Local Firewall Policies Overriding Domain Group Policies

    Question

  • Hello!  I just discovered that in Windows 7, a local firewall exception can be created that can override an exception set via the domain group policy.  For instance, we have a domain GP that defines the "File and Printer Sharing" firewall rules and limits access to specific subnets.  However, a local program installation/administrator is able to define a custom port exception to TCP 445 to allow any IP to connect, and it appears that the workstation respects this setting.  With this local change, file sharing is available to this computer from all computers on our network.

    I discovered this problem after I installed the Remote Server Admin Tools (RSAT) on a workstation.  It appears that when the DFS Management tool is activated, it creates a firewall exception called DFS Management (SMB-In) that allows access over TCP 445 to any IP address.  Unfortunately, I also found that this local exception overrides the domain GP that I had set where I had explicitly limited this access for file and print sharing. 

    Note that I also tested this in XP and I was unable to add a custom port exception for 445 since the firewall interface gave me a warning indicating that there was a conflict with a managed exception (this is what I expected).

    I would like to avoid disabling local firewall rules entirely since we would then need to define exceptions for all of the custom programs we have across our network.  However, I would like Windows to enforce that, if a domain firewall GP is being applied, a local firewall exception cannot override the domain policy.  How can I correct this behavior?

    Thanks!

    • Edited by Aakash Shah 24 February 2012 5:27
    24 February 2012 2:17

All replies

  • Is it not possible to create a local firewall using GPO that overwrites the one there with the settings you desire? I know in GPO you get the option for domain and standard.
    24 February 2012 12:37
  • There are two settings for each Firewall profile (under Settings):

    • Apply local firewall rules
    • Apply local connection security rules

    These settings define whether or not locally defined rules are applied. The default configuration is that they are. If you disable these settings then locally created rules (either by an Admin or a program) will have no effect.

    The firewall does work on the basis that a block rule will win over an allow rule, therefore you could create specific block rules in GPO and still allow local admins to create and apply rules.


    Regards qSilverx

    24 February 2012 15:44
  • @A13x:  I am looking to manage all of this via domain group policy and would like to avoid making any changes to local exceptions.  The local exception that was added in by the DFS Management exception applies to all 3 profiles: Domain, Private, Public (I am using the Windows Firewall with Advanced Security interface).  The exception I added via GP also included all 3 profiles, but its scope was limited to specific Remote IPs.  However, the local exception appears to override the domain policy.

    @qsilverx: I had tested using the "Deny" option with "Apply local firewall rules" and this did correctly limit the scope as I intended.  However, this is unfortunately not an option since we manage many different departments that are constantly getting new software that adds in its own exceptions, and so maintaining it would be very difficult.

    I tried to create a Block rule and specify what IPs would be allowed, but this unfortunately didn't work - I can only specify what I want to block, which is everything but a few subnets and IPs.

    @All: What I still do not understand is how a local exception is able to override an exception defined by a domain policy since I have never seen that happen with Group Policy.  Does anyone else have any other thoughts/suggestions?

    Thanks!

    25 February 2012 2:26
  •  
    > @All: What I still do not understand is how a local exception is able
    > to override an exception defined by a domain policy since I have never
    > seen that happen with Group Policy.  Does anyone else have any other
    > thoughts/suggestions?
     
    Unless you set "Apply local firewall rules" to "No", local rules are
    just added to GPO rules. This setting can be found in Windows Firewall
    with Advanced Security - Overview - "Windows Firewall Properties" -
    "Domain Profile" (or others) - Settings - "Customize".
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    27 February 2012 11:42
  • Martin:

    Hello!  Is this behavior new with the Windows Firewall with Advanced Security in Windows 7?  I tested this behavior in Windows XP, and the firewall correctly prevented me from creating a local rule that would have overridden the File and Printer Sharing exception that I have set via GP.  Also, most other GPs that I've used always give precedence to the rule delivered via domain GP instead of the local GP if there is a conflict.

    Thanks!


    • Edited by Aakash Shah 27 February 2012 16:10
    27 February 2012 16:08
  •  
    > Hello!  Is this behavior new with the Windows Firewall with Advanced
    > Security in Windows 7?  I tested this behavior in Windows XP, and the
    > firewall correctly prevented me from creating a local rule that would
    > have overridden the File and Printer Sharing exception that I have set
    > via GP.  Also, most other GPs that I've used always give precedence to
    > the rule delivered via domain GP instead of the local GP if there is a
    > conflict.
    >
     
    I never cared about that - our users are not administrators, so they
    cannot change it anyway. And for me it sounds ok - Rules mix up and the
    "loosest" rule allows traffic. Another thing would be "one rule allows,
    another one forbids". I'm not sure what would happen in this case when
    local and GPO rules mix up, so I did a quick test:
     
    Enabled iSCSI via Domain GPO "allow", and via local GPO "deny". In RSOP,
    iSCSI was allowed, and in wf.msc the local GPO rule wasn't visible.
    Removed the Domain GPO rule, "gpupdate". Now the local GPO "deny" rule
    was active in wf.msc.
     
    This of course does not work when one rule is "predefined", the other is
    a custom one. How would the Firewall know that they belong to the same
    services? And how should it determine one to be valid and the other not,
    as long as you permit local exceptions?
     
    Most "other" GP settings are single registry keys where "last writer
    wins". Firewall rules are additive, all writers are cumulative.
     
    If you rely on secure firewall configurations, you should forbid local
    rules anyway.
     
    sincerely, Martin
     

    • Proposed as answer by Arthur_Li (Microsoft, Moderator) 28 February 2012 2:02
    • Unproposed as answer by Aakash Shah 7 March 2012 2:53
    27 February 2012 21:01

  • Hi,

    I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Arthur Li

    TechNet Community Support

    29 February 2012 13:54
  • Arthur: Hello!  I am still in a situation where the local exception for DFS Management (SMB In) that was created by the RSAT activation of DFS is overriding my domain policy that restricts SMB to specific subnets.

    Based on Martin's information above (BTW thanks for responding Martin!), it appears that my options are limited and that currently the only way to address this would be to deny local rules.  Unfortunately, we have a very heterogeneous environment and hence this is not feasible for us to maintain all of the firewall exceptions in GP.

    My end goal is to be able to tell our security team, with certainty, that SMB access has been limited, without the burden of maintaining all of the firewall exceptions needed for all of the programs in our environment.

    Based on Martin's information above, it appears that firewall rules are cumulative.  Is there any way to change this so that if a conflict exists, it honors the rule delivered by GP, but otherwise honors local rules?

    I've read that if a rule has a tighter scope, then it is supposed to take precedence.  Is this true?  If so, what tighter scope can I apply so that my domain policy always wins to limit SMB?

    Any other suggestions or comments would be appreciated.

    Thanks!

    • Edited by Aakash Shah 2 March 2012 15:49
    1 March 2012 5:24
  • Hi,

    After doing some research, I would agree with Martin Binder. Please try the suggestions Martin provided and let us know the result.

    Regards,

    Arthur Li

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    12 March 2012 8:32
  • Arthur:

    I am aware that denying local rules would prevent the local SMB rule from applying.  However, this is not feasible for us due to the very heterogeneous type of environment we are in.  My questions are:

    1. Based on Martin's information above, it appears that firewall rules are cumulative.  Is there any way to change this so that if a conflict exists, it honors the rule delivered by GP, but otherwise honors local rules?
    2. I've read that if a rule has a tighter scope, then it is supposed to take precedence.  If this is true, what tighter scope can I apply so that my domain policy always wins to limit SMB?

    Thanks.

    13 March 2012 1:56
  • My Friend, GPO implementation works on this procedure...

    L=local

    S=site

    D=domain

    OU=org unit

    so, if you have anything written in Local, that would be overwritten by Site -> Domain -> and then finally by OU (if applicable)


    Kamal Sharma

    • Proposed as answer by netengineer.kamal 13 March 2012 7:06
    • Unproposed as answer by Aakash Shah 13 March 2012 15:09
    13 March 2012 7:06
  •  
    > Based on Martin's information above, it appears that firewall rules
    > are cumulative.  Is there any way to change this so that if a conflict
    > exists, it honors the rule delivered by GP, but otherwise honors local
    > rules?
     
    It is not really a conflict (one allows, the other denies), but it's two
    independent rules... Forbid local exceptions and you're done.
     
    >  1. I've read that if a rule has a tighter scope, then it is supposed
    >     to take precedence.  If this is true, what tighter scope can I
    >     apply so that my domain policy always wins to limit SMB?
    >
     
    That's up to your environment - IP ranges (remote) are a possible solution.
     
    sincerely, Martin
     

    13 March 2012 11:17
  • Kamal:

    I'm aware of how normal GPO precedence works. My question was regarding how the firewall rules take precedence.  Thanks though.


    • Edited by Aakash Shah 13 March 2012 15:32
    13 March 2012 15:11
  • Martin:

    Thanks for your response. Unfortunately forbidding local exceptions is not feasible in our current environment.  What I was wondering is how I can have the SMB policy restriction that I have set always win, while still allowing other local policies that I have not defined via GP continue to work.

    I tried to use the remote IP ranges option (my File and Print Sharing policies via GP are currently restricted to specific remote IPs).  Unfortunately, depending on the programs installed locally, SMB was still allowed in due to the local policies.

    All: I've found some resources that indicate that firewall rule precedence works with the following precedence:

    1. Windows Service Hardening
    2. Connection security rules
    3. Authenticated bypass
    4. Block connection
    5. Allow connection
    6. Default profile behavior

    Sources:
    http://technet.microsoft.com/en-us/library/cc755191%28v=ws.10%29.aspx
    http://technet.microsoft.com/en-us/library/dd421709%28v=ws.10%29.aspx

    However, it appears that for each of these precedence groups, there is also a priority within each group based on what I've read on some sites.  Here is a quote from http://www.windowsecurity.com/articles/windows-server-2008-firewall-advanced-security-part2.html

    "Another thing to keep in mind regarding how rules are evaluated is that more specific rules are evaluated before more general rules. For example, rules with specific IP addresses included in the source or destination are evaluated before those that allow any source or destination."

    Here is a similar quote from http://sourcedaddy.com/windows-7/understanding-rules-processing.html:

    "...if two rules in the same group match, then the rule that is more specific (that is, has more matching criteria) is the one that is applied. For example, if rule A matches traffic to 192.168.0.1 and rule B matches traffic to 192.168.0.1 TCP port 80, then traffic to port 80 on that server matches rule B, and its action is the one taken."

    I have been unable to find any documentation on Microsoft's site that lists in more detail what types of parameters are considered more specific. 

    In addition, based on what I experienced, the information above does not appear to be working since my domain policy does have a more specific rule (it is limited to a specific range of IPs) versus the local rule that is open to everyone, but the end result appears to be that SMB is still allowed in.

    Can anyone please help me understand these priority rules better?

    Thanks!


    • Edited by Aakash Shah 13 March 2012 15:32
    13 March 2012 15:31
  •  
    > In addition, based on what I experienced, the information above does
    > not appear to be working since my domain policy does have a more
    > specific rule (it is limited to a specific range of IPs) versus the
    > local rule that is open to everyone, but the end result appears to be
    > that SMB is still allowed in.
     
    That's ok - the most specific rule wins, and you seem NOT to have a
    deny rule for inbound SMB in place. I would give a try to the following:
     
    Create a deny rule for SMB from all remote addresses
    Create an allow rule for the SMB servers you need
     
    If Microsoft's documentation is right, this should work, but didn't test...
     
    sincerely, Martin
     

    14 March 2012 12:06
  • Windows Firewall with Advanced Security supports the following types of rules:

    • Windows Service Hardening. This type of built-in rule restricts services from establishing connections in ways other than they were designed. Service restrictions are configured so that Windows services can communicate only in specified ways (for example, allowed traffic might be restricted to a specified port). 
    • Connection security rules. This type of rule defines how and when computers authenticate using IPsec. A connection security rule can also require encryption, which helps to keep data private. Connection security rules are typically used to establish server and domain isolation, as well as to enforce NAP policy.
    • Authenticated bypass rules. This type of rule allows the connection of specified computers or users even when inbound firewall rules would block the traffic. This rule requires that the network traffic from the authorized computers is authenticated by IPsec so identity can be confirmed. For example, you can allow remote firewall administration from only certain computers by creating authenticated bypass rules for those computers, or enable support for remote assistance by the Help Desk. This kind of rule is sometimes used in enterprise environments to permit "trusted" network traffic analyzers to access computers to assist in troubleshooting connectivity problems. A bypass rule lists the computers that are permitted to bypass rules that would otherwise block network traffic. Because the computer running the network analysis authenticates and is identified as being on the "allowed" list in the bypass rule, authenticated traffic from that computer is permitted through the firewall.
    • Block rules. This type of rule explicitly blocks a particular type of incoming or outgoing traffic. Because these rules are evaluated before allow rules, they take precedence. Network traffic that matches both an active block and an active allow rule is blocked.
    • Allow rules. This type of rule explicitly allows a particular type of incoming or outgoing traffic.
    • Default rules. These rules define the action that takes place when a connection does not match any other rule. The inbound default is to block connections and the outbound default is to allow connections. The defaults can be changed in Windows Firewall Properties on a per-profile basis.

    Figure 2 shows the order in which Windows Firewall with Advanced Security applies the various types of rules. This ordering of rules is always enforced, even when rules are coming from Group Policy. Rules, including those from Group Policy, are sorted and then applied. Windows Service Hardening rules are not configurable via Group Policy. Domain administrators can allow or deny local administrators the permission to create new rules.


    N.SATHISHKUMAR, MICROSOFT STUDENT PARTNER, INDIA.

    • Proposed as answer by n.sathishkumar 1 January 2013 22:37
    • Unproposed as answer by Aakash Shah 2 January 2013 2:07
    1 January 2013 22:37
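To make the evaluation order the thread argues about concrete, here is an added Python model of it (illustrative code written for this page, not Windows code and not any poster's configuration): block rules are checked before allow rules, local and GPO rules are merged cumulatively, and unmatched inbound traffic hits the default block. It replays the original poster's scenario (scoped GPO allow plus the unscoped local DFS Management allow) and the block-plus-allow idea from Martin's reply, using a block rule scoped to everything outside the trusted subnets; the subnet ranges, source addresses and rule names are constructed.

```python
import ipaddress

# Added model of Windows Firewall rule evaluation as quoted in the thread:
# block rules before allow rules, a packet matching both is blocked, and an
# unmatched inbound packet falls to the default inbound action (block).

ANY = ipaddress.ip_network("0.0.0.0/0")

def rule(name, action, port, remote=(str(ANY),), source="GPO"):
    # Inbound TCP rule scoped to a list of remote networks (default: any).
    return {"name": name, "action": action, "port": port, "source": source,
            "remote": [ipaddress.ip_network(n) for n in remote]}

def matches(r, port, src_ip):
    ip = ipaddress.ip_address(src_ip)
    return r["port"] == port and any(ip in net for net in r["remote"])

def evaluate(rules, port, src_ip):
    """Return (action, winning rule name). Local and GPO rules sit in one
    merged list because, as Martin notes, they are cumulative."""
    for r in rules:
        if r["action"] == "block" and matches(r, port, src_ip):
            return "block", r["name"]
    for r in rules:
        if r["action"] == "allow" and matches(r, port, src_ip):
            return "allow", r["name"]
    return "block", "default inbound"

def everything_except(allowed):
    """Remote ranges for a block rule covering every address outside the
    allowed subnets, carved out of 0.0.0.0/0 with address_exclude."""
    remaining = [ANY]
    for net in map(ipaddress.ip_network, allowed):
        nxt = []
        for chunk in remaining:
            if net.subnet_of(chunk):
                nxt.extend(chunk.address_exclude(net))
            elif not chunk.subnet_of(net):
                nxt.append(chunk)
        remaining = nxt
    return [str(n) for n in remaining]

TRUSTED = ["10.1.0.0/16", "10.2.5.0/24"]  # constructed file-server subnets
GPO_ALLOW = rule("File and Printer Sharing (SMB-In)", "allow", 445, TRUSTED)
LOCAL_DFS = rule("DFS Management (SMB-In)", "allow", 445, source="local")

# Scenario A: the thread's situation. The scoped GPO allow and the unscoped
# local allow simply add up, so any host reaches TCP 445.
SCENARIO_A = [GPO_ALLOW, LOCAL_DFS]

# Scenario B: add a GPO block rule scoped to everything outside TRUSTED. Block
# is evaluated first, so the local allow cannot open SMB to outsiders, while
# trusted hosts match no block rule and still reach the allow rules. A block
# rule scoped to "any" would block the trusted hosts too (block beats allow).
SCENARIO_B = SCENARIO_A + [
    rule("Block SMB outside trusted subnets", "block", 445, everything_except(TRUSTED)),
]
```

Running `evaluate(SCENARIO_A, 445, "192.168.5.5")` returns an allow from the local DFS rule, while the same source under `SCENARIO_B` is blocked and `10.1.7.20` stays allowed.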