GPO Backup (Folder) with Firewall settings for ICMP.

    Question

  • Is it possible to use SCM to create a local policy backup folder with settings to allow a machine to respond to ICMP type 8 echo requests?

    I can do it in XPSP3, but I am struggling to do the same with Windows 7SP1.


    Stephen Moll Senior Systems Engineer BAE Systems

    Monday, October 01, 2012 1:27 PM

Answers

  • Stephen;

    Some, but not all, of the legacy firewall settings may affect the firewall behavior in Windows Vista and later. The best approach is to use the Windows Firewall with Advanced Security settings on Windows 7. You can create a custom inbound rule to enable ICMP; if you want, you can limit the allowed ICMP types in the rule. So in the group policy editor, navigate to Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security, right-click on Inbound Rules and select New Rule. Select Custom, then click Next twice. For Protocol type, select ICMPv4. If you want to limit ICMP types, click Customize. Click Next repeatedly to finish the wizard.


    Kurt Dillard http://www.kurtdillard.com

    Wednesday, October 03, 2012 4:48 PM

All replies

  • Stephen;

    You can use LocalGPO to backup the local group policy object, but I'm not sure that the setting you are referring to is  a GPO setting. What is the setting name? What other details can you share about it like registry path and value name, a TechNet or KB article that documents it, etc.

    Regards,

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    Monday, October 01, 2012 3:47 PM
  • Hi Kurt,

    Sorry for not getting back to this sooner, things are a bit hectic here!

    Our engineering builds for Windows are locked down, but with XP we have been allowing ICMP exceptions, so that engineers can use ping, etc. to check out network functionality when problems arise. This option doesn't appear in the "Add Settings" list for Windows 7SP1.

    The specific setting for Windows XPSP3 is:

    Windows Firewall: Allow ICMP exceptions

    Under this there are several ICMP type options, but we set only the one for "Allow inbound echo request".

    Could we expect the setting from the Windows XPSP3 options to work with a Windows 7 build? I am guessing not.

    Is there an option in the Windows 7 settings to achieve the same effect? I can't see one. The only setting related to ICMP that I can find seems to be a switch for only one of the ICMP types available in XP, namely the "Allow ICMP redirect".


    Stephen Moll Senior Systems Engineer BAE Systems

    Wednesday, October 03, 2012 10:02 AM
  • Yes, I know I can do that, however that doesn't tie in with what we want to achieve in terms of creating standard non-domain builds. We managed it with XP, and now find that the same basic process can't be done with W7.

    The nature of the work we undertake means that at no time can a machine being built, either real or virtual be directly connected to the internet.

    Therefore a standard build is in summary:

    (1) Install base OS from DVD.

    (2) Install patches and updates using an offline updating tool.

    (3) Use LocalGPO tool to apply standard security template from SCM.

    (4) Use LocalGPO tool to apply local deviations from standard template, which includes settings for ICMP, additional accounts, login security notices etc.


    This process is pretty well established and understood for XP, but it can't be used for W7 at the moment, as we can't get the LocalGPO tool to be able to make the firewall settings we want.



    Stephen Moll Senior Systems Engineer BAE Systems

    Thursday, October 04, 2012 9:48 AM
  • Stephen;

    I'm confused. LocalGPO exports the firewall rules if you implement them using in the local group policy as I describe above. If you open gpedit.msc and add the rule, then export the local GPO using our LocalGPO tool the rule should be included in the .POL file that's part of the GPO backup, for example, I just followed those steps, named my custom rule "ICMP," and see this in the .POL file:

    [SOFTWARE\Policies\Microsoft\WindowsFirewall;PolicyVersion;;;
    ][SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules;{E48A7C12-35B3-473A-BFD9-B38F03C2741F};;x;v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|Name=ICMP|]

    I apologize if I'm overlooking something but this seems to accomplish what you say you want to do.


    Kurt Dillard http://www.kurtdillard.com

    Thursday, October 04, 2012 5:00 PM
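The .POL excerpt above shows the policy-side rule store: each value under SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules is a GUID-named string in the `v2.10|Key=Value|...` format. The script below is an added example, not part of the thread and not a Microsoft or LocalGPO tool: it parses that format and reports whether the policy store on the current machine contains an active inbound ICMPv4 allow rule, which is the check a build engineer (or an Information Assurance reviewer) would want to run after applying a GPO backup. The registry path and the `Action`, `Active`, `Dir`, `Protocol` and `Name` field names come from the thread; the `ICMP4` field (used when the rule is restricted to specific ICMP types, e.g. `8:*` for echo request) is assumed from the Windows firewall rule-string grammar. A constructed sample string is included so the parser can be exercised without touching the registry.

```powershell
# Added example (not from the thread): audit the Group Policy firewall rule store
# for an active inbound ICMPv4 allow rule. Written for Windows PowerShell 2.0+
# so that it runs on Windows 7 SP1.

$PolicyRuleKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'

# Parse one rule string such as
#   v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|Name=ICMP|
# into a hashtable. The first field is the schema version; the rest are Key=Value.
function ConvertFrom-FirewallRuleString {
    param([Parameter(Mandatory = $true)][string]$RuleString)
    $rule   = @{}
    $fields = $RuleString.Split('|')
    $rule['Version'] = $fields[0]
    for ($i = 1; $i -lt $fields.Count; $i++) {
        if ($fields[$i] -match '^([^=]+)=(.*)$') {
            $rule[$matches[1]] = $matches[2]
        }
    }
    return $rule
}

# Read every rule string from the policy key (the values LocalGPO writes from the .POL).
function Get-PolicyFirewallRule {
    if (-not (Test-Path $PolicyRuleKey)) { return @() }
    $props = Get-ItemProperty -Path $PolicyRuleKey
    $rules = @()
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties (PSPath, PSParentPath, ...).
        if ($p.Name -like 'PS*') { continue }
        $r = ConvertFrom-FirewallRuleString -RuleString ([string]$p.Value)
        $r['RuleId'] = $p.Name     # the GUID value name
        $rules += $r
    }
    return $rules
}

# True if the rule is an active inbound allow for IPv4 ICMP (protocol 1) and either
# has no ICMP4 restriction (all types) or explicitly lists type 8 (echo request).
function Test-InboundEchoRequestRule {
    param([hashtable]$Rule)
    if ($Rule['Dir'] -ne 'In' -or $Rule['Action'] -ne 'Allow' -or $Rule['Active'] -ne 'TRUE') { return $false }
    if ($Rule['Protocol'] -ne '1') { return $false }
    if (-not $Rule.ContainsKey('ICMP4')) { return $true }      # assumed: no field = all types
    return ($Rule['ICMP4'] -split ',') -match '^8:' | ForEach-Object { $true } | Select-Object -First 1
}

# Offline self-check against the rule string quoted in the thread (constructed input).
$sample = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|Name=ICMP|'
$parsed = ConvertFrom-FirewallRuleString -RuleString $sample
Write-Host ("Sample rule '{0}' allows inbound echo request: {1}" -f $parsed['Name'], (Test-InboundEchoRequestRule $parsed))

# Live check of the policy store on this machine.
$policyRules = Get-PolicyFirewallRule
$echoRules   = @($policyRules | Where-Object { Test-InboundEchoRequestRule $_ })
if ($echoRules.Count -eq 0) {
    Write-Host 'No active inbound ICMPv4 echo-request allow rule found in the policy store.'
} else {
    foreach ($r in $echoRules) {
        Write-Host ("Policy rule {0} ('{1}') allows inbound ICMPv4 echo request." -f $r['RuleId'], $r['Name'])
    }
}
```

Run it in an elevated prompt after applying the GPO backup with LocalGPO. Note that it reads only the policy store; rules added locally with the Windows Firewall console or `netsh advfirewall` land in a different registry location and are not carried by the .POL file, which is why Kurt's steps go through gpedit.msc rather than the firewall console. Because SCM compares settings it understands and has no model for firewall rules, a rule present here can still show up as "no difference" in an SCM compare/merge, as Stephen observes later in the thread.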
  • We are trying to create and maintain the templates within the SCM, but I will take a look at your proposed solution more closely tomorrow.

    Stephen Moll Senior Systems Engineer BAE Systems

    Thursday, October 04, 2012 5:18 PM
  • OK, I couldn't resist the wait and have stayed at the office to try this out.

    I created a fresh VM with W7SP1 and installed the LocalGPO tool.

    I exported the local policy to a GPO Backup folder.

    I then set the firewall rules as you describe in order to allow the machine to respond to ICMPv4 Echo Requests.

    I exported the local policy a second time as a GPO Backup folder.

    I then imported both of those policies into the SCM and did a compare/merge, with the result that 167 unique settings were compared and 167 of those settings are common, i.e. there is no difference between the policy templates. This reinforces my view that the SCM as a tool for creating importable templates for standalone builds loses some of its utility when trying to manage Windows 7 and I'm guessing the same will be true for Windows 8, and Server 2008R2.


    Stephen Moll Senior Systems Engineer BAE Systems

    Thursday, October 04, 2012 6:14 PM
  • SCM doesn't include support for managing or editing firewall rules, I know that would be a useful feature but I'm not sure if or when the developers will be able to add it. The LocalGPO tool can export and import them from and to the local group policy. So, you could export your baseline from SCM as a GPO backup, then you could apply it with LocalGPO to one standalone machine. On that machine you could then configure the firewall rules, and export the complete policy using LocalGPO, then apply it to your other machines.

    Kurt Dillard http://www.kurtdillard.com

    Friday, October 05, 2012 2:54 PM
  • It's late Friday here, so I'll be disappearing home soon. I will therefore take another look at this on Monday. I am beginning to get my head around this, but the problem I have is explaining this to the Information Assurance team here. They like things to be straightforward and logical, and this was OK with XP. Having security policy templates in SCM for which all the security settings are not visible, let alone manageable, is going to make them nervous.

    Have a nice weekend Kurt.


    Stephen Moll Senior Systems Engineer BAE Systems

    Friday, October 05, 2012 3:47 PM