A while back I set up a group policy which would turn on all our domain workstation firewalls (Windows Firewall with Advanced Security). We run 2008 R2 DC and 2008 R2 Terminal Services with thin clients and a handful of Windows 7 desktops.The firewall profiles for public, private and domain have been off for every single workstation and server in this company since I started. Not sure why, but I started tightening things up by turning on Windows Firewall for all workstations and then I also did our terminal servers since they are basically the workstation for several users at once.The problem I just ran into is that I was running Windows Update on two of our Terminal Servers and when I do this, I have to move them out of their main OU in AD to an 'unlocked' OU so I can properly install updates. When I do this, there are no group policies that apply (except for the domain level GPO I think).Anyway, after the updates, I rebooted and waited a while, then I noticed I couldn't connect or ping these servers. So I went to the server room and they were on and connected to the network. So I ran a gpupdate /force on them and then as soon as I did that, I was able to ping them again.So my thinking is that when I moved the servers to an unlocked OU and ran gpupdate and then rebooted after updates, their Windows Firewall prevented me from pinging or remoting into them, until I ran a gpupdate. But this doesn't really make sense to me since their firewall is one when they are in their main OU.For now, I am considering just turning off the Domain Firewall profile to prevent this from happening again.Any thoughts?
Michaelsteely2 wrote:When you moved it to a unlocked OU, I am assuming you mean an OU with no Group Policies applied, it probably reset the firewall back to defaults since it didn't have the group policy telling it to open certain ports. Once you moved it back the main OU those ports should open back up but only after it hits the the group policy refresh timer which is 2 hours by default or if you run gpupdate /force.Yes, that is what I meant.
Although, this 'unlocked' OU is still under the root domain.com and subject to the Default Domain Policy, which actually holds the original firewall settings for everything, and those settings turn off the Windows Firewall completely. So if anything, the firewall shouldn't even be on when it's in the 'unlocked' OU. Cavemanager wrote:To everyone replying: but I thought that all computers joined to a domain trusted each other, so why would the domain profile block things from other systems on the domain? I guess a better question I could have asked is, what is the point of the domain profile on the firewall (vs the other two)?
But then I could just google that I suppose.They don't if left to default. You need to make sure you allow only certain ports and services from other computers on your same domain. Private and Public profiles are for networks outside your LAN that might want to connect like let's say WAN connections or other networks in the office. Admin1536 wrote:all the steps you have Done are a work around to a problem. You havent focused on solving the problem just avoiding it.
I suggest you put your server back to where it was and find time to troubleshoot what is wrong with the firewall and fix. The domain firewall is not just affecting the said servers it affects lots of others so not a good idea.Actually, I don't think any of the steps I have taken have been a work around. I said that the firewalls have been disabled since before I started, and I have been ENABLING them because obviously it's not secure to have them off.
In this article I am going to talk about how you can use Group Policy to control the firewall that comes out of the box with Windows but first I want to give you a bit of history of the evolution of host based firewall in Windows. Firewalls have long been around for year. Go to Administrative Templates Network Network connections Windows Firewall Domain Profile. Disable the “Protect All Network.
Moving the server around to an unlocked OU is something I was shown by the person who set up the environment. I believe this is just a matter of reducing what group policies are applied to the system so as to not hinder Windows Update installation.
Every Windows OS comes with a native firewall as the basic protection against malicious programs. Controls the incoming and outgoing traffic from and to the local system based on the criteria defined in the rules.
The criteria can be program name, protocol, port, or IP address. In a domain environment, administrator can centrally configure Windows Firewall rule using Group Policy. This way, the rules will be automatically applied to all targeted computers in the domain and therefore increasing the security. How to Configure Windows Firewall Rule using Group PolicyThere are two ways to configure Windows Firewall rule using Group Policy:. Using the legacy configurationThe settings can be found under Computer Configuration Administrative Templates Network Network Connections Windows Firewall.
The settings in this section was intended for Windows Version before the release of Windows Vista and Windows Server 2008 but still work for newer release of Windows. However, it is not recommended to be used unless we’re still managing outdated OS in the domain. Using the new configurationThe settings can be found under Computer Configuration Windows Settings Security Settings Windows Firewall with Advanced Security. The settings in this section has been optimized for current Windows release, and it has the very same wizard GUI when creating the firewall rule directly on the client computer, making it easier for administrator.In this example, we are going to create a custom firewall rule using the new configuration.
The scenario is to allow an application named MustBeGeek.exe that communicates using random TCP port number 5 for inbound connection.The step by step configuration is as follows: 1. Defining the policy objectOpen up Group Policy Management console and decide whether to use an existing GPO or creating a new one. After that edit the GPO and go to configuration in Computer Configuration Windows Settings Security Settings Windows Firewall with Advanced Security2.
Set the firewall to be enabledClick on the Windows Firewall with Advanced Security on the left pane, then this menu below will show up in the right pane. Click on Windows Firewall Properties.On the first three tabs, Domain Profile, Private Profile, and Public Profile, make sure the firewall is set to On (recommended), and the following configuration is applied.
This will make sure that no computer in the domain having its firewall turned off. Click OK to confirm the setting.Verify the overview now looks like below screenshot3.
Configuring firewall rulesNow it is time to create the firewall rule. The action performed in this step may vary depending on what needs to be configured. In this example, an inbound rule will be created. Click on Inbound Rules on the left pane, then right click on an empty area in the right pane and select New Rule.There will be four types of rule to be created. Select Custom and click Next.In a custom rule, we can specify the program, ports, and IP address as necessary. According to the requirement in this example, the configuration will be like below screenshots.Program pathProtocol and portsScope (IP address)ActionAfter specifying the program path, ports, and IP address, now select the action to Allow the connection.ProfileTick all the box to ensure that this rule is applied on all profilesCompletionWhen all the settings has been completed, give a name for the rule for identification purpose.Once done, the summary of the newly created rule can be seen in the Group Policy Management console.4. Verify results on the clientApply the GPO to a computer OU, and see the result on the client firewall configuration.