Solved

Unable to manage Windows XP Firewall using Group Policy

Posted on 2007-11-16
15
1,643 Views
Last Modified: 2008-06-01
I try to configure Win XP Firewall using Group Policy.
I have to open 4 ports: 137 UDP, 138 UDP, 139 TCP and 2967 TCP
I've created a Policy named Firewall Settings:
Under Computer Config -> Admin templates -> Network -> Windows Firewall -> Domain Policy.
I've edited "Windows Firewall: Define port exceptions" and added 4 lines:
137:UDP:192.x.x.x:enabled:Symantec Endpoint 137UDP
138:UDP:192.x.x.x:enabled:Symantec Endpoint 138UDP
139:TCP:192.x.x.x:enabled:Symantec Endpoint 137TCP
2967:TCP:192.x.x.x:enabled:Symantec Endpoint 2967TCP

Apply the policy, refresh the policy on the client by running "gpupdate /force"
Reboot the client
Then I go into the Firewall management on the client and I see only one port open using Group Policy, the 2967 TCP.

Can somebody help me?
Thanks in advance.
0
Question by:polarisit
15 Comments
 
LVL 2

Expert Comment

by:Haze0830
Is there a reason you're using the firewall to begin with? Most admins forgo the use of a firewall on client machines in a domain.
0
 

Author Comment

by:polarisit
We've got a lot of users with laptops travelling all over the world, in hotels, web cafes and other networks.
I need to secure these laptops.
0
 
LVL 2

Expert Comment

by:t_taylor
If you look, you will see two sets of options under firewall: Standard and Domain.  Go to domain and turn the firewall off, as this is what it uses when you login and authenticate to a dc.  If you login and fail to connect to the dc (say you are in a hotel somewhere), then the password is verified through cache and the Standard settings are used instead of Domain.  Here is where you go into the Standard section and set all of the lockdown policies for firewall that you want set, which I typically make fairly stringent.  This way, when your users login at work they have the firewall off, but when they are anywhere else, the firewall is on and allows only your specific exceptions, if any.  
0
 
LVL 2

Expert Comment

by:Haze0830
k...but when they aren't attached to the domain, your domain settings won't matter.

Taylor has the answer.
0
 

Author Comment

by:polarisit
Already tested.
I said that I see one of the 4 ports open using the Group Policy!
That's not logical :(
0
 
LVL 2

Expert Comment

by:Haze0830
Are they connected to the domain when you're seeing this? Logoff and unplug the network cable, then logon to the domain and see what settings are applied. Still see the same port open?
0
 
LVL 2

Expert Comment

by:t_taylor
Well if you aren't seeing all 4 and for whatever reason you don't want to just turn off the firewall, then you can troubleshoot it some more.  Create a new GPO and add one of the 4 ports not working.  See if that works.  Run RSoP on a user and see if all 4 are listed under the applied settings.  Run gpupdate /force /y on the DC just to be sure.  Run set and verify the client is logging into the DC.  Check the DC and verify it sees the client.  Reboot the client (as it can sometimes take more than one reboot in order to get settings applied in XP if fast boot is enabled).  Create a test OU and add your user that is logging in on the laptop.  Link the GPO(s) there and see what gets applied.
0
 
LVL 2

Expert Comment

by:t_taylor
Also, it is probably much more likely that there is another GPO that is opening the one port and your GPO isn't getting applied at all, rather than 1 port of the GPO you wrote is getting applied and the rest are not.
0
 

Author Comment

by:polarisit
I did some tests again.
I deleted all GPOs related to Firewall settings.
I created a new one and opened 137 and 138 UDP -> gpupdate /force on all DCs and the client.
The firewall policy is well applied because the firewall is enabled on the client, but I did not see 137 and 138 UDP open.
I added 2967 TCP and ran gpupdate /force again, rebooted the client and, miracle, 2967 TCP is open (Group Policy column: Yes).
Why did the policy not work for 137 and 138 UDP? Is there any restriction on these ports?
I will do a test with a Vista right now.

Thanks for your help.
0
 

Author Comment

by:polarisit
I confirm that the same policy works well on Vista: the 3 ports, 137, 138 UDP and 2967 TCP, are open.
That's the 1st time that I see something not working on XP and working on Vista :)
Does somebody have an idea why this GPO is not applied correctly on the XP laptop?

PS: I tested the policy on 3 different XP machines with the same result.

Thanks in advance.
0
 
LVL 2

Accepted Solution

by:
t_taylor earned 250 total points
Not entirely sure what is going on yet.  Just for the sake of testing, have you tried to use the applications that use those UDP ports to see if they work?  It is possible that they are configured but just not showing up as such for some reason.
0
 

Author Comment

by:polarisit
Dear T Taylor,
You're right.
I just did the test to deploy Symantec Endpoint, which uses ports 137 and 138 UDP, and that worked.
That means that the ports are opened but not visible in the XP firewall management console.
But why did I see the 2967 TCP?
Very strange, but as you know computer science is not an exact science :)

Thanks for your help
0
 
LVL 2

Expert Comment

by:t_taylor
To be honest, I really couldn't tell you.  My guess is just a bug in some combination of those ports, group policy, and XP.  Who knows, but I did figure it should work since the policy was enabled.  Anyway, glad you got it sorted out.
0
 
LVL 3

Expert Comment

by:bdibene
I'm guessing you also had 'File and Printer Sharing' checked as an exception (i.e. allowing it through the firewall ), which are the ports 137, 138, 139 you are trying to explicitly allow.  Since those ports are already included with File and Printer Sharing perhaps they weren't shown?  Just a guess.
0
 
LVL 3

Expert Comment

by:mreece983
Ports 137 and 138 are the ones listed for File and Print Sharing.  That is why you do not see the ports listed specifically.
0
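As an added example (not code from any poster in this thread), the following Python script parses entries in the `port:protocol:scope:status:name` form used by "Windows Firewall: Define port exceptions", validates each field, and flags entries that duplicate what the built-in File and Printer Sharing exception already allows (UDP 137, UDP 138, TCP 139, TCP 445, an assumption about XP firewall behaviour) or that are scoped to any source address. The sample policy mirrors the question; the redacted 192.x.x.x scope is replaced by the `localsubnet` keyword, which is assumed to be valid scope syntax.

```python
from dataclasses import dataclass

# Ports the built-in "File and Printer Sharing" exception already allows
# (assumed: NetBIOS name, datagram and session services plus SMB over TCP).
FILE_PRINT_SHARING = {(137, "UDP"), (138, "UDP"), (139, "TCP"), (445, "TCP")}


@dataclass(frozen=True)
class PortException:
    port: int
    protocol: str
    scope: str
    enabled: bool
    name: str


def parse_exception(entry: str) -> PortException:
    """Parse one 'port:protocol:scope:status:name' string; raise on bad fields."""
    parts = entry.split(":", 4)  # name is the last field and may contain ':'
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields: {entry!r}")
    port_s, proto, scope, status, name = parts
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"bad port {port_s!r} in {entry!r}")
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"bad protocol {proto!r} in {entry!r}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"bad status {status!r} in {entry!r}")
    return PortException(int(port_s), proto.upper(), scope,
                         status.lower() == "enabled", name)


def review(entries):
    """Parse a whole policy and return (exceptions, warnings)."""
    parsed = [parse_exception(e) for e in entries]
    warnings = []
    for e in parsed:
        if (e.port, e.protocol) in FILE_PRINT_SHARING:
            warnings.append(f"{e.protocol} {e.port} '{e.name}' is already covered by "
                            "File and Printer Sharing; may not show as its own row")
        if e.scope == "*":
            warnings.append(f"{e.protocol} {e.port} '{e.name}' is open to any source; "
                            "restrict scope to localsubnet or specific addresses")
    return parsed, warnings


# Constructed sample mirroring the question's four entries.
SAMPLE_POLICY = [
    "137:UDP:localsubnet:enabled:Symantec Endpoint 137UDP",
    "138:UDP:localsubnet:enabled:Symantec Endpoint 138UDP",
    "139:TCP:localsubnet:enabled:Symantec Endpoint 139TCP",
    "2967:TCP:localsubnet:enabled:Symantec Endpoint 2967TCP",
]

if __name__ == "__main__":
    for w in review(SAMPLE_POLICY)[1]:
        print("warning:", w)
```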
