Question

AlexMcFarland-2053 asked:

Turn on Windows Firewall when off domain via GP- not working

Hi,

I would like to configure a setting for all laptops in my organization where the Windows Firewall turns on when the laptop is out of our network/cannot reach a domain controller. I thought I could do this via group policy and local security policy, but it doesn't seem like it is working. From my understanding this is how precedence takes place by default: Local → site → Domain → OU → Child OU. I think that I am misunderstanding how this works so any help would really be appreciated.

I configured the local security policy as follows, very basic for now when I am testing, just turn on the firewall for private and public profiles:

[image: 11033-image.png]

and I thought that it would "switch over" when the machine connected to a private or public network. I am using a jetpack hotspot to test with (external Verizon network) and I can clearly see in control panel that the firewall for all 3 profiles is still turned on, and that it is because of the organization's policy still being applied (domain policy I am assuming?):

[image: 11016-image.png]

Here the laptop is connected to my jetpack hotspot (cannot see domain controllers or our network at all when it's connected to this hotspot), I see a local policy is being applied via gpresult, note I did not remove this from the domain rather I connected it to a private network with the jetpack hotspot:

[image: 10969-image.png]

This is how I defined the local policy:

[image: 10974-image.png]

[image: 10995-image.png]

Maybe it is just my understanding that is incorrect and this actually cannot work the way that I want it to.

I also tested one more thing - I removed the laptop from the domain entirely and put it on a workgroup to see what would happen. Once I rebooted and checked the firewalls again, I noticed that they turned on as they are supposed to.

I think that this is what is happening: When the laptop is enrolled in our domain & on a private network where it cannot communicate w/ our DCs, the domain profile still overrides the local security settings even when it's not connected to our domain network (when it's connected to any other private/public network). This makes sense from a security standpoint - you wouldn't want a user to walk out of your organization and be able to configure these local policies (hence protected local admin account that is not given to users) nor have the fine-grained policies of your domain disappear. I think I am starting to understand this but I would love to read more resources and opinions from anyone with some experience. I also am looking into Microsoft's DirectAccess as we have valid enterprise licenses for Windows 10 and Server 2012 R2/2016/2019. I looked into a VPN client of some sort, but I think I may run into authentication issues doing that and I kind of do not want these laptops having a back-end way into my domain network. My hope and end goal is to add extra layers of security besides anti-virus to protect and manage mobile devices when they are not within our network. Thank you so much!
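The screenshots above compare the firewall state in Control Panel against the local security policy editor, which does not show where each setting actually comes from. The following PowerShell script is an added example (not part of the original question) that makes that visible: it lists which network category Network Location Awareness assigned to each connection, then reads the per-profile firewall state from three policy stores of the NetSecurity module (ActiveStore, the local GPO `localhost`, and the merged `RSOP`), and finally runs the same `gpresult` the poster used, scoped to the computer. It assumes Windows 10 with the built-in NetSecurity module and an elevated session; the `Store` column name is a label chosen here, not a module property.

```powershell
# Added example, not from the original post.
# Run from an elevated PowerShell on the laptop while it is on the hotspot.

# 1. What does NLA think each adapter is connected to?
#    A domain-joined laptop that cannot reach a DC should report
#    Private or Public here, not DomainAuthenticated.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity |
    Format-Table -AutoSize

# 2. Compare the firewall profile state across policy stores:
#    ActiveStore = what is enforced right now
#    localhost   = the local GPO (what was edited in the local policy editor)
#    RSOP        = resultant set of policy after domain GPOs are merged
#    "NotConfigured" in a GPO store means that store does not set the value;
#    a value present in RSOP but absent in localhost is coming from a domain GPO.
$stores = 'ActiveStore', 'localhost', 'RSOP'
$profileState = foreach ($store in $stores) {
    Get-NetFirewallProfile -PolicyStore $store |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}
$profileState | Sort-Object Name, Store | Format-Table -AutoSize

# 3. Which GPOs were applied to the computer (cached domain policy is still
#    listed even when no DC is reachable, which is why the domain settings persist).
gpresult /scope computer /r
```

Read the output by profile: if the Public and Private rows show `Enabled = True` in both `RSOP` and `ActiveStore` but `NotConfigured` in `localhost`, the setting is being supplied by a domain GPO rather than by the local policy, which is consistent with the precedence order the question describes.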


1 Answer

LeonLaude answered:

Hi,

Group Policy is currently not supported in the Q&A forums, the supported products are listed over here https://docs.microsoft.com/en-us/answers/products (more to be added later on).

You can ask the experts in the dedicated Group Policy forum over here:
https://social.technet.microsoft.com/Forums/en-us/home?forum=winserverGP

(Please don't forget to accept helpful replies as answer)

Best regards,
Leon


AlexMcFarland-2053 commented: Thank you, moved my question over there.