Thursday, January 31, 2008

Windows XP firewall exceptions with domain group policy.

The following applies to Windows XP Pro with SP1/SP2.

The long read is on the MS website itself.

The short read follows.

What and where:

To push firewall exceptions to workstations running Windows XP through domain Group Policy, enable the following policy setting:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Define program exceptions
With only this setting enabled, the workstations apply the exceptions listed in the policy; exceptions that were defined locally in the Windows Firewall control panel are not used.

If you want the domain workstations to keep their locally defined Windows Firewall exceptions in addition to the ones applied from the domain, also enable the following setting:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Allow local program exceptions

Both lists are then applied: the domain exceptions list and the locally defined one.
Keep in mind that with "Allow local program exceptions" enabled, local and domain admins can add or change local exceptions on the workstation, but they cannot touch the domain-defined exceptions: those entries are grayed out in the Windows Firewall control panel.

How to:
The following is the syntax for each entry in the "Define program exceptions" policy setting (one entry per line):
Full path to the program:Scope:enabled|disabled:Name
The scope is either * (all networks) or a comma-separated list of IPv4 addresses, subnets in CIDR notation (e.g. 192.168.0.0/16) and/or the keyword localsubnet; keep it as narrow as the program's traffic allows. The name is free text that shows up as the entry's label in the Windows Firewall exceptions list. For example, the eTrust ITM 8.1 agent reachable from the 192.168.0.0/16 network:
C:\Program Files\CA\eTrustITM\Realmon.exe:192.168.0.0/16:enabled:ITM 8.1 monitoring
C:\Program Files\CA\eTrustITM\InoRpc.exe:192.168.0.0/16:enabled:ITM 8.1 remote scan
C:\Program Files\CA\eTrustITM\Shellscn.exe:192.168.0.0/16:enabled:ITM 8.1 remote scan
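Entries are typed into the GPO by hand, and a typo in the subnet mask or the status keyword is easy to miss in the policy editor. The checker below is an added example, not part of the original post and not a Microsoft tool: it splits each entry into path, scope, status and name using the format described above and flags malformed fields, plus a warning for the over-broad scope "*". The sample list is constructed for the example; it contains the three eTrust ITM entries from the post verbatim, one variant with an added localsubnet token, and three hypothetical entries (the %ProgramFiles%\Example and C:\tools paths are made up) that are deliberately broad or broken.

```python
"""Checker for Windows XP SP2 "Define program exceptions" entries.

Each entry has the form  path:scope:status:name  and is typed into the
GPO one per line. This script splits an entry into its fields and flags
the mistakes that are easy to make by hand (bad subnet mask, misspelled
status, relative path) plus one policy warning (scope '*').
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Absolute Windows path: drive letter or an environment-variable root
_ABS_PATH = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z0-9_]+%\\)")


@dataclass
class ProgramException:
    path: str
    scope: str
    status: str
    name: str
    problems: list = field(default_factory=list)   # entry is malformed
    warnings: list = field(default_factory=list)   # entry is valid but broad


def check_scope(scope: str) -> list:
    """Scope is '*' or a comma-separated mix of IPv4 addresses,
    CIDR subnets and the keyword 'localsubnet'. Returns problems found."""
    if scope == "*":
        return []
    problems = []
    for token in scope.split(","):
        token = token.strip()
        if token.lower() == "localsubnet":
            continue
        try:
            if "/" in token:
                ipaddress.IPv4Network(token, strict=False)
            else:
                ipaddress.IPv4Address(token)
        except ValueError:
            problems.append(f"bad scope token {token!r}")
    return problems


def parse_exception(entry: str) -> ProgramException:
    """Split one entry into path, scope, status and name, then check it."""
    head, body = "", entry.strip()
    # The drive colon in 'C:\' must not be treated as a field separator.
    if re.match(r"^[A-Za-z]:\\", body):
        head, body = body[:2], body[2:]
    parts = body.split(":", 3)          # the name (last field) may contain ':'
    if len(parts) != 4:
        return ProgramException(entry, "", "", "",
                                problems=["expected path:scope:status:name"])
    path = head + parts[0]
    scope, status, name = (p.strip() for p in parts[1:])
    exc = ProgramException(path, scope, status, name)
    if not _ABS_PATH.match(path):
        exc.problems.append(f"path is not absolute: {path!r}")
    if status.lower() not in ("enabled", "disabled"):
        exc.problems.append(f"status must be enabled or disabled, got {status!r}")
    exc.problems += check_scope(scope)
    if scope == "*":
        exc.warnings.append("scope '*' exposes the program to every network")
    return exc


def check_entries(text: str) -> list:
    """Parse every non-empty line of a GPO exception list."""
    return [parse_exception(line) for line in text.splitlines() if line.strip()]


# Constructed sample list: the three eTrust ITM entries from the post, one
# variant with localsubnet added, and three hypothetical broad/broken entries.
SAMPLE_ENTRIES = r"""
C:\Program Files\CA\eTrustITM\Realmon.exe:192.168.0.0/16:enabled:ITM 8.1 monitoring
C:\Program Files\CA\eTrustITM\InoRpc.exe:192.168.0.0/16:enabled:ITM 8.1 remote scan
C:\Program Files\CA\eTrustITM\Shellscn.exe:192.168.0.0/16:enabled:ITM 8.1 remote scan
C:\Program Files\CA\eTrustITM\InoRpc.exe:192.168.0.0/16,localsubnet:enabled:ITM 8.1 remote scan (local subnet too)
%ProgramFiles%\Example\agent.exe:*:enabled:Example agent (all networks)
C:\tools\agent.exe:192.168.0.0/33:enabled:bad subnet mask
C:\tools\agent.exe:10.0.0.1:on:misspelled status
"""

if __name__ == "__main__":
    for exc in check_entries(SAMPLE_ENTRIES):
        state = "OK" if not exc.problems else "BAD"
        print(f"{state:3} {exc.path} [{exc.scope}] {exc.problems + exc.warnings}")
```

Run it over the exception list before pasting the list into the policy; a "BAD" line is one the firewall would not apply as intended, and a warning on scope "*" is a reminder to restrict the entry to the subnets that actually need to reach the program.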