XP Firewall GPO not applying at startup


Usenet

I have the following GPO applied to an OU containing our workstations:

Computer Configuration (Enabled)
  Policies
    Windows Settings
      Security Settings
        Windows Firewall with Advanced Security
          Global Settings
            Policy                                    Setting
            Policy version                            Not Configured
            Disable stateful FTP                      Not Configured
            Disable stateful PPTP                     Not Configured
            IPsec exempt                              Not Configured
            IPsec through NAT                         Not Configured
            Preshared key encoding                    Not Configured
            SA idle time                              Not Configured
            Strong CRL check                          Not Configured

          Domain Profile Settings
            Policy                                    Setting
            Firewall state                            Off
            Inbound connections                       Not Configured
            Outbound connections                      Not Configured
            Apply local firewall rules                Not Configured
            Apply local connection security rules     Not Configured
            Display notifications                     Not Configured
            Allow unicast responses                   Not Configured
            Log dropped packets                       Not Configured
            Log successful connections                Not Configured
            Log file path                             Not Configured
            Log file maximum size (KB)                Not Configured

          Connection Security Settings
    Administrative Templates
      Policy definitions (ADMX files) retrieved from the local machine.
      Network/Network Connections/Windows Firewall/Domain Profile
        Policy                                                  Setting    Comment
        Windows Firewall: Protect all network connections       Disabled

      Network/Network Connections/Windows Firewall/Standard Profile
        Policy                                                  Setting    Comment
        Windows Firewall: Protect all network connections       Enabled

      System/Logon
        Policy                                                      Setting    Comment
        Always wait for the network at computer startup and logon   Enabled

User Configuration (Enabled)
  No settings defined.


What we're seeing is that on many workstations the XP firewall remains
on when they are booted up on the domain, until you run "gpupdate
/force" at which point the firewall switches off.

If you run "gpresult" before running the gpupdate /force Windows shows
the GPO as being applied.

Does anyone have any suggestions please?

We have what I would consider to be a normal, flat network, single
subnet with a 2003 R2 DHCP server i.e. nothing unusual to my mind.

Thanks in advance.
 

Meinolf Weber

Hello usenet,

Check out this one:
Computer Configuration - Administrative Templates - Network - Network Connections
- Prohibit use of Internet Connection Firewall on your DNS domain

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

 

Bruce Sanderson

Windows XP does not have the "Windows Firewall with Advanced Security". Most
of the settings in Computer Configuration, Policies, Windows Settings,
Security Settings, Windows Firewall with Advanced Security settings will be
ignored by Windows XP SP2 computers.

The settings in Computer Configuration, Administrative Templates, Network,
Network Connections, Windows Firewall are for managing the firewall on
Windows XP SP2 computers.

Whether the "Domain" or "Standard" "Profile" will be applied depends on some
DNS settings - this is explained in the article at
http://technet.microsoft.com/en-ca/library/bb878049.aspx.

The experience we had with this when we initially configured the XP Firewall
via GPO is that the XP workstations did not initially correctly determine
whether they were connected to the "managed" (Domain) network or not and
selected the "Standard Profile" even when connected to the office (managed)
network. However, after several restarts, they made the correct
determination and the "Domain Profile" was correctly applied when they were
actually connected to the in office network and the "Standard Profile" when
they were not (e.g. laptops in use out of the office). Unfortunately, we
were never able to determine exactly what was causing the incorrect firewall
selection, but the problem went away by itself after the computers were
restarted several times.

The command

netsh firewall show currentprofile

reports whether the "Domain" or "Standard" profile is in use.

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
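
A diagnostic for the situation described in the reply above, as an added example that is not part of the original thread: a batch file for an XP SP2 workstation that prints the firewall profile in use next to what Group Policy delivers for each profile. The registry path is where the Windows Firewall administrative-template settings are stored; English-language command output is assumed.

```bat
@echo off
rem Added example, not from the thread.
rem Shows which firewall profile this machine selected and what policy
rem sets for "Protect all network connections" in each profile, so a
rem firewall that stays on can be traced to the Standard profile being used.
setlocal
set POLKEY=HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall

echo === Profile currently in use ===
netsh firewall show currentprofile

echo === Protect all network connections, as delivered by policy ===
call :show DomainProfile
call :show StandardProfile

echo === DNS suffixes seen by this machine ===
rem The profile choice depends on DNS settings (see the linked article),
rem so record the suffixes alongside the result.
ipconfig /all | find /i "DNS Suffix"
goto :eof

:show
rem EnableFirewall is a REG_DWORD: 0x1 = Enabled, 0x0 = Disabled.
set VAL=not set by policy
for /f "tokens=3" %%v in ('reg query %POLKEY%\%1 /v EnableFirewall 2^>nul ^| find "EnableFirewall"') do set VAL=%%v
if "%VAL%"=="0x1" set VAL=Enabled, firewall on
if "%VAL%"=="0x0" set VAL=Disabled, firewall off
echo %1: %VAL%
goto :eof
```

Run it once straight after boot and again after "gpupdate /force"; with the GPO from the question, a machine reporting the Standard profile at boot will have its firewall on because that profile is set to Enabled.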



 
