Disabling windows firewall on sbs2003 network



FAB
28-04-2011, 10:34 AM
Morning all

I have an SBS2003 network here with a decent firewall already in place.
I've disabled the windows firewall via GPO. For the majority of PCs, that is working fine. GPO set to disable it for the Domain Profile, but enable it for Standard Profile.

For a couple of PCs (out of 50) the windows firewall is on when they start up the PC. They get a windows firewall warning when starting Outlook (for example). If I go to Control Panel/Windows Firewall it's turned on and tells me that the PC is running the firewall since it's on the Standard Profile - not connected to the domain. But it is.

If I run RSOP I get the correct settings through.

I tried taking the PC off the domain and rejoining it, same issue.

Weirdly, if I run gpupdate /force the firewall then turns off!

Any help gratefully appreciated.

CYaBro
28-04-2011, 10:47 AM
Why disable the firewalls in the first place?
I have never had to do that at any of my client sites that run SBS 2003 or 2008.
Rather use GPO to open any ports as needed.

mikebartnz
28-04-2011, 11:02 AM
> Why disable the firewalls in the first place?
> I have never had to do that at any of my client sites that run SBS 2003 or 2008.
> Rather use GPO to open any ports as needed.
Because he is using another one.

CYaBro
28-04-2011, 12:04 PM
> Because he is using another one.

Yes, as everyone should be but that firewall is most likely just for the internet.
What about internal attacks say from someone bringing in an infected USB stick?

mikebartnz
28-04-2011, 12:17 PM
> Yes, as everyone should be but that firewall is most likely just for the internet.
> What about internal attacks say from someone bringing in an infected USB stick?
You could be right in that it only covers the internet. We will just have to wait to hear from him.

FAB
28-04-2011, 01:00 PM
Hi guys. Yes, have other firewall. Also using Nod32 that has stopped users with infected USB keys previously. In saying that, very few USB keys are used here. I can say that as it's a small place all on the floor and open plan so as I wander about during the day I can keep an eye on things.

I have no interest in using Windows Firewall - hence my post.

Alex B
28-04-2011, 01:21 PM
Something is overruling GP. What are the differences when you do a gpresult on one where it works vs one where it doesn't work before you run a gpupdate... I had a similar issue a while back, it was the ISA Client on the client machines causing it in the end.
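
One way to capture the "before gpupdate" comparison suggested above, as an added example that is not part of the original post. It assumes XP-era clients where the `netsh firewall` context is available; the output file name is made up for illustration.

```batch
@echo off
rem Added example: snapshot firewall profile and policy state BEFORE running gpupdate.
rem Run right after boot on one affected PC and one unaffected PC.
rem The output file name below is an assumption made for this example.
set OUT=%TEMP%\fwstate_%COMPUTERNAME%.txt

echo ==== %COMPUTERNAME% %DATE% %TIME% ==== > "%OUT%"

rem Which profile Windows Firewall believes is active (Domain or Standard)
rem and whether it is currently enabled.
netsh firewall show state >> "%OUT%" 2>&1

rem Firewall policy values that Group Policy has written under the key
rem mentioned in this thread, one value per profile.
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall >> "%OUT%" 2>&1
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall >> "%OUT%" 2>&1

rem Computer-scope GPOs that were applied or filtered out on this machine.
gpresult /scope computer /v >> "%OUT%" 2>&1

rem DNS suffix and DNS servers the client picked up at start-up.
ipconfig /all >> "%OUT%" 2>&1

echo Saved to %OUT%
```

Copy both files to one machine and compare them with `fc`; the lines that differ between the working and the failing PC are the place to start.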

Barnabas
28-04-2011, 05:08 PM
Try changing the group policy "Always wait for the network at computer startup and logon", as the PCs may be starting up and logging on before they have a chance to apply the policy correctly.

Suggest you create a new OU and move the affected PCs into it and then apply this policy change at that level so that the other machines don't get affected. You don't want this to apply to any laptop users either, as if they leave the building they won't be able to log on.

1101
29-04-2011, 12:33 PM
Google this for some info.
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall

I delete 'windowsfirewall' in reg (below) when the disable option is greyed out.

FAB
06-05-2011, 10:11 AM
Hi guys
Thanks for the advice. GPO already set to wait for network before logging on.

I think we are looking in the wrong direction though, as the message in Windows Firewall (control panel) is that it is using the Standard i.e. off Domain settings.

That's the reason the firewall is still coming on and the direction I need to look in.

However I've taken the PC off the domain and rejoined it, with no difference. Also it's appeared on two other PCs now.

One thing I noticed is that when I log into the SBS2003 DC it is saying the max number of licenses has been exceeded - 45 installed max usage 49. I've searched about this and while a few people say it can cause issues (but they don't say what) I am wondering if this is the cause - the DC not letting the user/pc join the domain, even though in actual fact they do?

SolMiester
06-05-2011, 10:14 AM
> Hi guys
> Thanks for the advice. GPO already set to wait for network before logging on.
>
> I think we are looking in the wrong direction though, as the message in Windows Firewall (control panel) is that it is using the Standard i.e. off Domain settings.
>
> That's the reason the firewall is still coming on and the direction I need to look in.
>
> However I've taken the PC off the domain and rejoined it, with no difference. Also it's appeared on two other PCs now.
>
> One thing I noticed is that when I log into the SBS2003 DC it is saying the max number of licenses has been exceeded - 45 installed max usage 49. I've searched about this and while a few people say it can cause issues (but they don't say what) I am wondering if this is the cause - the DC not letting the user/pc join the domain, even though in actual fact they do?

NO, I have a SBS network over their licence count with no issues!

FAB
09-05-2011, 11:34 AM
Darn... was hoping I had an angle there. Will have to do some more network testing on this one and find out why the PCs think they are not on the domain.

CYaBro
09-05-2011, 12:06 PM
How were these PCs put on the SBS domain?
Did you run the wizard via http://servername/connectcomputer?

SolMiester
09-05-2011, 12:18 PM
I didn't on mine, I join a domain from computername in system icon!

CYaBro
09-05-2011, 12:38 PM
> I didn't on mine, I join a domain from computername in system icon!

On an SBS domain I've had a few strange issues when I have done it that way so always now make sure that the connect computer wizard is used.
The reason is because it does more than just put the computer on the domain.

FAB
09-05-2011, 01:06 PM
Hey CYB
No - well I expect they were just joined 'normally', it was way before I got here. But I'll remove it from the domain and rejoin using http://servername/connectcomputer
Will let you know how I get on, thanks for the suggestion.