Managing Windows Firewall through GPO

Managing Windows Firewall through GPO

Summary : Rick Vanover describes how to manage computer account profiles for Windows Firewall centrally with Group Policy. He also warns of one risk to using Windows Firewall with Group Policy.

While running firewalls is a good practice to protect systems from harm, it also can get in the way. One thing I really like about Windows Firewall is its ability to be centrally managed, and the best way to do this is through a Group Policy Object (GPO).

On a per-server basis, Windows Firewall can still be managed through the interface in the Control Panel. For Windows Core editions, you can learn the command to disable Windows Firewall via a prompt.

For Windows Firewall, you can set a computer’s account profiles in the Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall With Advanced Security area of Group Policy. In this GPO, you can set rules for a computer account for each of the profile types (Public, Private, and Domain) (Figure A).

Figure A 
Click the image to enlarge.

This is a good situation for using a security group to filter membership for a GPO. It may not make sense to apply this GPO to an entire organizational unit. This can be due to different operating systems, mixed requirements, and policy. Broad application of this type of configuration is less desirable, so GPO filtering by security group becomes attractive.

You might be wondering: What happens when the computer account is not connected to the Active Directory domain and is unable to execute this policy? In most situations, Windows Server systems aren’t often disconnected from their Active Directory domain controllers, but it can happen. When a computer that has this policy applied is removed from the domain, the configuration is retained.

The risky thing about Windows Firewall being used with Group Policy is that it would supersede the local configuration. For example, if a firewall policy is deployed via a GPO that blocks certain traffic, the GPO would need to be changed. You cannot make the change on the fly by simply going into the firewall console or using netsh advfirewall commands.

Rick Vanover is an IT infrastructure manager for a financial services organization in Columbus, Ohio. He has years of IT experience and focuses on virtualization, Windows-based server administration and system hardware.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s