
Xp firewall on if not in domain

Author
8 Feb 2006 2:15 PM
EysteinHS
Hi,

I wonder if one can use the gpo's in Windows 2003 server to set the client
machines to turn on their firewall (xp sp2) when they are outside the domain,
and turn it off when the computer is back in the domain again?
In case it's possible, how does one do that?
--
EysteinHS

Author
8 Feb 2006 2:41 PM
SixHouse
If you're not logging on to the domain then obviously GPOs won't apply.


"EysteinHS" <Eystei***@discussions.microsoft.com> wrote in message
news:E4C86F3B-0209-45CD-958B-39A947551A00@microsoft.com...
> Hi,
>
> I wonder if one can use the gpo's in Windows 2003 server to set the client
> machines to turn on their firewall (xp sp2) when they are outside the
> domain,
> and turn it off when the computer is back in the domain again?
> In case it's possible, how does one do that?
> --
> EysteinHS
Author
8 Feb 2006 5:09 PM
Gareth Saunders
Hi there

I'm not too sure if it is possible, but once the windows firewall is turned
on via a gpo, as long as the user does not have administrative rights, it is
almost impossible for them to turn it off when outside of the domain.

To what end are you trying to enable the firewall when the users are outside
of the domain? If it's to stop them connecting to another ISP and surf the
web etc, I've found the simplest solution is simply to add your own DNS
servers via the GPO. Even if they do connect, they cannot browse anything.

Regards

Gareth Saunders
BOFH

"EysteinHS" wrote:

> Hi,
>
> I wonder if one can use the gpo's in Windows 2003 server to set the client
> machines to turn on their firewall (xp sp2) when they are outside the domain,
> and turn it off when the computer is back in the domain again?
> In case it's possible, how does one do that?
> --
> EysteinHS
Author
8 Feb 2006 9:39 PM
Edog
EysteinHS wrote:
> Hi,
>
> I wonder if one can use the gpo's in Windows 2003 server to set the client
> machines to turn on their firewall (xp sp2) when they are outside the domain,
> and turn it off when the computer is back in the domain again?
> In case it's possible, how does one do that?

Windows 2K3 has GPO settings for Domain and Standard. My understanding
is that the Domain settings apply for machines that are connected
directly and logging on to the domain, whereas the Standard is for
remote users (laptops) for when they are not directly connected to the
domain. Haven't tested that yet, so don't know how well it works or what
mechanism determines whether the machine is connected or remote. See
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/fwgrppol.mspx
for more info.
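
A way to check, on an XP SP2 client, what the Domain and Standard profile settings mentioned in the post above resolve to once Group Policy has applied. This is an added example, not part of the thread; it assumes the GPO writes the `EnableFirewall` policy value under `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile` and `...\StandardProfile`, and the script and label names are illustrative.

```batch
@echo off
rem Added example (not from the thread): report the Windows Firewall state
rem that Group Policy has set for the Domain and Standard profiles, then show
rem which profile the machine is using right now.
setlocal
set "BASE=HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall"

call :show DomainProfile
call :show StandardProfile

echo.
echo Active profile and operational mode as reported by netsh:
netsh firewall show state | findstr /i "Profile Operational"
endlocal
goto :eof

:show
rem %1 is the profile subkey name. EnableFirewall is a REG_DWORD:
rem 0x1 = firewall forced on, 0x0 = forced off, absent = not set by policy.
set "VAL="
for /f "tokens=3" %%v in ('reg query "%BASE%\%1" /v EnableFirewall 2^>nul ^| findstr /i "EnableFirewall"') do set "VAL=%%v"
if not defined VAL (
  echo %1: EnableFirewall not set by policy
) else if "%VAL%"=="0x1" (
  echo %1: firewall forced ON by policy
) else (
  echo %1: firewall forced OFF by policy
)
goto :eof
```

For the behaviour asked about in the original question, the expected result is DomainProfile forced OFF and StandardProfile forced ON, with the `Profile` line changing between `Domain` and `Standard` as the laptop moves between networks.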
Author
11 Feb 2006 4:03 AM
Cary Shultz
Here is a thought:

Since the pecking order is Local, Site, Domain and then OU why not set that
local policy on the system (gpedit.msc) to be on but then set a 'Domain'
based GPO (probably you would link this GPO to the OU in which the computer
account objects would physically reside...or link this GPO to the domain
level and use security group filtering) that turns it off.

This way, at least in theory, when the system is simply part of a workgroup
(read: not in the domain) the local policy will be in effect but once the
system is joined to the domain (and placed in the correct container) the
domain level GPO will apply.

Now, these are .adm files so there is probably some registry tattooing going
on.  This might cause a problem.

--
Cary W. Shultz
Roanoke, VA  24012

"EysteinHS" <Eystei***@discussions.microsoft.com> wrote in message
news:E4C86F3B-0209-45CD-958B-39A947551A00@microsoft.com...
> Hi,
>
> I wonder if one can use the gpo's in Windows 2003 server to set the client
> machines to turn on their firewall (xp sp2) when they are outside the
> domain,
> and turn it off when the computer is back in the domain again?
> In case it's possible, how does one do that?
> --
> EysteinHS