3.12.2013

Group Policy to Disable Windows Firewall on Domain


Re-posting of several articles pertaining to Group Policy settings for Windows Firewall.
http://www.lansweeper.com/kb/6/firewall.html
http://www.techrepublic.com/blog/datacenter/disable-uac-for-windows-servers-through-group-policy/3709
http://www.404techsupport.com/2012/10/use-group-policy-to-allow-ping-and-remote-management-on-windows-7/


Because a firewall should prevent ping from outside the network, and administrator access is needed to use management tools like Remote Registry, the hidden admin share (C$), and Computer Management of another computer, the policy change should be relatively safe while allowing more predictable remote access.



There, you want to enable the "Windows Firewall: Allow ICMP exceptions" and "Windows Firewall: Allow inbound file and printer sharing exception" settings.
Under Allow inbound file and printer sharing, you can specify the network range where requests should be allowed. You can use an * (asterisk) to allow any network or specify IP addresses or subnets.
For "Allow ICMP exceptions", to allow only ping, check the “Allow inbound echo request” box.
After the policy takes effect on your clients (or force it by running ‘gpupdate /force’), you will be able to ping them and reach them with remote management tools.


Go to Start > Administrative Tools > Policies
Select the policy to edit (usually the default policy), right-click and choose “edit”.
Go to Administrative Templates > Network > Network connections > Windows Firewall > Domain Profile.
Disable the “Protect All Network connections” rule. This can also be done on the “Standard Profile”.

In the Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security area of Group Policy, rules can be set for a computer account for each of the profile types (Public, Private, and Domain).


How to configure the Windows Firewall using group policies

Last updated on November 24 2012
The easiest way to configure the Windows Firewall is to use group policies. (Requires an Active Directory domain.)

You need to change the Windows Firewall domain policy (this policy applies to computers when they are connected to your domain).

After creating the policy it can take several hours before it takes effect on your workstations.



The setting that you need to enable is "Windows Firewall: Allow remote administration exception".

You can choose "*" for all machines or just the IP address of your Lansweeper server.



To verify that the policy is applied on a workstation, you can use the "netsh firewall show state" command:
C:\>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile = Domain
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Enable

Please read this TechNet article about problems when the domain profile is not working: http://technet.microsoft.com/en-ca/library/bb878049.aspx

To view which GPOs are applied to the client, you can use the gpresult.exe command.
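
The verification step above, scripted as an added example (not part of the original articles): it parses "netsh firewall show state" output into key/value pairs and reports every setting that differs from the values in the sample output shown on this page. The function names, $Expected and $UseLiveOutput are assumptions, the sample is constructed, and English-language output is assumed.

```powershell
# Added example: parse "netsh firewall show state" output and compare it
# with the values the domain policy is expected to produce.
# Function and variable names are assumptions made for this example.
function ConvertFrom-NetshFirewallState {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Keep only "Key = Value" rows; the heading and separator rows are skipped.
        if ($line -match '^\s*([^=]+?)\s*=\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-FirewallState {
    param([hashtable]$State, [hashtable]$Expected)
    foreach ($key in $Expected.Keys) {
        $actual = if ($State.ContainsKey($key)) { $State[$key] } else { '<missing>' }
        if ($actual -ne $Expected[$key]) {
            # One object per setting that does not match.
            [pscustomobject]@{ Setting = $key; Expected = $Expected[$key]; Actual = $actual }
        }
    }
}

# Expected values, taken from the sample output on this page.
$Expected = @{
    'Profile'           = 'Domain'
    'Operational mode'  = 'Enable'
    'Remote admin mode' = 'Enable'
}

# Constructed sample: a workstation that is using the Standard profile,
# so the domain policy settings are not in effect.
$sample = @'
Firewall status:
-------------------------------------------------------------------
Profile = Standard
Operational mode = Enable
Exception mode = Enable
Remote admin mode = Disable
'@ -split "`r?`n"

# Set to $true on a workstation to check its live state instead of the sample.
$UseLiveOutput = $false
$lines = if ($UseLiveOutput) { netsh firewall show state } else { $sample }

$findings = @(Test-FirewallState (ConvertFrom-NetshFirewallState $lines) $Expected)
if ($findings.Count -eq 0) { 'Firewall state matches the expected values.' }
else { $findings | Format-Table -AutoSize }
```

With the constructed sample, the script reports "Profile" and "Remote admin mode" as mismatches, which is the situation the TechNet article above covers.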

If for some reason you can't apply group policies, you can use the following commands to configure the Windows Firewall (save as firewall.cmd):

call netsh firewall set service RemoteAdmin enable
call netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135

