GPO_DOMISO_Firewall_2003_XP

Applies To: Windows Server 2008, Windows Server 2008 R2

This GPO is authored by using the Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall section in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server computers that are running either Windows Server 2003 or Windows XP.

This GPO provides the following settings and rules:

  • Most of the Windows Firewall settings described in this section are applied to both the domain and standard profiles. However, settings that prevent users from adding their own rules are enabled on the standard profile, but disabled on the domain profile. The ability to add local rules is typically required when the user is not on the organization's network.

  • The firewall is enabled and configured by modifying the settings shown in the following table.

    Setting                                            Domain Profile                                Standard Profile
    ------------------------------------------------   -------------------------------------------   ----------------
    Allow local program exceptions                     Disabled                                      Not configured
    Protect all network connections                    Enabled                                       Enabled
    Do not allow exceptions                            Disabled                                      Disabled
    Allow inbound file and printer sharing exception   Enabled, with address set to 192.168.0.0/16   Not configured
    Allow ICMP exceptions                              Enabled, all check boxes selected             Not configured
    Prohibit notifications                             Enabled                                       Not configured
    Allow local port exceptions                        Disabled                                      Not configured
    Allow inbound remote administration exception      Enabled, with address set to 192.168.0.0/16   Not configured
    Allow inbound Remote Desktop exceptions            Enabled, with address set to 192.168.0.0/16   Not configured
    Allow inbound UPnP framework exceptions            Enabled, with address set to 192.168.0.0/16   Not configured

Note

By setting Allow local program exceptions and Allow local port exceptions to Disabled, and by setting Prohibit notifications to Enabled, you block users from manually allowing new programs. Therefore, you must define any required firewall exception rules for programs by adding them to this GPO. We recommend that you do not enable these settings until you have tested all your applications, created the required rules, and tested the resulting rules in a test lab and then on a set of pilot computers.

  • An inbound program exception to allow traffic for the WGBank Dashboard program is assigned to the domain profile only, with the following text added:

    %ProgramFiles%\WGBank\Dashboard.exe:192.168.0.0/16:Enabled:WGBank Dashboard
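Because the note above makes the GPO the only place program exceptions can be defined, a typo in an entry silently leaves the application blocked until someone reads the client's firewall log. The following checker is an added example, not part of this guide or of any Microsoft tool: it parses entries in the path:scope:status:name form shown above, rejects malformed scopes (for instance a backslash where the CIDR slash belongs), and confirms that every scope stays inside the 192.168.0.0/16 range the other exceptions in this GPO use. The sample entries are constructed; that the scope field may be a comma-separated list of addresses, CIDR or address/mask subnets, or the keyword localsubnet is an assumption of the example.

```python
import ipaddress

# Added example: validator for Windows Firewall (XP SP2 / Server 2003)
# "Define program exceptions" entries of the form  <path>:<scope>:<status>:<name>.
# The accepted scope grammar (comma-separated IPv4 addresses, CIDR or address/mask
# subnets, 'localsubnet', or '*') is an assumption of this example.

SCOPE_ANY = "*"
STATUSES = {"enabled", "disabled"}


class ExceptionEntryError(ValueError):
    """Raised when an entry does not match the expected format."""


def parse_scope(scope):
    """Return '*' or a list of IPv4Network objects / the keyword 'localsubnet'."""
    scope = scope.strip()
    if scope == SCOPE_ANY:
        return SCOPE_ANY
    items = []
    for raw in scope.split(","):
        item = raw.strip()
        if not item:
            raise ExceptionEntryError("empty scope item")
        if item.lower() == "localsubnet":
            items.append("localsubnet")
            continue
        try:
            # IPv4Network accepts CIDR (10.0.0.0/8), address/mask (10.0.0.0/255.0.0.0)
            # and a bare address (treated as /32). A backslash is not a separator,
            # so '192.168.0.0\16' fails here.
            items.append(ipaddress.IPv4Network(item, strict=False))
        except ValueError as exc:
            raise ExceptionEntryError(f"invalid scope item {item!r}") from exc
    return items


def parse_program_exception(entry):
    """Parse one 'path:scope:status:name' entry into a dict.

    The path may contain a drive colon (C:\\...), so fields are split from the
    right; a display name containing ':' is not supported (assumption)."""
    parts = entry.rsplit(":", 3)
    if len(parts) != 4:
        raise ExceptionEntryError(f"expected 4 colon-separated fields, got {len(parts)}")
    path, scope, status, name = (p.strip() for p in parts)
    if not path:
        raise ExceptionEntryError("empty program path")
    if status.lower() not in STATUSES:
        raise ExceptionEntryError(f"status must be Enabled or Disabled, got {status!r}")
    if not name:
        raise ExceptionEntryError("empty display name")
    return {
        "path": path,
        "scope": parse_scope(scope),
        "enabled": status.lower() == "enabled",
        "name": name,
    }


def scope_within(scope, boundary):
    """True if every explicit network in scope lies inside boundary.

    '*' and 'localsubnet' count as outside: neither is bounded by an address
    range the GPO author controls."""
    if scope == SCOPE_ANY:
        return False
    return all(item != "localsubnet" and item.subnet_of(boundary) for item in scope)


def check_entries(entries, boundary):
    """Return (entry, problem) pairs; problem is None when the entry is acceptable."""
    results = []
    for entry in entries:
        try:
            parsed = parse_program_exception(entry)
        except ExceptionEntryError as exc:
            results.append((entry, str(exc)))
            continue
        if scope_within(parsed["scope"], boundary):
            results.append((entry, None))
        else:
            results.append((entry, f"scope not within {boundary}"))
    return results


# Constructed sample entries: the guide's WGBank Dashboard rule, the same rule
# with a backslash where the CIDR slash belongs, and one whose scope spills
# past the isolation boundary.
SAMPLE_ENTRIES = [
    r"%ProgramFiles%\WGBank\Dashboard.exe:192.168.0.0/16:Enabled:WGBank Dashboard",
    r"%ProgramFiles%\WGBank\Dashboard.exe:192.168.0.0\16:Enabled:WGBank Dashboard",
    r"C:\Tools\Agent.exe:192.168.0.0/16,10.0.0.0/8:Enabled:Monitoring Agent",
]
BOUNDARY = ipaddress.IPv4Network("192.168.0.0/16")  # range used by this GPO's exceptions

if __name__ == "__main__":
    for entry, problem in check_entries(SAMPLE_ENTRIES, BOUNDARY):
        print("OK " if problem is None else "BAD", entry, "" if problem is None else f"-> {problem}")
```

Run it against the exception list before the GPO leaves the test lab; the second sample entry is the kind of mistake that passes the Group Policy editor's text box unchallenged but never matches traffic on the client.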
