Solved

GPO firewall program exceptions not applying

Posted on 2009-04-10
11
1,382 Views
Last Modified: 2013-12-05
I cannot get the program exceptions setting in the GPO to apply to the Windows XP firewall. What is weird is that at one time it worked. All the other settings are applied. I have tried creating a new policy, removing the computer from the domain and re-adding. I ran RSOP and it says that the policy was applied to the computer and I can see the GPO (program exception) settings when viewing the GPO on the target machine. All the program exceptions are displayed; however, when opening up the Windows XP firewall, the exceptions are not displayed. I thought that it was our 3rd party firewall that was blocking the GPO, but I uninstalled the 3rd party software and the GPO still does not apply correctly. I ran a virus scan on the machine and came up with nothing. I'm going to run a spyware cleaner on the workstation but I suspect that I will not find anything other than the usual cookie. Some of the XP workstations have SP2 and some have SP3. I manage GPOs from my XP SP3 workstation with GPMC. All other policies appear to be applying except the program exceptions. However, given that RSOP and GPRESULTS both show the policy applying, I am not sure that the Windows firewall is working properly at all, except that every time a user logs in they get a Windows Firewall Alert. So I guess it is working but I cannot add the program exception to stop the alert from popping up. I have run a spyware detection program and found nothing. There are no settings blocking inheritance. I have even tried to "enforce" the firewall policy. I downloaded XP .adm files but when I go to import the templates I get a message that the file being copied is older than the current one, so I chose not to replace it.

Any suggestions?
Question by:PlazaProp
11 Comments
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 100 total points
ID: 24119818
"However, given that RSOP and GPRESULTS both show the policy applying I am not sure that the windows firewall is working properly at all except that everytime a user logs in they get a Windows Firewall Alert"

Sounds like the machines are getting the policy indeed, but perhaps for the wrong profile?

start>run>cmd.exe

netsh firewall show opmode

Paste the output here please....
 
LVL 1

Author Comment

by:PlazaProp
ID: 24129151
Johnb - here is the output from the netsh firewall show opmode:
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable

Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable

Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable


Here is the output from netsh firewall show state:
Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Enable

Here is the output from netsh firewall show config:

Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
Enable   No          Remote Desktop
Enable   No          Remote Administration

Allowed programs configuration for Domain profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   File Transfer Program / C:\WINDOWS\system32\ftp.exe
Enable   Firefox / C:\Program Files\Mozilla Firefox\firefox.exe
Enable   fm_mon.msc / C:\Program Files\GFI\FAXmaker\fm_mon.msc
Enable   Internet Explorer / C:\Program Files\Internet Explorer\iexplore.exe
Enable   SysAid Remote Control Viewer listening - VNCViewer / C:\Program Files\SysAidTools\SysAidRC.exe
Enable   VNCViewer / C:\Program Files\UltraVNC\vncviewer.exe
Enable   Look@LAN / C:\Program Files\Look@LAN\LookAtLan.exe
Enable   Microsoft Office Outlook / C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
Enable   CallControl / C:\Program Files\UM Client\CallControl.exe
Enable   CreateVoicePAB / C:\Program Files\UM Client\CreateVoicePAB.exe
Enable   32-bit Borland Database Engine Config / C:\IDAPI\bdecfg32.exe
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   MerX .NETwork Scanner / C:\Program Files\MerX.NetworkScanner\MerX.NetworkScanner.exe
Enable   Logical Disk Manager component / C:\WINDOWS\system32\dmremote.exe
Enable   McAfee Managed Services Agent / C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
Enable   mdbvu32 / C:\Program Files\UM Client\mdbvu32.exe
Enable   Messenger / C:\Program Files\MSN Messenger\msnmsgr.exe

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
4228   TCP       Enable   Sysaid RC TCP port
5356   TCP       Enable   sql port 5356
1433   TCP       Enable   SQL port 1433
13000  TCP       Enable   kav13000
14000  TCP       Enable   kav14000
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
3389   TCP       Enable   Remote Desktop

Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
Enable   No          UPnP Framework
Enable   No          Remote Desktop
Enable   No          Remote Administration

Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   SysAid Remote Control Viewer listening - VNCViewer / C:\Program Files\SysAidTools\SysAidRC.exe
Enable   Look@LAN / C:\Program Files\Look@LAN\LookAtLan.exe
Enable   Network Diagnostics for Windows XP / C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
Enable   Windows Live Messenger 8.1 / C:\Program Files\MSN Messenger\msnmsgr.exe
Enable   Windows Live Messenger 8.1 (Phone) / C:\Program Files\MSN Messenger\livecall.exe
Enable   McAfee Managed Services Agent / C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
Enable   Database Service Manager / C:\PVSW\bin\w3dbsmgr.exe
Enable   BitTorrent / C:\Program Files\BitTorrent\bittorrent.exe

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
8010   TCP       Enable   Firebird server
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
1900   UDP       Enable   SSDP Component of UPnP Framework
2869   TCP       Enable   UPnP Framework over TCP
3389   TCP       Enable   Remote Desktop

Log configuration:
-------------------------------------------------------------------
File location   = C:\WINDOWS\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable

Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable

VMware Network Adapter VMnet1 firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable

VMware Network Adapter VMnet8 firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
 
LVL 1

Author Comment

by:PlazaProp
ID: 24129252
I should also note that the program exceptions that I have defined are appearing in the GPO settings under COMPUTER CONFIGURATION\ADMINISTRATIVE TEMPLATES\EXTRA REGISTRY SETTINGS

This also appears in that section:
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.

 
LVL 1

Author Comment

by:PlazaProp
ID: 24132873
I was doing some trouble shooting on another issue where the Windows Firewall was blocking a program and port so I edited a separate GPO that was applied to that OU/computer and it appears that the firewall settings applied for that program and port but they just don't show up in the Firewall control panel on the actual end computer.

 
LVL 1

Author Comment

by:PlazaProp
ID: 24146944
But, I still have a program that is being detected by the windows firewall and prompting the user, even though I have it defined in the GPO.

Since the programs are not being listed on the firewall on the workstation I cannot be sure the GPO is being applied.  Again, the program exceptions are showing defined by the GPO when using RSOP on the workstation, but windows firewall doesn't show.  So, who is correct, RSOP or Windows Firewall?
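One way to answer "who is correct, RSOP or Windows Firewall?" is to compare the live firewall state with the list the GPO is supposed to push. The following is an added example, not code from this thread: it parses "netsh firewall show config" output in the format posted above and reports any GPO-defined exception that is missing or disabled, plus a profile whose operational mode is not Enable. The sample text is a trimmed, constructed copy of the Domain-profile output above, and EXPECTED_DOMAIN_EXCEPTIONS is a hypothetical list standing in for the GPO's defined programs.

```python
import re

# Constructed sample: trimmed Domain-profile part of the "netsh firewall show config"
# output posted above, with one Port line so the section reset is exercised.
SAMPLE_CONFIG = """\
Domain profile configuration (current):
Operational mode                  = Disable
Exception mode                    = Enable
Allowed programs configuration for Domain profile:
Mode     Name / Program
Enable   File Transfer Program / C:\\WINDOWS\\system32\\ftp.exe
Port configuration for Domain profile:
3389   TCP       Enable   Remote Desktop
"""

# Hypothetical list of what the GPO should push; the second path is the one the
# author later adds by hand with "netsh firewall add allowedprogram".
EXPECTED_DOMAIN_EXCEPTIONS = [r"C:\WINDOWS\system32\ftp.exe", r"C:\PVSW\BIN\W3DBSMGR.EXE"]

def parse_netsh_config(text):
    # Returns {profile: {"opmode": "Enable"/"Disable", "programs": {lowercase path: mode}}}
    profiles, current, section = {}, None, None
    for line in text.splitlines():
        m = re.match(r"^(\w+) profile configuration", line)
        if m:  # "Domain profile configuration (current):" or "Standard ..."
            current, section = m.group(1), "profile"
            profiles[current] = {"opmode": None, "programs": {}}
            continue
        m = re.match(r"^Allowed programs configuration for (\w+) profile", line)
        if m:
            current, section = m.group(1), "programs"
            continue
        if "configuration" in line:  # service/port/log/adapter headers: not parsed
            section = None
            continue
        if section == "profile" and line.startswith("Operational mode"):
            profiles[current]["opmode"] = line.split("=", 1)[1].strip()
        elif section == "programs":
            m = re.match(r"^(Enable|Disable)\s+.*? / (.+)$", line)
            if m:
                profiles[current]["programs"][m.group(2).strip().lower()] = m.group(1)
    return profiles

def check_exceptions(profiles, profile, expected_paths):
    # One finding per gap between the live firewall state and the GPO-defined list
    prof = profiles.get(profile, {"opmode": None, "programs": {}})
    findings = []
    if prof["opmode"] != "Enable":
        findings.append("%s profile operational mode is %s" % (profile, prof["opmode"]))
    for path in expected_paths:
        if prof["programs"].get(path.lower()) != "Enable":
            findings.append("exception missing or disabled: %s" % path)
    return findings
```

Run against real output with check_exceptions(parse_netsh_config(open("config.txt").read()), "Domain", EXPECTED_DOMAIN_EXCEPTIONS); an empty list means the firewall agrees with the GPO, and anything else names the gap RSOP will not show you.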
 
LVL 66

Expert Comment

by:johnb6767
ID: 24152741
I would think that the Firewall is correct, as that's where the actual configurations take place. # different commands above though, and 1 shows that the operational mode is disabled. Indicates to me that the FW isn't even enabled....

What's the process name/port that you are trying to get allowed as an exception?
 
LVL 1

Author Comment

by:PlazaProp
ID: 24152899
There are several different programs. I have tried using %statemdrive%\then rest of path. I have tried using the drive letter, but some stations have F as the main drive letter. Neither works. It seems enabled because it keeps popping up a dialog box to add the database client engine that needs to be authorized.
 
LVL 1

Author Comment

by:PlazaProp
ID: 24160693
Ok, I have used NETSH FIREWALL SET OPMODE ENABLE. After that the Domain shows enabled; however, the GPO is still not applying defined ports or applications. If I manually add the port or application on the workstation, Windows abides by that. It just simply is not accepting the exceptions from the GPO. Therefore I am inclined to say that the Windows firewall is working fine. Something is going on between XP and the GPO.
 
LVL 1

Author Comment

by:PlazaProp
ID: 24160956
If I use NETSH FIREWALL ADD ALLOWEDPROGRAM C:\PVSW\BIN\W3DBSMGR.EXE "DATABASE SERVICE MANAGER", that adds the program exception to the firewall. I could in the meantime write a script that runs at login or boot and adds the exception, but it still does not solve the issue. This is only a band-aid.
 
LVL 1

Author Comment

by:PlazaProp
ID: 24275465
Note: this may be related to the problem I am having with the McAfee firewall that I have going on in another post. If I find they are related I will post solutions in both threads.
 
LVL 1

Accepted Solution

by:PlazaProp
PlazaProp earned 0 total points
ID: 24444432
Well, McAfee was never a help. Initially, at the start of this issue, I had tried to uninstall the McAfee software and re-install, and that did not fix the issue. However, something must have changed in the firewall product, and now, after a firewall removal and re-install, GPOs apply, the firewall is properly enabled and program exceptions are being applied. Since the firewall software is installed and updated directly from McAfee, I really have no control over the updates and versioning. I am not happy with McAfee; I have lost many hours on this issue.

related thread:
http://www.experts-exchange.com/Security/Software_Firewalls/Consumer_Firewalls/Q_24358800.html#a24444320