SP2 Windows Firewall programs exceptions list issues...

146 Posts
Joined 2001-07-13
Happy Labour Day Weekend y'all!!!
 
Just wanted to point out an odd occurrence in the Windows Firewall that now comes w/SP2. I've noticed that if you have added all the programs that you want to have an exception to the Firewall list, it disappears when you join the system to a domain. Can anyone tell me how I can prevent the exceptions list going back to its default settings after joining the domain? Is there a way, at least in the registry or otherwise, to back up the exceptions list? I only ask because the multiple systems I look after have multiple apps that need to be on the Windows Firewall exceptions list and are duplicated on all the systems. It's pretty much a pain in the a$$ to re-add them to the exceptions list on every machine every time I choose to re-ghost and rejoin them all to the domain.
 
Thanks in advance all.
 
 


Responses to this topic


146 Posts
Joined 2001-07-13
OP
Thanks for the response back, Adamvjackson.
 
Did you mean the GP on the AD itself or the local GP? And if so, where in the GP would you find the option to keep the exceptions list or prepare a template for it?
 
Thanks again.

2172 Posts
Joined 2002-08-26
Group policy for the Domain. Have you updated the Group Policy schema with the XP SP2 administrative templates?
 
After you do, you will be unable to access the new templates on a Pre-SP2 machine (DC included) until this hotfix is applied:
 
http://support.microsoft.com/default.aspx?kbid=842933
 
Let me know if that helps.

2172 Posts
Joined 2002-08-26
More specifically:
 
1. Open gpedit.msc on your administrative console/pc
2. Expand to the following area:
 
Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile -> "Windows Firewall: Define port exceptions"
 
Requirements:
At least Microsoft Windows XP Professional with SP2
 
Description:
Allows you to view and change the port exceptions list defined by Group Policy. Windows Firewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel.
 
If you enable this policy setting, you can view and change the port exceptions list defined by Group Policy. To view this port exceptions list, enable the policy setting and then click the Show button. To add a port, enable the policy setting, note the syntax, click the Show button, click the Add button, and then type a definition string that uses the syntax format. To remove a port, click its definition, and then click the Remove button. To edit a definition, remove the current definition from the list and add a new one with different parameters. To allow administrators to add ports to the local port exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the "Windows Firewall: Allow local port exceptions" policy setting.
 
If you disable this policy setting, the port exceptions list defined by Group Policy is deleted, but other policy settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored unless you enable the "Windows Firewall: Allow local port exceptions" policy setting.
 
If you do not configure this policy setting, Windows Firewall uses only the local port exceptions list that administrators define by using the Windows Firewall component in Control Panel. Other policy settings can continue to open or block ports.
 
Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors, and therefore you can accidentally create multiple entries for the same port with conflicting Scope or Status values. Scope parameters are combined for multiple entries. If entries have different Status values, any definition with the Status set to "disabled" overrides all definitions with the Status set to "enabled," and the port does not receive messages. Therefore, if you set the Status of a port to "disabled," you can prevent administrators from using the Windows Firewall component in Control Panel to enable the port.
 
Note: The only effect of setting the Status value to "disabled" is that Windows Firewall ignores other definitions for that port that set the Status to "enabled." If another policy setting opens a port, or if a program in the program exceptions list asks Windows Firewall to open a port, Windows Firewall opens the port.
 
Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow file and printer sharing exception," "Windows Firewall: Allow remote administration exception," and "Windows Firewall: Define port exceptions."
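The policy text quoted above spells out two things a practitioner will want to handle by script rather than by hand: the definition-string syntax that the Show dialog accepts without checking, and the rule that duplicate entries combine their scopes while a single "disabled" entry closes the port. The following Python is an added example, not code from this thread or from Microsoft: it reads a regedit export of the local (Control Panel) exception lists, re-emits them as definition strings you can paste into "Windows Firewall: Define program exceptions" / "Define port exceptions" for the Domain Profile, validates the Scope and Status fields, and applies the merge rule so you can see which entries a stray "disabled" duplicate would close. Assumptions, from the XP SP2 firewall documentation rather than from this page: XP SP2 keeps one set of lists per profile (StandardProfile off-domain, DomainProfile once the machine is on its domain network), the Control Panel lists live under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\<Profile>\{AuthorizedApplications,GloballyOpenPorts}\List, program strings are Path:Scope:Status:Name and port strings are Port:Transport:Scope:Status:Name. The .reg contents and the hand-typed extra entries are constructed sample data.

```python
"""Rebuild XP SP2 Windows Firewall exception lists as Group Policy definition strings.
Added example, not code from the thread. Assumed from the XP SP2 firewall docs (verify
on your build): Control Panel keeps its lists under HKLM\\SYSTEM\\CurrentControlSet\\
Services\\SharedAccess\\Parameters\\FirewallPolicy\\<Profile>\\{AuthorizedApplications,
GloballyOpenPorts}\\List; strings are Path:Scope:Status:Name (programs) and
Port:Transport:Scope:Status:Name (ports)."""
import re
from collections import OrderedDict

FW_POLICY = (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
             r'\Parameters\FirewallPolicy')
_KEY_RE = re.compile(r'^\[([^\]]+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_SCOPE_RE = re.compile(r'^(?:\*|LocalSubnet|\d{1,3}(?:\.\d{1,3}){3}'
                       r'(?:/\d{1,2}|/\d{1,3}(?:\.\d{1,3}){3})?)$')

def parse_reg_export(text):
    """{key: {value_name: data}} for the string values of a regedit 5.00 export."""
    unesc = lambda s: re.sub(r'\\(.)', r'\1', s)  # .reg escapes \ and " with a backslash
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := _KEY_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, OrderedDict())
        elif (m := _VALUE_RE.match(line)) and current is not None:
            keys[current][unesc(m.group(1))] = unesc(m.group(2))
    return keys

def _checked(scope, status):
    """Validate Scope and Status; the GP Show dialog itself adds anything unchecked."""
    if not all(_SCOPE_RE.match(t) for t in scope.split(',')):
        raise ValueError(f'bad scope {scope!r}')
    if status.lower() not in ('enabled', 'disabled'):
        raise ValueError(f'bad status {status!r}')
    return scope, status.lower()

def parse_program(defn):
    """Path:Scope:Status:Name; the path carries a drive colon, so split from the right."""
    parts = defn.rsplit(':', 3)
    if len(parts) != 4 or not parts[0]:
        raise ValueError(f'bad program definition {defn!r}')
    scope, status = _checked(parts[1], parts[2])
    return {'key': parts[0].lower(), 'head': parts[0], 'scope': scope,
            'status': status, 'name': parts[3]}

def parse_port(defn):
    """Port:Transport:Scope:Status:Name."""
    parts = defn.split(':', 4)
    if len(parts) != 5:
        raise ValueError(f'bad port definition {defn!r}')
    port, transport = parts[0], parts[1].upper()
    if not port.isdigit() or not 1 <= int(port) <= 65535 or transport not in ('TCP', 'UDP'):
        raise ValueError(f'bad port or transport in {defn!r}')
    scope, status = _checked(parts[2], parts[3])
    return {'key': (int(port), transport), 'head': f'{int(port)}:{transport}',
            'scope': scope, 'status': status, 'name': parts[4]}

def resolve(entries):
    """Merge rule from the policy note for entries that share a key: scopes combine and
    one 'disabled' entry overrides every 'enabled' one. Returns (definition strings,
    the subset that a disabled duplicate closed)."""
    merged = OrderedDict()
    for e in entries:
        cur = merged.setdefault(e['key'], dict(e, scopes=set(), conflict=False))
        cur['scopes'] |= set(e['scope'].split(','))
        if cur['status'] != e['status']:
            cur['conflict'], cur['status'] = True, 'disabled'
    out, conflicts = [], []
    for e in merged.values():
        scope = '*' if '*' in e['scopes'] else ','.join(sorted(e['scopes']))
        out.append(f"{e['head']}:{scope}:{e['status']}:{e['name']}")
        if e['conflict']:
            conflicts.append(out[-1])
    return out, conflicts

def gp_definitions(reg_text, extra_programs=(), extra_ports=(), profile='StandardProfile'):
    """Strings for 'Define program exceptions' / 'Define port exceptions' built from one
    profile's Control Panel lists plus hand-typed extras: (programs, ports, conflicts)."""
    keys, base = parse_reg_export(reg_text), f'{FW_POLICY}\\{profile}\\'
    progs = list(keys.get(base + r'AuthorizedApplications\List', {}).values())
    ports = list(keys.get(base + r'GloballyOpenPorts\List', {}).values())
    p_out, p_conf = resolve([parse_program(d) for d in progs + list(extra_programs)])
    q_out, q_conf = resolve([parse_port(d) for d in ports + list(extra_ports)])
    return p_out, q_out, p_conf + q_conf

# Constructed sample export of a pre-join StandardProfile (not real data).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Backup Agent\\agent.exe"="C:\\Program Files\\Backup Agent\\agent.exe:*:Enabled:Backup Agent"
"C:\\Program Files\\Inventory\\inv.exe"="C:\\Program Files\\Inventory\\inv.exe:LocalSubnet:Enabled:Inventory Client"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:10.0.0.0/8:Enabled:Remote Desktop"
"5900:TCP"="5900:TCP:*:Enabled:VNC"
'''
# Constructed entries typed into the Show dialog; the second duplicates 5900/TCP
# with Status=disabled, which the policy note says wins over 'enabled'.
EXTRA_PORTS = ['3389:TCP:192.168.1.0/24:enabled:Remote Desktop', '5900:TCP:*:disabled:VNC']

if __name__ == '__main__':
    result = gp_definitions(SAMPLE_REG, extra_ports=EXTRA_PORTS)
    for label, lines in zip(('programs', 'ports', 'closed by a disabled duplicate'), result):
        print(label + ':', *lines, sep='\n  ')
```

To feed it a real machine, export the StandardProfile branch before re-ghosting (for example with `reg export` of the assumed key above into a .reg file) and pass the file's text as `reg_text`; the strings it prints go into the Domain Profile policy's Show list, and anything reported under "closed by a disabled duplicate" is a port the policy will keep shut no matter what an administrator enables in Control Panel.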
 


146 Posts
Joined 2001-07-13
OP
Thanks Adamvjackson.
 
I'll give it a try.