Solved

Disable Windows XP Internet Connection Firewall Remotely

Posted on 2004-08-06
Last Modified: 2008-01-16
I am looking for a way to disable the Internet Connection Firewall feature in XP remotely, either by script or group policy. I am on a Windows 2000 domain and I don't see anything in group policies referring to the Internet Connection Firewall feature in Windows XP. The firewall prohibits the help desk technicians from remotely placing files on users' computers, even with a domain admin account. Any suggestions? (Note: Going to each computer individually is out of the question)
Question by:gbarrientos
 
LVL 4

Expert Comment

by:novacopy
ID: 11737871
Isn't the whole point of a firewall to prevent something like this?

I heard in XP Service Pack 2 it automatically turns your firewall on.
0
 
LVL 2

Expert Comment

by:billyea
ID: 11738613
It does actually, but you can turn the firewall off if you use a wireless network; that is, you're not really connecting to the computer using the internet, but rather a local (in the building) wireless network.
It should allow this because the connection is coming through the trusted local wireless port and not the web.
0
 
LVL 2

Expert Comment

by:billyea
ID: 11738632
Or a simple solution would be keeping the firewall off and using a commercial firewall.
They have more configs. Just set the firewall to accept connections from your wireless device so that you can turn it off.
0
 
LVL 16

Expert Comment

by:robrandon
ID: 11739028
Install the 2003 Administration Tools on an XP box.  From that box, if you configure your GPO, you'll see the Firewall Settings, where you can force the firewall to off and not allow it to turn on, set the default to off and let people turn it on, or just have your setting ignored.
0
 
LVL 2

Expert Comment

by:billyea
ID: 11739248
No, I still recommend a commercial firewall, but you can download a FREE ultra configurable (for your switch-off needs) firewall.
Go to: http://www.download.com/ZoneAlarm/3000-2092-10306241.html?tag=list (it's zone alarm)
In fact this gives MORE configuration than GPO and its EASY!
0
 
LVL 16

Expert Comment

by:robrandon
ID: 11739290
billyea, what do you mean, "No"?  I think gbarrientos was looking for a way to globally disable MS's FW.  That's how I've done it successfully here.

If you are alluding to running without a FW, I would agree with you that it isn't recommended.  We use ISS' Realsecure here for our laptops, which is deployed and configured centrally.  Also has a neat tool that lets me monitor events on all of the workstations.  Not free though.



0
 
LVL 9

Author Comment

by:gbarrientos
ID: 11739601
Well, our company does have a firewall. We use PIX between our router and the "outside world" along with other hardware to stop things like viruses and worms. So in this case there is no need for each computer to have an individual firewall.
0
 
LVL 9

Author Comment

by:gbarrientos
ID: 11739628
robrandon, can I use the 2003 admin tools on a Windows XP box to configure my domain policy? If so, are there any issues that I should worry about... or keep an eye out for?
0
 
LVL 9

Author Comment

by:gbarrientos
ID: 11739636
Or should I go ahead and purchase a license for Windows Server 2003 and configure the changes there?
0
 
LVL 2

Expert Comment

by:billyea
ID: 11739657
If he has a router firewall then he shouldn't be worried about this question at all, since you won't need a firewall on each computer.
0
 
LVL 9

Author Comment

by:gbarrientos
ID: 11739689
Yes, I have a hardware firewall... but my question is how to DISABLE the firewall of my clients so that I, as a Domain Administrator, can freely access files on my clients' computers.
0
 
LVL 2

Assisted Solution

by:billyea
billyea earned 250 total points
ID: 11739694
This is a script to turn off the firewall; it's in Visual Basic.
I KNOW THIS ISN'T THE PROGRAMMING SECTOR, but I think I could help, if you could figure out how to run it remotely.

Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
objPolicy.FirewallEnabled = FALSE

I'm sure you can't, but... who knows, you could set up a schedule so this can execute automatically.
0
 
LVL 16

Accepted Solution

by:
robrandon earned 250 total points
ID: 11739709
You don't need a 2003 server to do this.  You can do it just by loading the admin pak on the XP box.  I have not run into any compatibility problems and am doing the same thing before rolling out SP2 for XP (hopefully that will minimize some of the headaches...).  I log on as a domain admin to the XP box to configure the GP.



0
 
LVL 9

Author Comment

by:gbarrientos
ID: 11739738
Thanks, robrandon and billyea. I will try this out in my test lab and will post results.
0
 
LVL 2

Expert Comment

by:billyea
ID: 11739746
You're welcome.
0
 
LVL 16

Expert Comment

by:robrandon
ID: 11739755
FYI, the setting can be found at:

Computer Configuration\Administrative Templates\Network\Network Connections

0
 
LVL 9

Author Comment

by:gbarrientos
ID: 11756688
robrandon,
I can’t seem to find the setting that you are talking about. Is there a need for a Windows 2003 server to be in place to do this? I am using a Windows XP Pro computer with the admin pack installed and I don’t see the setting that you are talking about.
I am looking at Computer Configuration>Admin Templates>Network>Network and Dial up Connections and the only thing I see there is the Prohibit configurations of connection sharing.

0
 
LVL 9

Author Comment

by:gbarrientos
ID: 11756705
billyea,
Do you know what the script will do on a domain with both Windows 2000 and Windows XP systems? Will there be some type of error? And does the script need to be run under a user with Admin Rights?
0
 
LVL 2

Expert Comment

by:billyea
ID: 11756736
Probably with admin rights.
To be safe, make a system restore before executing the script. Currently, Windows doesn't allow the script to be run remotely (as that would defeat the purpose of a firewall and hackers would come in). If you do find a way to run it remotely, you're on the right track.

This info is correct though. It simply creates a new object for the firewall and then turns that object off, nothing harmful, although you might need a Visual Basic technician to check it out.
0
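On the mixed Windows 2000 / Windows XP question above, an added example (not code from any poster in this thread): a read-only VBScript that reports the firewall state instead of changing it, and returns a message rather than aborting on machines where the `HNetCfg.FwMgr` object is not registered. The function names `FirewallReport` and `DescribeProfile` are made up for this example; it assumes the Windows Firewall COM API that the posted script already uses.

```vbscript
' Added example: report Windows Firewall state without modifying it.
' FirewallReport and DescribeProfile are hypothetical helper names.
Option Explicit

Const NET_FW_PROFILE_DOMAIN = 0          ' profile used when joined to the domain network
Const NET_FW_PROFILE_STANDARD = 1        ' profile used off the domain network
Const NET_FW_SERVICE_FILE_AND_PRINT = 0  ' File and Printer Sharing exception

Function DescribeProfile(objPolicy, lngType, strLabel)
    Dim objProfile, objService
    Set objProfile = objPolicy.GetProfileByType(lngType)
    Set objService = objProfile.Services.Item(NET_FW_SERVICE_FILE_AND_PRINT)
    DescribeProfile = strLabel & " profile: FirewallEnabled=" & objProfile.FirewallEnabled & _
        ", ExceptionsNotAllowed=" & objProfile.ExceptionsNotAllowed & _
        ", FileAndPrintException=" & objService.Enabled
End Function

Function FirewallReport()
    Dim objFirewall, objPolicy
    On Error Resume Next
    Set objFirewall = CreateObject("HNetCfg.FwMgr")
    If Err.Number <> 0 Then
        ' The Windows Firewall API ships with XP SP2; on Windows 2000 and
        ' earlier XP builds CreateObject fails, so report that and stop.
        FirewallReport = "HNetCfg.FwMgr not available (error 0x" & _
            Hex(Err.Number) & "); nothing to report"
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0

    Set objPolicy = objFirewall.LocalPolicy
    ' CurrentProfileType: 0 = domain, 1 = standard
    FirewallReport = "Active profile type: " & objFirewall.CurrentProfileType & vbCrLf & _
        DescribeProfile(objPolicy, NET_FW_PROFILE_DOMAIN, "Domain") & vbCrLf & _
        DescribeProfile(objPolicy, NET_FW_PROFILE_STANDARD, "Standard")
End Function

WScript.Echo FirewallReport()
```

Run it with `cscript //nologo` so the report goes to the console instead of a dialog box; the output also shows whether a Group Policy change has actually reached a given client.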
 
LVL 9

Author Comment

by:gbarrientos
ID: 11756786
billyea
I will have our programmer check it out.

However... I would prefer to use Group Policies to change this feature....
0
 
LVL 16

Expert Comment

by:robrandon
ID: 11756845
gbarrientos,
Under Network, the subfolders I have are DNS Client, Offline Files, Network Connections, QoS Packet Scheduler, and SNMP.  I'm using Windows XP with Service Pack 1.   No need for a 2003 server on the network.  

Did you load up the 2003 admin tools or the 2000 admin tools?


0
 
LVL 16

Expert Comment

by:robrandon
ID: 11756856
Yeah, I think you have the 2000 tools loaded, because I see Network and Dial-up Connections when I check the Policy on my 2000 Server.

If you load up the 2003 Tools you should be fine to do this in GP.
0
 
LVL 16

Expert Comment

by:robrandon
ID: 11756927
0
 
LVL 9

Author Comment

by:gbarrientos
ID: 11757510
robrandon,
I see the problem... I am editing the existing policy already on the server. However, when I created a new policy I see all the options you described above. Now my next question, and I'm not sure if this should be another post: is there a way to import the settings from the existing Default Domain Policy into a new policy which supports XP functions?
0
 
LVL 16

Expert Comment

by:robrandon
ID: 11757676
No idea on that one.  I wonder if it can't be the default domain policy at all because it is a 2000 domain.  But I'm really not sure of that, or if you can copy settings from one policy to another.  Sorry.



0
 

Expert Comment

by:NoahVail
ID: 12549194
You can launch the script remotely with the "at" command.  

at \\machine_name 12:00PM cmd /c "c:\scripts\nofirewall.vbs"

or at /? at a command prompt for more options.

NV
0
 

Expert Comment

by:apcsolution
ID: 12720288
NoahVail, can you e-mail me that nofirewall.vbs script?  Thank you.
0
 

Expert Comment

by:NoahVail
ID: 12751209
I don't have your email address.  Anyway it's the script that's posted above.

Set objFirewall = CreateObject("HNetCfg.FwMgr")
Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
objPolicy.FirewallEnabled = FALSE

The soon command is better than the at command because you aren't dependent on the clock of the remote machine being accurate.

Microsoft posts info and a download link for soon.exe here.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/soon-o.asp

NV
0
