Author | Messages
schobie | Posts: 17 | 02/04/2009 7:45 PM
I've been able to tentatively control 2003 firewall settings from a 2008 GPO (initial testing). I had to install the GPO client extensions on the 2003 machine. The rules I define in Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules are being ignored on 2003 boxes. I had to apply rules in Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
I'm managing 2008 firewall settings in the first path with NO issues. The 2nd path for 2003 seems to work for individual ports with no issues. The question I'm not sure about is how I would grant 1000 dynamic RPC ports or something else that requires a range of ports. I have a few applications that have custom ranges of 150 ports, for example.
Thank you,
Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield
dougdelaney | Posts: 43 | 02/04/2009 8:04 PM
It is simpler to define the exceptions per application, rather than by ports. The applications can then dynamically open any ports they require.
Doug Delaney Infrastructure Specialist - Integration Engineering-GM
EDS, an HP company
GM Desktop Engineering 985 W. Entrance Dr. 2150 Auburn Hills, MI 48326
Lab: +1 248-365-9187 Tel: +1 248 754-7917 Pg: +1 248 870-0306 Mobile: +1 248 210-4973 E-mail: xxxxxxxxxxxxxxxx
We deliver on our commitments so you can deliver on yours.
Darren | Posts: 103 | 02/04/2009 8:10 PM
Steve-
What GPO client extensions for 2003 are you referring to? As far as I know, Windows Firewall with Advanced Security only supports managing 2008 & Vista boxes, although I could be wrong.
Darren
schobie | Posts: 17 | 02/04/2009 8:10 PM
Thanks Doug for the quick response. I looked at that and couldn't determine how to do something like RPC, which runs under svchost. Are you aware of a document or reference for which applications would be listed in the GPO?
Steve
schobie | Posts: 17 | 02/04/2009 8:23 PM
I couldn't get any Windows Firewall settings to apply on my test w2k3 machine. After I installed the update, I was able to get rules to apply using Windows Firewall settings under the 2nd location listed below.
Group Policy Preference Client Side Extensions for Windows Server 2003 (KB943729)
Date last published: 11/25/2008
Download size: 690 KB
Multiple Group Policy Preferences have been added to the Windows Server 2008 Group Policy Management Console (which are also available through the Remote Server Administration Toolset (RSAT) for Windows Vista SP1). Group Policy Preferences enable information technology professionals to configure, deploy, and manage operating system and application settings they previously were not able to manage using Group Policy. After you install this update, your computer will be able to process the new Group Policy Preference extensions. After you install this item, you may have to restart your computer.
Steve
Darren | Posts: 103 | 02/04/2009 9:54 PM
Steve-
The GP Preferences install would not have fixed Admin Template firewall policies. They are totally unrelated. I suspect policy was broken and started working for some reason.
Darren ***** Darren Mar-Elia www.gpoguy.com -- the Internet Resource for Group Policy Information and Utilities
schobie | Posts: 17 | 02/04/2009 11:17 PM
I concur; I'm not certain why yet. The box I was testing was 51 security patches behind. I started looking at this today and have realized I need to handle W2k3 and W2k8 a little differently. I've mainly worked on w2k8 boxes, so I hadn't tested much on w2k3 (I meant to).
I have a base 'services / windows firewall' policy that gets applied to various OUs. It locks down services and applies Windows Firewall rules. It works like a champ on w2k8. For w2k3 machines, I was able to mimic the same behavior to open what I need using the built-in settings.
For those who are interested, here are my base rules.
Ports 80, 443, 161, 3389 open to all boxes
WMI from certain boxes (monitoring, scripting)
File / Print Sharing from certain boxes
A handful of programs (AV etc.)
Echo Reply in ICMP only
Doug's idea of using programs instead of ports got me doing a little more research and understanding the concept. That makes sense and I'll do further testing. I must say, implementing Windows Firewall has been a learning curve while still allowing me to manage and monitor the servers. Now I realize why people just disable it and let the perimeter firewalls do the security. I'm stoked that I'll be able to lock down the 'MS Ports' (135-139, 445) between boxes on the same VLAN. The main purpose is for web servers to not be able to talk except on the 4 'wide-open' ports.
Anywho, I'm glad there is a list for GPO's. Thanks guys for the direction, input.
Thank you,
Steve Schofield Windows Server MVP - IIS http://weblogs.asp.net/steveschofield
http://www.IISLogs.com Log archival solution Install, Configure, Forget
dougdelaney | Posts: 43 | 02/05/2009 12:04 AM
Please make sure you define the same settings in both the domain profile and the standard profile, as there is a known issue with Windows determining the correct profile. I hoped for that to be fixed, but it may not be.
Doug Delaney Infrastructure Specialist - Integration Engineering-GM
EDS, an HP company
GM Desktop Engineering 985 W. Entrance Dr. 2150 Auburn Hills, MI 48326
Lab: +1 248-365-9187 Tel: +1 248 754-7917 Pg: +1 248 870-0306 Mobile: +1 248 210-4973 E-mail: xxxxxxxxxxxxxxxx
We deliver on our commitments so you can deliver on yours.
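Added example, not code from any poster in this thread: a Python helper that builds, parses and lints the colon-separated exception strings the Administrative Templates firewall path takes on 2003, covering Steve's base rules and his 150-port custom range, Doug's per-program exceptions and his "define it in both profiles" advice, and a check that none of the 'MS ports' (135-139, 445) are left open to everyone. The `port:protocol:scope:status:name` and `path:scope:status:name` syntax with one port per entry, the registry policy key, the 10.0.x.x addresses and the antivirus path are assumptions or constructed placeholders.

```python
"""Build, parse and lint legacy Windows Firewall (XP SP2 / 2003 SP1) exception strings of
the kind the Administrative Templates firewall policies take. Assumed syntax (one port per
entry; no range form):
  port exception    -> port:protocol:scope:status:name
  program exception -> path:scope:status:name
scope is '*', 'LocalSubnet', or comma-separated IPv4 addresses/subnets."""
import ipaddress

PROFILES = ("DomainProfile", "StandardProfile")
POLICY_ROOT = r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall"  # assumed policy key
MS_PORTS = {135, 136, 137, 138, 139, 445}  # the 'MS ports' to keep closed between boxes

def check_scope(scope):
    if scope in ("*", "LocalSubnet"):
        return scope
    parts = [p.strip() for p in scope.split(",") if p.strip()]
    if not parts:
        raise ValueError("empty scope")
    for p in parts:
        ipaddress.ip_network(p, strict=False)  # rejects anything that is not an address/subnet
    return ",".join(parts)

def validate_port_fields(port, protocol, scope):
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    protocol = protocol.upper()
    if protocol not in ("TCP", "UDP"):
        raise ValueError(f"protocol must be TCP or UDP: {protocol}")
    return port, protocol, check_scope(scope)

def port_exception(port, protocol, scope, name, enabled=True):
    port, protocol, scope = validate_port_fields(port, protocol, scope)
    return f"{port}:{protocol}:{scope}:{'Enabled' if enabled else 'Disabled'}:{name}"

def program_exception(path, scope, name, enabled=True):
    # A per-program entry lets that binary listen on whatever ports it needs.
    return f"{path}:{check_scope(scope)}:{'Enabled' if enabled else 'Disabled'}:{name}"

def port_range_exceptions(first, last, protocol, scope, name):
    # There is no range syntax, so a 150-port range costs 150 separate entries.
    if last < first:
        raise ValueError("last port precedes first port")
    return [port_exception(p, protocol, scope, f"{name} {p}") for p in range(first, last + 1)]

def parse_port_exception(entry):
    # Split and validate one port entry; the trailing name may itself contain ':'.
    fields = entry.split(":", 4)
    if len(fields) != 5 or fields[3] not in ("Enabled", "Disabled"):
        raise ValueError(f"malformed entry: {entry}")
    port, protocol, scope = validate_port_fields(fields[0], fields[1], fields[2])
    return {"port": port, "protocol": protocol, "scope": scope,
            "enabled": fields[3] == "Enabled", "name": fields[4]}

def lint_port_entries(entries):
    # Flag enabled entries that expose an MS port to every host or to the whole subnet.
    findings = []
    for p in map(parse_port_exception, entries):
        if p["enabled"] and p["port"] in MS_PORTS and p["scope"] in ("*", "LocalSubnet"):
            findings.append(f"{p['port']}/{p['protocol']} open to {p['scope']}: {p['name']}")
    return findings

def build_policy(port_entries, program_entries):
    # Mirror identical lists into both profiles, since profile detection can pick the wrong one.
    policy = {}
    for profile in PROFILES:
        policy["\\".join((POLICY_ROOT, profile, "GloballyOpenPorts", "List"))] = list(port_entries)
        policy["\\".join((POLICY_ROOT, profile, "AuthorizedApplications", "List"))] = list(program_entries)
    return policy

# Constructed sample: the thread's base rules, file sharing from two admin hosts, one 150-port range.
ADMIN_HOSTS = "10.0.1.10,10.0.1.11"  # constructed addresses
BASE_PORTS = [port_exception(80, "TCP", "*", "HTTP"), port_exception(443, "TCP", "*", "HTTPS"),
              port_exception(161, "UDP", "*", "SNMP"), port_exception(3389, "TCP", "*", "Remote Desktop"),
              port_exception(445, "TCP", ADMIN_HOSTS, "File and Printer Sharing")]
APP_PORTS = port_range_exceptions(5000, 5149, "TCP", "10.0.2.0/24", "CustomApp")
PROGRAMS = [program_exception(r"%ProgramFiles%\AV\av.exe", "*", "Antivirus agent")]  # placeholder path
POLICY = build_policy(BASE_PORTS + APP_PORTS, PROGRAMS)
```

The lint is the check to run against the exception lists before linking the GPO: any 135-139/445 entry scoped to `*` or `LocalSubnet` defeats the goal of keeping web servers on one VLAN from talking to each other outside the four wide-open ports.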