The GPTalk Mailing List

The GPTALK mailing list is where you can send and receive email related to Windows Group Policy. You must subscribe to the list to send and receive mail from the list. The purpose of the list is to provide a forum for asking and answering technical questions related to Group Policy. Any question is fair game as long as it is related to Windows Group Policy.  The Archives for this list can be found on this page.

 

List Posts

Subject: [gptalk] Mix Windows Firewall settings?
schobie

Posts:17

03/05/2009 9:46 PM  
Wonder if anyone has implemented GPO based windows firewall settings. I have a GPO that contains locking down windows firewall and services. The policy is linked at a higher level where settings are applied to all machines (w2k3 and w2k8 mixture). The way I found out to manage w2k3 was using the standard location of Computer > administrative templates > network > network connections > firewall settings. I can use the new location for managing w2k8 boxes. What I've done and things seemed to work for months was putting settings in both places when applying settings.

Here is the error.

Attempts to start the service result in Event ID 7024 The Windows Firewall service terminated with service-specific error 2150760483 (0x80320023).

Here is a thread I found that might help:

http://www.vistax64.com/vista-security/167084-windows-firewall-service-terminated-service-specific-erro.html

I like the idea of using WMI filters and separating w2k3 and w2k8 firewall settings. I've never used WMI filters. As far as I can determine, if I make a copy of the current policy, separate out the w2k3 and w2k8 settings, link both policies. It'll apply to the appropriate OS type. Any advice or direction is appreciated.

Steve
Darren

Posts:103

03/06/2009 12:35 AM  
Steve-

The approach is reasonable and probably advised given the different types of
Firewall policy now supported. You can use either WMI filters or security
groups. Obviously filters let you control GP processing without having to
maintain groups.



You could do something like this, assuming the GPOs are linked to OUs only
containing servers:



Select * From Win32_OperatingSystem Where BuildNumber = 6001 (for Server 2008)



And



Select * From Win32_OperatingSystem Where BuildNumber < 6001 (for Server 2003)



Darren
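
One way to check the two filter queries from the reply above against real machines before attaching them to the firewall GPOs, as an added example that is not part of the original thread. The GPO names and the commented computer names are constructed placeholders; a machine that matches neither query would receive no firewall GPO at all, so the function reports that case explicitly.

```powershell
# Added example, not from the thread. GPO names are constructed placeholders;
# the two queries are the ones posted above (class name written as one word).
$Filters = @(
    @{ Gpo = 'FW-Server2008'; Query = 'Select * From Win32_OperatingSystem Where BuildNumber = 6001' },
    @{ Gpo = 'FW-Server2003'; Query = 'Select * From Win32_OperatingSystem Where BuildNumber < 6001' }
)

function Test-FirewallGpoFilter {
    param(
        # Defaults to the local machine; pass server names to audit remotely.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        $os = $null
        $matched = @()
        try {
            # Record what the machine actually reports about itself.
            $os = Get-WmiObject -Class Win32_OperatingSystem -Namespace 'root\CIMv2' `
                    -ComputerName $computer -ErrorAction Stop

            # A GPO WMI filter passes when its query returns at least one instance.
            $matched = @(foreach ($f in $Filters) {
                $hit = @(Get-WmiObject -Query $f.Query -Namespace 'root\CIMv2' `
                            -ComputerName $computer -ErrorAction Stop)
                if ($hit.Count -gt 0) { $f.Gpo }
            })

            $status = switch ($matched.Count) {
                0       { 'GAP: no firewall GPO would apply' }
                1       { 'OK' }
                default { 'OVERLAP: more than one firewall GPO would apply' }
            }
        }
        catch {
            # Unreachable or access denied: report it rather than skipping the host.
            $status = "UNREACHABLE: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Computer    = $computer
            Caption     = $os.Caption
            BuildNumber = $os.BuildNumber
            ProductType = $os.ProductType   # 1 = workstation, 2 = domain controller, 3 = server
            MatchedGpo  = $matched -join ', '
            Status      = $status
        }
    }
}

# Local check; replace with real server names, e.g. -ComputerName 'SRV03-EXAMPLE','SRV08-EXAMPLE'
Test-FirewallGpoFilter | Format-Table -AutoSize
```

The ProductType column shows whether the "OUs only containing servers" assumption holds for each machine tested.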





pmgough

Posts:23

03/06/2009 7:34 AM  
Steve,

I had the same issue and ended up creating separate firewall policies for my
Server 2003 and 2008 boxes and using WMI filters to apply them to the
appropriate machines.

It was all fairly painless to set up as Darren described and has certainly
resolved the problem.

Pete


schobie

Posts:17

03/06/2009 9:46 PM  
Hi Peter,

I found the WMI filter technique easy to implement. If I can ask, I have initially implemented a 'base' firewall policy that is targeted to 'lockdown' boxes including Windows firewall settings by OS. Further down our OU structure, we have application types separated and additional app specific firewall policies. Between the 'base' and 'additional' firewall policies, this works pretty well when they blend together. I was wondering if you implemented a single policy or multiple policies?

Steve



pmgough

Posts:23

03/06/2009 10:31 PM  
I have separate firewall policies for servers (both 2003 and 2008), standard
workstations (currently all XP) and what we term 'executive workstations'.

The firewall settings on the servers and standard workstations are locked
down and regular users cannot make changes to these settings; they are all
controlled via GP. We also have a small number of 'executive' users who have
been granted the ability to change firewall settings on their devices. These
workstations are in a separate OU and we use GP to impose the same standard
set of app and port specific policies as the standard workstations but we
also allow the users to add / edit their own firewall settings.

It's a pretty simple model but it seems to give us a reasonable blend of
security, manageability and flexibility.


schobie

Posts:17

03/07/2009 8:14 PM  
Sounds like a simple and effective architecture. For servers, I have something similar except a machine could have the 'base' policy with firewall settings and an additional policy specific to the application. They seem to blend together with no issues.

On top of the new advanced firewall settings, I used

1) Disable Local Ports
2) Disable Local Programs
3) Protect All Network connections

in the Computer > administrative templates > network > network connections > firewall settings.

This grayed out the ability to add programs, ports and ensures the firewall settings are turned on.

Steve






Copyright 2009 by GPOGUY.COM