Firewall lock down with current settings

    Question

  • Hello,

    We are trying to lock down existing Windows firewall rules via GPO so that no new rules or changes can be made on the machines. Has anyone done it?

    Thanks

    Tuesday, January 05, 2016 5:00 PM

Answers

  • OK, it is time to bring the big guns out, hehehe

    What we can do is apply "Deny" permissions at the registry level in order to lock down modification of the advanced firewall rules:

    - Run regedit
    - Browse to this path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
    - Right-click "FirewallRules" and select "Permissions..."
    - Add the "Everyone" security group
    - Select "Advanced"
    - Select the "Everyone" security group and click the "Edit" button
    - Change the "Type" field to "Deny"
    - Click the "Show advanced permissions" link
    - Check "Set Value", "Create Subkey" and "Delete"
    - Uncheck "Read Control" and click OK
    - Then click "Apply" in the "Advanced Security Settings for FirewallRules" dialog

    By doing this you deny modification of the firewall rules, but users are still able to turn the firewall on/off. To disable that option you will need to enable the policy "Windows Firewall: Protect all network connections", which is located within the GPO at this path:

    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile

    If the computer cannot be joined to the domain, you can use the same policy locally (gpedit.msc), looking under "Standard Profile" instead of "Domain Profile":

    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile

    Friday, January 08, 2016 6:33 PM
  • Hi,
     
    On 05.01.2016 at 18:00, snikolayenko wrote:
    > We are trying to lock down existing Windows firewall rules via GPO so that no
    > new rules or changes can be made on the machines. Has anyone
    > done it?
     
    That's not the way it works.
    You have LOCAL rules or GP-ruled settings, combined with local ones or not,
    but GP rules always override local settings.
     
    But AFAIR, there is no "leave it as it is" firewall GP.
     
    In addition to YoElPirra's idea of DENY settings in the registry:
    you can populate registry/NTFS or service permissions with GP :-)
     
    Computer Configuration - Windows Settings - Security Settings - Registry
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Friday, January 08, 2016 9:29 PM

All replies

  • Hello snikolayenko,

    You can use a GPO with the "Windows Firewall with Advanced Security" policy.

    These settings are located at this path:
    Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security

    You will need to configure the rules that you want to define for your client computers and then apply the GPO.

    If you already have a client computer that serves as an example of the rules, you could also use the "Export Policy..." action in the "Windows Firewall with Advanced Security" console. This action creates a .wfw file which you can move to your Domain Controller and then import into the GPO where you want to define the policies for your client computers.

    I hope this information helps you reach your goal. :D

    Regards!

    Tuesday, January 05, 2016 11:57 PM
  • Thanks for the reply. We are trying to avoid creating multiple GPOs with defined rules. We have lots of one-off servers that have different firewall rules defined.

    Just trying to keep existing rules and lock down an ability to modify them.

    Thank you. Stan

    Friday, January 08, 2016 4:30 PM
  • Cool!!! Thanks, I'll give it a try and let you know. BTW, we already locked down the firewall on/off option.

    Thanks

    Friday, January 08, 2016 7:47 PM
  • Can adding the user "Everyone" and setting Deny be done via GP?

    - Run regedit
    - Browse to this path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
    - Right-click "FirewallRules" and select "Permissions..."
    - Add the "Everyone" security group
    - Select "Advanced"
    - Select the "Everyone" security group and click the "Edit" button
    - Change the "Type" field to "Deny"
    - Click the "Show advanced permissions" link
    - Check "Set Value", "Create Subkey" and "Delete"
    - Uncheck "Read Control" and click OK
    - Then click "Apply" in the "Advanced Security Settings for FirewallRules" dialog

    Friday, February 19, 2016 6:53 PM
  • Here is what I did:

    1. Created a PowerShell script:

    # Deny Everyone the rights to add, change or delete rules in the local FirewallRules key
    $acl = Get-Acl -Path HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
    # Deny ACE: identity, RegistryRights to deny, access control type
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("everyone","Delete,CreateSubkey,SetValue","Deny")
    $acl.SetAccessRule($rule)
    # Write the modified DACL back to the key (must run elevated)
    $acl | Set-Acl -Path HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

    2. Used GP to "Create" a scheduled task that runs the script with PowerShell.

    Thank you all! 

    Friday, March 04, 2016 5:12 PM
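The regedit procedure from the first answer and the script from the last reply, written up as one added PowerShell example (this is not code from the thread). It uses the same key and the same three rights (Set Value, Create Subkey, Delete) and additionally verifies the resulting ACE, probes whether local rule creation is actually refused, and provides a rollback. The function names, the probe rule's display name and its port are this example's own choices. Two points worth knowing before deploying it: Everyone includes Administrators and SYSTEM, so the deny also stops local administrators and software installers from registering rules in the local store, while rules delivered by Group Policy (stored under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall) are untouched and still apply; and the deny does not cover Write DAC, so an administrator can remove the ACE again unless something reapplies it, which is why the GP registry-security setting or the scheduled task mentioned above is needed. Run from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): lock the local firewall rule store by
# denying Everyone the write rights named in the thread, verify the ACE,
# probe enforcement, and allow rollback.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

# Well-known SID for Everyone (S-1-1-0), used instead of the localized name so the
# ACE is identical on non-English systems. Everyone includes Administrators and
# SYSTEM, so the deny also stops local admins and installers from adding rules.
$Everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

# Set Value + Create Subkey + Delete, as in the regedit steps. Read is left alone
# so the firewall service can still load and enforce the existing rules.
$DenyRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'

function New-LockdownRule {
    # Deny ACE that also inherits to any subkey created under FirewallRules.
    [System.Security.AccessControl.RegistryAccessRule]::new(
        $Everyone, $DenyRights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function Enable-FirewallRulesLockdown {
    $acl = Get-Acl -Path $KeyPath
    $acl.SetAccessRule((New-LockdownRule))
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Disable-FirewallRulesLockdown {
    # Rollback: remove exactly the deny ACE added above.
    $acl = Get-Acl -Path $KeyPath
    $null = $acl.RemoveAccessRule((New-LockdownRule))
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Test-FirewallRulesLockdown {
    # $true when an explicit Deny ACE for Everyone covers all three rights.
    $acl = Get-Acl -Path $KeyPath
    $match = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference -eq $Everyone -and
            ($_.RegistryRights -band $DenyRights) -eq $DenyRights
        }
    return [bool]$match
}

function Get-FirewallRulesLockdownSddl {
    # The resulting DACL as SDDL, e.g. to compare across machines or to carry
    # into a security template's [Registry Keys] entry.
    (Get-Acl -Path $KeyPath).Sddl
}

function Test-LocalRuleCreationBlocked {
    # Probe: with the deny in place, adding a local rule is expected to fail with
    # an access-denied error. If it unexpectedly succeeds, remove the probe rule
    # and report $false so the operator knows the lockdown is not effective.
    $name = 'Lockdown probe (delete me)'   # example-only rule name
    try {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort 65000 -ErrorAction Stop | Out-Null
        Remove-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        return $false
    } catch {
        return $true
    }
}

Enable-FirewallRulesLockdown
"Deny ACE present:              $(Test-FirewallRulesLockdown)"
"Local rule creation blocked:   $(Test-LocalRuleCreationBlocked)"
"Resulting DACL (SDDL):         $(Get-FirewallRulesLockdownSddl)"
```

Run `Disable-FirewallRulesLockdown` to revert. If the script is pushed out by a scheduled task, as the last reply describes, `Test-FirewallRulesLockdown` can be used as the idempotency check so the ACL is only rewritten when the deny ACE is missing.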