Which Registry Values store these Windows Firewall GPO settings......


gayle

In PolicySettings.xls, a spreadsheet that lists all GPO settings,
some settings have multiple registry value paths associated with them.
In GPO Editor, when enabling these settings, a user must specify
more than whether the setting is Enabled/Disabled.

Are all these registry paths required to store 1 Windows Firewall GPO
setting? For instance:

1. For the policy setting - Windows Firewall: Allow remote
administration exception
there are 2 registry values associated:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabled
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!RemoteAddresses
Are both necessary for the GPO setting to be Enabled? To determine
if the setting is Enabled, isn't the first 1 sufficient?

Similar case for:

Windows Firewall: Allow file and printer sharing exception

Its 2 registry values are:
1] HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!Enabled
2] HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!RemoteAddresses

If the 1st registry value is set to enabled, is it necessary to check
for the Address List? What will the behaviour be, if only the
1st registry value is present?

2. On enabling the Logging setting in gpedit.msc, 2 registry values
get created - LogFileSize & LogFilePath & on disabling the setting,
both registry values get deleted.

If 1 registry value, say LogFileSize, is deleted, is Logging enabled/
disabled effectively? In GPO Editor, the setting before the value was
deleted is maintained, i.e. to check if logging is enabled using a
script, are the values of both registry values [LogFileSize &
LogFilePath] required?
 

Steve Riley [MSFT]

What is it that you're trying to do? Check to see whether something is
configured, or create rules by editing the registry? Please note that the
only supported way to modify the rules is through group policy or the
advanced configuration MMC. Editing the rulebase directly in the registry is
unsupported.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

gayle

Thanks for your response. I'm not trying to modify the firewall rules
from the registry - just seeing if some Windows Firewall GPO settings
[those that have more than 1 registry value associated with them]
are configured by looking up their registry values by following
details in PolicySettings.xls - The Security Policy Reference from
Technet.

Since some Windows Firewall GPO settings have multiple Registry values
listed, I would like to know whether this registry value
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabled,
when set to enabled, is sufficient for this setting to be enabled:
Windows Firewall: Allow remote administration exception

Does Windows Firewall work like this? Is it correct to assume that the
other associated Registry values like
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!RemoteAddresses
are not essential to determine if the GPO setting is configured to
Enabled/Disabled?

What about the Allow Logging setting? There is no value that stores
'Enabled', only 2 values LogFileSize & LogFilePath. How do I
determine if Logging is Enabled? Is the presence of both values
essential?
 

Roger Abell [MVP]

"gayle" <gayle.ribeiro@gmail.com> wrote in message
news:1187579782.232243.211510@r34g2000hsd.googlegroups.com...
> Thanks for your response. I'm not trying to modify the firewall rules
> from the registry - just seeing if some Windows Firewall GPO settings
> [ those that have more than 1 registry value associated with them ]
> are configured by looking up their registry values by following
> details in PolicySettings.xls - The Security Policy Reference from
> Technet
>


Previously you referred to PolicySettings.xls as the doc of all
GPO policies. That is incorrect. It docs the adm/admx settings.

> Since some Windows Firewall GPO settings have multiple Registry values
> listed, I would like to know whether this registry value
> HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabled,
> when set to enabled, is sufficient for this setting to be enabled:
> Windows Firewall: Allow remote administration exception
>


You know, the most quick way to answer these sorts of things is to
set up a brief experiment.
In this case, I believe that the Enable reg entry enables/disables
remote admin exception, and if used without the other setting is
a rather unsafe thing to do as the exception will be enabled for
all origin IPs (rather than a normally highly restricted list of IPs)

> Does Windows Firewall work like this? Is it correct to assume that the
> other associated Registry values like
> HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!RemoteAddresses
> are not essential to determine if the GPO setting is configured to
> Enabled/Disabled?
>


Again, I believe that in this case it is sufficient but you would want to
check that there is a restriction on IPs allowed to use the exception.

> What about the Allow Logging setting? There is no value that stores
> 'Enabled', only 2 values LogFileSize & LogFilePath. How do I
> determine if Logging is Enabled? Is the presence of both values
> essential?
>


I am unsure what policy you refer to. I would say "what logging", but
again, your best approach would be to use a test/reference system and
see what is the case.
 

Steve Riley [MSFT]

I'm guessing that you have a need to detect the state of the firewall and
certain configuration settings, correct? I'm going to assume here that
you're writing some kind of script to do this. It's still a bit unclear
about what it is that you need to accomplish, exactly.

If you use group policies to configure the firewall, you have to supply
certain values, so then the registry entries will be set correctly. For
example, when you enable "Allow remote administration exceptions," you also
need to define which subnets will be the source of incoming administration
requests. So I'd guess that maybe you should check for both in your script.
Let's say that you enable it, but don't define any allowed incoming source
subnets. I honestly couldn't tell you how the computer will behave in this
case. This is not an allowed configuration, so your script should raise some
kind of error message.

The logging setting has more than just the two registry entries you see. The
collection is LogDroppedPackets, LogSuccessfulConnections, LogFilePath,
LogFileSize. The first two indicate what you want to log. If you enable
either or both, then you need to define the location (path) and maximum log
size. Again, we can't predict how it'll behave if you enable logging but
don't define the path and size. So your script should ensure that both are
defined if either kind of log is enabled.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
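
The consistency checks described in the post above, sketched as a read-only PowerShell script. This is an added example, not code from anyone in the thread: the function names are hypothetical, and the `Logging` subkey name, the 0/1 encoding of the DWORD values, and `*` meaning "any source address" are assumptions to confirm against the adm/admx file.

```powershell
# Added example: read-only audit of Windows Firewall policy values (domain profile).
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

# Hypothetical helper: returns $null when the key or the value is absent.
function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Exceptions that store an Enabled flag plus a RemoteAddresses scope.
# Assumptions: Enabled is 1/0, absent means Not Configured, '*' means any source.
function Test-Exception {
    param([string]$Label, [string]$SubKey)
    $key     = Join-Path $Base $SubKey
    $enabled = Get-PolicyValue $key 'Enabled'
    $remote  = Get-PolicyValue $key 'RemoteAddresses'
    if ($null -eq $enabled) { $state = 'NotConfigured' }
    elseif ($enabled -eq 0) { $state = 'Disabled' }
    elseif ([string]::IsNullOrEmpty($remote)) { $state = 'ERROR: enabled, no RemoteAddresses' }
    elseif ($remote.Trim() -eq '*') { $state = 'WARNING: enabled for all source addresses' }
    else { $state = 'Enabled' }
    [pscustomobject]@{ Setting = $Label; State = $state; RemoteAddresses = $remote }
}

# Logging: the path and size must both be defined if either kind of log is enabled.
function Test-Logging {
    param([string]$SubKey = 'Logging')   # assumption: subkey name is not given in the thread
    $key     = Join-Path $Base $SubKey
    $dropped = Get-PolicyValue $key 'LogDroppedPackets'
    $success = Get-PolicyValue $key 'LogSuccessfulConnections'
    $path    = Get-PolicyValue $key 'LogFilePath'
    $size    = Get-PolicyValue $key 'LogFileSize'
    $wanted  = ($dropped -eq 1) -or ($success -eq 1)
    if (-not $wanted) { $state = 'Logging not enabled by policy' }
    elseif ([string]::IsNullOrEmpty($path) -or ($null -eq $size)) {
        $state = 'ERROR: logging enabled, LogFilePath or LogFileSize missing'
    }
    else { $state = 'Enabled' }
    [pscustomobject]@{ Setting = 'Logging'; State = $state; LogFilePath = $path; LogFileSize = $size }
}

Test-Exception 'Allow remote administration exception'    'RemoteAdminSettings'
Test-Exception 'Allow file and printer sharing exception' 'Services\FileAndPrint'
Test-Logging
```

The script only reads the policy keys; the effective firewall state still has to be confirmed on the machine itself.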


gayle

Thanks for your insight. I want to find how each Windows Firewall GPO
setting located in
GROUP POLICY\Computer Configuration\Administrative Templates\Network Connections\Windows Firewall
is configured [whether set to Enabled/Disabled] using a script that
will read Registry values that store these.

Couple of things -
1] The spreadsheet "PolicySettings.xls" [I mentioned in my 1st post]
gives all the registry values associated with a Windows Firewall GPO
Setting. Is there a source that gives exactly which Registry
value(s) store(s) each setting?

2] Roger wrote "You know, the most quick way to answer these sorts
of things is to set up a brief experiment."

There are multiple interfaces using which Remote Desktop Exception can
be configured. So, the effect of changing the Policy setting in GPO
Editor is not readily visible.
These settings are available in the GPO Editor & the effect of Remote
Desktop Exception is also possible through the My Computer>Properties-Remote Tab.

I'm not aware if there are other interfaces that bring about the same
effect as the other Windows Firewall GPO settings too.
Is there any way to see the effect of changing the GPO settings only
without any influence from other places where they are set? Setting
up an experiment will be a lot easier then.
 

Steve Riley [MSFT]

Gayle, I'm lost to understand what you're really trying to accomplish. Take
a step away from registry settings, GPOs, rules... please explain what it is
that you want to do.

#1 - The spreadsheet tells you the registry keys. The only source of values
is you! You supply whatever values you want. However, for the firewall, you
shouldn't edit the registry. Instead, you should use only the control panel
or group policy.

#2 - This is where I'm lost. What is it that you think you can't do through
the control panel or group policy?

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

Roger Abell [MVP]

"gayle" <gayle.ribeiro@gmail.com> wrote in message
news:1187664128.024384.11060@k79g2000hse.googlegroups.com...
>
> Thanks for your insight. I want to find how each Windows Firewall GPO
> setting located in
> GROUP POLICY\Computer Configuration\Administrative Templates\Network Connections\Windows Firewall
> is configured [whether set to Enabled/Disabled] using a script that
> will read Registry values that store these.
>
> Couple of things -
> 1] The spreadsheet "PolicySettings.xls" [I mentioned in my 1st post]
> gives all the registry values associated with a Windows Firewall GPO
> Setting. Is there a source that gives exactly which Registry
> value(s) store(s) each setting?
>


I for one am having a hard time determining what you mean by that
last question. PolicySettings.xls collects together the policies that
may be set due to one of the adm/admx files. If you want the full
detail as to the registry entry set or the predefined values gpedit
shows for selection (for some of the policies) then read the adm/admx
file as it is all in there.

> 2] Roger wrote "You know, the most quick way to answer these sorts
> of things is to
> set up a brief experiment. "
>


Yes, I did, but it also was a general comment.
At that point it was not clear to me that you were only concerned
about the Windows firewall.
If you are wanting to see the details of the current firewall config,
and see whether the domain or standalone policy is in use, then
for XP and later you should know about the firewall context of the
netsh command. There is also an API if you code.


> There are multiple interfaces using which Remote Desktop Exception can
> be configured. So, the effect of changing the Policy setting in GPO
> Editor is not readily visible.


??
That is not my experience, at least if you use gpupdate to make
the altered GPO effective.


> These settings are available in the GPO Editor & the effect of Remote
> Desktop Exception is also possible through the My Computer>Properties-Remote Tab
>


The Remote tab in System properties only allows for enabling/disabling
Remote Desktop and for management of the members in the group called
Remote Desktop Users. These are not the firewall setting related to
Remote Desktop exception, but the Remote Desktop config itself.
However that dialog in System properties does tweak the firewall
exception so it is consistent with enabling RD usage.

But, are you not now changing the topic?
Previously you were talking about the firewall remote management
exception, which, as far as I have noticed, is only initially available
via the group policy setting.

> I'm not aware if there are other interfaces that bring about the same
> effect as the other Windows Firewall GPO settings too


The main interface for the firewall? i.e. in the properties of the
network connectoids.

> Is there any way to see the effect of changing the GPO settings only
> without any influence from other places where they are set? Setting


What is that asking?
If there are multiple interfaces that impact the same settings,
how could they not be influencing the same thing?

Again, for the Windows firewall try the show command in the
netsh firewall context. Start / run cmd and in the cmd window
enter netsh and then at the netsh prompt enter firewall. Then
at the netsh firewall context prompt enter show to see what
commands you can use to examine the run state and config of
the Windows firewall.
If you make a change in a GPO and use gpupdate to force the
application of the GPO so it is effective, then the netsh firewall
context will show that effect.

> up an experiment will be a lot easier then.
>
 
