unique per network interface.
If you do as you say and enable the remote management exception, then
I would highly recommend that you also customize the scope of IPs
for which the exception will be allowed.
--
Roger Abell
Microsoft MVP (Windows Server: Security)
MCDBA, MCSE W2k3+W2k+Nt4
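Added here as a worked example (not code from anyone in the thread): the local netsh equivalent of the setup Cindy describes, with the scope restriction Roger recommends applied to the remote administration exception. It uses the XP SP2 / Server 2003 SP1 `netsh firewall` context; the interface names and the 10.20.30.0/24 management subnet are placeholders.

```batch
@echo off
rem Added example, not from the thread. Interface names and the
rem 10.20.30.0/24 management subnet are placeholders; substitute your own.

rem Baseline: record the current firewall state before changing anything.
netsh firewall show config

rem Firewall off on the wired LAN (behind the hardware firewall), on for the
rem connections that leave the building.
netsh firewall set opmode mode=DISABLE interface="Local Area Connection"
netsh firewall set opmode mode=ENABLE  interface="Wireless Network Connection"
netsh firewall set opmode mode=ENABLE  interface="Dial-up Connection"

rem Weak: the remote administration exception (TCP 135/445 for RPC, WMI and
rem similar) reachable from any source address on every firewalled interface.
rem netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=ALL

rem Hardened: same exception, but only reachable from the management subnet.
rem Exceptions are not per-interface, so the scope is what keeps this closed
rem when the laptop is on hotel wireless or dial-up.
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM addresses=10.20.30.0/255.255.255.0

rem File and print sharing and Remote Desktop stay blocked, as in Cindy's setup.
netsh firewall set service type=FILEANDPRINT mode=DISABLE
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE

rem Verify: the REMOTEADMIN entry should show Mode=Enable, Scope=Custom and
rem the configured address; any exception still showing Scope=All needs review.
netsh firewall show service
```

Run from an elevated command prompt on the machine being configured; `netsh firewall show service` is also a quick audit of which exceptions are open to all addresses.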
David Davis
07-09-2005, 11:54 PM
I know that you can do this manually on servers and workstations, but by
using GPOs it is all or nothing. If I am missing something here, please
share. Sometimes I like to think I know everything, but I am always learning.
--
David Davis [MCSE, CCNA, Security +]