Solved

How to disable SBS 2008 GP controlling XP firewall permissions

Posted on 2010-09-17
Last Modified: 2012-08-13
I'm running SBS 2008 with a few XP clients.  I need to disable the firewall settings on the XP client computers.  The option to turn the firewall "on" or "off" is greyed out on the client computers.  I've tried to make some GP changes but nothing is working, so I'm missing something.  Thanks
Question by:Cizombs
10 Comments
 
LVL 3

Expert Comment

by:arweeks
ID: 33706381
Run gpresult on the client, pipe it into a text file, then look for any firewall references in there:

gpresult /v > results.txt
 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 33706478
There are 3 GPOs that affect the firewall on client machines in an SBS 2008 domain.
Open the Group Policy Management Console on the SBS and edit each of the 3 following GPOs, or the ones that match the types of client PCs you have. They can be found under My Business | Computers | SBS Computers or under Group Policy Objects:
   Windows SBS Client - Windows Vista Policy
   Windows SBS Client - Windows XP Policy
   Windows SBS Client

The item to edit is:
Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
By default this is set to enabled. Setting it to disabled will turn it off; setting it to not configured allows administrators to enable or disable the firewall on the PC.

Note this only affects computers while connected to your domain. If you want to affect them while outside of your domain (not recommended) you also need to edit:
Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | STANDARD Profile | Protect All Network connections

There is another GPO: "Computer Configuration | Policies | Administrative Templates | Network | Network Connections | Prohibit use of Internet Connection Firewall on your DNS domain network", which can override the above. The default is set to not configured, but if it has been changed to enabled or disabled it will force enabling or disabling of the firewall and administrators have no control. This should be left as "not configured".

Remember it can take up to 90 minutes for the policy to be applied to the workstations. You can force this almost immediately by running at a command line, on the workstation:
gpupdate /force
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 33706510
Not sure why you'd want to mess with this but the GP is found by starting the GPMC > Group Policy Objects > Windows SBS Client - Windows XP Policy  right click and choose Edit.
 

Author Comment

by:Cizombs
ID: 33706543
Thanks RobWill, "Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
By default this is set to enabled"  Mine is already set to not configured? as well as the "other GPO Policy"
Maybe disable instead of not configured?

CrisHanna, We have a stand alone SQL program that runs on an XP client and until we lower the firewall for the initial connection the other client computers can't access the SQL database on the client running SQL.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 33706562
>>"Mine is already set to not configured?"
Assuming an XP machine, this is under the "Windows SBS Client - Windows XP Policy"  policy?
That should allow you to change. This assumes the machine is a member of this domain.

If you just need to allow SQL you would be better just to create an exception, which is allowed by default. I believe it is TCP port 1433.

 

Author Comment

by:Cizombs
ID: 33706581
Thanks again. Can you explain the steps for creating a SQL exception?
 
LVL 78

Expert Comment

by:Rob Williams
ID: 33706608
You can do so with group policy but where it is one machine and only incoming is blocked on XP by default the simplest thing to do is just edit the XP firewall.

The default port used by SQL is TCP 1433, but you should verify that with your application.
To create the exception, open the Windows Firewall from the Control Panel, click on the advanced tab, click on add port | select TCP, and enter 1433. You can do the same all over again for UDP to be sure.
The other option is to select add program and browse to your application on the XP machine, but personally I find the port more dependable as there can be multiple .exe's.
 

Author Comment

by:Cizombs
ID: 33708829
Tried to open the SQL port and the program exe to no avail.

So, I DISABLED > Computer Configuration | Policies | Administrative Templates | Network | Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
and now the SQL based program on the XP client can connect with all other clients, which is what I need.

Now, all the firewall settings on the XP clients are still greyed out, but the firewall is disabled so the SQL database can be accessed by all clients.  Any reason I cannot disable or enable the firewall settings directly on each client?  It seems like SBS is still in control of the client firewall settings?
 

Author Comment

by:Cizombs
ID: 33709470
Thanks for all your help.  I also had to add UDP 1434 along with TCP 1433 to make this work.
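Added example, not part of the thread or any participant's post: a batch script for the XP client that reports which of the firewall policies named in the accepted solution are set in the registry and, with the `open` argument, adds the TCP 1433 and UDP 1434 exceptions limited to the local subnet so the firewall can stay on. The registry paths are the standard locations of these policy settings; the script name `fwcheck.cmd`, the exception names and the choice of `scope=SUBNET` are assumptions of this example.

```batch
@echo off
rem fwcheck.cmd - added example, not from the thread. Run as an administrator on the XP client.
rem   fwcheck        report which firewall policies are set, then show the firewall state
rem   fwcheck open   also add subnet-scoped exceptions for the two ports named in the thread
setlocal
set "FW=HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall"
set "NC=HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections"

rem EnableFirewall: 0x1 = firewall forced on, 0x0 = forced off, value absent = not configured.
call :check "%FW%\DomainProfile" EnableFirewall "Domain profile: Protect all network connections"
call :check "%FW%\StandardProfile" EnableFirewall "Standard profile: Protect all network connections"
call :check "%NC%" NC_PersonalFirewallConfig "Prohibit use of Internet Connection Firewall on your DNS domain network"

if /i "%~1"=="open" (
    call :open TCP 1433
    call :open UDP 1434
)

echo.
rem Show the operational mode and the port openings the client is actually using.
netsh firewall show state
netsh firewall show portopening
endlocal
goto :eof

:check
rem %1 = policy key, %2 = value name, %3 = label.
rem A value that exists under the Policies key is being enforced by a GPO,
rem which is what greys out the matching option in the control panel.
reg query %1 /v %2 >nul 2>&1
if errorlevel 1 (
    echo [not configured] %~3
    goto :eof
)
echo [set by policy]  %~3
reg query %1 /v %2 | find /i "%2"
goto :eof

:open
rem %1 = protocol, %2 = port. scope=SUBNET accepts connections from the local subnet only.
netsh firewall add portopening protocol=%1 port=%2 name="SQL %1 %2" mode=ENABLE scope=SUBNET profile=DOMAIN
goto :eof
```

The exceptions only matter while the firewall is on, so run the report after `gpupdate /force` to confirm the "Protect all network connections" policy is no longer forcing it off.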
 
LVL 78

Expert Comment

by:Rob Williams
ID: 33709607
You disabled the policy. If set to not configured an administrator (only administrators) should be able to disable/enable the firewall.

Glad to hear you have it working.
Thanks Cizombs.
Cheers!
--Rob