
Configuring Per User & Application Firewall Rules Using Windows Server 2008

There has been a requirement from a client to get per user firewall rules, including application rules, configured on Windows Server 2008 boxes which are going to have Terminal Services installed on the member server boxes in a domain.

My understanding is that these features are only available on Windows Server 2008 R2; is that correct? Plus only Vista, Windows 7 and Windows Server 2003 clients can utilise these per user firewall rules, including the application features. Can someone please clarify the above for me, as there seems to be some confusion at every corner I turn? Apparently this is supposed to be part of the Advanced Firewall in Win2K8?

 Thanks

Most Valuable Expert 2011

Commented:
I have never heard of such a thing even existing. Nobody I ever knew uses Windows Firewall, and the only setting used is the one that turns it off.

You control what the user does on Terminal Services via Group Policy and Software Restriction Policies via GPO.

What firewall rules you do apply will happen on the "real" firewall at the edge of the LAN where it meets the Internet.

Author

Commented:
Please read up on Windows Advanced Firewall in Win2K8.
Top Expert 2010

Commented:
Windows Vista, Windows 7 and Windows 2008 have this feature. I'm not sure what you mean by only Windows 2003 server "can utilise these per user firewall rules include application features." The advanced firewall is specific to the client where the firewall is running. I'm not sure I understand how this would possibly apply to Windows XP Pro connecting to a Windows 2008 server running the Advanced Firewall.

I also understand that there is a new RDP client associated with Windows 2008 server and to utilize the new features of TS, you need to download the new version.  Newer windows have this client, but it can be downloaded for Windows XP.

A little more detail regarding your scenario might help flesh out the detailed information you are seeking.  I read through a few articles on the new firewall, but I see no dependency on using one OS or another.  It seems that the configuration settings are OS dependent as far as the client is concerned.

http://bit.ly/bhPuUU
http://bit.ly/4UONvm - Check the last bullet point and client "Get more information"
http://bit.ly/3Rv3qF

Author

Commented:

I'm not sure what you mean by only Windows 2003 server "can utilise these per user firewall rules include application features."

>> What I meant with the above was that when creating a Firewall Rule for an application, will it be possible to have only certain users applied to it and exclude everyone else? The same applies to an application on the server. Bear in mind these are Terminal Server member machines.

I have read through some of the articles you posted and they have shed a little light on the issue, which is good; at least I know now where to find the WFAS MMC :)

On a more serious note, will I have to configure each member TS server's firewall, or is that done through Group Policies (GPO)?

Also, where do I find reference material to read and educate myself on TS lockdown with Group Policies (GPOs)?
Top Expert 2010

Commented:
Here's a link that should give you all you will ever need to know about managing the firewall policies via GPOs.

http://technet.microsoft.com/en-us/network/bb545423.aspx

Here are a couple of links that I've used when configuring 2008 TS and 2008 RemoteApps.

http://technet.microsoft.com/en-us/library/cc730673%28WS.10%29.aspx

http://www.windowsecurity.com/articles/Locking-Down-Windows-Server-2008-Terminal-Services.html
Most Valuable Expert 2011

Commented:
>> What I meant with the above was that when creating a Firewall Rule for an application, will it be possible to have only certain users applied to it and exclude everyone else? The same applies to an application on the server. Bear in mind these are Terminal Server member machines.

I really,..really,..really think the answer to that is "No". If it is not "No", then it should be. Yes, I am really "down" on the Windows Firewall, I think it is horrible,..but that is just my opinion of course.

>> On a more serious note, will I have to configure each member TS server's firewall, or is that done through Group Policies (GPO)?

Yes, GPO can be used to affect the Windows Firewall,...it even has a Domain and a Non-Domain "branch" of settings, which is useful for machines that travel, such as laptops. But the exact things you can adjust with GPO depend on:
1. The OS version and the version of the Admin Templates the GPO is built from
2. The OS version (and hence the Firewall version) of the exact machine that you are trying to have the changes affect.

>> Also, where do I find reference material to read and educate myself on TS lockdown with Group Policies (GPOs)?

There is no "TS Lockdown". The things you can restrict with GPOs on a TS box are only slightly different than what they would be on any machine. Probably 90% of the available settings you can alter exist with any Server,...not just a Terminal Server. What you are looking for are the Software Restriction Policies. You can google that name for details. These can be applied to any machine,..they are not unique to a Terminal Server box.
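For reference on what the question is asking about, here is an added example (not from this thread or any of its posters) of the per-user, per-application rule that Windows Firewall with Advanced Security can express: the user behind a connection is identified through IPsec (AuthIP) authentication, and the inbound rule for the program is then limited to one group via an SDDL string. It assumes the Windows Server 2008 / 2008 R2 `netsh advfirewall` syntax on a domain-joined TS member server, an elevated prompt, and a placeholder program path and group SID.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008 / 2008 R2
# netsh advfirewall syntax on a domain-joined TS member server, run elevated.
# Both the program path and the group SID are constructed placeholders;
# look up the real group SID (e.g. whoami /groups on a member) before use.
$AppPath  = 'C:\Program Files\Contoso\App\app.exe'                 # placeholder
$GroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'        # placeholder
$Sddl     = "O:LSD:(A;;CC;;;$GroupSid)"   # SDDL granting the group "connect"

# 1) WFAS only knows *which user* is behind a connection when the peer
#    authenticated with IPsec (computer + user Kerberos). Require that for
#    the domain profile. Caveat: this makes every inbound connection in the
#    domain profile need IPsec, so test it on one server before rolling out.
netsh advfirewall consec add rule name="Require user auth (domain)" `
    endpoint1=any endpoint2=any action=requireinrequestout profile=domain `
    auth1=computerkerb auth2=userkerb

# 2) Inbound rule for the application, limited to members of the group.
#    rmtusrgrp is only honoured together with security=authenticate.
netsh advfirewall firewall add rule name="App - allowed group only" `
    dir=in action=allow program="$AppPath" profile=domain `
    security=authenticate rmtusrgrp="$Sddl"

# 3) Check what was actually written to the firewall.
netsh advfirewall firewall show rule name="App - allowed group only" verbose
netsh advfirewall consec show rule name="Require user auth (domain)"

# To avoid touching each TS member by hand, the same two rules can be
# defined once in a GPO under Computer Configuration > Policies >
# Windows Settings > Security Settings > Windows Firewall with Advanced
# Security and linked to the OU holding the Terminal Servers.
```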
Most Valuable Expert 2011

Commented:
This part of the link that Digitap posted looks like the closest you will find.

http://technet.microsoft.com/en-us/library/cc730857%28WS.10%29.aspx

(Thanks for posting the links Digitap.  I'll probably add them to my stack of stuff)
Top Expert 2010

Commented:
@pwindell:  Thanks for the feedback!

Author

Commented:
I am done with this question.
Top Expert 2010

Commented:
Thanks for the points!