
Considerations When Managing Windows Firewall Using Group Policy

The following considerations should be kept in mind when managing Windows Firewall using Group Policy:

  • The state of each firewall profile in the firewall policy of a GPO is initially Not Configured. A Not Configured state setting has no effect on targeted computers: whatever state a profile has locally is the state it keeps after Group Policy processing. For example, if the domain profile of Windows Firewall on a targeted computer is enabled, it remains enabled after Group Policy processing; if it is disabled, it remains disabled. In particular, if a local administrator turns off Windows Firewall on a targeted computer, it stays off even after Group Policy has been applied to that computer. Therefore, if you want to ensure that the firewall policy in the GPO is actually enforced on targeted computers, you must explicitly enable the firewall profiles in the policy. To do this, open the GPO in the Group Policy Management Editor, expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security, and right-click the following policy node:
    Windows Firewall with Advanced Security - LDAP://CN={GUID},CN=POLICIES,CN=SYSTEM,DC=domain_name,DC=COM
    Select Properties from the context menu, and on each profile tab (Domain Profile, Private Profile, and Public Profile), change the Firewall State policy setting from Not Configured to On (Recommended).
  • The default inbound and outbound actions for each firewall profile in the firewall policy of a GPO are also initially Not Configured. Therefore, if you want firewall rules to be processed as expected when targeted computers apply the GPO, you should configure the desired default actions in the policy. To do this, right-click the policy node described above and select Properties from the context menu. Then on each profile tab (Domain Profile, Private Profile, and Public Profile), change the Inbound Connections and Outbound Connections policy settings to the values you want to use. Typically these are Inbound Connections: Block (default) and Outbound Connections: Allow (default), so that unsolicited inbound traffic is dropped unless an inbound rule allows it, and outbound traffic is permitted unless an outbound rule blocks it.
    Note that if multiple firewall-policy GPOs target the same computer and each configures different default actions, the default actions from the GPO with the highest precedence apply. Note also that if you set Outbound Connections to Block and deploy that policy through a GPO, the computers that receive it stop receiving subsequent Group Policy updates unless the GPO also carries outbound rules that allow Group Policy traffic. The predefined Core Networking rule group includes the outbound rules that Group Policy needs; make sure those outbound rules are enabled in the same GPO, and test each firewall profile thoroughly before deploying an outbound-block policy.
  • By default, rule merging is enabled between local firewall policy on Windows 7 computers and firewall policy specified in GPOs that target those computers. This means that local administrators can create their own firewall and connection security rules on their computers, and these rules will be merged with the rules obtained through Group Policy targeting the computers. Rule merging can be enabled or disabled on a per-GPO, per-profile basis by opening the Properties of the policy node described previously, selecting a firewall profile, and clicking Customize under Settings. Then under Rule Merging in the Customize Settings For The firewall_profile dialog box, change the Apply Local Firewall Rules and/or Apply Local Connection Security Rules policy settings from Not Configured to Yes (Default) or No.
    To ensure that only GPO-supplied rules are applied to computers targeted by the GPO and that locally defined rules on the computers are ignored, change these two policy settings from Not Configured to No. If you decide to leave rule merging enabled in the firewall policy of a GPO by configuring these two policy settings as either Yes (Default) or Not Configured, you should explicitly configure all firewall policy settings that may be needed by the targeted computers including firewall and IPsec settings, firewall rules, and connection security rules. Otherwise, any policy settings that you leave unconfigured in the GPO can be overridden by the local administrator on the targeted computer by using the Windows Firewall with Advanced Security snap-in or the Netsh command.
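The three considerations above, carried through as one added example that is not code from the original page: the equivalent netsh advfirewall commands, run from an elevated PowerShell session on an administrative workstation that has the Group Policy management tools installed, pointed at a domain GPO store. The domain name contoso.com and the GPO name WorkstationFirewallPolicy are assumptions, and the GPO must already exist. The commands at the end are run on a targeted Windows 7 computer to confirm what the firewall is actually enforcing.

```powershell
# Added example, not code from the original page. Assumed values: the domain
# and GPO name; the GPO must already exist. Run elevated, as a user who can
# edit the GPO.
$domain  = 'contoso.com'                 # assumption
$gpoName = 'WorkstationFirewallPolicy'   # assumption
$store   = "gpo=$domain\$gpoName"

# Redirect netsh advfirewall from the local policy store to the GPO store;
# every command that follows in this session edits the GPO, not this machine.
netsh advfirewall set store $store

# Consideration 1: Firewall State is Not Configured in a new GPO, so a local
# admin who turned the firewall off stays off. Force all three profiles On.
netsh advfirewall set allprofiles state on

# Consideration 2: the default actions are also Not Configured. Block
# unsolicited inbound traffic, allow outbound (the shipped defaults).
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# If you choose blockoutbound instead, enable the predefined Core Networking
# outbound rules in the same GPO first, or clients that receive the policy
# lose the ability to fetch later Group Policy updates:
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
#   netsh advfirewall firewall set rule group="Core Networking" dir=out new enable=yes

# Consideration 3: rule merging defaults to Yes, so firewall and connection
# security rules created by a local admin are merged with the GPO's rules.
# Tell targeted computers to ignore locally defined rules of both kinds.
netsh advfirewall set allprofiles settings localfirewallrules disable
netsh advfirewall set allprofiles settings localconsecrules disable

# Review what the GPO now contains before linking it, then return netsh to
# the local store so later commands in this session do not edit the GPO.
netsh advfirewall show allprofiles
netsh advfirewall set store local

# --- On a targeted Windows 7 computer, after the GPO has been linked ---
# Pull the policy now rather than waiting for the refresh interval, confirm
# the GPO is listed as applied, and read the effective profile settings,
# which reflect the GPO plus any merged local policy rather than the local
# store alone.
gpupdate /target:computer /force
gpresult /scope computer /r
netsh advfirewall monitor show currentprofile
```

If the monitor output still shows the firewall off or local rules active on a client, check the gpresult listing first: a GPO that is not applied at all (wrong link, security filtering, WMI filter) looks exactly like a GPO whose settings were left Not Configured.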

More Info See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at http://technet.microsoft.com/en-us/library/cc732400.aspx, for a walkthrough of how to deploy firewall and connection security rules using Group Policy.

Note For faster processing of GPOs that are used only for applying firewall policy to targeted computers, disable the User portion of the GPO using the GPMC.


In this tutorial:

  1. Configuring Windows Firewall and IPsec
  2. Understanding Windows Firewall with Advanced Security
  3. Improvements to Windows Firewall Introduced Previously in Windows Vista
  4. Additional Improvements to Windows Firewall in Windows 7
  5. Understanding the Windows Filtering Platform
  6. Windows Firewall and the Startup Process
  7. Understanding Windows Service Hardening
  8. Understanding Service SIDs
  9. Windows Firewall and WSH
  10. Windows Firewall and Service Triggers
  11. Understanding Multiple Active Firewall Profiles
  12. Understanding Rules
  13. Understanding Firewall Rules
  14. Inbound vs. Outbound Rules
  15. Allow vs. Block Rules
  16. Allow If Secure Rules
  17. Authenticated Bypass Rules
  18. Filtering Conditions for Firewall Rules
  19. Understanding Connection Security Rules
  20. Types of Connection Security Rules
  21. Supported IPsec Settings for Connection Security Rules
  22. Default IPsec Settings for Connection Security Rules
  23. Windows Firewall and Windows PE
  24. Understanding Default Rules
  25. Understanding WSH Rules
  26. Understanding Rules Processing
  27. Managing Windows Firewall with Advanced Security
  28. Tools for Managing Windows Firewall with Advanced Security
  29. Managing Windows Firewall Using Control Panel
  30. Managing Windows Firewall Using the Windows Firewall with Advanced Security Snap-in
  31. Managing Windows Firewall Using Group Policy
  32. Considerations When Managing Windows Firewall Using Group Policy
  33. Managing Windows Firewall Using the Netsh Command
  34. Common Management Tasks
  35. Enabling or Disabling Windows Firewall
  36. Configuring Firewall Profiles and IPsec Settings by Using Group Policy
  37. Creating and Configuring Firewall Rules
  38. Creating and Configuring Connection Security Rules
  39. Monitoring Windows Firewall
  40. Troubleshooting Windows Firewall
  41. Troubleshooting Windows Firewall Using Firewall Logs
  42. Troubleshooting Windows Firewall Using Event Logs
  43. Troubleshooting Windows Firewall Using Auditing
  44. Troubleshooting IPsec Issues Using Netsh Wfp
  45. Troubleshooting Windows Filtering Platform and IPsec Issues Using Netsh Trace