Solved

Activating internet connection firewall with a GPO...

Posted on 2004-09-03
6
194 Views
Last Modified: 2013-11-16
I would like to know if its possible to actually turn on the ICF in windows XP SP1 with a GPO. So far I am able to allow the option when users are not logged into the local domain, but all it does when a user connects elsewhere is allow the option to be checked, but does not actually do it for them. I know with SP2 you can have it actually be on, but I am not deploying that just yet.

Thanks!
0
Comment
Question by:cbtech
6 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11980136
I don't think so.  If you enable ICF on a domain machine, then it will no longer co-operate and you won't be able to reach it !
You'd be better off using ISA and the ISA Firewall Client ?
0
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 11982238
From what I know, MS didn't want to use ICF in a domain (corporate) environment due to potential printer, file, application, etc. problems.  In fact, the GPO setting only allows for you to turn off ICF while inside a domain - basically confirming that ICF wasn't meant originally for a secure domain environment (even though it may work).  The reason why ICF can be enabled outside of the office is probably because MS figured that domain laptops would need some protection outside the office.

With XP SP2, they did a 180 and turned it on by default and gave the ability for admins enforce this in the GPO.  I am guessing more testing was done on Windows Firewall for them to be comfortable with leaving it on (as opposed to ICF).
0
 
LVL 8

Accepted Solution

by:
pjcrooks2000 earned 200 total points
ID: 11986415
Yep it isSeems as though it is possible

http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/xpsec.mspx
read under where it says "Location-aware Group Policy in ICF"


I hope this helps you

pjcrooks2000
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 23

Expert Comment

by:Tim Holman
ID: 11988376
The location aware GP means that GP can turn off the ICF if it finds it enabled and on the domain.
There are no means for GP to turn the ICF back on again.
0
 

Author Comment

by:cbtech
ID: 11990447
This seems to be an easier thing to do with XP SP2, as its on by defualt if its not in a domain. With SP1 I am able to use a GPO to diable the ICF within my domain,  and then if the machine is disconnected from the domain, the advanced tab appears on the connections property page, and it allows you to click the checkbox to turn on the ICF, then once you connect again to the domain, it disables it, but if you disconnect from the domain again, it enables it and the ICF remembers your setting that you check it on. How can I get that initial checking of the the ICF to enable it with a GPO instead of visiting each individual machine?
0
 
LVL 8

Expert Comment

by:pjcrooks2000
ID: 12128137
Thanks cbtech ;)

good luck to you!
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question