From: Zachary on
I am trying to configure a group policy that will allow me to control the
Windows built-in firewall across our domain. What I don't know how to do is
configure it so that if a PC needs the firewall to be temporarily disabled
an administrator can come do that for the machine. I have a test OU set up
to do this so any suggestions can be tested.


From: Jordan on
I had an issue with local admins and Power users trying to turn off their AV
so I used GP to disable access to turn off the AV service unless you were an
admin.

Computer config
--Windows Settings
---Security Settings
----System Services
-----Windows ICS/Firewall

Check define policy and set to automatic
Edit the Security so only System and whatever group you want to be able stop
the service. You would be best off making sure you use a group so you can
add the users or other groups to that group.

If you want to be a little more picky about what port or what service you
may want to allow, you can use the Windows Firewall policy settings to tweak
what you want to allow. For instance, I only allow selected programs to run:

Computer
--AdminTemplates
---Network
----NetworkConnections
-----Windows Firewall
------Domain (and standard for when laptops are off network)
-------Define Program Exceptions

Look into how to set for your network. Basically:

Program.exe : * : Enabled: ProgDescription

The star says all networks, but you can limit it to subnet, local,
whatever.

You also need to "Allow local program exception" for this to work.

You can also use the Define Port Exceptions as well to allow connections from
remote computers. I use these settings to make sure only requests from my IP
addresses are allowed and also to prevent users from sharing printers, drives,
etc.


"Zachary" <zdundore(a)agraind.com> wrote in message
news:uTIdue8kKHA.2164(a)TK2MSFTNGP02.phx.gbl...
>I am trying to configure a group policy that will allow me to control the
>Windows built-in firewall across our domain. What I don't know how to do
>is configure it so that if a PC needs the firewall to be temporarily
>disabled an administrator can come do that for the machine. I have a test
>OU set up to do this so any suggestions can be tested.


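The "Program.exe : * : Enabled: ProgDescription" entries above follow the GPO's program:scope:status:name format, where the scope is `*`, `localsubnet`, or a comma-separated list of addresses or subnets. Below is an added parser and audit helper (example code written for this thread, not part of any post or of Windows itself) that validates such entries and flags enabled exceptions open to all networks; the sample entries are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ProgramException:
    program: str
    scope: str
    enabled: bool
    description: str


def parse_scope(scope: str) -> list:
    """Validate a scope field and return its normalised tokens.

    Accepts '*', 'localsubnet', or a comma-separated list of IPv4 addresses
    and subnets (CIDR or dotted mask); anything else raises ValueError.
    """
    tokens = []
    for raw in scope.split(","):
        token = raw.strip()
        if token == "*" or token.lower() == "localsubnet":
            tokens.append(token.lower())
        else:
            # ip_network raises ValueError on junk such as 'everywhere'
            ipaddress.ip_network(token, strict=False)
            tokens.append(token)
    return tokens


def parse_program_exception(entry: str) -> ProgramException:
    """Parse 'program:scope:status:name'; split from the right so the
    drive-letter colon in a path like C:\\App\\app.exe is not treated as
    a field separator."""
    parts = entry.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected program:scope:status:name, got {entry!r}")
    program, scope, status, name = (p.strip() for p in parts)
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"status must be enabled/disabled, got {status!r}")
    parse_scope(scope)  # reject malformed scopes before we return the entry
    return ProgramException(program, scope, status.lower() == "enabled", name)


def audit_exceptions(entries: list) -> list:
    """Return programs whose exception is enabled for every network ('*'),
    i.e. the ones worth narrowing to localsubnet or specific addresses."""
    broad = []
    for entry in entries:
        exc = parse_program_exception(entry)
        if exc.enabled and "*" in parse_scope(exc.scope):
            broad.append(exc.program)
    return broad


# Constructed sample entries in the GPO's format (not from the thread)
SAMPLE_ENTRIES = [
    r"C:\Program Files\Backup\agent.exe:*:enabled:Backup Agent",
    r"%ProgramFiles%\RemoteTool\rt.exe:10.0.0.0/24,localsubnet:enabled:Remote Tool",
    r"C:\Tools\legacy.exe:*:disabled:Legacy App",
]
```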

From: Zachary on
I tried setting the security on the service and that was a no go. No matter
what I do, or what user I log in as, the Windows ICS/Firewall Service won't
start. I get an error:

error 0x80004015 the class is configured to run as a security id different
from the caller

This sounded like a very simple solution and I would like to deploy it. Am I
doing something wrong? Did you run into this when you deployed these GPO
settings?

"Jordan" <none(a)here.com> wrote in message
news:OWz$M$ilKHA.2164(a)TK2MSFTNGP02.phx.gbl...
>I had an issue with local admins and Power users trying to turn off their
>AV so I used GP to disable access to turn off the AV service unless you
>were an admin.
>
> Computer config
> --Windows Settings
> ---Security Settings
> ----System Services
> -----Windows ICS/Firewall
>
> Check define policy and set to automatic
> Edit the Security so only System and whatever group you want to be able
> stop the service. You would be best off making sure you use a group so
> you can add the users or other groups to that group.
>
> If you want to be a little more picky about what port or what service you
> may want to allow, you can use the Windows Firewall policy settings to
> tweak what you want to allow. For instance, I only allow selected programs
> to run:
>
> Computer
> --AdminTemplates
> ---Network
> ----NetworkConnections
> -----Windows Firewall
> ------Domain (and standard for when laptops are off network)
> -------Define Program Exceptions
>
> Look into how to set for your network. Basically:
>
> Program.exe : * : Enabled: ProgDescription
>
> The star says all networks, but you can limit it to subnet, local,
> whatever.
>
> You also need to "Allow local program exception" for this to work.
>
> You can also use the Define Port Exceptions as well to allow connections
> from remote computers. I use these settings to make sure only requests
> from my IP addresses are allowed and also to prevent users from sharing
> printers, drives, etc.
>
>
> "Zachary" <zdundore(a)agraind.com> wrote in message
> news:uTIdue8kKHA.2164(a)TK2MSFTNGP02.phx.gbl...
>>I am trying to configure a group policy that will allow me to control the
>>Windows built-in firewall across our domain. What I don't know how to do
>>is configure it so that if a PC needs the firewall to be temporarily
>>disabled an administrator can come do that for the machine. I have a test
>>OU set up to do this so any suggestions can be tested.