Solved

Disable Windows XP Internet Connection Firewall Remotely

Posted on 2004-08-06
Last Modified: 2008-01-16
I am looking for a way to disable the Internet Connection Firewall feature in XP remotely, either by script or group policy. I am on a Windows 2000 domain and I don't see anything in group policies referring to the Internet Connection Firewall feature in Windows XP. The firewall prohibits the help desk technicians from remotely placing files on users' computers even with a domain admin account. Any suggestions? (Note: Going to each computer individually is out of the question)
Question by:gbarrientos

Expert Comment

by:novacopy
Isn't the whole point of a firewall to prevent something like this?

I heard in XP Service Pack 2 it automatically turns your firewall on.

Expert Comment

by:billyea
It does actually, but you can turn the firewall off if you use a wireless network, that is, you're not really connecting to the computer using the internet, but rather a local (in the building) wireless network.
It should allow this since the connection is coming through the trusted local wireless port and not the web.

Expert Comment

by:billyea
Or a simple solution would be keeping the firewall off and using a commercial firewall.
They have more configs. Just set the firewall to accept connections from your wireless device so that you can turn it off.

Expert Comment

by:robrandon
Install the 2003 Administration Tools on an XP box.  From that box, if you configure your GPO, you'll see the Firewall Settings, where you can force the firewall to off and not allow it to turn on, set the default to off and let people turn it on, or just have your setting ignored.

Expert Comment

by:billyea
No, I still recommend a commercial firewall, but you can download a FREE ultra configurable (for your switch-off needs) firewall.
Go to: http://www.download.com/ZoneAlarm/3000-2092-10306241.html?tag=list (it's ZoneAlarm)
In fact this gives MORE configuration than GPO and it's EASY!

Expert Comment

by:robrandon
billyea, what do you mean, "No"?  I think gbarrientos was looking for a way to globally disable MS's FW.  That's how I've done it successfully here.

If you are alluding to running without a FW, I would agree with you, that it isn't recommended.  We use ISS' RealSecure here for our laptops, which is deployed and configured centrally.  Also has a neat tool that lets me monitor events on all of the workstations.  Not free though.

Author Comment

by:gbarrientos
Well, our company does have a firewall. We use PIX between our router and the "outside world" along with other hardware to stop things like viruses and worms. So in this case there is no need for each computer to have an individual firewall.

Author Comment

by:gbarrientos
robrandon, can I use the 2003 admin tools on a Windows XP box to configure my domain policy? If so, are there any issues that I should worry about... or keep an eye out for?

Author Comment

by:gbarrientos
Or should I go ahead and purchase a license for Windows Server 2003 and configure the changes there?

Expert Comment

by:billyea
If he has a router firewall then he shouldn't be worried about this question at all, since you won't need a firewall on each computer.

Author Comment

by:gbarrientos
Yes, I have a hardware firewall... but my question is how to DISABLE the firewall of my clients so that I, as a Domain Administrator, can freely access files on my clients' computers.

Assisted Solution

by:billyea
billyea earned 250 total points
This is a script to turn off the firewall; it's in Visual Basic.
I KNOW THIS ISN'T THE PROGRAMMING SECTOR, but I think I could help, if you could figure out how to run it remotely.

Set objFirewall = CreateObject("HNetCfg.FwMgr")           ' Windows Firewall manager COM object
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile    ' profile currently in effect
objPolicy.FirewallEnabled = FALSE                         ' turn the firewall off for that profile

I'm sure you can't, but... who knows, you could set up a schedule so this can execute automatically.

Accepted Solution

by:robrandon
robrandon earned 250 total points
You don't need a 2003 server to do this.  You can do it just by loading the admin pack on the XP box.  I have not run into any compatibility problems and am doing the same thing before rolling out SP2 for XP (hopefully that will minimize some of the headaches...).  I log on as a domain admin to the XP box to configure the GP.

Author Comment

by:gbarrientos
Thanks robrandon and billyea, I will try this out in my test lab and will post results.

Expert Comment

by:billyea
You're welcome.

Expert Comment

by:robrandon
FYI, the setting can be found at:

Computer Configuration\Administrative Templates\Network\Network Connections

Author Comment

by:gbarrientos
robrandon,
I can’t seem to find the setting that you are talking about. Is there a need for a Windows 2003 server to be in place to do this? I am using a Windows XP Pro computer with admin pack installed and I don’t see the setting that you are talking about.
I am looking at Computer Configuration>Admin Templates>Network>Network and Dial up Connections and the only thing I see there is the Prohibit configurations of connection sharing.

Author Comment

by:gbarrientos
billyea,
Do you know what the script will do on a domain with both Windows 2000 and Windows XP systems? Will there be some type of error? And does the script need to be run under a user with admin rights?

Expert Comment

by:billyea
Probably with admin rights.
To be safe, make a system restore before executing the script. Currently, Windows doesn't allow the script to be run remotely (as that would defeat the purpose of a firewall and hackers would come in). If you do find a way to run it remotely, you're on the right track.

This info is correct though. It simply creates a new object for the firewall and then turns that object off, nothing harmful, although you might need a Visual Basic technician to check it out.

Author Comment

by:gbarrientos
billyea,
I will have our programmer check it out.

However... I would prefer to use Group Policies to change this feature...

Expert Comment

by:robrandon
gbarrientos,
Under Network, the subfolders I have are DNS Client, Offline Files, Network Connections, QoS Packet Scheduler, and SNMP.  I'm using Windows XP with Service Pack 1.   No need for a 2003 server on the network.  

Did you load up the 2003 admin tools or the 2000 admin tools?

Expert Comment

by:robrandon
Yeah, I think you have the 2000 tools loaded, because I see Network and Dial-up Connections when I check the Policy on my 2000 Server.

If you load up the 2003 Tools you should be fine to do this in GP.

Author Comment

by:gbarrientos
robrandon,
I see the problem... I am editing the existing policy already on the server. However, when I created a new policy I see all the options you described above. Now my next question, and I'm not sure if this should be another post: is there a way to import the settings from the existing Default Domain Policy into a new policy which supports XP functions?

Expert Comment

by:robrandon
No idea on that one.  I wonder if it can't be the default domain policy at all because it is a 2000 domain.  But I'm really not sure of that, or if you can copy settings from one policy to another.  Sorry.

Expert Comment

by:NoahVail
You can launch the script remotely with the "at" command.

at \\machine_name 12:00PM cmd /c "c:\scripts\nofirewall.vbs"

Or run at /? at a command prompt for more options.

NV

Expert Comment

by:apcsolution
NoahVail, can you e-mail me that nofirewall.vbs script?  Thank you.

Expert Comment

by:NoahVail
I don't have your email address.  Anyway, it's the script that's posted above.

Set objFirewall = CreateObject("HNetCfg.FwMgr")           ' Windows Firewall manager COM object
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile    ' profile currently in effect
objPolicy.FirewallEnabled = FALSE                         ' turn the firewall off for that profile

The soon command is better than the at command because you aren't dependent on the clock of the remote machine being accurate.

Microsoft posts info and a download link for soon.exe here.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/soon-o.asp

NV
0
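
A read-only companion to the script discussed in this thread, added here as an example and not posted by any participant: it reports the firewall state for the Domain and Standard profiles (the thread's script touches only CurrentProfile, the profile in effect when it runs) and exits cleanly where HNetCfg.FwMgr cannot be created. That this is the case on Windows 2000 clients is an assumption; the helper names ProfileName and DescribeProfile and the exit code are illustrative.

```vbscript
' Added example (not from the thread): report Windows Firewall state
' without changing it. Run with: cscript //nologo fwstate.vbs
Option Explicit

' Values of the NET_FW_PROFILE_TYPE enumeration
Const NET_FW_PROFILE_DOMAIN = 0
Const NET_FW_PROFILE_STANDARD = 1

' Hypothetical helper: readable name for a profile type
Function ProfileName(profileType)
    Select Case profileType
        Case NET_FW_PROFILE_DOMAIN
            ProfileName = "Domain"
        Case NET_FW_PROFILE_STANDARD
            ProfileName = "Standard"
        Case Else
            ProfileName = "Unknown(" & profileType & ")"
    End Select
End Function

' Hypothetical helper: one summary line for the given profile
Function DescribeProfile(objPolicy, profileType)
    Dim objProfile
    Set objProfile = objPolicy.GetProfileByType(profileType)
    DescribeProfile = ProfileName(profileType) & " profile: FirewallEnabled=" & _
        objProfile.FirewallEnabled & ", ExceptionsNotAllowed=" & _
        objProfile.ExceptionsNotAllowed
End Function

Dim objFirewall, objPolicy

' CreateObject raises an error where the firewall COM object is not
' registered (assumed here to include Windows 2000 clients).
On Error Resume Next
Set objFirewall = CreateObject("HNetCfg.FwMgr")
If Err.Number <> 0 Then
    WScript.Echo "HNetCfg.FwMgr not available (error " & Err.Number & "); nothing to report."
    WScript.Quit 2   ' illustrative exit code
End If
On Error GoTo 0

Set objPolicy = objFirewall.LocalPolicy
WScript.Echo "Active profile: " & ProfileName(objFirewall.CurrentProfileType)
WScript.Echo DescribeProfile(objPolicy, NET_FW_PROFILE_DOMAIN)
WScript.Echo DescribeProfile(objPolicy, NET_FW_PROFILE_STANDARD)
```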
