How to allow clients to control their own firewall in SBS 2011

The articles on the internet for turning off the client firewall policy are for SBS 2008 and don't really help for SBS 2011. The client firewall policy was actually moved.

In SBS 2011, the client firewall policy has moved to the SBS computers container. If the computer is not in this AD container, then the policy won’t work, of course. The SBS 2008 policy is in the Group Policy Objects folder, under SBS client policies.

When you Google “turning off the client firewall policy in sbs 2011”, you get this:

http://msmvps.com/blogs/robwill/archive/2011/04/06/disable-the-windows-firewall-on-client-computers-in-an-sbs-2008-domain.aspx

This article will lead you nowhere (it is for 2008 and not 2011) and that can be frustrating.

So, here is the location if you have the need in SBS 2011:

[Image: SBS 2011 sbscomputers policy]

In that policy, go to Computer Configuration -> Windows Settings -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile and make sure all the settings are changed to Not Configured. This will ensure the clients have control of their own firewall.

[Image: SBS 2011 windows firewall policy]

Once they are all configured, you can run gpupdate /force and have the clients log off and back on again, and voilà.

Disclaimer:

I would not implement this in the organization unless you have a specific reason.

I wrote this article because there is currently not one out on the internet for how to do this in SBS 2011. One caveat is the public firewall setting on the server. If you do these GPO settings and then turn on the "public" firewall policy on the server, I think this will reset the settings. I haven't verified this, but at least you have an idea as to what is going on.

The firewall policy for the server is in Server Manager -> Configuration -> Windows Firewall with Advanced Settings. Then you right-click and go to Properties. Or simply use the SBS console. Either way, you want to make sure your server firewall settings are how you want them and then go ahead and make the change.

I hope this helps.
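
One way to confirm on a client that the Domain Profile settings described above are no longer enforced after the gpupdate, as an added example that is not part of the original article. It assumes the administrative-template firewall settings land under the standard Windows Firewall policy registry key; the function name `Get-EnforcedFirewallPolicy` is hypothetical.

```powershell
# Added example: run in an elevated PowerShell prompt on a domain-joined client
# after "gpupdate /force". It only reads state; it changes nothing.

# Registry key that holds the Windows Firewall "Domain Profile" settings
# while a GPO enforces them (assumed standard policy location).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

function Get-EnforcedFirewallPolicy {
    param([string]$Key = $policyKey)

    # No key at all: no GPO is setting Domain Profile firewall values.
    if (-not (Test-Path $Key)) { return @() }

    $item  = Get-Item -Path $Key
    $found = @()

    # Values directly under the key are the individual enforced settings.
    foreach ($name in $item.GetValueNames()) {
        $found += New-Object PSObject -Property @{
            Setting = $name
            Value   = $item.GetValue($name)
        }
    }
    # Subkeys hold list-style settings (exceptions, logging and so on).
    foreach ($sub in $item.GetSubKeyNames()) {
        $found += New-Object PSObject -Property @{
            Setting = "$sub (subkey)"
            Value   = '<list>'
        }
    }
    return $found
}

$enforced = @(Get-EnforcedFirewallPolicy)
if ($enforced.Count -eq 0) {
    Write-Output 'No Domain Profile firewall settings are enforced by policy.'
} else {
    Write-Output 'Still enforced by Group Policy:'
    $enforced | Format-Table Setting, Value -AutoSize
}

# Which GPOs applied to this computer (shows whether the SBS policy is in scope).
gpresult /r /scope computer

# The domain profile as the firewall itself reports it.
netsh advfirewall show domainprofile
```

If settings are still listed, check that every Domain Profile setting in the GPO is Not Configured and that the computer account sits in the container the policy is linked to.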


Comments (2)


Commented:
Hi louisreeves,

My first question is: why would you want to do this?

One of the most important features of any Windows Network is the centralised administration/control.

Giving the end users access to change security settings is a recipe for disaster. From that perspective, there has to be a clear reason to want to do this and a note indicating this is not best practice and should be avoided at all cost.

Thanks
demazter
Experts Exchange Page Editor

Commented:
If you want to allow the user to use alternative firewalls like one that comes with the Antivirus programs, do I really want both firewalls? Also, recently I was trying to determine if the firewall was blocking something, and I was not able to turn the firewall off. Assuming there were no other options than to implement this type of approach.
