Windows Firewall through policies + SCM

So everybody should enable firewall policies in order to keep their environment secure. Best practice is to manage the firewalls through policies.. keep a default policy to enable the firewall and do not allow incoming connections.. then based on server role add exceptions and ports. That way, each server added to the domain is secured by the firewall by default, but additional policies can enable applications to receive traffic.

When designing policies with the Security Compliancy Manager you can quickly design the Firewall policies and import these settings to a policy in your environment. However, when you configure the policies through that console, also make sure to configure the exceptions through that console!

In short, when you configure the donotallowexceptions, the registrykey HKLMSOFTWAREPoliciesMicrosoftWindowsFirewallDomainProfileDoNotAllowExceptions is set to REG_DWORD:1. When you configure the exceptions through the normal GPO editor, this key is NOT reset to 0, thus no exceptions are allowed and your configured exceptions will not work!. By configuring the exception also using this SCM console, you specifically edit the REG_DWORD to be 0.

PS: It is best to only configure the Windows Firewall with Advanced Security in the 2008 template:
Do not use: Computer ConfigurationAdministrative TemplatesNetworkNetwork ConnectionsWindows FirewallDomain Profile
Use: Computer ConfigurationWindows SettingsSecurity SettingsWindows Firewall with Advanced SecurityWindows Firewall with Advanced SecurityWindows Firewall PropertiesDomain Profile

Tagged