SP2 Windows Firewall programs exceptions list issues...
Happy Labaour Day Weekend y'all!!! Just wanted to point out an odd occurrence in the Windows Firewall that now comes w/SP2. I've noticed that if you have added all the programs that you want to have an exception to the Firewall list, that it disappears when you join the system to a domain.
Happy Labaour Day Weekend y'all!!!
Just wanted to point out an odd occurrence in the Windows Firewall that now comes w/SP2. I've noticed that if you have added all the programs that you want to have an exception to the Firewall list, that it disappears when you join the system to a domain. Can anyone tell me how I can prevent the execeptions list going back to it's default settings after joining to the domain? Is there a way at least in the registry or otherwise to backup the exceptions list? I only ask because the multiple systems I look after have multiple apps that require to be on the Windows Firewall exceptions list that are duplicate on all the systems. Pretty much a pain in the a$$ to re-add to the exceptions list for every machine every time I choose to re-ghost and rejoin them all to the domain again.
Thanks in advance all.
Just wanted to point out an odd occurrence in the Windows Firewall that now comes w/SP2. I've noticed that if you have added all the programs that you want to have an exception to the Firewall list, that it disappears when you join the system to a domain. Can anyone tell me how I can prevent the execeptions list going back to it's default settings after joining to the domain? Is there a way at least in the registry or otherwise to backup the exceptions list? I only ask because the multiple systems I look after have multiple apps that require to be on the Windows Firewall exceptions list that are duplicate on all the systems. Pretty much a pain in the a$$ to re-add to the exceptions list for every machine every time I choose to re-ghost and rejoin them all to the domain again.
Thanks in advance all.
Participate on our website and join the conversation
This topic is archived. New comments cannot be posted and votes cannot be cast.
Responses to this topic
Group policy for the Domain. Have you updated the Group Policy schema with the XP SP2 administrative templates?
After you do, you will be unable to access the new templates on a Pre-SP2 machine (DC included) until this hotfix is applied:
http://support.microsoft.com/default.aspx?kbid=842933
Let me know if that helps.
After you do, you will be unable to access the new templates on a Pre-SP2 machine (DC included) until this hotfix is applied:
http://support.microsoft.com/default.aspx?kbid=842933
Let me know if that helps.
More specifically:
1. Open gpedit.msc on your administrative console/pc
2. Expand to the following area:
Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile -> "Windows Firewall: Define port exceptions"
Requirements:
At least Microsoft Windows XP Professional with SP2
Description:
Allows you to view and change the port exceptions list defined by Group Policy. Windows Firewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel.
If you enable this policy setting, you can view and change the port exceptions list defined by Group Policy. To view this port exceptions list, enable the policy setting and then click the Show button. To add a port, enable the policy setting, note the syntax, click the Show button, click the Add button, and then type a definition string that uses the syntax format. To remove a port, click its definition, and then click the Remove button. To edit a definition, remove the current definition from the list and add a new one with different parameters. To allow administrators to add ports to the local port exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the "Windows Firewall: Allow local port exceptions" policy setting.
If you disable this policy setting, the port exceptions list defined by Group Policy is deleted, but other policy settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored unless you enable the "Windows Firewall: Allow local port exceptions" policy setting.
If you do not configure this policy setting, Windows Firewall uses only the local port exceptions list that administrators define by using the Windows Firewall component in Control Panel. Other policy settings can continue to open or block ports.
Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors, and therefore you can accidentally create multiple entries for the same port with conflicting Scope or Status values. Scope parameters are combined for multiple entries. If entries have different Status values, any definition with the Status set to "disabled" overrides all definitions with the Status set to "enabled," and the port does not receive messages. Therefore, if you set the Status of a port to "disabled," you can prevent administrators from using the Windows Firewall component in Control Panel to enable the port.
Note: The only effect of setting the Status value to "disabled" is that Windows Firewall ignores other definitions for that port that set the Status to "enabled." If another policy setting opens a port, or if a program in the program exceptions list asks Windows Firewall to open a port, Windows Firewall opens the port.
Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow file and printer sharing exception," "Windows Firewall: Allow remote administration exception," and "Windows Firewall: Define port exceptions."
1. Open gpedit.msc on your administrative console/pc
2. Expand to the following area:
Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile -> "Windows Firewall: Define port exceptions"
Requirements:
At least Microsoft Windows XP Professional with SP2
Description:
Allows you to view and change the port exceptions list defined by Group Policy. Windows Firewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel.
If you enable this policy setting, you can view and change the port exceptions list defined by Group Policy. To view this port exceptions list, enable the policy setting and then click the Show button. To add a port, enable the policy setting, note the syntax, click the Show button, click the Add button, and then type a definition string that uses the syntax format. To remove a port, click its definition, and then click the Remove button. To edit a definition, remove the current definition from the list and add a new one with different parameters. To allow administrators to add ports to the local port exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the "Windows Firewall: Allow local port exceptions" policy setting.
If you disable this policy setting, the port exceptions list defined by Group Policy is deleted, but other policy settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored unless you enable the "Windows Firewall: Allow local port exceptions" policy setting.
If you do not configure this policy setting, Windows Firewall uses only the local port exceptions list that administrators define by using the Windows Firewall component in Control Panel. Other policy settings can continue to open or block ports.
Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors, and therefore you can accidentally create multiple entries for the same port with conflicting Scope or Status values. Scope parameters are combined for multiple entries. If entries have different Status values, any definition with the Status set to "disabled" overrides all definitions with the Status set to "enabled," and the port does not receive messages. Therefore, if you set the Status of a port to "disabled," you can prevent administrators from using the Windows Firewall component in Control Panel to enable the port.
Note: The only effect of setting the Status value to "disabled" is that Windows Firewall ignores other definitions for that port that set the Status to "enabled." If another policy setting opens a port, or if a program in the program exceptions list asks Windows Firewall to open a port, Windows Firewall opens the port.
Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow file and printer sharing exception," "Windows Firewall: Allow remote administration exception," and "Windows Firewall: Define port exceptions."
No problem
BTW, if you want the XP SP2 ADM templates without installing SP2, you can get them here:
http://www.microsoft.com/downloads/detai...;DisplayLang=en
Last file (.msi) in the list.
BTW, if you want the XP SP2 ADM templates without installing SP2, you can get them here:
http://www.microsoft.com/downloads/detai...;DisplayLang=en
Last file (.msi) in the list.
