Enabling default Firewall Policy for desktop by GPO

    Question

  • Hi Darren,

    I have 2008 R2 DCs and Windows 7 and other desktops.

    My queries are:

    When I create a GPO, I found the Advanced Firewall policy is not enabled (I have checked on the DC: the Windows Firewall service is not started), and on the other DCs too the Windows Firewall service is disabled.

    My queries to you:

    NB: environment is prod.

    1. What happens when I enable the Windows Firewall service on the DC where I am creating and deploying the GPO?

    2. What are the effects of starting the Windows Firewall service on the DC (as the environment is already production)?

    And I am not sure about what the existing network firewall is, etc.

    3. Is it necessary to start the Windows Firewall policy on all DCs to enable the GPO for the Windows Firewall default policy to desktops?

    4. What exactly are the pre-change requirements, like for the network team or application team, before testing on the 2-desktop OU which is in the production environment?

    Please let me know your experience on the same, and please share it with banavalg@yahoo.com.

    Sunday, July 31, 2016 1:12 AM

Answers

  • Hi,

    First off, you shouldn't disable the firewall service on Windows since Vista, as other services may depend on that functionality. If you need to prevent the firewall from blocking any traffic, simply set it to Allow by default - either locally on the machine in question or globally via GPO.

    To your questions:

    1. The Firewall will start with the settings that apply; you can check those in the local GPO editor or Control Panel prior to enabling the service.

    2. This largely depends on what settings the firewall will start with. If you set it to Allow any, there will be no effects.

    3. No. You probably wouldn't target a Desktop Firewall GPO to your DCs anyway. At least, you shouldn't ;-)

    4. As far as I can see, the network team would not be affected. The application team will have to formulate the exact traffic requirements for servers and clients so that you can reflect those in your Firewall GPO prior to activating that.


    Evgenij Smirnov

    msg services ag, Berlin -> http://www.msg-services.de
    my personal blog (mostly German) -> http://it-pro-berlin.de
    Windows Server User Group, Berlin -> http://www.winsvr-berlin.de
    Mark Minasi Technical Forum, reloaded -> http://newforum.minasi.com

    In theory, there is no difference between theory and practice. In practice, there is.

    Sunday, July 31, 2016 11:43 AM
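The pre-change check described in point 1 above, as an added example that is not part of the thread or anyone's posted code: it reports what the Windows Firewall would start with on the local machine, reading the GPO and local registry stores (`HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall` and `...\SharedAccess\Parameters\FirewallPolicy`) because `netsh advfirewall` and the Control Panel cannot query a stopped firewall service. It assumes an elevated PowerShell 2.0+ prompt on Windows 7 / Server 2008 R2 or later, and treats an unset value as the built-in default (firewall on, block inbound, allow outbound).

```powershell
# Added example, not from the thread. Shows the profile settings the Windows
# Firewall (service MpsSvc) would apply once started, without needing the
# service to be running. Domain GPO values take precedence over local values.

$svc = Get-WmiObject Win32_Service -Filter "Name='MpsSvc'"
"Windows Firewall service: state={0}, startup={1}" -f $svc.State, $svc.StartMode

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
# Same value names in both stores; the local store calls the private profile "StandardProfile".
$policyNames = @{ Domain = 'DomainProfile'; Private = 'PrivateProfile';  Public = 'PublicProfile' }
$localNames  = @{ Domain = 'DomainProfile'; Private = 'StandardProfile'; Public = 'PublicProfile' }

function Get-FwValue($key, $name) {
    # Returns $null when the key or the value does not exist.
    if (Test-Path $key) { (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$name }
}

function Get-EffectiveValue($profile, $name, $default) {
    $v = Get-FwValue (Join-Path $policyRoot $policyNames[$profile]) $name   # GPO store first
    if ($v -eq $null) { $v = Get-FwValue (Join-Path $localRoot $localNames[$profile]) $name }
    if ($v -eq $null) { $v = $default }                                     # built-in default
    return $v
}

foreach ($p in 'Domain', 'Private', 'Public') {
    $enabled  = Get-EffectiveValue $p 'EnableFirewall'        1   # 1 = firewall on
    $inbound  = Get-EffectiveValue $p 'DefaultInboundAction'  1   # 1 = block, 0 = allow
    $outbound = Get-EffectiveValue $p 'DefaultOutboundAction' 0
    $in  = if ($inbound  -eq 1) { 'Block' } else { 'Allow' }
    $out = if ($outbound -eq 1) { 'Block' } else { 'Allow' }
    "{0,-8} firewall={1} inbound={2} outbound={3}" -f $p, [bool]$enabled, $in, $out
    if ($enabled -eq 1 -and $inbound -eq 1) {
        Write-Warning "$p profile will block unsolicited inbound traffic once MpsSvc starts; review the rule set or set the default to Allow via GPO first."
    }
}
```

Run it on each DC (and a test desktop) before enabling the service; a warning on the Domain profile is exactly the case the answer says to settle, by rules or an Allow default, before the change goes live.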
  • Hi,

    Thanks for your post.

    If you enable the firewall on DCs, what you should pay more attention to is that you need to open all the ports which the Active Directory services need.

    Here is an article about Active Directory Domain Services port requirements for your reference.

    Active Directory and Active Directory Domain Services Port Requirements

    https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 1, 2016 12:30 PM
    Moderator
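A way to verify the point above from the client side, as an added example that is not part of the thread: run it from a domain-joined desktop (for instance the two test-OU machines) before and after the firewall change on the DCs, and it reports which AD TCP ports on each DC are still reachable. The port list is a subset I am confident of (DNS, Kerberos, RPC endpoint mapper, LDAP/LDAPS, SMB, Kerberos password change, Global Catalog); the linked article has the full list, including the dynamic RPC range, which this check does not cover. It assumes PowerShell 2.0+ and that the client can enumerate DCs through `System.DirectoryServices.ActiveDirectory`.

```powershell
# Added example, not from the thread. Checks TCP reachability of core AD ports
# on every DC in the current domain, with a short timeout per attempt.

$ports = @{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP';
    445 = 'SMB (SYSVOL/NETLOGON)'; 464 = 'Kerberos password change';
    636 = 'LDAPS'; 3268 = 'Global Catalog'; 3269 = 'Global Catalog SSL'
}

function Test-TcpPort($computer, $port, $timeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($computer, $port, $null, $null)
        # Treat a timeout (dropped by a firewall) the same as a refusal.
        if (-not $async.AsyncWaitHandle.WaitOne($timeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    foreach ($port in ($ports.Keys | Sort-Object)) {
        $ok = Test-TcpPort $dc.Name $port
        $status = if ($ok) { 'open' } else { 'BLOCKED/unreachable' }
        "{0,-30} {1,5}/tcp {2,-26} {3}" -f $dc.Name, $port, $ports[$port], $status
        if (-not $ok) {
            Write-Warning ("{0}: {1}/tcp ({2}) not reachable" -f $dc.Name, $port, $ports[$port])
        }
    }
}
```

Any port that flips from open to blocked after MpsSvc is enabled on a DC points at a missing allow rule for that service in the DC's firewall policy.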

All replies

  • Cross post, see https://social.technet.microsoft.com/Forums/en-US/48c83a1e-e43d-4bc1-a426-deee69702200/gpo-default-firewall-policies-for-desktops?forum=winserverDS

    Evgenij Smirnov

    msg services ag, Berlin -> http://www.msg-services.de
    my personal blog (mostly German) -> http://it-pro-berlin.de
    Windows Server User Group, Berlin -> http://www.winsvr-berlin.de
    Mark Minasi Technical Forum, reloaded -> http://newforum.minasi.com

    In theory, there is no difference between theory and practice. In practice, there is.

    Sunday, July 31, 2016 11:43 AM