How to deploy Windows Firewall using Group Policy

When managing a larger network environment, network security is often the most energy-consuming link. Take the firewall configured with Windows XP SP2, if let network management for the network of computers to configure each, the workload will be very large, and in the details of the configuration is also prone to error. So, how can we improve the efficiency of firewall configuration in large-scale environment?

Windows Firewall is an extremely important security design in Windows XP SP2 that can effectively help us complete the security management of our computers. Today, I will show you how to use Group Policy (groups Policy) in the computer room to centrally deploy Windows Firewall, to improve the efficiency of configuring firewalls for computers in the network.

Why do you want to centrally deploy

First, we want to understand what Group Policy does to Windows Firewall. Group Policy can determine whether local administrator-level users can make various settings for Windows Firewall and decide which features of Windows Firewall are "disabled" or "allowed" ...

Obviously, these several functions just can cooperate with the domain function to carry on the security management of the engine room, this lays the foundation for the Group Policy to be able to bulk deploy the Windows Firewall of the room. At this point, all client Windows Firewall application permissions will be unified to the domain administrator, and any local administrator settings for Windows Firewall will be under the Domain Admins approval. In addition, domain administrators can use Group Policy to complete the Windows Firewall configuration of all clients without having to do it on a per-platform basis.

Deploying firewalls with Group Policy

Now that we understand the benefits of centralizing deployment, let's step through it. Please take a look at the test environment of this article "Windows Server 2003 domain Server +windows XP SP2 client". This article describes how to perform a centralized deployment of Windows Firewall for all clients that have Windows XP SP2 installed on a client (Windows XP SP2) in a computer room managed by a Windows Server 2003 domain server.

Tip: Why not create and configure Group Policy on a domain server, but run it on a client computer? It is easy to understand that Windows Server 2003 operating system (Chinese version) does not yet have Windows Firewall, so it cannot be configured. However, this will be completely resolved with the introduction of the Chinese official version of Windows Server 2003 SP1.

ok! Now let's start the actual operation. First, enter the "MMC" command in the Windows XP SP2 client's Run bar and return to, in the Open Console window, click file → add/Remove snap-in, and then add Group Policy Object Editor.

In the pop-up Welcome Group Policy Wizard Interface, click the Browse button and right-click in the blank space in the Browse Group Policy Objects window, select New from the pop-up menu, and name "firewall" to return to the console window.

Tip: The client's current logon account must have administrator privileges before a new GPO (Group Policy object) can be created. Therefore, the temporary solution to this problem is to add the client's account to the Administrators group in DC, then the client temporarily logs on to the system with the Administrator account and makes the GPO configuration.

After you return to the console window, you can see the domain profile and standard profile two policy subsets in the firewall policy set (Figure 1). The domain profile is used primarily in a network that contains a domain DC, that is, when the host is connected to the corporate network, and the standard profile is used for use in a Non-domain network.

Figure 1

Obviously, we need to make policy settings in the domain configuration file. Here's a quick way to make a security configuration of a child policy:

Protect all network connections: enabled, which forces the client to enable Windows Firewall and is not affected by the client local policy.

No exceptions are allowed: Not configured; This allows the client to schedule itself.

Define program exceptions: Enabled, that is, to define excepted traffic by program file name, so you can centrally configure network programs that are allowed to run in the computer room.

Allow local program exceptions: disabled; If disabled, the Exception Settings section of Windows Firewall will be grayed out.

Allow remote administration exceptions: Disabled; If the client is not allowed to administer remotely, disable.

Allow file and Printer sharing exceptions: disabled; If some clients have shared resources that need to be applied, they should be enabled.

Allow ICMP exception: disabled; If you want to use the ping command, you must enable it.

Allow Remote Desktop exception: disabled; that is, shutting down the client can accept the connection request feature based on Remote Desktop.

Allow UPnP framework exceptions: Disabled; The UPnP message that prevents the client from receiving garbage.

Block notification: Disabled.

Allow logging: Not configured; Allow logging of traffic and configure log file settings.

To block unicast responses to multicast or broadcast requests: enabled; that is, to discard unicast packets that are received because of multicast or broadcast request messages.

Define port exceptions: Enabled, and specify excepted traffic according to TCP and UDP ports.

Allow local port exceptions: Disabled; The client administrator is prevented from making the port exception configuration.

Now let's go through the "Define port exceptions" entry to describe how to configure it. First, in the Domain profile settings area, double-click Windows Firewall: Define port exceptions, click enabled → show in the Properties window that pops up, and Add. Next, enter the port information (such as "80:tcp:*:enabled:webtest") that you want to block or enable, using the format "Port:transport:scope:status:name".

Tip: Port refers to the number of ports; transport refers to a list of computers in TCP or udp;scope that represent all systems or allowed access ports, which is enabled or disabled, and name is the text string used as the label for this entry.

After you complete the above settings, save the policy as "firewall" file. Now, a very important step is to run the Gpupdate/force command in the Command Prompt window to force Group Policy settings to apply to computers that are already logged on in the domain network

Verifying deployment effects

When you are finished refreshing Group Policy, let's take a look at whether Windows Firewall in this computer responds to the policy. Because the "Allow local program exceptions" item has previously been defined as "disabled," the exception setting for Windows Firewall is partially shaded by this definition. Now, let's turn on the Windows Firewall in this computer and see that the disabled part is grayed out, which means that the computer has responded to Group Policy settings.

Next, let's see if the DC responds to Group Policy. In the Run field of the DC server, enter the "dsa.msc" command and return to the Active Directory window, and then enter the Properties window for "shyzhong.com" (Please select according to the actual situation). In the Group Policy tab section you can see that the saved firewall has automatically appeared in the list. If it does not appear, you can add it manually (Figure 2).

Figure 2

By this step, you can see that the entire setting is successful. After that, any computer in the domain that uses Windows XP SP2 will automatically download the settings for Windows Firewall and begin to apply if it logs on to the domain. At this point, the entire computer room Windows Firewall configuration operation successfully completed.

It is not complicated to deploy SP2 firewalls with Group Policy centralization, but the effect is once and for all. You will find that Group Policy is a great helper for centralizing the management of network security.