Re: XP SP2 & GPO controlled firewall gets activated for unknown reasons...

From: Michael van Zwieten (mvanzwieten_at_gmail.com)
Date: 12/03/04

    Date: Fri, 3 Dec 2004 11:27:14 -0500
    To: Sullivan Tim P <tim@nativemode.com>
    
    

    Hey Tim... Thanks for writing back...

    My 'Prohibit use of ICF on your DNS Domain Network' setting is set to
    'enabled', and hasn't changed... The firewalls don't disable
    themselves at regular intervals, because we either usually require the
    user to reboot, or if it's particularly stubborn, we would have to
    issue a 'gpupdate /force' command on their machine followed by a
    reboot. One day their machine will be fine... or even fine for
    several days... the next it may be on, the next it may be fine
    again... Although it typically seems to happen with machines that are
    left on for longer periods of time.

    Nothing worth noting in the event viewer...

    All our users are restricted users, and don't have rights to change
    firewall settings, especially since it's being controlled by GPO.

    I did get a response from a fellow from Microsoft, and he advised me
    to turn on the 'Allow ICMP Exceptions' item in the firewall policy...
    He said that this may be the cause because the machine wouldn't be
    able to communicate with AD DCs like they regularly would because
    ICMP is actually used in this process... Mine was disabled at the
    time, so I turned all ICMP rules on. I'm still waiting to see if that
    made any difference...

    Take care,
    Mike

    On Thu, 2 Dec 2004 20:56:45 -0700, Sullivan Tim P <tim@nativemode.com> wrote:
    > Double check the setting for 'Prohibit use of Internet Connection
    > Firewall on your DNS domain network'. If it's at regular intervals that
    > the firewall disables itself, does it coincide with your GPO refresh
    > rate? What do the machine's event viewer logs look like?
    >
    > Also, have you ruled out the user as the one who is changing the
    > settings? A user with administrative rights can change the settings.
    >
    > Tim
    >
    >
    >
    > -----Original Message-----
    > From: Michael van Zwieten [mailto:mvanzwieten@gmail.com]
    > Sent: Thursday, December 02, 2004 12:40 PM
    > To: focus-ms@securityfocus.com
    > Subject: XP SP2 & GPO controlled firewall gets activated for unknown
    > reasons...
    >
    > Hi Everyone,
    >
    > I configured Group Policy to control the XP SP2 Firewall using the
    > standard and domain profiles. In the standard profile, the firewall is
    > on... in the Domain profile, the firewall is off.
    >
    > We have come to find that for some unknown reason, random workstations
    > throughout our organization will simply turn their domain profile off,
    > and turn their firewall on. This makes remote admin/support impossible
    > in our situation...
    >
    > Doing a 'netsh firewall show state' shows that the firewall is on when
    > it should be off, since the workstation is sitting on a LAN hooking into
    > our domain. Rebooting, or doing a 'gpupdate /force' and a reboot, will
    > usually turn the firewall off, and normal operations are resumed...
    > until it randomly drops again, and turns the firewall on.
    >
    > Like others that I'm in contact with have found, this problem only
    > occurs sometimes, not always... and it seems random. When looking at
    > client settings, they are no different from ones that work, to ones that
    > don't work. Nothing in the event log.
    >
    > Apparently SP2 does some sort of network discovery to see if it belongs
    > to the same DNS suffix as the domain it belongs to in AD. The clients
    > aren't dropping off the network, and never lose connection.
    > Clients aren't hibernating, NIC cards aren't going to sleep, etc.
    >
    > Does anyone have any ideas on how to make this GP controlled XP Firewall
    > mess a bit more reliable?
    >
    > Thanks for your help,
    > Mike