Open firewall to a specific user.

Posted on 2006-04-04
Last Modified: 2013-11-16
All,

I have XP Pro SP2 on my company laptop, which I can take home and use at home through my broadband connection.

Our Network Administrator needs to gain access to it for interrogation for FAST compliance. Is there a way I can open the Firewall for just him only?

I really don't want to drop the firewall completely while at work and raise it at home, as I am sure to forget to raise it one day.

Any other ideas?

Paul
Question by:PaulCaswell
LVL 57

Assisted Solution

by:giltjr
giltjr earned 248 total points
ID: 16372543
You need to know what IP address you will see him coming from.  Then allow that IP address through.  If he is behind a many-to-one NAT device or a proxy server, this will allow everybody that is behind the same box to connect to you.

If this is truly a company laptop they can set up GPOs so that when connected to the LAN at work the firewall is disabled and when connected to your home LAN it is enabled.  This way you don't have to remember a thing.  I am not sure how this is done, but I know that my company does it.

LVL 16

Author Comment

by:PaulCaswell
ID: 16372597
Hi giltjr,

>>You need to know what IP address you will see him coming from.
That can be arranged.

>>... I am not sure how this is done, but I know that my company does it.
That sounds exactly what we need. Can you find out?

Paul
LVL 57

Expert Comment

by:giltjr
ID: 16373301
I will ask the person that set it up to see what he did.
LVL 6

Accepted Solution

by:campbelc
campbelc earned 252 total points
ID: 16374194
One, it shouldn't be a problem for your work network to have access to your notebook at home only on a particular port. Not a big risk at all.

To see your current firewall config:
    netsh firewall show config

To enable something through your firewall:
    netsh firewall add portopening protocol=all port=2323 name="BLAH" mode=enable scope=CUSTOM addresses="1.1.1.1"

Make sure to change the protocol to:  all, tcp, or udp
Change port to the port he needs access to.
Give it a name that is meaningful.
Scope: leave at custom.
Addresses: Add in his public IP address that he will be using to access you.

To enable a program:
    netsh firewall add allowedprogram "C:\Program Files\Microsoft Office\office\Outlook.exe" Outlook Enable

ALSO! If you have a router at home, you will also need to "fix" that as well as setting up port forwarding.
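The following is an added example, not a script posted in this thread: it wraps campbelc's portopening command so the exception is always scoped to a single address, and goes one step further by restricting it to the non-domain (STANDARD) profile, so a domain GPO of the kind giltjr describes still governs the laptop at work. The script name, the address 198.51.100.7 and port 2323 are placeholders; the profile= and delete portopening parameters are standard XP SP2 netsh firewall syntax.

```batch
@echo off
REM Added example (not from the thread): open ONE port to ONE remote address,
REM and only in the non-domain ("standard") profile. The domain profile is
REM left untouched so a corporate GPO can control it when on the office LAN.
REM Usage: allow-admin.cmd <admin-public-ip> <port> [TCP|UDP|ALL]
REM 198.51.100.7 and 2323 are placeholder values, not from the thread.
setlocal
set ADMIN_IP=%~1
set PORT=%~2
set PROTO=%~3
if "%ADMIN_IP%"=="" set ADMIN_IP=198.51.100.7
if "%PORT%"=="" set PORT=2323
if "%PROTO%"=="" set PROTO=TCP

REM 1. scope=CUSTOM with an explicit address list is what keeps this narrow;
REM    scope=ALL would expose the port to every host on the Internet.
REM    Remember giltjr's caveat: if the admin sits behind a many-to-one NAT
REM    or proxy, every host behind that same address is let in too.
netsh firewall add portopening protocol=%PROTO% port=%PORT% name="AdminAccess-%PORT%" mode=ENABLE scope=CUSTOM addresses=%ADMIN_IP% profile=STANDARD
if errorlevel 1 (
    echo Failed to add the port opening; run this from an Administrator account.
    exit /b 1
)

REM 2. Read the rule back and confirm the scope shows the single address,
REM    not "*" (all addresses), before telling anyone the port is open.
netsh firewall show portopening

REM 3. When the compliance check is finished, remove the exception so it
REM    does not linger on the laptop:
REM    netsh firewall delete portopening protocol=%PROTO% port=%PORT% profile=STANDARD
endlocal
```

If the home router sits in front of the laptop, the matching port-forward on the router still has to be added separately, as campbelc notes; netsh only configures the Windows firewall itself.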
LVL 57

Expert Comment

by:giltjr
ID: 16374748
OK, what I was told is that the Windows firewall has a domain and a non-domain GPO.  We only set up the domain GPO, which is applied when you log on and are validated against the domain controller.

If you log on using cached credentials, it will not apply the domain GPO to the firewall and whatever you have set up locally will be used.
LVL 6

Expert Comment

by:campbelc
ID: 16374942
What is the difference between a complex setup with GPOs which I use here as well or setting the local firewall to only allow a user to connect from a certain port and certain IP?

If you want complex, by all means go with GPOs.
If you want simple, with the EXACT same functionality, use my script above. =)
LVL 16

Author Comment

by:PaulCaswell
ID: 16375099
Thanks all! This is going way over my head now but the:

  netsh firewall add portopening protocol=all port=2323 name="BLAH" mode=enable scope=CUSTOM addresses="1.1.1.1"

Looks good to me (only because it's got an IP address :-) ). Sorry to seem a dullard, but do keep technical! I'll get our network manager to take a look in to see if he understands and pass on any more queries.

Paul
LVL 57

Expert Comment

by:giltjr
ID: 16375188
If I understand everything correctly this is an end user with a company owned laptop.

He wants (or may be required) to use the Windows firewall while connected to his home network.

He does not need to use the Windows firewall when he is connected to his company's LAN.   However when on his company's LAN he must either disable the firewall or configure it to allow specific IP address(es) access through the firewall.  

As he is an end user, his company could implement GPOs to do the above without his knowledge and he would not even know the difference until, while connected to his work LAN, he attempted to use the GUI to configure something on the firewall.

On a company owned computer that is part of an AD domain, GPOs are the correct way to handle this.

I would assume that you are NOT a domain admin or desktop support person.  If you are, I sure would like to get on your domain as  you seem to want to leave desktop security up to your end users. :)

I know that if I were responsible for desktop support at a company I would not want to be going around asking users to "pretty please" configure their firewall to allow me to do my job.  GPOs would be used and I would control (just like my company does) the status of the Windows firewall (or any other firewall) while connected to our company network.

While not on our company network the firewall would be enabled and configured the way I see fit to allow the users to do what they needed for work while away from the office.
LVL 16

Author Comment

by:PaulCaswell
ID: 16375725
Gentlemen! Let's leave the fisticuffs at dawn for another time, OK?

Both your options sound excellent! giltjr's solution may be that chosen by our network manager because he may wish to have the level of control described. Besides, we have further security enhancements on the horizon that may lie in this direction.

To ME however, the 'netsh' solution looks neater and tidier, partly because I would prefer to know EXACTLY who has access to my laptop. As a programmer I am able to take responsibility for the security of my equipment. However, the non-technical in our company may benefit from the more structured approach.

However, the decision lies with our network manager and you have both provided excellent options.

Thank you for your help, and any more assistance you can provide. I have sent a link to this question for him to look at. I hope to relay any further need for clarification.

Chatting with him earlier he was considering ensuring that no-one has internet access from home unless they come through the VPN. I hope we have managed to provide him with alternatives to that - in my opinion - draconian measure.

Paul
LVL 6

Expert Comment

by:campbelc
ID: 16375879
I actually have been both a client engineer for a health care environment with over 2800 workstations as well as a current network admin supporting over 50 Cisco switches and PIX firewalls.

My reasoning is this: his network administrator is asking for access to his "company owned" notebook. If they had GPOs in place through AD, I would figure their network team would have been aware of this and, as you stated, would have these set already and he would make a simple change to allow his address as well as the protocol and ports he needs opened on all laptops within a set OU.

Simply stating this is an easier solution since his company doesn't currently have a policy for this is the right approach, unless you're a consultant and would like to reconfigure their AD domain and create OUs for them and move the computer objects into the various OUs for them?

I welcome you onto my network; all patients and visitors can use the public WiFi for free. For my clinical network you'll have to bypass the WPA, TKIP, RADIUS authenticating to our Win2k3 AD with a non-broadcast SSID. Also our "company owned" notebooks include the Funk Odyssey client that allows us to install and write scripts to lock down their abilities and the SSIDs they can attach to.
LVL 6

Expert Comment

by:campbelc
ID: 16375915
LOL agreed Paul. Just love people coming in here and telling people they lack experience and have never obviously held a job as "a domain admin or desktop support person". I've been doing this type of work my entire life. I find it quite amusing actually.

You were asking for a simple solution without changing your entire network/server infrastructure. Problem solved. =)
LVL 57

Expert Comment

by:giltjr
ID: 16375918
No fisticuffs meant, sorry if I came across that way.  I was just pointing out that for a company computer GPOs are the way to go.  For a home only computer, netsh commands.

Even for our developers we secure their machines, in fact especially for our developers.  They tend to be the ones that download the software that can really cause problems on a network because they like to play.  :)   Of course I'm a network guy so I do it also, it's just that I have an isolated network that I can play on.

Now we do allow employees that have laptops to use their home Internet access to access the Internet; part of the reason we enabled the Windows firewall is just in case they don't have one at home.  In fact when they connect to our VPN they lose Internet access and can only access resources on our internal network.  Our thinking is, if they are on the VPN, they need to access work resources not the Internet, so why bog down the Internet with them accessing the Internet over the VPN, which goes through the Internet.   Did that make sense?

My main point was the difference between GPO and the netsh command is corporate control vs. end user control (even application developers are end users).  In the end the desktop/security/networking group has responsibility for protecting the computers, not the end users.

As long as your support group has no problems with this, that is all that matters.  Have a nice day.