2003 AD Prevent Disabling Windows Firewall

Status
Not open for further replies.

Netadministrator

Technical User
Dec 10, 2002
14
US
I have a problem with users disabling Windows Firewall on their laptop computers. I have to keep the users in the Administrators group on the laptops because some applications require it to run. This allows them more rights than I would like to give them. The Power Users group will not allow the applications to run.

Is there a way to prevent users from disabling Windows Firewall in Active Directory?
 
Not if they are local admins. You could set a GPO for the firewall setting, but they can override it (well, at least until the GPO hits again).

Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 
I think if you enable the 'Windows Firewall: Protect all network connections' policy (domain profile) the option for local users, even admins, to turn off the firewall is greyed out. I'm not actually able to test this at present but I'm sure I've tried in the past and that was the result.

An admin that knows what they're doing could get around this but your average user should be prevented from fiddling.
 
User Config
Admin Templates
Network
Network Connections
Prohibit Access to Properties of LAN Connection
And
Prohibit Access to Properties of components of a LAN connection.


That should do it.
 
I wish I could edit my post... I think these settings are for 2003, don't know if they're in 2000.

Would you believe I thought I was in the 2003 forum? :(
 
I would believe it. I do that in the Exchange forums all the time.

The problem with prohibiting access to property pages is that it can be a pain when trying to troubleshoot a problem.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 
I was thinking about this, and I would put a written policy in place saying something like "All windows XP PCs must have the firewall enabled."

Then you could yell at them and slap their wrists if they do it again. It'd give you more leverage than saying "This is how I'd like it done."

I agree with Sniper above me though, it'd make it harder to troubleshoot, but is that offset by making sure they can't screw with your settings?
 
I would still test the 'Windows Firewall: Protect all network connections' policy. I tried it last night and it greys out the button so it cannot be disabled.
 
But can they start/stop the service?

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 
Quite possibly, but you could prevent them using the services applet. Like I say, users that know what they're doing could turn it off but your average user that happens to have admin rights will not.
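
Since local admins can still stop the service or override the setting until the GPO reapplies, a periodic check that reports drift is a useful companion to the policy. The script below is an added example, not something posted by anyone in this thread. It assumes Windows XP SP2 / Server 2003 SP1, where the Windows Firewall service is named SharedAccess and the 'Protect all network connections' domain-profile policy writes EnableFirewall under the policy registry key shown.

```powershell
# Added example: audit one machine for the firewall policy and service state
# discussed in this thread. Assumption: XP SP2 / Server 2003 SP1, where the
# Windows Firewall service is named SharedAccess.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'

function Get-RegValue($path, $name) {
    # Returns $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name } else { $null }
}

$findings = @()

# 'Windows Firewall: Protect all network connections' (domain profile) sets
# EnableFirewall = 1 under the policy key when the policy is enabled.
$enforced = Get-RegValue $policyKey 'EnableFirewall'
if ($enforced -ne 1) {
    $findings += "Policy not applied (EnableFirewall = '$enforced')"
}

# Service start type in the registry: 2 = Automatic, 3 = Manual, 4 = Disabled.
$start = Get-RegValue $serviceKey 'Start'
if ($start -ne 2) {
    $findings += "Service start type is not Automatic (Start = '$start')"
}

# Current run state of the firewall service.
$svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings += 'SharedAccess service not found'
} elseif ($svc.Status -ne 'Running') {
    $findings += "Service is $($svc.Status)"
}

if ($findings.Count -eq 0) {
    Write-Output "${env:COMPUTERNAME}: firewall policy and service OK"
} else {
    $findings | ForEach-Object { Write-Output "${env:COMPUTERNAME}: $_" }
}
```

Run as a scheduled task or startup script, its output can be collected centrally to see which laptops have had the firewall service stopped or set to manual or disabled.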
 
And if they keep doing it, severe beatings and rubbing salt in the wounds may be the only way to go.
It worked in my company. By the way: Does anyone want to buy a Rack? :)

Hell, you can lock their desktop so they can't even right click if you want.
Set a group policy to disable pretty much everything, take almost everything out of the Start Menu, stop right click, stop internet properties, take out the network connections from the desktop....
After a week of not being able to do jack squat they might listen a bit better.
 