
Open firewall to a specific user.

All,

I have XP-Pro-SP2 on my Company Laptop which I can take home and use at home through my BroadBand connection.

Our Network Administrator needs to gain access to it for interrogation for FAST compliance. Is there a way I can open the Firewall for just him only?

I really don't want to drop the firewall completely while at work and raise it at home as I am sure to forget to raise it one day.

Any other ideas?

Paul
 
giltjrCommented:
You need to know what IP address you will see him coming from.  Then allow that IP address through.  If he is behind a many-to-one NAT device or a proxy server, this will allow everybody that is behind the same box to connect to you.

If this is truly a company laptop they can set up GPOs so that when connected to the LAN at work the firewall is disabled and when connected to your home LAN it is enabled.  This way you don't have to remember a thing.  I am not sure how this is done, but I know that my company does it.

PaulCaswellAuthor Commented:
Hi giltjr,

>>You need to know what IP address you will see him coming from.
That can be arranged.

>>... I am not sure how this is done, but I know that my company does it.
That sounds exactly what we need. Can you find out?

Paul
giltjrCommented:
I will ask the person that set it up to see what he did.
campbelcCommented:
One, it shouldn't be a problem for your work network to have access to your notebook at home only on a particular port. Not a big risk at all.

To see your current firewall config:
    netsh firewall show config

To enable something through your firewall:
    netsh firewall add portopening protocol=all port=2323 name="BLAH" mode=enable scope=CUSTOM addresses="1.1.1.1"

Make sure to change the protocol to:  all, tcp, or udp
Change port to the port he needs access to.
Give it a name that is meaningful.
Scope: leave at custom.
Addresses: Add in his public IP address that he will be using to access you.

To enable a program:
    netsh firewall add allowedprogram "C:\Program Files\Microsoft Office\office\Outlook.exe" Outlook Enable

ALSO! If you have a router at home, you will also need to "fix" that as well as setting up port forwarding.
giltjrCommented:
O.K., what I was told is that the Windows firewall has a domain and a non-domain GPO.  We only set up the domain GPO, which is applied when you log on and are validated against the domain controller.

If you log on using cached credentials, it will not apply the domain GPO to the firewall and whatever you have set up locally will be used.
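As an added illustration (not code posted in this thread), a small Python helper that emits the scoped `netsh firewall add portopening` rule campbelc describes, plus the equivalent `netsh advfirewall` syntax for later Windows versions, and refuses any address that is not one specific IPv4 host. It puts the rule in the standard (non-domain) profile so it stays out of the domain profile that giltjr says the GPO controls on the office LAN; the 203.0.113.5 address and port 2323 are constructed placeholders, and the NAT caveat from giltjr's first reply cannot be checked from the address alone.

```python
import ipaddress

# Added example for this thread, not the original poster's commands.
# Maps the thread's protocol words to what each netsh dialect expects.
LEGACY_PROTOCOLS = {"all": "ALL", "tcp": "TCP", "udp": "UDP"}
ADV_PROTOCOLS = {"all": "any", "tcp": "TCP", "udp": "UDP"}
BROADCAST = ipaddress.ip_address("255.255.255.255")


def single_host(addr):
    """Return addr only if it names exactly one routable IPv4 host."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on '203.0.113.0/24' style ranges
    if ip.version != 4:
        raise ValueError("XP SP2 'netsh firewall' scope takes IPv4 addresses")
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast or ip == BROADCAST:
        raise ValueError("%s would not scope the rule to the admin's host" % addr)
    return str(ip)


def scope_is_single_host(addr):
    """Boolean wrapper around single_host() for callers that just want a yes/no."""
    try:
        single_host(addr)
        return True
    except ValueError:
        return False


def check_port(port):
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return port


def legacy_portopening(protocol, port, name, remote_ip, profile="STANDARD"):
    """XP SP2 form. profile=STANDARD keeps the rule out of the domain profile."""
    return ('netsh firewall add portopening protocol=%s port=%d name="%s" '
            'mode=ENABLE scope=CUSTOM addresses=%s profile=%s'
            % (LEGACY_PROTOCOLS[protocol.lower()], check_port(port), name,
               single_host(remote_ip), profile))


def advfirewall_rule(protocol, port, name, remote_ip, profile="private"):
    """Same intent on Vista and later, where 'netsh firewall' is deprecated.
    localport is only valid with TCP/UDP, so it is omitted for protocol=any."""
    proto = ADV_PROTOCOLS[protocol.lower()]
    port_part = "" if proto == "any" else " localport=%d" % check_port(port)
    return ('netsh advfirewall firewall add rule name="%s" dir=in action=allow '
            'protocol=%s%s remoteip=%s profile=%s'
            % (name, proto, port_part, single_host(remote_ip), profile))


if __name__ == "__main__":
    print(legacy_portopening("all", 2323, "BLAH", "203.0.113.5"))
    print(advfirewall_rule("tcp", 2323, "BLAH", "203.0.113.5"))
```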
campbelcCommented:
What is the difference between a complex setup with GPOs which I use here as well or setting the local firewall to only allow a user to connect from a certain port and certain IP?

If you want complex, by all means go with GPOs.
If you want simple, with the EXACT same functionality, use my script above. =)
PaulCaswellAuthor Commented:
Thanks all! This is going way over my head now but the:

  netsh firewall add portopening protocol=all port=2323 name="BLAH" mode=enable scope=CUSTOM addresses="1.1.1.1"

Looks good to me (only because it's got an IP address :-) ). Sorry to seem a dullard but do keep technical! I'll get our network manager to take a look in to see if he understands and pass on any more queries.

Paul
giltjrCommented:
If I understand everything correctly this is an end user with a company owned laptop.

He wants (may be required to) to use the Windows firewall while connected to his home network.

He does not need to use the Windows firewall when he is connected to his company's LAN.   However when on his company's LAN he must either disable the firewall or configure it to allow specific IP address(es) access through the firewall.  

As he is an end user, his company could implement GPOs to do the above without his knowledge and he would not even know the difference until, while connected to his work LAN, he attempted to use the GUI to configure something on the firewall.

On a company owned computer that is part of an AD domain, GPOs are the correct way to handle this.

I would assume that you are NOT a domain admin or desktop support person.  If you are, I sure would like to get on your domain as  you seem to want to leave desktop security up to your end users. :)

I know that if I were responsible for desktop support at a company I would not want to be going around asking users to "pretty please" configure their firewall to allow me to do my job.  GPOs would be used and I would control (just like my company does) the status of the Windows firewall (or any other firewall) while connected to our company network.

While not on our company network the firewall would be enabled and configured the way I see fit to allow the users to do what they needed for work while away from the office.
PaulCaswellAuthor Commented:
Gentlemen! Let's leave the fisticuffs at dawn for another time, OK?

Both your options sound excellent! giltjr's solution may be that chosen by our network manager because he may wish to have the level of control described. Besides, we have further security enhancements on the horizon that may lie in this direction.

To ME however, the 'netsh' solution looks neater and tidier, partly because I would prefer to know EXACTLY who has access to my laptop. As a programmer I am able to take responsibility for the security of my equipment. However, the non-technical in our company may benefit from the more structured approach.

However, the decision lies with our network manager and you have both provided excellent options.

Thank you for your help, and any more assistance you can provide. I have sent a link to this question for him to look at. I hope to relay any further need for clarification.

Chatting with him earlier he was considering ensuring that no-one has internet access from home unless they come through the VPN. I hope we have managed to provide him with alternatives to that - in my opinion - draconian measure.

Paul
campbelcCommented:
I actually have been both a client engineer for a health care environment with over 2800 workstations as well as a current network admin supporting over 50 Cisco switches and PIX firewalls.

My reasoning is this: his network administrator is asking for access to his "company owned" notebook. If they had GPOs in place through AD, I would figure their network team would have been aware of this and, as you stated, would have these set already and he would make a simple change to allow his address as well as the protocol and ports he needs opened on all laptops within a set OU.

Simply stating this is an easier solution since his company doesn't currently have a policy for this is the right approach, unless you're a consultant and would like to reconfigure their AD domain and create OUs for them and move the computer objects into the various OUs for them?

I welcome you onto my network, all patients and visitors can use the public WIFI for free. For my clinical network you'll have to bypass the WPA, TKIP, RADIUS authenticating to our Win2k3 AD with a non-broadcast SSID. Also our "company owned" notebooks include the Funk Odyssey client that allows us to install and write scripts to lock down their abilities and the SSIDs they can attach to.
campbelcCommented:
LOL agreed Paul. Just love people coming in here and telling people they lack experience and have never obviously held a job as "a domain admin or desktop support person". I've been doing this type of work my entire life. I find it quite amusing actually.

You were asking for a simple solution without changing your entire network/server infrastructure. Problem solved. =)
giltjrCommented:
No fisticuffs meant, sorry if I came across that way.  I was just pointing out that for a company computer GPOs are the way to go.  For a home-only computer, netsh commands.

Even for our developers we secure their machines, in fact especially for our developers.  They tend to be the ones that download the software that can really cause problems on a network because they like to play.  :)   Of course I'm a network guy so I do it also, it's just that I have an isolated network that I can play on.

Now we do allow employees that have laptops to use their home Internet access to access the Internet; part of the reason we enabled the Windows firewall is just in case they don't have one at home.  In fact when they connect to our VPN they lose Internet access and can only access resources on our internal network.  Our thinking is, if they are on the VPN, they need to access work resources not the Internet, so why bog down the Internet with them accessing the Internet over the VPN which goes through the Internet.   Did that make sense?

My main point was the difference between GPO and the netsh command is corporate control vs. end user control (even application developers are end users).  In the end the desktop/security/networking group has responsibility for protecting the computers, not the end users.

As long as your support group has no problems with this, that is all that matters.  Have a nice day.