How to disable SBS 2008 GP controlling XP firewall permissions

Posted on 2010-09-17
Medium Priority
Last Modified: 2012-08-13
I'm running SBS 2008 with a few XP clients.  I need to disable the firewall settings on the xp client computers.  The option to turn firewall "on" or "off" is greyed out on the client computers.  I've tried to make some GP changes but nothing is working so I'm missing something.  Thanks
Question by:Cizombs
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 33706381
Run gpresult on the client, pipe it in to a text file, then look for any firewall references in there

gpresult /v > results.txt
LVL 77

Accepted Solution

Rob Williams earned 2000 total points
ID: 33706478
There are 3 GPO's that affect the firewall on client machines in and SBS 2008 domain.
Open the group policy management console on the SBS and edit each of the 3 following GPO's, or the ones that match the types of client PC's you have. They can be found under My Business | Computers | SBS Computers or  under Group Policy Objects:
   Windows SBS Client - Windows Vista Policy
   Windows SBS Client - Windows XP Policy
   Windows SBS Client

The item to edit is:
Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
By default this is set to enabled. Setting to disabled will turn it of, setting to not configured allows administrators to enable or disable the firewall on the PC.

Note this only affects computers while connected to your domain. If you want to affect them while outside of your domain (not recommended) you also need to edit:
Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | STANDARD Profile | Protect All Network connections

There is another GPO:  Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Prohibit use of Internet Connection Firewall on your DNS domain network", which can override the above. The default is set to not configured, but if has been changed to enabled or disabled it will force enabling or disabling of the firewall and administrators have no control. This should be left as "not configured"

Remember it can take up to 90 minutes for the policy to be applied to the workstations. You can force this almost immediately by running at a command line, on the workstation:
gpupdate /force
LVL 35

Expert Comment

by:Cris Hanna
ID: 33706510
Not sure why you'd want to mess with this but the GP is found by starting the GPMC > Group Policy Objects > Windows SBS Client - Windows XP Policy  right click and choose Edit.
Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.


Author Comment

ID: 33706543
Thanks RobWill, "Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
By default this is set to enabled"  Mine is already set to not configured? as well as the "other GPO Policy"
Maybe disable instead of not configured?

CrisHanna, We have a stand alone SQL program that runs on an XP client and until we lower the firewall for the initial connection the other client computers can't access the SQL database on the client running SQL.
LVL 77

Expert Comment

by:Rob Williams
ID: 33706562
>>"Mine is already set to not configured?"
Assuming an XP machine, this is under the "Windows SBS Client - Windows XP Policy"  policy?
That should allow you to change. This assumes the machine is a member of this domain.

If you just need to allow SQL you would be better just to create an exception, which is allowed by default. I believe it is TCP port 1433


Author Comment

ID: 33706581
Thanks again. Can you explain steps for creating a SQL exception.  
LVL 77

Expert Comment

by:Rob Williams
ID: 33706608
You can do so with group policy but where it is one machine and only incoming is blocked on XP by default the simplest thing to do is just edit the XP firewall.

The default port used by SQL is TCP 1433, but you should verify that with your application.
To create the exception open the windows firewall from the control panel, click on the advanced tab, click on add port | select TCP, and enter 1433. You can do the same all over again for UDP to be sure.
The other option is to select add program and browse to your application on the XP machine, but personally I find the port more dependable as there can be multiple .exe's

Author Comment

ID: 33708829
Tried to open the SQL port and the program exe to no avail.

So, I DISABLED > Computer Configuration | Policies | Administrative Templates | Network |  Network Connections | Windows Firewall | DOMAIN Profile | Protect All Network connections
and now the SQL based progam on the XP client can connect with all other clients which is what I need.

Now, all the firewall settings on the XP clients are greay out stilled but the firewall is disabled so the SQL database can be accessed by all cleints.  Any reason I cannot disable or inable the firewall settings directly on each client???  It seems like SBS is still in control of the cleint firewall settings?

Author Comment

ID: 33709470
Thanks for all your help.  I also had to add UDP 1434 along with TCP 1433 to make this work.
LVL 77

Expert Comment

by:Rob Williams
ID: 33709607
You disabled the policy. If set to not configured an administrator (only administrators) should be able to disable/enable the firewall.

Glad to hear you have it working.
Thanks Cizombs.

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question