Windows Firewall

When you go on to Control Panel and Windows Firewall you see three: 1) Domain Networks 2) Private Networks and 3) Guest/Public Networks.

When you go in to GPEDIT=Computer Configuration=Administrative Templates=Network=NetworkConnections=Windows Firewall you only see two: 1) Domain Profile and 2) Standard Profile. Obviously there is a one to one correlation on the Domain Profile but what does the "Standard Profile" control with respect to Private Networks and Guest/Public Networks?
LockDown32 (Owner) asked:

John, Business Consultant (Owner), commented:
Guest Network Profile does not get access to the computer. You need Private for that. So there is no need for an additional Firewall group - nothing for it to do.
0

LockDown32, Owner (Author), commented:
Not at all clear on what you are saying.
0
John, Business Consultant (Owner), commented:
I thought I was clear. If the computer profile is Guest, they only have Internet and local application access. No file sharing or the like. So the Firewall does not need access rules for that.
0

LockDown32, Owner (Author), commented:
Not at all clear. So to kind of direct it back to the question..... the "Standard Profile" in GPEDIT directly relates to the "Private" Firewall? Guest/Public networks have no firewall settings at all?
0
John, Business Consultant (Owner), commented:
In GP Edit, there are numerous settings for a Domain Network Profile and there are numerous settings for a Private Network Profile and no setting (no group) for Public because outsiders have no access to the machine using the Public Profile. It is locked down inside Windows.
0
Shaun Vermaak, Technical Specialist, commented:
You need to look under Windows Firewall with Advanced Security
windowsfirewallgpofiga0817-1-.jpg
0
LockDown32, Owner (Author), commented:
Right now I am talking about the firewall setting in GPEDIT. Screen shot attached. There is a "Domain Profile" and a "Standard Profile". There is not a "Private" profile. I think that is kind of what you are missing John. I know that when I edit items in the "Domain Profile" it directly affects the Domain Firewall. The question is ..... what does changing things under the "Standard Profile" do?

   It is looking like it directly affects the "Private" firewall but so far no one has said......
Capture.PNG
0
John, Business Consultant (Owner), commented:
I am not missing it. The Standard Profile is for Private (not Domain) and to repeat, no need for the Public Portion.
0
Shaun Vermaak, Technical Specialist, commented:
GPEDIT only supports old Firewall. Set Firewall via GUI and export policy via netsh or GUI

And yes, you need to configure all three as per CIS recommendations (Domain, Private and Public)

firewallexpoer.png
0
LockDown32, Owner (Author), commented:
OK John. For the first time you finally said Standard correlates to Private. That is what I was looking for and you kept saying "Private" settings in GPEDIT and there are no "Private Settings" just Standard. Whew.

Shaun I have to ask... in a domain environment this is how I control firewalls via GPO. Are you saying that is no longer viable?
0
Shaun Vermaak, Technical Specialist, commented:
You do not use GPEdit in domain environment, you use GPMC.msc

Extract from CIS
CISPF.png
0
LockDown32, Owner (Author), commented:
Yes Shaun that is kind of a given. GPEDIT just edits the computer you are running it on. GPMC does it domain wide.
0
Shaun Vermaak, Technical Specialist, commented:
No, it is not. And you have actually proven it to yourself by not finding Windows Firewall with Advanced Security
0
LockDown32, Owner (Author), commented:
What? On one line you say "You do not use GPEdit in domain environment, you use GPMC.msc". I concur and then you say no? I am a little lost at where you are right now. You can go in to the GUI on any workstation or server. I am missing the point.
0
Shaun Vermaak, Technical Specialist, commented:
My only point is that you should use Windows Firewall with Advanced Security, not the legacy settings. Windows Firewall with Advanced Security has Private, Domain and Public
0
John, Business Consultant (Owner), commented:
I assumed you would not need / want Public profile settings in a work / domain environment.
0
LockDown32, Owner (Author), commented:
Got ya. And where is that again?
0
Shaun Vermaak, Technical Specialist, commented:
Your assumption is incorrect. You configure the public profile for mobile devices and secure it by not allowing admins to amend public network rules

See 9.3.7 (L1) Set 'Windows Firewall: Public: Apply local connection security rules' to 'No' (Scored) in CIS document

cisfw.png
0
Shaun Vermaak, Technical Specialist, commented:
"Got ya. And where is that again?"
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties
0
LockDown32, Owner (Author), commented:
That is interesting. Windows Firewall with Advanced Security is actually easier to use. Thanks for the heads-up.
0
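
Added example (not part of the thread or of the CIS document): a PowerShell audit that reads the effective settings of the three Windows Firewall with Advanced Security profiles and checks the Public-profile item cited above, 'Apply local connection security rules' = 'No', which the NetSecurity cmdlets expose as `AllowLocalIPsecRules`. The `Enabled` baseline entries, the helper name `Test-FirewallProfile` and the export path are assumptions for illustration.

```powershell
# Added example. Run in an elevated PowerShell session on the machine to audit.
# Baseline: only the Public AllowLocalIPsecRules value comes from the thread's
# CIS citation (9.3.7); the Enabled entries are illustrative assumptions.
$expected = @{
    Domain  = @{ Enabled = 'True' }
    Private = @{ Enabled = 'True' }
    Public  = @{ Enabled = 'True'; AllowLocalIPsecRules = 'False' }
}

# Hypothetical helper: compare one profile object against its baseline entry.
function Test-FirewallProfile {
    param(
        [Parameter(Mandatory)] $FwProfile,
        [Parameter(Mandatory)] [hashtable] $Want
    )
    foreach ($setting in $Want.Keys) {
        # GpoBoolean values stringify as True / False / NotConfigured
        $actual = [string]$FwProfile.$setting
        [pscustomobject]@{
            Profile  = $FwProfile.Name
            Setting  = $setting
            Expected = $Want[$setting]
            Actual   = $actual
            Pass     = ($actual -eq $Want[$setting])
        }
    }
}

# ActiveStore is the merged result of local policy and every applied GPO,
# so this shows what is enforced, not just what was typed into one editor.
$results = Get-NetFirewallProfile -PolicyStore ActiveStore | ForEach-Object {
    Test-FirewallProfile -FwProfile $_ -Want $expected[$_.Name]
}
$results | Format-Table -AutoSize

# Which profile each connected network is currently classified under
# (NetworkCategory: Public, Private or DomainAuthenticated).
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory

# Export the local WFAS policy so it can be imported into a GPO
# from the Windows Firewall with Advanced Security node in GPMC.
netsh advfirewall export "$env:TEMP\wfas-policy.wfw"

# Non-zero exit code if any check failed, for use in scheduled audits.
if ($results.Pass -contains $false) { exit 1 }
```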