How to disable SBS 2008 GP controlling XP firewall permissions

Posted on 2010-09-17
Last Modified: 2012-08-13
I'm running SBS 2008 with a few XP clients.  I need to disable the firewall settings on the XP client computers.  The option to turn firewall "on" or "off" is greyed out on the client computers.  I've tried to make some GP changes but nothing is working so I'm missing something.  Thanks
Question by:Cizombs
Expert Comment

ID: 33706381
Run gpresult on the client, pipe it in to a text file, then look for any firewall references in there

gpresult /v > results.txt
LVL 77

Accepted Solution

Rob Williams earned 500 total points
ID: 33706478
There are 3 GPOs that affect the firewall on client machines in an SBS 2008 domain.
Open the group policy management console on the SBS and edit each of the 3 following GPOs, or the ones that match the types of client PCs you have. They can be found under My Business | Computers | SBS Computers or under Group Policy Objects:
   Windows SBS Client - Windows Vista Policy
   Windows SBS Client - Windows XP Policy
   Windows SBS Client

The item to edit is:
Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
By default this is set to enabled. Setting to disabled will turn it off, setting to not configured allows administrators to enable or disable the firewall on the PC.

Note this only affects computers while connected to your domain. If you want to affect them while outside of your domain (not recommended) you also need to edit:
Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | STANDARD Profile | Protect All Network connections

There is another GPO: "Computer Configuration | Policies | Administrative Templates | Network | Network Connections | Prohibit use of Internet Connection Firewall on your DNS domain network", which can override the above. The default is set to not configured, but if it has been changed to enabled or disabled it will force enabling or disabling of the firewall and administrators have no control. This should be left as "not configured".

Remember it can take up to 90 minutes for the policy to be applied to the workstations. You can force this almost immediately by running at a command line, on the workstation:
gpupdate /force
LVL 35

Expert Comment

by:Cris Hanna
ID: 33706510
Not sure why you'd want to mess with this but the GP is found by starting the GPMC > Group Policy Objects > Windows SBS Client - Windows XP Policy  right click and choose Edit.

Author Comment

ID: 33706543
Thanks RobWill, "Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
By default this is set to enabled"  Mine is already set to not configured? as well as the "other GPO Policy"
Maybe disable instead of not configured?

CrisHanna, We have a stand alone SQL program that runs on an XP client and until we lower the firewall for the initial connection the other client computers can't access the SQL database on the client running SQL.
LVL 77

Expert Comment

by:Rob Williams
ID: 33706562
>>"Mine is already set to not configured?"
Assuming an XP machine, this is under the "Windows SBS Client - Windows XP Policy"  policy?
That should allow you to change. This assumes the machine is a member of this domain.

If you just need to allow SQL you would be better just to create an exception, which is allowed by default. I believe it is TCP port 1433


Author Comment

ID: 33706581
Thanks again. Can you explain steps for creating a SQL exception.  
LVL 77

Expert Comment

by:Rob Williams
ID: 33706608
You can do so with group policy but where it is one machine and only incoming is blocked on XP by default the simplest thing to do is just edit the XP firewall.

The default port used by SQL is TCP 1433, but you should verify that with your application.
To create the exception open the windows firewall from the control panel, click on the advanced tab, click on add port | select TCP, and enter 1433. You can do the same all over again for UDP to be sure.
The other option is to select add program and browse to your application on the XP machine, but personally I find the port more dependable as there can be multiple .exe's

Author Comment

ID: 33708829
Tried to open the SQL port and the program exe to no avail.

So, I DISABLED > Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
and now the SQL based program on the XP client can connect with all other clients which is what I need.

Now, all the firewall settings on the XP clients are still greyed out but the firewall is disabled so the SQL database can be accessed by all clients.  Any reason I cannot disable or enable the firewall settings directly on each client?  It seems like SBS is still in control of the client firewall settings?

Author Comment

ID: 33709470
Thanks for all your help.  I also had to add UDP 1434 along with TCP 1433 to make this work.
LVL 77

Expert Comment

by:Rob Williams
ID: 33709607
You disabled the policy. If set to not configured an administrator (only administrators) should be able to disable/enable the firewall.

Glad to hear you have it working.
Thanks Cizombs.
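
The port exceptions discussed in this thread (TCP 1433, plus the UDP 1434 the asker later needed) can be scripted on the XP machine that hosts SQL, which keeps the firewall on instead of disabling it for the whole domain profile. This is an added example, not part of the original thread; it assumes XP SP2 or later, a local administrator command prompt, and that limiting the exceptions to the local subnet suits your network.

```bat
@echo off
rem Added example, not from the thread. Run as a local administrator on the
rem XP machine hosting SQL. The ports are the ones named in the thread;
rem verify them against your application before relying on them.
setlocal

rem 1. Check whether Group Policy is pinning the firewall state.
rem    When "Protect all network connections" (DOMAIN profile) is Enabled or
rem    Disabled, this value exists (1 = on, 0 = off) and the On/Off buttons
rem    are greyed out on the client. When the policy is Not Configured the
rem    value is absent and reg query returns errorlevel 1.
echo === Domain profile policy ===
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall
if errorlevel 1 echo Policy not configured: local administrators control the firewall.

rem 2. Open only the two SQL ports instead of turning the firewall off.
rem    scope=SUBNET limits the exception to the local subnet.
rem    profile=DOMAIN applies it only while the PC is on the domain network.
echo === Adding scoped port exceptions ===
netsh firewall add portopening protocol=TCP port=1433 name="SQL Server TCP 1433" mode=ENABLE scope=SUBNET profile=DOMAIN
rem UDP 1434 is the SQL Server Browser port, used by clients to locate instances.
netsh firewall add portopening protocol=UDP port=1434 name="SQL Browser UDP 1434" mode=ENABLE scope=SUBNET profile=DOMAIN

rem 3. Confirm the firewall is still on and the exceptions are listed.
echo === Resulting firewall state ===
netsh firewall show state
netsh firewall show portopening

endlocal
```

If the exceptions do not appear in the final listing, run gpresult /v on the client and look for a Windows Firewall policy that overrides local settings.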
