Windows Firewall - Authorized Computers - not working

  • Question

  • Applying rules to "File and Printer Sharing (Echo Request - ICMPv4-In)" ...

          File and Printer Sharing (Echo Request - ICMPv4-In) - Allowed
                   Client 1: Ping successful
                   Client 2: Ping successful

          File and Printer Sharing (Echo Request - ICMPv4-In) - Blocked
                   Client 1: Ping unsuccessful
                   Client 2: Ping unsuccessful

          File and Printer Sharing (Echo Request - ICMPv4-In) - Allow Only Secure Connections...
                   Client 1: Ping successful
                   Client 2: Ping successful

          File and Printer Sharing (Echo Request - ICMPv4-In) - Allow Only Secure Connections...
          Only allow connections from remote computers: checked
          Remote Computers: AD\{Client 1's Computer Name}
                   Client 1: Ping successful
                   Client 2: Ping successful <-- I expected a different result

    Perhaps my problem is just the need for further configuration? I'm stuck: why is Client 2's connection allowed, even though only Client 1's computer name is entered in the "Only allow connections from remote computers" box?

    Monday, July 22, 2013 5:44 PM

Answers

  •  

    Figured out the solution. I'll tell you what I did specifically, for others seeking similar solutions, you can look over what I did, and adapt it to your specific needs.

     

    The server and clients need an agreed-upon method with which to pass extra jazz (such as computer names) into connection requests. That is done in Windows Firewall via Connection Security Rules. For testing purposes, I managed these via the Windows Advanced Firewall GUI, but it will be implemented via a GPO. It can also be scripted. I'll give you the script commands that achieve the same settings I set up in the GUI, as it's a bit easier to articulate the specific settings ...
                    Server:
                            netsh advfirewall consec add rule name="Whatever makes sense" endpoint1=any endpoint2=<server IP address> action=requireinrequestout auth1=computerkerb
                    Client1:
                            netsh advfirewall consec add rule name="Whatever makes sense" endpoint1=any endpoint2=<server IP address> action=requireinrequireout auth1=computerkerb
                    Client2:
                            netsh advfirewall consec add rule name="Whatever makes sense" endpoint1=any endpoint2=<server IP address> action=requireinrequestout auth1=computerkerb

     

    Notice the slight difference between the server and the client Connection Security Rules: if you set the server to "requireinrequireout", the server will lose connection to the network, as it is requiring all outgoing traffic to be secure. What's important for the server in this setup is "requirein"; what's important for the clients is that they "requireout." If you don't specify the server's IP address, you won't get good results; it's a necessity. Therefore it must also be a static IP (no surprise here).

     

    Now that they're offering the computer name in their communication, we can use it within the firewall. Within the Windows Firewall with Advanced Security GUI, you can right-click on "Windows Firewall with Advanced Security on Local Computer" and select Properties. Since I'm working on a domain, I changed only the Domain Profile settings. For Inbound Connections, I changed it from the default "Block (default)" to "Block All Connections." This serves as our bottleneck.

    Finally, I made a custom inbound rule to allow traffic if it is secure: all programs, any protocol, all ports. I named it "All Communication." Obviously you could make a more specific rule than I did; mine basically covers everything for testing purposes. I checked the "Override Block Rules" check box; if you forget this, you won't override the "Block All Communications" setting we set earlier. Since it's an override, you must select at least one computer. I made an AD group that houses the computers I want to grant access to (the idea being that future adds or removes can be managed simply by AD group addition or subtraction instead of further managing the firewall), so I entered the group in the "Authorized Computers" box.

    Voila. Only the computers in that AD group can access the server. I manage share permissions independently, and am able to control which computers are able to get through the firewall via an AD group for easy future manageability.

    It's a shame I couldn't find this anywhere else. Hope it serves someone else's needs as in my research I observed many people wanting to do the same (or similar) thing.

    • Marked as answer by MFiebs Wednesday, July 24, 2013 6:39 PM
    Wednesday, July 24, 2013 6:39 PM
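The same procedure as the accepted answer, written as an added example (not code from the original post) using the NetSecurity cmdlets that replaced netsh advfirewall. It goes a little beyond the answer by adding a check of which peers actually authenticated and a removal function. The server IP (10.0.0.10) and group name (AD\Server-Access-Computers) are constructed placeholders; the mapping of endpoint1/endpoint2 to -LocalAddress/-RemoteAddress mirrors the netsh lines above.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: the answer's netsh procedure
# expressed with the NetSecurity cmdlets (PowerShell's replacement for
# "netsh advfirewall"), plus a verification step and a removal step.
# Assumed/constructed values: the server's static IP is 10.0.0.10 and the
# AD group of permitted computer accounts is AD\Server-Access-Computers.

$ServerIp   = '10.0.0.10'                   # assumption: server's static IP
$GroupName  = 'AD\Server-Access-Computers'  # assumption: group of computer accounts
$RuleSuffix = 'Authorized Computers Example'

# Phase-1 authentication with the computer's Kerberos identity
# (netsh: auth1=computerkerb). Server and clients must both use this.
function New-ComputerKerberosAuthSet {
    $proposal = New-NetIPsecAuthProposal -Machine -Kerberos
    New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos ($RuleSuffix)" -Proposal $proposal
}

# Server side of the Connection Security Rule: require authentication on
# inbound traffic, only request it on outbound (requireinrequestout), so the
# server can still reach peers that do not negotiate IPsec (DNS, DCs, ...).
# -LocalAddress Any -RemoteAddress $ServerIp mirrors endpoint1=any endpoint2=<server IP>.
function New-ServerConnectionSecurityRule {
    param([Parameter(Mandatory)] $AuthSet)
    New-NetIPsecRule -DisplayName "Server consec ($RuleSuffix)" `
        -LocalAddress Any -RemoteAddress $ServerIp `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $AuthSet.Name -Profile Domain
}

# Client side: require authentication in both directions (requireinrequireout)
# for traffic to and from the server only, as the answer's Client1 line does.
function New-ClientConnectionSecurityRule {
    param([Parameter(Mandatory)] $AuthSet)
    New-NetIPsecRule -DisplayName "Client consec ($RuleSuffix)" `
        -LocalAddress Any -RemoteAddress $ServerIp `
        -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet $AuthSet.Name -Profile Domain
}

# "Authorized Computers" is stored as an SDDL string of SIDs, so resolve the
# group name to its SID first; the CC right is what firewall rules match on.
function Get-RemoteMachineSddl {
    param([Parameter(Mandatory)][string] $Account)
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value
    "D:(A;;CC;;;$sid)"
}

# The answer's "All Communication" rule: allow any inbound traffic that is
# IPsec-authenticated as coming from a member of the group, and let it
# override the profile's block (netsh: action=bypass security=authenticate).
function New-AuthorizedComputersRule {
    New-NetFirewallRule -DisplayName "All Communication ($RuleSuffix)" `
        -Direction Inbound -Action Allow -Profile Domain `
        -Authentication Required -OverrideBlockRules $true `
        -RemoteMachine (Get-RemoteMachineSddl $GroupName)
}

# "Block All Connections" on the Domain profile: ordinary inbound allow rules
# are ignored; only the authenticated-bypass rule above still admits traffic.
function Set-DomainProfileBlockAll {
    Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -AllowInboundRules False
}

# Check: each main-mode SA records the identity the peer authenticated with,
# which is what the group membership is evaluated against.
function Show-AuthenticatedPeers {
    Get-NetIPsecMainModeSA | Format-List LocalEndpoint, RemoteEndpoint, RemoteFirstId
}

# Undo everything this example created (a local console session is not
# subject to the inbound rules, so it can run this if remote access was lost).
function Remove-ExampleRules {
    Set-NetFirewallProfile -Profile Domain -AllowInboundRules True
    Get-NetFirewallRule -DisplayName "*($RuleSuffix)" | Remove-NetFirewallRule
    Get-NetIPsecRule -DisplayName "*($RuleSuffix)" | Remove-NetIPsecRule
    Get-NetIPsecPhase1AuthSet -DisplayName "*($RuleSuffix)" | Remove-NetIPsecPhase1AuthSet
}

function Invoke-ServerSetup {
    $auth = New-ComputerKerberosAuthSet
    New-ServerConnectionSecurityRule -AuthSet $auth
    New-AuthorizedComputersRule
    Set-DomainProfileBlockAll   # last, so the authenticated path exists before the block
}

function Invoke-ClientSetup {
    $auth = New-ComputerKerberosAuthSet
    New-ClientConnectionSecurityRule -AuthSet $auth
}

# Dot-source this file, then run Invoke-ServerSetup on the server and
# Invoke-ClientSetup on each client; Show-AuthenticatedPeers confirms the result.
```

The order inside Invoke-ServerSetup is deliberate: the consec rule and the authenticated-bypass rule are created first and the profile is switched to "Block All Connections" only after they exist, so a member of the group always has an allowed path. Remove-ExampleRules reverses the profile change first for the same reason.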

All replies

  • Hi MFiebs,

    Thanks for posting in Microsoft TechNet forums.

    By sharing your experience we can help other community members facing similar problems. Thanks for your efforts.
     
    Best Regards
     
    Ted

    Thursday, July 25, 2013 1:45 AM
  • This is just awesome. It does serve me well! Thanks.
    Saturday, October 22, 2016 6:21 PM
  • Wowsers, beware to others. By following this I locked myself out of the server. I don't even know what happened, but the Connection Security Rule probably blocked out all incoming traffic. I now have to delete the server and set it up from scratch... Nevertheless this post was helpful. Stupid that there is an option to whitelist Remote Computers, yet it doesn't work without all this.
    Thursday, June 4, 2020 12:25 PM