Saturday, 12 May 2007

Windows XP Firewall from Domain Policy

BP (best practice) for computers in a domain is to set a domain policy for workstations and laptops by placing each type into its own OU (organisational unit).

In AD (Active Directory), create a new GP (group policy) and link it to the OU you want it to apply to, such as Laptops, Workstations or even Servers. Remember that computer components can only be applied to computers and user components to users, so if the computer or user does not sit in that OU the policy will not apply to it.

In the GP you created you will find lots of sub keys; the one we are looking for in this example is:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall

Under this you have two sub keys: Standard Profile and Domain Profile.

The Domain Profile is the profile that applies to the computer when it is on the domain LAN; the Standard Profile applies to the computer when it is NOT on the domain LAN, i.e. off site or disconnected.

Recommended settings for these policies are as follows ("Local" below means the Standard Profile, "Domain" the Domain Profile):
Enable Protect all network connections – Local and Domain
Enable Define program exceptions – Local and Domain
Enable Allow local program exceptions – Local and Domain
Enable Allow file and printer sharing exception – Domain only
Enable Allow Remote Desktop exception – Domain only
Enable Define port exceptions – Local and Domain
Enable Define local port exceptions – Local and Domain

In the local port and program exceptions you will need to define some rules; if you click on the Show button you will be shown a list of the ones that have already been defined.

Port syntax
6129:TCP:*:enabled:dameware
It breaks down into port-number:tcp/udp:ip-range:enabled/disabled:port-name

Program syntax
%Programfiles%\test.exe:172.16.0.1,172.16.1.1/24:enabled:test program
It breaks down into program-location:ip-range:enabled/disabled:program-name
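When you hand a list of these exception strings to a GP, a typo in one field silently leaves a port or program either unopened or opened wider than intended, so it is worth checking them before they reach the policy. The following parser and review script is an added example written for this post, not part of the original post or of any Microsoft tool; it parses both the port and the program syntax above, validates each field (port range, TCP/UDP, the ip-range field as "*", "localsubnet" or a comma-separated list of addresses and CIDR networks, enabled/disabled), and then flags any enabled exception whose ip-range is "*", since an exception open to every source address is the one to question in the Standard (off-LAN) profile. It assumes the name field of a program exception contains no colon (the path itself may, because of a drive letter), and the sample entries beyond the two from the post are constructed for illustration.

```python
"""Validate Windows XP firewall policy exception strings and review their scope.

Port exception:    port:protocol:ip-range:enabled|disabled:name
Program exception: path:ip-range:enabled|disabled:name
ip-range is '*' (any address), 'localsubnet', or a comma-separated list of
IPv4 addresses / CIDR networks, optionally mixed with 'localsubnet'.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Scope:
    any_address: bool = False
    local_subnet: bool = False
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)


def parse_scope(text: str) -> Scope:
    """Parse the ip-range field; raises ValueError on anything unrecognised."""
    text = text.strip()
    if text == "*":
        return Scope(any_address=True)
    scope = Scope()
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty element in ip-range {text!r}")
        if item.lower() == "localsubnet":
            scope.local_subnet = True
            continue
        try:
            # strict=False lets '172.16.1.1/24' mean the 172.16.1.0/24 network,
            # and a bare address becomes a /32 host network
            scope.networks.append(ipaddress.IPv4Network(item, strict=False))
        except ValueError as exc:
            raise ValueError(f"bad address or network {item!r} in {text!r}") from exc
    return scope


def parse_state(text: str) -> bool:
    state = text.strip().lower()
    if state not in ("enabled", "disabled"):
        raise ValueError(f"state must be enabled or disabled, got {text!r}")
    return state == "enabled"


@dataclass
class PortRule:
    port: int
    protocol: str
    scope: Scope
    enabled: bool
    name: str


@dataclass
class ProgramRule:
    path: str
    scope: Scope
    enabled: bool
    name: str


def parse_port_rule(entry: str) -> PortRule:
    """port:protocol:ip-range:state:name; the name is last, so splitting stops
    after four separators and a colon inside the name is preserved."""
    parts = entry.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"port exception needs 5 fields: {entry!r}")
    port_text, proto, scope_text, state, name = parts
    port_text = port_text.strip()
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"port out of range: {port_text!r}")
    proto = proto.strip().upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"protocol must be TCP or UDP: {proto!r}")
    return PortRule(int(port_text), proto, parse_scope(scope_text),
                    parse_state(state), name.strip())


def parse_program_rule(entry: str) -> ProgramRule:
    """path:ip-range:state:name; the path may contain a drive-letter colon, so
    split from the right (assumption: the name field contains no colon)."""
    parts = entry.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"program exception needs 4 fields: {entry!r}")
    path, scope_text, state, name = parts
    if not path.strip():
        raise ValueError(f"program exception has an empty path: {entry!r}")
    return ProgramRule(path.strip(), parse_scope(scope_text),
                       parse_state(state), name.strip())


def review(port_rules: List[PortRule], program_rules: List[ProgramRule]) -> List[str]:
    """Report enabled exceptions reachable from any source address."""
    findings = []
    for r in port_rules:
        if r.enabled and r.scope.any_address:
            findings.append(f"port {r.port}/{r.protocol} ({r.name}) is open to any address")
    for r in program_rules:
        if r.enabled and r.scope.any_address:
            findings.append(f"program {r.path} ({r.name}) is open to any address")
    return findings


# Constructed sample lists: the first entry of each is the one from the post,
# the rest are made up here to exercise localsubnet, CIDR and disabled entries.
SAMPLE_PORT_RULES = [
    "6129:TCP:*:enabled:dameware",
    "3389:TCP:localsubnet:enabled:Remote Desktop",
]
SAMPLE_PROGRAM_RULES = [
    r"%Programfiles%\test.exe:172.16.0.1,172.16.1.1/24:enabled:test program",
    r"C:\Program Files\Backup\agent.exe:10.0.0.0/8,localsubnet:disabled:backup agent",
]


def review_samples() -> List[str]:
    """Parse the sample lists and return the review findings."""
    return review([parse_port_rule(e) for e in SAMPLE_PORT_RULES],
                  [parse_program_rule(e) for e in SAMPLE_PROGRAM_RULES])


if __name__ == "__main__":
    for line in review_samples():
        print(line)
```

Run it as-is and it reports only the dameware entry, because that is the one enabled exception whose ip-range is "*"; the Remote Desktop entry is limited to the local subnet and the backup agent is disabled. To check a real policy, replace the two sample lists with the strings shown under the Show button of the corresponding GP setting.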
