Re: Windows Firewall Turned on Automatically

From: Torgeir Bakken (MVP) (Torgeir.Bakken-spam_at_hydro.com)
Date: 09/26/05


Date: Mon, 26 Sep 2005 18:27:56 +0200

Dave Petzel wrote:
> Windows Firewall Has Two Profiles Domain and Standard. This allows you to
> have different configurations depending if the computer is on its home domain
> or not. GPO is ineffective as a result of this because we want the firewall
> on for the standard profile and off for the domain profile. With the machine
> not detecting the correct profile it renders GPO useless.
>
Hi,

Note that in some cases the Standard Profile will be used even
if the computers are connected to the domain. This will happen
if the last-received Group Policy update DNS name does not match any
of the connection-specific DNS suffixes of the currently connected
connections on the computer. In this case, the non-domain settings
will be used.

From
The Cable Guy - May 2004
Network Determination Behavior for Network-Related Group Policy Settings
http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

<quote>
To apply this behavior to Windows Firewall settings:

* If the connection-specific DNS suffix of a currently connected
  connection on the computer that is not PPP or SLIP-based (such as
  an Ethernet or 802.11 wireless network adapter) matches the value
  of the
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
  registry entry, Windows Firewall uses the domain profile.

* If the connection-specific DNS suffix of a currently connected
  connection on the computer that is not PPP or SLIP-based does not
  match the value of the
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
  registry entry, Windows Firewall uses the standard profile.

You can determine the connection-specific DNS suffixes of the
currently connected connections on the computer from the display
of the ipconfig command issued from a command prompt.

</quote>

Read the Cable Guy article for more about this.

-- 
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
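
Added example (not part of the original post or the Cable Guy article): a small Python check that applies the quoted rule to `ipconfig` output, to show why a machine can land in the standard profile, for instance when only a VPN (PPP) connection carries the domain suffix. The sample output and the `example.*` names are constructed; `network_name` stands for the value read from the `NetworkName` registry entry. Taking the adapter type from the section header and comparing names case-insensitively are assumptions.

```python
import re

# Constructed sample in the layout of `ipconfig` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home.example.net
        IP Address. . . . . . . . . . . . : 192.168.1.20

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected

PPP adapter Work VPN:

        Connection-specific DNS Suffix  . : corp.example.com
"""

HEADER = re.compile(r"^(\S.*?) adapter (.+):\s*$")
SUFFIX = re.compile(r"^\s+Connection-specific DNS Suffix[ .]*:\s*(\S*)\s*$")


def parse_connections(ipconfig_text):
    """Return one dict per adapter section: type, name, suffix, connected."""
    conns = []
    for line in ipconfig_text.splitlines():
        m = HEADER.match(line)
        if m:
            conns.append({"type": m.group(1), "name": m.group(2),
                          "suffix": "", "connected": True})
        elif conns and "Media disconnected" in line:
            conns[-1]["connected"] = False
        elif conns and (s := SUFFIX.match(line)):
            conns[-1]["suffix"] = s.group(1)
    return conns


def expected_profile(ipconfig_text, network_name):
    """Quoted rule: a connected, non-PPP/SLIP suffix equal to NetworkName."""
    want = network_name.strip().rstrip(".").lower()
    for c in parse_connections(ipconfig_text):
        if not c["connected"] or c["type"].upper() in ("PPP", "SLIP"):
            continue
        # Assumption: DNS names compare case-insensitively, trailing dot ignored.
        if want and c["suffix"].rstrip(".").lower() == want:
            return "domain"
    return "standard"
```

With the sample above, a `NetworkName` of `corp.example.com` yields the standard profile because the only matching suffix is on the PPP connection, which the rule excludes.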

