Solved

How to disable SBS 2008 GP controlling XP firewall permissions

Posted on 2010-09-17
Last Modified: 2012-08-13
I'm running SBS 2008 with a few XP clients.  I need to disable the firewall settings on the XP client computers.  The option to turn the firewall "on" or "off" is greyed out on the client computers.  I've tried to make some GP changes, but nothing is working, so I'm missing something.  Thanks.
Question by:Cizombs
10 Comments
 
LVL 3

Expert Comment

by:arweeks
ID: 33706381
Run gpresult on the client, pipe it into a text file, then look for any firewall references in there:

gpresult /v > results.txt
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 33706478
There are 3 GPOs that affect the firewall on client machines in an SBS 2008 domain.
Open the Group Policy Management Console on the SBS and edit each of the 3 following GPOs, or the ones that match the types of client PCs you have. They can be found under My Business | Computers | SBS Computers or under Group Policy Objects:
   Windows SBS Client - Windows Vista Policy
   Windows SBS Client - Windows XP Policy
   Windows SBS Client

The item to edit is:
Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
By default this is set to enabled. Setting it to disabled will turn it off; setting it to not configured allows administrators to enable or disable the firewall on the PC.

Note this only affects computers while connected to your domain. If you want to affect them while outside of your domain (not recommended) you also need to edit:
Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | STANDARD Profile | Protect All Network connections

There is another GPO: Computer Configuration | Policies | Administrative Templates | Network | Network Connections | "Prohibit use of Internet Connection Firewall on your DNS domain network", which can override the above. The default is set to not configured, but if it has been changed to enabled or disabled it will force enabling or disabling of the firewall and administrators have no control. This should be left as "not configured".

Remember it can take up to 90 minutes for the policy to be applied to the workstations. You can force this almost immediately by running at a command line, on the workstation:
gpupdate /force
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 33706510
Not sure why you'd want to mess with this, but the GP is found by starting the GPMC > Group Policy Objects > Windows SBS Client - Windows XP Policy, then right-click and choose Edit.
0
 

Author Comment

by:Cizombs
ID: 33706543
Thanks RobWill, "Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
By default this is set to enabled"  Mine is already set to not configured? as well as the "other GPO Policy"
Maybe disable instead of not configured?

CrisHanna, We have a stand alone SQL program that runs on an XP client and until we lower the firewall for the initial connection the other client computers can't access the SQL database on the client running SQL.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33706562
>>"Mine is already set to not configured?"
Assuming an XP machine, this is under the "Windows SBS Client - Windows XP Policy"  policy?
That should allow you to change. This assumes the machine is a member of this domain.

If you just need to allow SQL you would be better just to create an exception, which is allowed by default. I believe it is TCP port 1433.

0
 

Author Comment

by:Cizombs
ID: 33706581
Thanks again. Can you explain steps for creating a SQL exception.  
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33706608
You can do so with group policy, but where it is one machine and only incoming is blocked on XP by default, the simplest thing to do is just edit the XP firewall.

The default port used by SQL is TCP 1433, but you should verify that with your application.
To create the exception, open the Windows Firewall from the control panel, click on the advanced tab, click on add port | select TCP, and enter 1433. You can do the same all over again for UDP to be sure.
The other option is to select add program and browse to your application on the XP machine, but personally I find the port more dependable as there can be multiple .exe files.
0
 

Author Comment

by:Cizombs
ID: 33708829
Tried to open the SQL port and the program exe to no avail.

So, I DISABLED > Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
and now the SQL based program on the XP client can connect with all other clients, which is what I need.

Now, all the firewall settings on the XP clients are still greyed out, but the firewall is disabled so the SQL database can be accessed by all clients.  Any reason I cannot disable or enable the firewall settings directly on each client?  It seems like SBS is still in control of the client firewall settings?
0
 

Author Comment

by:Cizombs
ID: 33709470
Thanks for all your help.  I also had to add UDP 1434 along with TCP 1433 to make this work.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33709607
You disabled the policy. If set to not configured an administrator (only administrators) should be able to disable/enable the firewall.

Glad to hear you have it working.
Thanks Cizombs.
Cheers!
--Rob
0
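
An added example for readers of this thread (not posted by any participant): a batch script for the XP SP2 or later client that hosts the SQL application, showing the scoped-exception route as an alternative to disabling the firewall by policy. It first reports whether Group Policy is pinning the firewall state, using the registry values written by the two policy settings discussed above, then opens only the two ports the thread ended up needing, limited to the local subnet on the domain profile. The exception names are constructed, and the script assumes it is run by a local administrator.

```bat
@echo off
rem Added example, not from the thread. Run as a local administrator on the
rem XP SP2+ client that hosts the SQL application.

rem 1. Is Group Policy pinning the firewall state?
rem    "Protect all network connections" writes EnableFirewall (1 = Enabled,
rem    0 = Disabled) under the profile key. If the value exists at all, the
rem    On/Off control on the client is greyed out. If reg query finds nothing,
rem    the setting is Not Configured and local administrators keep control.
for %%P in (DomainProfile StandardProfile) do (
    echo --- %%P ---
    reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\%%P" /v EnableFirewall 2>nul || echo EnableFirewall: not set by policy
)

rem    "Prohibit use of Internet Connection Firewall on your DNS domain
rem    network" writes NC_PersonalFirewallConfig; the thread advises leaving
rem    it Not Configured, so this value should normally be absent.
echo --- Network Connections ---
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections" /v NC_PersonalFirewallConfig 2>nul || echo NC_PersonalFirewallConfig: not set by policy

rem 2. Open only the ports the thread needed (TCP 1433 and UDP 1434),
rem    restricted to the local subnet and to the domain profile, so the
rem    exception does not follow the machine onto other networks.
rem    Verify the ports against your application before using them.
netsh firewall add portopening protocol=TCP port=1433 name="SQL TCP 1433" mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall add portopening protocol=UDP port=1434 name="SQL UDP 1434" mode=ENABLE scope=SUBNET profile=DOMAIN

rem 3. Confirm the operational mode and the resulting exception list.
netsh firewall show state
netsh firewall show portopening
```

After changing the GPO on the server, run `gpupdate /force` on the client and re-run the script; the `EnableFirewall` lines should then match the policy state chosen in the GPO.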
