Managing Windows Firewall with Advanced Security by Using Group Policy
Updated: December 1, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
To centralize the configuration of large numbers of computers in an organizational network that uses the Active Directory Domain Services (AD DS), you can deploy settings for Windows Firewall with Advanced Security through Group Policy. Group Policy provides access to the full feature set of Windows Firewall with Advanced Security, including profile settings, rules, and computer connection security rules. In fact, you configure Group Policy settings for Windows Firewall with Advanced Security by opening the same snap-in through the Group Policy Management Console. You can also configure Group Policy settings with the netsh advfirewall context by using the set store command to point netsh to a Group Policy object instead of the local computer. Because the domain-member computer requests Group Policy updates, the traffic is therefore solicited and is not dropped by default when Windows Firewall with Advanced Security is enabled (unless the outbound default is configured to block traffic).
When you use Group Policy to configure Windows Firewall with Advanced Security in an organizational network, Group Policy might disable some local Windows Firewall with Advanced Security configuration options, even for local administrators.
In Windows Vista and later versions of Windows, the Network Location Awareness feature provides the flexibility to ensure that Group Policy is correctly applied in different situations. In earlier versions of the Windows operating system, Windows processes Group Policy under the following circumstances:
Computer policies are processed when the Windows operating system starts.
User policies are processed when a user logs on.
Both computer and user policies are refreshed periodically.
In addition to these circumstances, Windows Vista and later versions of Windows also process Group Policy under the following circumstances:
Computer and user policies are processed when a computer establishes a virtual private network (VPN) connection with a remote site.
Computer and user policies are processed when a computer comes out of hibernation or standby mode.
The additional processing helps to ensure that computers obtain the most recent Group Policy settings more frequently and whenever the computer changes connections.
For more information about using Group Policy to deploy Windows Firewall with Advanced Security settings and rules, see Step-by-Step Guide to Deploying Policies for Windows Firewall with Advanced Security (http://go.microsoft.com/fwlink/?linkid=96318).