Disabling Windows Firewall for all PCs

jvuz
Hello,

First let me explain our situation: we have a lot of PCs (for these, no problem) and a lot of notebooks. I want to disable the firewall when the user is at work. When the user takes the notebook back home, he should be allowed to enable the firewall. What are my options? I also need to tell you we have Linux servers, so we don't use Active Directory and therefore no group policies. I know you can disable the following via gpedit.msc: Local policy\computer configuration\administrative templates\network\network connection\windows firewall\domain profile\windows firewall: protect all network connections, but if I do this, the users won't be able to enable the firewall when they're at home, or am I wrong here?

Jvuz
The only thing I can think of for you to try, since you can't use GPO, is to create batch files enabling and disabling the firewall service and put them in scheduled tasks.

Author

Commented:
We use a logon script so I could put it in there.
Other possibilities?
Senior infrastructure engineer
Top Expert 2012
Commented:
Logon script sounds like a good option. I think you would also need a logoff script to ensure the firewall is re-enabled when they leave the network.
I would go with the group policy, but set it to be enabled permanently and just add the local domain IPs to the trusted networks. You could use a script for logon and logoff, but generally on some machines you will still have issues.

Are you aware all antivirus products now include firewalling with NLD (network location detection)?
The logon script would run whenever the user logs on regardless of where he is located, so that would probably not resolve this.


Author

Commented:
@confucious: I know, we just changed to Sophos, so I need to have a look there, maybe there is a way to do this.

Author

Commented:
@nipponsoul: I don't think so, because when he/she logs on at home, it cannot connect to our server, so no logon script will run.
Indeed, if the script runs from a shared folder on the local server :) It is Monday and I am doing a mail server migration... so I can be excused for this, lol!

What if the user puts the laptop in hibernation and continues from home ?

Author

Commented:
@nipponsoul: no problem ;) I'm already very happy you all are trying to help here.

Author

Commented:
What if the user puts the laptop in hibernation and continues from home ?

Then it will be as if it is still at the workplace. Good suggestion.
You only need to put
net stop "Windows Firewall/Internet Connection Sharing (ICS)"
in your login script to stop it in the office.
When they go back home and power on, the service will start again automatically.
You can also give them a shortcut on the desktop to restart the firewall service (net start "Windows Firewall/Internet Connection Sharing (ICS)") if they just put their laptop to sleep rather than power off when going home.
There is always the "educate the user" option: remind them to turn it on (in case someone does hibernate) by creating a shortcut for them to stop the service (one-click batch for the user) :)
* to start the service* ... OK, I am gonna stop giving advice now xD I think it's unsafe today!

Author

Commented:
@raysonlee: Is this also for Windows 7? Because when I do this, I get the following error message: The filename, directory name, or volume label syntax is incorrect.
For Windows 7: net start MpsSvc

Author

Commented:
Shouldn't that be net stop MpsSvc?
Yes, I just copied the MpsSvc part so you know the service :)
It should be done for both local logon and local logoff, but this seems far too drastic...

Does adding the network as a trusted network in Windows Firewall not help? If not, turn your eyes to Sophos; it must have something in the central administration server.

Author

Commented:
I found out that when the service is set to automatic and you stop the service, it will be restarted again after you reboot. So, in my opinion, the logon script first needs to set the service to auto and then stop the service.

But when I try this in XP with the following command:

sc.exe config "Windows Firewall/Internet Connection Sharing (ICS)" start=auto

I get:

Modifies a service entry in the registry and Service Database.
SYNTAX:
sc <server> config [service name] <option1> <option2>...
CONFIG OPTIONS:
NOTE: The option name includes the equal sign.
 type= <own|share|interact|kernel|filesys|rec|adapt>
 start= <boot|system|auto|demand|disabled>
 error= <normal|severe|critical|ignore>
 binPath= <BinaryPathName>
 group= <LoadOrderGroup>
 tag= <yes|no>
 depend= <Dependencies(separated by / (forward slash))>
 obj= <AccountName|ObjectName>
 DisplayName= <display name>
 password= <password>


What am I doing wrong?
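An added example, not from anyone in this thread: a single script usable as the logon script or from a scheduled task, which only stops the firewall when the office server is actually reachable and starts it again otherwise (covering the hibernate-and-resume-at-home case). It assumes the office Linux server is 192.0.2.10 (placeholder) and that the script runs with local administrator rights; on XP the firewall service key name is SharedAccess, on Vista/7 it is MpsSvc.

```batch
@echo off
REM Added example (not from the thread). Assumptions: office server 192.0.2.10
REM (placeholder), run with local administrator rights.
setlocal

REM Service key names: XP uses SharedAccess (display name "Windows Firewall/Internet
REM Connection Sharing (ICS)"), Vista/7 use MpsSvc. "ver" prints "Version 5.1" on XP.
set FWSVC=MpsSvc
ver | find "Version 5.1" >nul && set FWSVC=SharedAccess

REM Keep the service set to start automatically. sc.exe wants the key name, not the
REM display name, and a space after "start=": without it, it only prints its usage text.
sc config %FWSVC% start= auto >nul

REM Location check: a notebook resumed from hibernation at home may still run this
REM (e.g. from a scheduled task), so decide by reachability, not by where it started.
ping -n 1 -w 1000 192.0.2.10 >nul 2>&1
if errorlevel 1 goto :home

:office
echo Office server reachable - stopping %FWSVC% for the office session.
net stop %FWSVC% >nul 2>&1
goto :done

:home
echo Office server not reachable - making sure %FWSVC% is running.
net start %FWSVC% >nul 2>&1

:done
sc query %FWSVC% | find "STATE"
endlocal
```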
Simply run a batch file stating:
Logon
@echo off
REM service key name is MpsSvc (no .exe)
net stop MpsSvc

Logoff
@echo off
REM bring the firewall back up when the user leaves
net start MpsSvc

Bear in mind that the user would then need to have the machine request a password (lock) on hibernation / screensaver.
Java language for a *.vbs - normally quicker to process than a batch file
<job>
<script language="JScript">
// This is JScript for Windows Script Host, not Java/VBScript: save as a .wsf file and run with wscript.exe
// Run(command, windowStyle, waitOnReturn): 0 hides the console window, true waits for net.exe to finish
var oShell = new ActiveXObject("WScript.Shell");
oShell.Run("net start MpsSvc", 0, true);
//// Or ////
// oShell.Run("net stop MpsSvc", 0, true);
</script>
</job>
jvuz, if their firewall service was not set to auto, they probably don't want to enable it even at home. Therefore I think simply stop it during login is enough, no need to change the service to auto for them. If they want firewall protection, that should be done already.
Your Sophos should provide enough protection for firewalling at home, so disabling the service altogether would be ideal, or upgrade to Windows 7 and say "Good-bye" to all those silly hassles :)

Author

Commented:
With Windows 7? Why?
Windows 7 has much smarter firewalling capabilities and smart network location profile switching; you no longer have to disable the firewall to remotely access services or registries, for example. It is worth trying one out and noting the differences. XP truly has become a less preferred OS compared to Windows 7.

Author

Commented:
Sorry, but when I try to access a Windows 7 notebook which has the firewall enabled, I cannot get access.
Most likely because the network has been set to Public as opposed to Work or Home under the network profiles.

Author

Commented:
I'll have to check, but that means he has changed it himself. It's standard we configure the notebooks with a work network profile. I'll let you know.
