• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 213
  • Last Modified:

Activating internet connection firewall with a GPO...

I would like to know if its possible to actually turn on the ICF in windows XP SP1 with a GPO. So far I am able to allow the option when users are not logged into the local domain, but all it does when a user connects elsewhere is allow the option to be checked, but does not actually do it for them. I know with SP2 you can have it actually be on, but I am not deploying that just yet.

Thanks!
0
cbtech
Asked:
cbtech
1 Solution
 
Tim HolmanCommented:
I don't think so.  If you enable ICF on a domain machine, then it will no longer co-operate and you won't be able to reach it !
You'd be better off using ISA and the ISA Firewall Client ?
0
 
LimeSMJCommented:
From what I know, MS didn't want to use ICF in a domain (corporate) environment due to potential printer, file, application, etc. problems.  In fact, the GPO setting only allows for you to turn off ICF while inside a domain - basically confirming that ICF wasn't meant originally for a secure domain environment (even though it may work).  The reason why ICF can be enabled outside of the office is probably because MS figured that domain laptops would need some protection outside the office.

With XP SP2, they did a 180 and turned it on by default and gave the ability for admins enforce this in the GPO.  I am guessing more testing was done on Windows Firewall for them to be comfortable with leaving it on (as opposed to ICF).
0
 
pjcrooks2000Commented:
Yep it isSeems as though it is possible

http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/xpsec.mspx
read under where it says "Location-aware Group Policy in ICF"


I hope this helps you

pjcrooks2000
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
Tim HolmanCommented:
The location aware GP means that GP can turn off the ICF if it finds it enabled and on the domain.
There are no means for GP to turn the ICF back on again.
0
 
cbtechAuthor Commented:
This seems to be an easier thing to do with XP SP2, as its on by defualt if its not in a domain. With SP1 I am able to use a GPO to diable the ICF within my domain,  and then if the machine is disconnected from the domain, the advanced tab appears on the connections property page, and it allows you to click the checkbox to turn on the ICF, then once you connect again to the domain, it disables it, but if you disconnect from the domain again, it enables it and the ICF remembers your setting that you check it on. How can I get that initial checking of the the ICF to enable it with a GPO instead of visiting each individual machine?
0
 
pjcrooks2000Commented:
Thanks cbtech ;)

good luck to you!
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now