Solved

How to disable SBS 2008 GP controlling XP firewall permissions

Posted on 2010-09-17
10
851 Views
Last Modified: 2012-08-13
I'm running SBS 2008 with a few XP clients.  I need to disable the firewall settings on the xp client computers.  The option to turn firewall "on" or "off" is greyed out on the client computers.  I've tried to make some GP changes but nothing is working so I'm missing something.  Thanks
0
Comment
Question by:Cizombs
10 Comments
 
LVL 3

Expert Comment

by:arweeks
Comment Utility
Run gpresult on the client, pipe it in to a text file, then look for any firewall references in there

gpresult /v > results.txt
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
Comment Utility
There are 3 GPO's that affect the firewall on client machines in and SBS 2008 domain.
Open the group policy management console on the SBS and edit each of the 3 following GPO's, or the ones that match the types of client PC's you have. They can be found under My Business | Computers | SBS Computers or  under Group Policy Objects:
   Windows SBS Client - Windows Vista Policy
   Windows SBS Client - Windows XP Policy
   Windows SBS Client

The item to edit is:
Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
By default this is set to enabled. Setting to disabled will turn it of, setting to not configured allows administrators to enable or disable the firewall on the PC.

Note this only affects computers while connected to your domain. If you want to affect them while outside of your domain (not recommended) you also need to edit:
Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | STANDARD Profile | Protect All Network connections

There is another GPO:  Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Prohibit use of Internet Connection Firewall on your DNS domain network", which can override the above. The default is set to not configured, but if has been changed to enabled or disabled it will force enabling or disabling of the firewall and administrators have no control. This should be left as "not configured"

Remember it can take up to 90 minutes for the policy to be applied to the workstations. You can force this almost immediately by running at a command line, on the workstation:
gpupdate /force
0
 
LVL 35

Expert Comment

by:Cris Hanna
Comment Utility
Not sure why you'd want to mess with this but the GP is found by starting the GPMC > Group Policy Objects > Windows SBS Client - Windows XP Policy  right click and choose Edit.
0
 

Author Comment

by:Cizombs
Comment Utility
Thanks RobWill, "Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
By default this is set to enabled"  Mine is already set to not configured? as well as the "other GPO Policy"
Maybe disable instead of not configured?

CrisHanna, We have a stand alone SQL program that runs on an XP client and until we lower the firewall for the initial connection the other client computers can't access the SQL database on the client running SQL.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
>>"Mine is already set to not configured?"
Assuming an XP machine, this is under the "Windows SBS Client - Windows XP Policy"  policy?
That should allow you to change. This assumes the machine is a member of this domain.

If you just need to allow SQL you would be better just to create an exception, which is allowed by default. I believe it is TCP port 1433

0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:Cizombs
Comment Utility
Thanks again. Can you explain steps for creating a SQL exception.  
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
You can do so with group policy but where it is one machine and only incoming is blocked on XP by default the simplest thing to do is just edit the XP firewall.

The default port used by SQL is TCP 1433, but you should verify that with your application.
To create the exception open the windows firewall from the control panel, click on the advanced tab, click on add port | select TCP, and enter 1433. You can do the same all over again for UDP to be sure.
The other option is to select add program and browse to your application on the XP machine, but personally I find the port more dependable as there can be multiple .exe's
0
 

Author Comment

by:Cizombs
Comment Utility
Tried to open the SQL port and the program exe to no avail.

So, I DISABLED > Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
and now the SQL based progam on the XP client can connect with all other clients which is what I need.

Now, all the firewall settings on the XP clients are greay out stilled but the firewall is disabled so the SQL database can be accessed by all cleints.  Any reason I cannot disable or inable the firewall settings directly on each client???  It seems like SBS is still in control of the cleint firewall settings?
0
 

Author Comment

by:Cizombs
Comment Utility
Thanks for all your help.  I also had to add UDP 1434 along with TCP 1433 to make this work.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
You disabled the policy. If set to not configured an administrator (only administrators) should be able to disable/enable the firewall.

Glad to hear you have it working.
Thanks Cizombs.
Cheers!
--Rob
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

In every aspect, security is essential for your business, and for that matter you need to always keep an eye on it. The same can be said about your computer network system too. Your computer network is prone to various malware and security threats t…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now