Group Policy Windows XP Firewall - Disable for Internal Networks Only?

Posted on 2011-10-03
Last Modified: 2012-06-27
Currently I have a Group Policy for all machines: Domain Profile & Standard Profile where "Protect all network connections" = Disabled. This is a quick basic GP to disable the firewall on all machines.

I would like to allow the firewall to enable when the laptops are outside the office.

It appears I need to allow the firewall to come on under the Standard Profile.  Is this correct?

If so how do I define my local networks?  We have 4 sites and only 2 have DC's\Global Catalogs.

For Example where can I say that when on subnets: & & & the firewall is completely disabled?

I know this sounds simple, but since 2004 it appears firewall articles are junked up and I cannot find a simple and CONFIRMED explanation to this.

Please Help, Thanks
Question by:NiceShotMan

    Accepted Solution

    There are two sets of Windows Firewall settings to configure:

    The domain profile settings that are used by the computers when they are connected to a network that contains domain controllers for the domain of which the computer is a member.

    The standard profile settings that are used by the computers when they are connected to a network that does not contain domain controllers for the domain of which the computer is a member, i.e. at home, outside the office.

    If you do not configure standard profile settings, their default values are still applied. Therefore, it is highly recommended that you configure both domain and standard profile settings and that you enable the Windows Firewall for both profiles, except if you are already using a third-party host firewall product.

    The standard profile settings are typically more restrictive than the domain profile because the standard profile settings do not need to include applications and services that are only used in a managed domain environment.

    Both the domain profile and standard profile contain the same set of Windows Firewall settings.

    Step 1: Updating Your Group Policy Objects With the New Windows Firewall Settings
    To update your Group Policy objects with the new Windows Firewall settings using the Group Policy snap-in (provided with Windows XP), do the following:

    Ensure Windows XP SP2 is installed on a computer that is a member of the domain that contains the computer accounts of the other computers running Windows XP on which you plan to install Windows XP SP2.

    Restart the computer and log on to the Windows XP with SP2-based computer as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

    From the Windows XP desktop, click Start, click Run, type mmc, and then click OK.
    On the File menu, click Add/Remove Snap-in.
    On the Standalone tab, click Add.
    In the Available Standalone Snap-ins list, click Group Policy Object Editor, and then click Add.
    In the Select Group Policy Object dialog box, click Browse.
    In the Browse for a Group Policy Object, click the Group Policy object that you want to update with the new Windows Firewall settings. An example is shown in the following figure.
    Click OK.
    Click Finish to complete the Group Policy Wizard.
    In the Add Standalone Snap-in dialog box, click Close.
    In the Add/Remove Snap-in dialog box, click OK.
    In the console tree, open Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall. An example is shown in the following figure.

    Here is a good Microsoft link with a process flow.
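
An added example (not part of the answer above and not Microsoft's code): a small audit that reads the per-profile policy values a GPO like the asker's writes and reports which profile leaves the firewall off. It assumes "Protect all network connections" is stored as the `EnableFirewall` DWORD under `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile` and `...\StandardProfile`; the `reg query` text is constructed sample input and the function names are hypothetical.

```python
import re

POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"

# Constructed sample: `reg query <POLICY_ROOT> /s` text for a machine where both
# profiles have "Protect all network connections" = Disabled (the asker's GPO).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall    REG_DWORD    0x0
"""

# Only DWORD values matter here; string values (exception lists) are skipped.
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_policy(reg_output):
    """Return {profile_key_name: {value_name: int}} from `reg query ... /s` text."""
    profiles, current = {}, None
    for line in reg_output.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith(POLICY_ROOT.upper()):
            current = stripped.rsplit("\\", 1)[-1]  # last key component
            profiles.setdefault(current, {})
            continue
        match = VALUE_RE.match(line)
        if match and current:
            profiles[current][match.group(1)] = int(match.group(2), 16)
    return profiles


def audit(reg_output):
    """List (profile, finding) pairs for profiles that are disabled or unset."""
    profiles = parse_policy(reg_output)
    findings = []
    for name in ("DomainProfile", "StandardProfile"):
        state = profiles.get(name, {}).get("EnableFirewall")
        if state is None:
            # Matches the answer: unconfigured profiles fall back to defaults.
            findings.append((name, "not configured by policy; default applies"))
        elif state == 0:
            where = "off" if name == "StandardProfile" else "on"
            findings.append((name, "firewall disabled %s the domain network" % where))
    return findings


if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_REG_OUTPUT):
        print(profile + ": " + finding)
```

A `StandardProfile` finding is the one that matters for laptops, since that profile applies whenever no domain controller for the machine's domain is reachable.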

    Author Comment

    Are we seeing that a domain controller is required on each subnet that I would like the domain profile to apply?  If this is the case, how can we have those subnets not restrictive?

    Assisted Solution

    Yes, with Windows XP they only offered the two profiles, Standard & Domain.  In Vista and Windows 7 they offer the "Private" profile, which would give you some more options.  This is all based on NLA (Network Location Awareness); see this link for a detailed explanation.

    You could set the standard profile settings to be the same as your domain profile settings and hence the domain firewall profile would be applied all the time because the standard profile is applied by default when a DC is not present.

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
